fc86ab2c74a61c9651d7a924712dae8d26b0ead27c1a2b0e1c4f43e0c8b51dee

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_02151f18d97f5a3d5122c690b0a7e1f8_ryuk.exe
Size

1.6MB
MD5

02151f18d97f5a3d5122c690b0a7e1f8
SHA1

cbb8031e40dbdf22dbc86a857c82ef805795b022
SHA256

fc86ab2c74a61c9651d7a924712dae8d26b0ead27c1a2b0e1c4f43e0c8b51dee
SHA512

205579b60aff9a623eadab5af637fff22e3c3c652dbb280a1dbfe3d6c23bda9b3526530212bddd2143c085d7d94af1b53d5f6afcd7bd422d5fb897430a28047b
SSDEEP

12288:O1MKvvgcgZwdQVDgEZXIBaxqCKi60RoaItZICRtjch0Kp2H3HqFShkPUzlZjOJ:OmGnpdQ+EiAkbwRobfHRFcbK3eUKUzy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1876	alg.exe
2724	elevation_service.exe
1644	elevation_service.exe
656	maintenanceservice.exe
1960	OSE.EXE
4440	DiagnosticsHub.StandardCollector.Service.exe
5092	fxssvc.exe
1228	msdtc.exe
1748	PerceptionSimulationService.exe
2004	perfhost.exe
2600	locator.exe
4704	SensorDataService.exe
1172	snmptrap.exe
2820	spectrum.exe
1980	ssh-agent.exe
4888	TieringEngineService.exe
4892	AgentService.exe
2540	vds.exe
2488	vssvc.exe
4340	wbengine.exe
1668	WmiApSrv.exe
3908	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-15_02151f18d97f5a3d5122c690b0a7e1f8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\23725c9c8648821.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dd09c8b51bfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040a5f28b51bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002631be8b51bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b067168c51bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de80ad8b51bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a0a5d8d51bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3b7058c51bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2724	elevation_service.exe
2724	elevation_service.exe
2724	elevation_service.exe
2724	elevation_service.exe
2724	elevation_service.exe
2724	elevation_service.exe
2724	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4988	2024-06-15_02151f18d97f5a3d5122c690b0a7e1f8_ryuk.exe
Token: SeDebugPrivilege	1876	alg.exe
Token: SeDebugPrivilege	1876	alg.exe
Token: SeDebugPrivilege	1876	alg.exe
Token: SeTakeOwnershipPrivilege	2724	elevation_service.exe
Token: SeAuditPrivilege	5092	fxssvc.exe
Token: SeRestorePrivilege	4888	TieringEngineService.exe
Token: SeManageVolumePrivilege	4888	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4892	AgentService.exe
Token: SeBackupPrivilege	2488	vssvc.exe
Token: SeRestorePrivilege	2488	vssvc.exe
Token: SeAuditPrivilege	2488	vssvc.exe
Token: SeBackupPrivilege	4340	wbengine.exe
Token: SeRestorePrivilege	4340	wbengine.exe
Token: SeSecurityPrivilege	4340	wbengine.exe
Token: 33	3908	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3908	SearchIndexer.exe
Token: SeDebugPrivilege	2724	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4976	3908	SearchIndexer.exe	116
PID 3908 wrote to memory of 4976	3908	SearchIndexer.exe	116
PID 3908 wrote to memory of 2120	3908	SearchIndexer.exe	117
PID 3908 wrote to memory of 2120	3908	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-15_02151f18d97f5a3d5122c690b0a7e1f8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_02151f18d97f5a3d5122c690b0a7e1f8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4704

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2820

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4048

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4976
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
379a37f5e273c6350f637a4e2b87a929

SHA1
3204283dcb9a2e8e22573890d6162b8dee583aee

SHA256
83dae1d4dd01b6a6947e3e95586a100126f011d039e266e792a611d49516542b

SHA512
8be5b619ec9c3922b698a34f10db0d07c059b0d9f58f0b975aea4690ae36b558c515e8d142ee4e6d80ecdb4ddb698b1d58502275f719f24f80393e1784b27de9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5ba4c94a45c11a9a0b80dd0e53d52831

SHA1
19b80620b8bdac0ecac282194f33d3e964b67a84

SHA256
f68bba2dbfd1f95904ae1f0f088005364de254a92abf420482779050cde2533a

SHA512
e5e2ba285c7985b843d8b057ac3afe951cc5bae3ecde546700dff4e90c9e1c4c2476ab6fc6fbb1698a94248572919a6b6f8a563afb3f2b4410c0afd6b214ddc0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
f8a2138b17ab61162de1f30abfcb285d

SHA1
9e430e14fce586383ec2f0f3fedae14ebf8dd5bd

SHA256
a904db81296702694507d51e78d00609f2819c9ea6aaf7446f895b8a5be18912

SHA512
0c52b41a8096570dea2e4d3c91f0111cfe186cc683a3832454a8fb851e48e97aeef148b575f8fe49b0337ac809c774e2c22a678a1e8dfc3f41cfbbbf507e232a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
25a17ac084bc65b5ac0b7ec908a46c26

