7a2fc23d9156738945fdd44552b2f2b6866003ced8c89c1451c86706d5c3a8d7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_2c552c2f9cd37dbdd316080322ca5906_ryuk.exe
Size

1.7MB
MD5

2c552c2f9cd37dbdd316080322ca5906
SHA1

6c90a5a3846117ac2ae1b464d7398621337c6456
SHA256

7a2fc23d9156738945fdd44552b2f2b6866003ced8c89c1451c86706d5c3a8d7
SHA512

5421bd41e84b355715f5d099208d1ebab84c9365ced248c88297c8d9c44961569223b60a47841ca2bbb226ebe8022944fbf7dd014cdba1d8fd4fb5b23c3b050b
SSDEEP

24576:86V6VC/AyqGizWCaFbyRTNjx+mZCkt76f/24pN+XNqNG6hditW:86cbGizWCaFbUf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4396	alg.exe
1624	elevation_service.exe
4976	elevation_service.exe
2544	maintenanceservice.exe
3684	OSE.EXE
4844	DiagnosticsHub.StandardCollector.Service.exe
228	fxssvc.exe
4124	msdtc.exe
2240	PerceptionSimulationService.exe
4772	perfhost.exe
2876	locator.exe
3876	SensorDataService.exe
1408	snmptrap.exe
4584	spectrum.exe
2268	ssh-agent.exe
3416	TieringEngineService.exe
4920	AgentService.exe
3628	vds.exe
4952	vssvc.exe
4996	wbengine.exe
1328	WmiApSrv.exe
840	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5f7e5b98293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_2c552c2f9cd37dbdd316080322ca5906_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009204e8372eb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000380dd4382eb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a92bef372eb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d8a2f382eb7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062d75c382eb7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa8008392eb7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089ed31382eb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1192	2024-06-05_2c552c2f9cd37dbdd316080322ca5906_ryuk.exe
Token: SeDebugPrivilege	4396	alg.exe
Token: SeDebugPrivilege	4396	alg.exe
Token: SeDebugPrivilege	4396	alg.exe
Token: SeTakeOwnershipPrivilege	1624	elevation_service.exe
Token: SeAuditPrivilege	228	fxssvc.exe
Token: SeRestorePrivilege	3416	TieringEngineService.exe
Token: SeManageVolumePrivilege	3416	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4920	AgentService.exe
Token: SeBackupPrivilege	4952	vssvc.exe
Token: SeRestorePrivilege	4952	vssvc.exe
Token: SeAuditPrivilege	4952	vssvc.exe
Token: SeBackupPrivilege	4996	wbengine.exe
Token: SeRestorePrivilege	4996	wbengine.exe
Token: SeSecurityPrivilege	4996	wbengine.exe
Token: 33	840	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeDebugPrivilege	1624	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2396	840	SearchIndexer.exe	126
PID 840 wrote to memory of 2396	840	SearchIndexer.exe	126
PID 840 wrote to memory of 2628	840	SearchIndexer.exe	127
PID 840 wrote to memory of 2628	840	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_2c552c2f9cd37dbdd316080322ca5906_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_2c552c2f9cd37dbdd316080322ca5906_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3712

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4124

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3876

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4692

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2396
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
318dcfeb395c20d7fb7e0d9815789574

SHA1
ed74cf4f3f3388350800d26a5bb2b016b240b60b

SHA256
eeb22fa0ff8ea461cd79af9d53b7d4e97902e48dcebb586b01b32b8380839817

SHA512
80ffbbfb8d13fdb045c24ba62402d30c517f377354bd9592db9fb83f153c8d92c8fb611d39604b94443b8daab16b33f8942a5ebb59ecf16dd799f9dd1665d97d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
54ef569216a61ce8d9337e2aa902e006

SHA1
b874ada10d7e6213ce36fe11404b1f5da31cf094

SHA256
d95cf97d01d5b112f3daf3fd86a7ede630f0fda265906deff7e8cf3e2c046f77

SHA512
e85cef7d505a739f355f0683c9b68e6bfac23881134ef988f4d164b9e9774c5fa6faecf058b3a2bcad86fe7ebb313672ceb7d4a1cad754e7569230befba8c976

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2eefa3b7194fb04e68039a055b29926f