SHA1
b59d655a0bb7e0b4dd36efe3eaf4166f1f1e3e1d

SHA256
c5c15289a684bfd33545dd9c7b5e6ca41e5c0d69644b8463845fa5858048fa63

SHA512
befe49d18facecf155fa3e1261905c03b0201d73cb28c4d9da1e9af48dbe04d81b830d7538b9f02aa23e0d07ea7e2c3d99e22d154d8e5f0167093a2137d01b1f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
668050839330079d1f89bf67a4bcd081

SHA1
233078c397feb389acea010083b5d952804efb99

SHA256
b1db92e533eb032c5467c0727f1f0467b1d6357a5282b735e676410844fa12d3

SHA512
dfa59a42ce98e26da555e98369851eb7d218ad18e414416876f54957348d15da32672a4d00ef605aea3272d40e051edbb0df4e1bc6996d114a2531e52f44f8c1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c63068b4f208405730425b64573c5028

SHA1
715a9292d8b5df723e204ac385702d58cf0ca5a0

SHA256
0aa79235f5be907c394270bd49d528f877abbc6a7f72788bf5df9bb182c3075c

SHA512
f1e2f81aa4020d454c1c22e71bbc38f041f1e1d8efa2845a3275f9152d58a357cd0a77879e441f1b882a9cb817b4e15fdbba11d31f02983c5db968fe451b3ecc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6e2a3d26b02e9b811385c86e21e2960e

SHA1
6ebbb715d9ac65ebf4b0782fb065c64dae439981

SHA256
379c8f20a938278773bc3f2b633748c5a07045f81938ad33118a70df09af9e45

SHA512
6c7ff62af863ba1098fdc6b0f937ee5a07b74b9656bcdfa1c658c5153d8890470649203eb35a845dbbde8f2bf55353fad6bcac28b4ce683b5c79e25d8c4d8bee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6453bfae2e026536f5fcb13e47f83721

SHA1
850b91bd54b0cf1166d63b0dedc54c6bd5c144b4

SHA256
a41094da246c95d688c9350e4c7f395cedf2a6cc28461c0b7ded99c71ee01e39

SHA512
91bb1ec17e758176d57f3d64f4087c5d703e3f0c1bcb6c50594beec8471777baa01e5bed56c2c3e061d9e3093a7502751b930aef11430eed7d909e35eb9e7f6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
540ea2c921f7332994af316f9b215eff

SHA1
8a52899bf6b87066e38d5b015bf6449d4e438e43

SHA256
23e8b129cf0546aa8d98cf1cb68dcb78428336b33ce45527accadd3c40a58f9b

SHA512
3cd9c247acfc7ca42e76abb2c31de687f2cd28393cc3779e09532c79a0f6ac0dcd09af3029127a444c0101d5a0fdc59f319cd1ded83e9a4731468fc80a3d51be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
512f96fcd7a53524a07d8a596a5ce1c3

SHA1
ba32ecb4a5112606e3b1d248f6768cf801909ff6

SHA256
b73ceb62803b6b5f0ac928447bbdd01d7a97b64a0b73eb9e8a7e072a9a7d300a

SHA512
28dac199801bc1dd305b2d29782bc5657c45ca98ac600f1278f8931c2d0e2c18141e1ff1ea0145f597cd40a665e2304e5983ce8a73480ad0c281dac586826a57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8bf08a10ac7dd17dadf23be7e7f59754

SHA1
f3b539acbc6a0352fe2b7c2e98a6786a0592529c

SHA256
b69a84dd268fb439c1d1a9c6c39c29d109274e31782797d5a4b5e29629f034b1

SHA512
c1cd2d13afb0626ea97ceabf95661af36bc4520c18add68a5bb0c8d012530e4a65ad83f50f375017a7da9429ec71348e1cc2f8449c8404e29ef9c5bd52907900

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ebc29ef49fb7e37c1e15c22279bcaadf

SHA1
5f35e18d16a3bf1243e5831bf620b565210ff68f

SHA256
2a99a22236a142a27bbb1f8438e09ed46c8d2dec1e30e0f57be1dfe8dcbb044c

SHA512
d9375bc78e771c0088586757c636a87f5b1997c608c4fda2c37367163cf5b62dc6de81f3723e170f54dc5b643cb1fa446cbd0bdde715441ff92ce0299381e0f0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
6413fd02196c4b8048305533703ef448

SHA1
075afb9684f2583fe09cd38cd7ffe84f24275ac7

SHA256
e53d34e329f4baa691ea5b818b08f6083db875f523004a58d7b1f7ba7ee18c91

SHA512
d3ba298ef95302e35fa41cb8fa88514824a9cd15d6d83b95f2254e973221413ef70a24d6404acae3492ec39a336754987741c5dee0a79cbc2cff180afc74e484

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b7014fa9d9bbae2c3a9a3adb80e010cf