SHA1
25763ef7b77e72819ba97c0ffb9c744cdc965bbf

SHA256
da9738f5f9a1867aee90374a57907d957bd556625cb9590c126d5cb6a24308b3

SHA512
413182f6f05e3aff170a17a68cb58e741edc7c8ddd17021a51dc8bd8e90af17f31969ef2857c7c911119318bdebdca6e8f305c16c24708bfc7e1c36887417a70

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1daedaf1eb2d4c12c4ff9fd4672d7a81

SHA1
59637d505953c77927306d865983e4ed81db5ec6

SHA256
44b3d9037621e774a68b655ce43bdc57e489d2a6fec7ffe8e18f5a6ae147dc89

SHA512
d9572c3182d9cce4f054f6e06823cb376e20e71f6845aeca5e480b561a19367eea74d8cf838a799350426f65f5f5f6d774bffb8b94f95a0babdcb110d23e0562

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
78d1948b5aa580b3140dcfab55db18c0

SHA1
542d51c939fe8dbd33a84bca81426c753e5cf4a7

SHA256
eca68d1b1d23d6dcc33f18af71b65bf40066751a2d097641865f06f53af32efe

SHA512
67b8669ed69714f12a3fc77e30ba2be9a06b7ce7c08b21ba8ece9d59b9ec80eb13f289b73d89d2c8c81e526ce747a32d4d2096f3bda81d391c43cea7552c165f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0a2ec5d9e0f515a8ec735bee97e77d2a

SHA1
3be5c6d286b112a82e3b91675cb380c735bdc7cd

SHA256
bca8c53a4bf1817a5b6a07b3a9c5f637d5640535402bd2cd5d46c759289e7b1a

SHA512
ffc9c5bd3631e8050b973b30ade2fd36f758f208019e16250f0b01477fe6070eed89a38ee8a058cebb638910edfcdc7f30aa1784417ae12ba6d6e060c419e021

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6a436f378ca3343056a4f20cf3c99afa

SHA1
f031af79ec9647fa5082d32d3a73942d183ecdf1

SHA256
d69bfa493ff7394448380e6c0cdd4b878a0f5ea919238e7ff0de521c43a84a6c

SHA512
0abae52f961d40447f1a610ba33a926ce3f150f9e1aab3a0d05076f2fe7c5b03a20b0170519ec810249a4ad67432711f25031aada0c4e53bfa5267c6d15ce9c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0d450a737be0a43dcb32ff2d503df91d

SHA1
4d3ea4791fa315440e222db452e202432ac78f60

SHA256
7d8823076a273c556738fe4763e5475108b2b4fe773d527f1712839b720609eb

SHA512
42304ca3f4eb63674f9425a9ac40f15225667816b31b6ab30a73da1354a8e9cfd789318489d606e7431b303923e27ed62670a3240575891f27c41e999b445946

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
095441af3a59f87ca47290ba0dff72d3

SHA1
3eda61cc8f90476bee1ad085853c844337a3c9d2

SHA256
a34e9c9575f7fa486048813b2af70fbdaa1a3975724d156d51349d577c9f9d74

SHA512
fc38085bedbc3d73b8b813888aca70a866ffa0e584f68d536d55825bdcd84465ad03d48ddd545805aaaa2a9ed2e91f8c92b2a072d8e1c19d5462154cbcd44345

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
898c7c3ff06c9be530e7fcfbd491b3f0

SHA1
c60ec599247af5624a7514ac4b49883920f38456

SHA256
ffaf32f103a416a3be21de549ea6f59b2c9787b559428c0d99c04aa7e8e02a6e

SHA512
9b56640f0435e91ed2f20edee9fee7f6fb9ab9d072c5ac90d34e48a21f20a841852e95b7bad60d1fec5ebdac2eb7d830d8b9314364f1dd0c3eea991099b98536

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7391f3b823a292ab6190c439d83340f8

SHA1
6f5b0985b7cb7b236bc8c953f905184a99a3d544

SHA256
ead5e4f9de3ae9557a067ee645f274e858303cfc313a851c5bb6b0a89c7a0546

SHA512
bda4d5cdd90aacb67dfed24ca88e029ffb33ba4932cee9b2b0344a40c601d505e1d946fea8768e906e592acefde65ffe75e7860907ae29736a62272282e97a43

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
492f934856bdec772b4707750628fc5a

SHA1
5c28b7a659efe86324f19f57456488985f5f435f

SHA256
8be60862134b4b54cb23aa38e1efe0390be14fd833fc7be78832f70e1dc27e26

SHA512
c18f3f54fabe372eaf20977b55777862defbdf540bd9f6368dc41a335dc6428bae337006fe8e40106c761b3ce056ef8a28de94158f519ab1578d3d6628a4d98d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
62995029483022f94eef73fd3a7845bc

SHA1
7e02fd624fd6cbc9f39f9c550c0416cabc7bec09

SHA256
016693c97cf5c8c2d0739fffaf665de69ad080dca9e5a5ff7098a86712e7b75d

SHA512
bcdcf1f8dd2d502460cb95894ba5804c6c2ab2814512b4744aa6961a78769b9c9e5578264d89ab3a6b53675f90db60f5d652cc5d1c34234323beac7368e2d951

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b37393440e6497a1ebe3bf5580a00466

SHA1
07677e42a681dc6810c5df2c3624f140d7d2cd88

SHA256
544831bfc27ccf51ae4be4c4c371064faf5a639c4f129ee65ced83ff238db253

SHA512
3a8ad4ec56d93146474575ce3f9aa98a0a38da63ab7a6db9b676d00248c454872c134dce5dd408f4ebe36babd66dc3b94018026042964c9292d7bed993f33b27

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8dce03bbec654d3714be159819b86a05

SHA1
051ddeebddecbe8531c294bd1341ce156218fa8c

SHA256
dbd7b92c8e7684127c8ec9e527ea481cf0d276256beb9b6ea8f66de0c20330ff

SHA512
bbac920111b83cc4f3a0f2c3a4210ea48386b5cf25548984ded849a9ceaa0fb2f44add232e98aa872aff29f6be82ce77315a1b12c41151c7c6a17b094e5daf21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
420319b8bcc4237d79a6373788f8b3a0

SHA1
849a14a260be17375603c340059a4ab1da973c4e

SHA256
fc0681423273eae62dbd31307f205a04b94a45df96d41ae6458d0a7fc1e00201

SHA512
a43fde554f664b4b84f7651c31b9653bb16b06f511a8675f30af6f8fbfea97058106bb0cc5bf0f5f30a5de841e015ad99ee8e111672c2a2a7f1ae1ac791bfe16

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c4295dacc33ebeb99a4f6d46dea7c8a0

SHA1
805fc055e4880681e8d78e31f6df36d01edd57e4

SHA256
42c3d4b09b628975b28164c0c4d1f708ac14ff266a745a3bd2d538492d9bfc42

SHA512
983a3dcbe210c3ddbcd978b2d35471af3d341174ba88187691fc62f9de064082fc189bb36772cf857dd57996088f2a41dcd5bfb3127d419002dfa4ba01a61a27

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f034f6c4cbfecb3984150eec465112d2

SHA1
97e40643bd8abbc898cdf557a006ee3d734d8f6a

SHA256
66ed3a243f1ec4755dc2bc2dd1ff53d4a94435bd976bb5dc8a84e89ae7367568

SHA512
81d753d22aa40192fef17543500c478d9dfeec4709ce795d107ea8ab585f3a67d2c772cc5aa56ccf494d824a716f59994a91a855c4f5b61526b8d3d722f85602

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a4cfd27a3a070b16ebca1ec89ee5e84a

SHA1
60f8a5341489016dbc4670b92e8227be23a757fa

SHA256
352bc010c95f43334ef4e826b6ee8d9b9b9072cd6ab0043de9aa78b3e86d968b

SHA512
ac3484fe48323d51c9179430866a73dd7f27e02c9f3fc5485c1102e7e4adc2f3d753f7a3e9c1a6c7d95fd14a63621c1c06ed76e791a61b5e17148c4598f85d8b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4f2e22c30f7186eee4346bb088036421

SHA1
a4a84406c899714875bae290b5b33924e7e9d1d0

SHA256
e0061d5b068fad8c735a971990707e1b1581a7ea0887c113b0547ee108cc6dbc

SHA512
3097e3dda0faec188d2bf8b85629036f17cf0cff187aa4bdb186c756b6b6bb6245eea8721adb806802268c10e7ef72825e78bac8629da9cf166607c71d31658d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
88bca5b9be7de9b13a429149ce7b8e0c

SHA1
e8c597d869686205f77fe8636ea81cabe592e032

SHA256
4fa341ddcbdb99e7792fb7831b009c4b72cc79d79f19235dcf1d058a4bd6fea7

SHA512
c0965e9d40f91238cb7f70c9094183b7c63b5f12c1760e3daad1b7028f6d65e240d58ccb222fc947f914a9afa5219ead74cd55810a39ede698a2d1502b27303f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7b045caa1f0c5261e6d0cd5d8db4a9bf

SHA1
41228e8262778a293b56ee6c815d0dc8630df5ba

SHA256
628b0cd7163fd334e017efb45155acd6393139ee0ff99c375e672743056dc25f

SHA512
d95edef286e9ad0a87574d8d7439f82351d4abed3357c27883939e427b53e3a1dd3d3ce7b6fe3315d8268629c0df230fcffc2b448503b3e80dd0c6e3ec906b04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e8300ea759e45c9939aa3482569fb4ac

SHA1
df49bf44513023bcae28889f08eac6993b0538d7

SHA256
8bfebbff58dc001e3b853b98b7946184db7c2eb347d3a1bc9b0d48bd8e9b2865

SHA512
bcd0da5128ccdb74e4d8576729baaf96817fc8c7a307eb914495969ade42c79e4290380deaebfb6020924335a4f0454aa46ad037b90f6488b3e69917079ad5bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ac11ad0ebd9b0ada87651c29289df4bc

SHA1
a9546680e49ab1f8e8a172b4a1d2284cb91be597

SHA256
d94d7992b3ddc02496bd3f965ad193fd3d89f47bde41a494c5c42257ed37141f

SHA512
625188379d19e5f5d906f09c79f22d77d91dad614c2259be2e95c3806cfd98e23c9111baddd648e901582bfbacd546e28376213f4c4398ef78be8c1a4506f32a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7faef8210d6e5eb315fa0209b540df36

SHA1
aefc92e8c0c2a844552c954ffa3d7b441c878445

SHA256
b2e19ae2943a7e4d1be16e68a52aa4075a06a9289dd08c2c86204b2b80773092

SHA512
986c6a9d46a139f7c77abcf16f62ec1bb69a7e027aad0b26085c364e4373f1a75879ce03bb0c33f7ad063c9c94c1c0759a0870520bd4dee17b4e500230078bcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
b7141e9a9d92c25a3d3fe4053ae1c439

SHA1
91b84bf8d11332443d86c2d129cca414ecf6734e

SHA256
d926d943ebe040d5f23b6af0fd0f16a7c527070c8ab823f0c1a9310027af3397

SHA512
c5d30f7385cc08b1a5ad6f844ce80b49d3ef974b53c2f19f19f2477b5599f36d4d586480faf6bdcf1e59dc44fe5820661ade59355850b2bb087226d2ce6ab833

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
51976747190f139c42f12929f72be7aa

SHA1
423b1107e4bdcdb119d225d3a3f191a3fe937f68

SHA256
06036039e5f52519593b1d60a3aea2a5380fe8bc601338dde8dba380bb61c245

SHA512
a42c5886be166248250bf18c91db93a005be2e8d18ff6387cc7733779479c0e404eecd3f1220d751420ed47568edc468d1f991a14778d34d6911da9d1039fa9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
903236c053014cb30590b7d2c2db0bc0

SHA1
cd421c1f6b33a8a8a161ca0f5c549f0de38880b2

SHA256
7f186ebb7b9cc5a9eff706e91c01219890ef0cf2706fcbf42928f7f1d4af0f70

SHA512
027a0043922e4e4bacd15c40d69ce893ff67eb921c43778351043be0e71d6d2e6940bfee529c13920f007d3695b759e18ccb869713b08541c773226af3ac8c3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
046cbba0be47866f67dae64e4b95667c

SHA1
d5d3fa71c5fd1d9ee475c18c01dec4b237d2fb1a

SHA256
92b4eee2ded7b1589c586e9d443a4177f1110144bdd6aa3601c93facfe746a40

SHA512
53cc4cd3a117f696c053dc67001e9b9441f2927f1eeba0dc9217c7c0496964a1994b0f47c608eec1bf16ef0535f9b795832b1e4dc27f50a298403d73a31ba524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
1df165705b5b66e6d33c326dfdd04083

SHA1
af800f16a4d9f7135a891df55dca8e635eecbba8

SHA256
fa0ce0dfa6354579bb56f19362b90ce1e26b0a8dfb25bdad966208f368a5b12b

SHA512
8a56bf68d6a11bc5b50631ca5e28cabaadccdaf950afcf2d48c890de6765bb615c979f038bb482f6a54461cc45b38eef3aa5d1e5f286c47e392ecb246b182bf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
612d06ad4846af81b066f3fd0f8593bc

SHA1
920fea096c13c3fc5f868b8135e7ab3fdd6312d3

SHA256
ac9d40f79dbc51d938c87afa6007b9488a07230ef7fdd4d0fecc9429e0b076ae

SHA512
def9bb880d43c8c8676f07835f1267a72874826eb19a2b9f424337132f715fac0bb26367f9bc64ab7573850794186825a9a4803d0de93d22d16e1daa24350bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
805927e0b05f3f5826cd6894c91bd291

SHA1
e3e83bac4d4de94a160affd66d5de9dc9dd4688a

SHA256
9bfd53b27bb53b9e0576c4ec9216f23fa66f478d3259df72df68b1456df7539b

SHA512
d5db9be1015b53ad8665d71ca75bb271880dbd901601aea83f7eb8be130943bc124ea7717889d52eac5791312cd11b24240945e3c3b2707c8a08a60b948f90db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
eeec922c783d7ea3d6dd2ad3fcaefa8e

SHA1
e03a6d0f72fa6f3ebcc6f52df961d5f4e4b011ec

SHA256
399d6dbaceefec626755f833fc647d1c0b33f80e02e1e63dbf96e72280778690

SHA512
d7e5c011ceed8488d4cc0c028a8da7e78ff579d9ee07a2ca0cd49c05e1423d4ee677ac6c1aafada1942185ac04c6116a787919d18010db95fa56f368f0d0308e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
97c3dc4d67624ed51136269728815a67

SHA1
c61b71517be82ed5342e2b59b2024d5783c9a4e4

SHA256
0115c8c5267f71b4e50104b431f22cc10d50280dc174460e09c06ab275ca0d73

SHA512
c15bb9aa367789a88ce9c29aa47dc302e57c394e591d9dc95abd65b272ed96fe9b06f18650aefe72370ddc162f9cfd56cbd663983b748e64fd2310d2bdf38c29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a7950f3718447ef8a802de9780061289

SHA1
ebe4d8ebf52275ae12464d5d20416a1b7ee3cfa6

SHA256
a753e548c9500369e21e02be229b13d96e839fc2c48423ea47eb7860db04d201

SHA512
1267b8afe283dca007f4dcf85e7ee3f39f0ca3315d8a9c563e6aafe0840da86b414d615a06c1dd9352f82007937fb45c664d883832210b87bccc49e8ec1a17bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
8be719ea281bdf9ce5477a738be461d8

SHA1
35c7992dccfad235fc1b752de103845f7453c06a

SHA256
b839d67ee4b6d0460e9d0655f6574fdf16eb355c6665ccfbd53f5c7b665a76fb

SHA512
9f0658ba750433302a17cd161b88ccdff8c95e9a10cfef8623b25dd3aa60eff39217de939cfe23cfaf9d62477725d70447c4414617229e061f302ec1b47b7712

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f6d3497e365e4382e4898697313cbc57

SHA1
526ad27462974d5c1e08f9a21e47ea326ea0a7ff

SHA256
c1f0617afee9bad17f2b2e7b08adf19297f552bbc1445bb6f7f4a9155dab0013

SHA512
00fcc533553b70ba35d53a52bf9616010851df284cd77809bd61c57aed7f06a2b853b04d92454459ed1adf63b23b85c40a0f8b00e6728424513010eef6d6781f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
a5452afa9806a7d62b14c11618eadc85

SHA1
ee966c1175854b4d3a09751bc01b1c271b00aed7

SHA256
aeae9ac3f9c816ee7df9167cfe132bd320b2f278063a225565d09722e1bcd876

SHA512
ff1efb8b7127be12d03dd0a424d90a964dbcce981181e17dbfef37e34d9d78e270cc24368815429f765194f778e16ba375f1c994f6585aab443e46c8324b2d33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
dc9e1d898935aabbb140a2418f9dc565

SHA1
86617ef89fa0c7a9eaaa931df1923b9cf693767a

SHA256
9ee415bdae57eba8db97732998ec5cbb85836cfb593e50d1540e4e261dae72ba

SHA512
f1e6fabd3fede36ff3a6b4ae888982cda17c6f86a4222cb5f80a0bb4976ef017dcac673b9b98a4e473b42e6e4a584e42301b47deb59e1bf71d0bdab4b12033b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
5c83ad91c64030da5df74fa572611740

SHA1
4b9574ef354fd2857d60df71aef1f6b94f41c2b7

SHA256
160546eb670dff5b897356448a1a3f3167ef2fa237582030ac4dc79cfc5d0704

SHA512
d671fb1076106cdbb3b4e6f7906933a1b6e922aaac164886dd3b66a6393ee825b10935ee56ecce2206f3816bab43b83a395e6488c3c7e839c6c13f6a5632c458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
ced2c1a372644ab2b815814adbdaa743

SHA1
c8f4fc646dfa2c81d989f787218b8a99346fb8b4

SHA256
d5fe72868bbe16c583de27b6bf4fb270ab3f1d883d5969a0ffdc10d2afee8b6c

SHA512
5913b4b51a722717a9628e7e63ab3c4f9effb622728da146746bba3dfd4ccd08c47d76c10e437b8847d68a446ec64f3989cacc3811ca320cca94379d0f7ea34a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
81445c4e71236c42c1c5a98883dcbc67

SHA1
ba284e67b1127393bbea5a110b57e8361d57223e

SHA256
abb22b96ac06a87aa47daf5cd88e5d8d987b832496f3eddf2a7d6d94a291ffc6

SHA512
464861c3e0d4d53de251ec48c587a7c05ab154408bb0ace2cc19acb1f950a0d9ceda645ecb1d3d9689e9aa867cd43f9dda297a15758fb7f41c6440c1e7676b94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
a3de34b2973522d81c10a554941d10d9

SHA1
096ad8daaa3b1813aad94cc062f51bf94bab4990

SHA256
35fcad3c7620c0d5553573965c4af1821391560b66f8132a43e7425473db220a

SHA512
d8f4541dcfbeffbcc10c101b0402ad8ecad810b0401c05383cb0e6b27d63d34adba0b1eddda58b7471cd79943556f03c4f694531dcde1c644aea8f796fade96f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
90d0b7ffa7323b76d5f06528f85f7018

SHA1
479ff971e35a96d6d6e186bf69a504a3e8b737b2

SHA256
838851ec0ef1ae4306920f458ab5c29267e6f856898c1c12af1a4ae723ccacaa

SHA512
0b3ab25023ca27fa259f2912864aac28ab0e70bba5fe01c9ecdf1bd2da4149fc630bb9c6a1dab1b66ad107077f839102f5f10ae488b9abf582d4f60c29621c63

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
60504b3141a37bdb003b8fa4f0e3cd7d

SHA1
ea00cc455580645c9ca2f9cdff50ef421cfafdbc

SHA256
b8e3282b6c5da7fac8f445af4f38e41c24a7d209691e77fcdd42b8533d58e246

SHA512
78bea6ff6e42ff7c391136811e9a860fe3f2cb89e45b42a4579ef946a6ffa0689205a535fedcbdcaf67817895ff9c2775db0bf7accfd46aa3b01ee6b9d7535e4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
21372e167e732160b9f6c64b66bd3b55

SHA1
870a7eef9c9b909ba6c9d47bd9e99f341107f24e

SHA256
92eb680df464f052cd8c1482ac084d36b7342cbb563ae7df3d2ca70081671339

SHA512
48857c4d85adc7e09e1f6651975f5bd87ca5d61bdf823a6f1a806a04954c2ab13543d29fa464952a7e7f6de40244843c7113f701a53367ee7d8d2d29d77e8e5b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cad4fb3cb905ef1159279638e9a4e73a

SHA1
fb24bfd5ff702133196247cb8d35d8fc1f672b08

SHA256
3ff6db18643424b04a1551371ca620312e3389c56a54a94de690630c9175820d

SHA512
60e0fa87006f14cf48924e5e5df56710a9cc49d96e5566196557b5fc483b336474dae27c9ef6be81f3b7e166cdd037dda71009c8d6ec435f735b4c67d4443af0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e2baddff55fb35365dd1608076bd3288

SHA1
60fd615d3f506033a74ae1ebb7bd9d26b9d3305e

SHA256
5047623fe6b6e09f967196e208acb8f5b562656e578b33ed6647416cf1ac9a44

SHA512
7943448d6c8474e758c6196d019fe05ae0bdf7ae24319c71104864c6a36738b636dd187e225d58bccfee2ab07a70a330e9b14051c22ebc53ee1c7993e5a3e329

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e8d34767d09c6311321e77e89f65836d

SHA1
f66a37f9aafefb7a99f49d0e128f54de0255fc39

SHA256
3db3d9d0ceb28fb0d30112a18ebd95789326e8c72b87352b1d867798d6b9deeb

SHA512
61c6ac406f11cfd67362e25b70ed1782632ae5bf712af17059d7709837a5f1c1bfbbff937152ad2941acf07230a7df1040e6ba02529060761023b3f119fbf95d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
42fc5d0cbb5734c2a532ee3dbe577449

SHA1
8f6852d459e85975e92636e0a52425d57a0ed588

SHA256
5265ba3907dd9f652f2d7f051053589d7a14569bdfcfe0f0381d69ac6e172d08

SHA512
b8d3558714fa846a7ae8095be14effb770ad81d1d9f7afacaa191b887b9d05806d72f543f111285c52b534a8787af592ca9fae482a53c569269dc605b1685b72

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
96f754a7ae5af0f0078a4c8c3c167871

SHA1
7debfe4984d057b3c838b809b59da9398896517a

SHA256
2e46c95e4cc535dd4522b7cff82d52a4619972f87f9cbd3ba21230b3699a62cf

SHA512
7963e40fedcbab20ee85063d16b8a8158bbefc5d9fb68b7302f54423076cc86c5db42923e0d95788db9bef5f3e2860b2769d4c3415ef21a0c2d49755c87a121a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
41a36bd1036b70d7551b6daf88248367

SHA1
ac7e528e341273fb3e40181e3e2eebfb4c63ac8f

SHA256
d6389f1ec728f149758ce62eddab05dafc7b4edf61d7a205ec1efb58eb3b648f

SHA512
708c7e3d2a6ff9ab00d77d0699f8ed375484cd6e92fd9d6a0cd9394507549a1cfe6b616b75dcc48544a2e549b77b8745f146e4ecedfe8e698610a93d89ab41ad

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2c4e7b2a3b657d577c2029c3be854ad6

SHA1
3ff5adf7e7fb9267655cf5e51d135c18c62f25cd

SHA256
8e77e0da85573a7fb871337ba88a9615cf3bb3f6d61f30ec32b1d7717993106e

SHA512
35cae90669646ea15a433578706b66d3ae9bedeae2da580bbe90b755bc3e2569556e30b48ce98b3954c1105ee73cc8b9e207564f551f02dee2216d90d75aae0b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3669e821ac52a55371d019773fc0c2a2

SHA1
e99c13cfdd1a435435db8b93709b0d418a491f4a

SHA256
f42b158c41f145293da6474fc164a9f5efca7b2e244d8da7d682cfd76493920c

SHA512
f0951c99173e59bcf3f4701cb6158e5679bd6d24449dc9885465e6e8d8fdf5cd9a56380e278b48df0981f6b66c92f9a1e087eee95c2c2d04a9aa52c77ee3dc72

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
96382139f31e37ecf495b9f26597480c

SHA1
5cfab27592d3a110c2ab0cafd83346c84109da0a

SHA256
670cfe9bc3e9f2717dcdb6bf650ce4fcbeeda72157466f783568d380e10930bc

SHA512
43139b1d22a55cf6ec6de506feba91b9811e9a967c8b75bfce62255db492f426adce38807905ec504524b5230fc7db3a924f0871735492bab2779c996246717c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
84fa7017ea0056ce357f7bff0b464190

SHA1
668790d8034b8e75deea6895811e9b439d72dbf8

SHA256
2b7f54d8765c1343a94049779674027f17e902a80f6d851477220efa57cd3bb4

SHA512
48f4966584b0a032a5614ba7e42ca1ab70dcf805048af9108d69c052fd56542909a90785352b260d0a01b0e13d89fe2261fdfcc8658906a140b3f0c41aebb149

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7de89d5c9f88d08536a5060cc005e0a3

SHA1
bc3b581e9add05682a5a8db110329607dd3bfac9

SHA256
154539556e2ba1b6f1b035dc02a0f91e01e1d48e66285a04dfc37c9a175b633d

SHA512
a433a3f43f7d937d8954863159a9ad2a22c8edae3068bfdb04336a090c8de8d2cd2e587977cc842d52fa656fffead81ca12f906dc09b8825c7794057ef2215e1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b02a999d2336ad6ed3de61b48df8c43e

SHA1
8eb9847bf0c75b480dd54eaa4b0ee042d284813e

SHA256
6cdf20b17d14b5e5d56784f2a5fc7d80bc5367b261df91498f521c4fb2e8f17d

SHA512
88a8046da69df3f74903b8f7167b397f74ee5dbf61f795c3d3f653cec124a0f4f62b052c926ffb52d4809a244803934b5cee7a74740ce075f80d6d4aaa81c212

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a533ab3062f6d6dd2a69853cac9fea69

SHA1
1936152d5b26987c1f55d3d7910535b25899af33

SHA256
df42b8efe494c2e577c1fe300a9b76d76a88904ee962fea65e4c83670a41ccc5

SHA512
ac5f4b3d830d82e63a0bc647c1c612f5973484f2f40c9d92fb7078da3a23fd3666da6543a6d599f90a54156e0c2698460535e2c51caf1fbedd83055049b716a5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
100f8f54e67a98480250b4d528832456

SHA1
eac509c9231e83849112333dfa8bf284107009aa

SHA256
075867738c781fa3ef6e82d377faf20032e1a87deac8a3fe5349141b14d31b30

SHA512
220b26be38c997116afb3f8ce6f1de6d4629c0ee543461b9b54bde3e59bd2f4d8cafdf23d4bdafb52852a8a5dde86c48efba8b2d822c74e2aefd2851e41d083b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6534b6dd3a8e1140c952dc98848970b6

SHA1
328742edf8a79335d26f0e56e06b8cc3322d29c8

SHA256
919c3e89824ec7a00c0b9750e4930df7bb52acbe3bb4425690bec0b9ebbce538

SHA512
0fd651ff82b9f3dd16a5c04bda7dddf1b5b4d1b455611677b799532c61eaea6d6e9627103ae973d868e87c4c11eded3639a6c968b7d51e56a1fc89a73997b1ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3b60657df2bed969653df1f052717eb2

SHA1
be138c1d115cab5919a6187edc3281510389cfa2

SHA256
427aa91c0a9de93aaa4df0fac8417174215006f61312e57289aa6b7e3a652b76

SHA512
10a9abe94c3ec2168db48f2d363de250e45f67dd126d428ccaffeaef4d0ef47b69851f3bd85fee823ae4c3036f2bb930769897ac03b5335450e0702c149ae1a6

Download Submit
memory/228-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/228-257-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/228-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/840-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/840-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1192-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1192-23-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/1192-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1192-0-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/1192-1-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1328-580-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1328-428-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1408-331-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1408-550-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1624-28-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1624-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1624-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1624-37-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2240-395-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2240-294-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2268-571-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2268-346-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2544-52-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2544-53-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2544-59-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2544-62-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2544-66-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2876-419-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2876-300-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3416-358-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3416-572-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3628-384-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3628-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3684-240-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3684-75-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/3684-69-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/3684-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3876-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3876-569-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3876-311-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4124-383-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4124-271-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4396-22-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4396-24-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4396-14-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4396-235-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4584-570-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4584-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4772-297-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4772-407-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4844-357-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4844-253-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4844-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4844-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4920-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4920-369-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4952-578-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4952-396-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4976-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4976-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4976-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4976-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4996-579-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4996-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download