SHA1
85f2f140d5274f460f55c960f4343a638d6574cc

SHA256
ed82d53a4e9f732245d3d66c0c604f27220bef29dee2ad762fb85d967a6cbb77

SHA512
290af54aeaa3eeeec62672d617fd4f6ef806e30d2c54c8daf33a7adf6fb162332f3866e28c8efb238271ca7408d34e780210be71b23482ec906f23604dc6e3d1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6d0ee4b7df71d78b463f42778d03caf7

SHA1
f1183b032d4eb28b5aa98c8cf8642ff1dc97191a

SHA256
7a9312d6b7470ab89ce0cd7bc4c0ab0b1e9120b7aa71a6b6478fc943c2c18752

SHA512
ce5639a7f537db938df06aff3fbd807e9989024f9670a55d67459ac54eeaf3ad8be20aa41ad36c57a844f062165d3e960ad456b9219ef287945f9ec171a3e9c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
63998f3476247b37ac14fa37650e12ba

SHA1
1c221580d08f66ec324be5157ac7af6e20605276

SHA256
dda022567b6cfd5342a9901874fd42250843cc15dc1d6d88f7261f27087a5362

SHA512
24519f4c576ddf74f8129b33340014823c34cac5d8987eac2350ae722a9bbc3d9877fd26aef96c3defdf177a4f21eb93efe572c396397805f26f288d3ad6276f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a24aa848fd8b91b56ccdf1e0f98915eb

SHA1
221a2b2fb6e6b8b7e518dbf799a313b28ec099b7

SHA256
c41e4252dbb4285ee3097748b6b23a6c596adcee5128a979e64c0327f8ed914b

SHA512
9bb2f481254d97178edd3301a4439d561f7b5fb075dfa176114b55a21fdb0603d9a0d7c09b047a52132a93261f99d5fbb75501a0e42af97393d6e5dc7f275da3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bf4cd3b062c767ef3caa73cf7922be22

SHA1
0550bc10b070353bbce2af08393ec9a6a95d053e

SHA256
7d44e66b6504ff0a22f5e15ba29c9f8141a23b4605f27f3cb4adaf8bdc5b20be

SHA512
71e3c2ee29bca317370dc6e9e55b625ec219efc674e18ad0b6ceba8444d6d5f2bb5bb091e6bbff30a7c20a61dec9eb1dcaf94ce4ab1ba3bddd4d95fc7d113a64

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2ac65fe3cd2b1eab12d5f365ca27b3ae

SHA1
adaf2ecc74add58ee8d58682ade0f23d62511583

SHA256
cbe3742b4ec84a18cb06fcf7d3985ca18c0677dd363135c7dc092e633601267a

SHA512
547ee11e0e4491de2b03fe782190e31361ceb08bb9e07308f6d77ff6da2a7721bb8fbfbee0186faefa065e9d2fcff20d0c7c48ffd26e5661e4e57a8b5de07fa9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5fc22d8fb36b1859d68065870e10c9a4

SHA1
b5ebf5e575a338db63405f75fec969d940334c4b

SHA256
170acdf2f5340a13b52dca2f405fadc4360d0c0bd9b0d42e8819f435053c8942

SHA512
3f0f20452ddaa279ea34d70c629f0cbafa6084388b26def4798db34a6e533838a85b1ea4b88305432b7a1fabeffb1e6f0d91798bf74bdef05e16e7852a193a70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c46c0193aa398e2fe1d9646994cb6e80

SHA1
4dce08a610552a3ab90f3d4161641dd14775ae91

SHA256
7cfe8f0e9c9c5876222526b4c76245e27c71f835ab9e597cef0da49dca114cfc

SHA512
01614d8234545579c446bb7efd13e0e70813fcac5775ec8f49909663d9467467e29788f22a33f8709793d36db916e756446a93f0a98df340970e2b4f06b39bf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
15e2fb8ee0956ded4a05f8e17fefd158

SHA1
2a27bd8a3c11c0d4d3db4971a551daa9cf5a2d07

SHA256
4d1e87aa46df35bd3ac2bf6a4043b324ee46f03ebb0a03ac2e13d83faef3c334

SHA512
18112b7df8f23d856218de37e4134d40841dddd7a6274cd761d6321cd2a261392074e7648175441cdd4c39b5519af4637e2950072038ff1f683635ac1ad4b882

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
ebd4d5f954eb61a7bc39622bd5ed446b

SHA1
6a02c6a83bb6cd6f224a9ecd2af1f0fc22e6173c

SHA256
4699367548f9091f2c4bc54cc0348dfa9e6bcb2b8c30e6136f06e831197262b6

SHA512
b329c4004ae2ff79180996351a21a7e818257ee7afb8683b905b71f23090479afa2c41a0218601e27dc109085ed522a123eab0be0066348cbfe65dd7dbfec18a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
cee31fbbac009ce737138975130f9572

SHA1
9c0777c3529f254ee30e98d3710ac488005ead87

SHA256
ead4901fc9a5de9e88c25fc790698f36049fc6570a810aaa4848d037bd887bfc

SHA512
6c8e6782af8c6831b90d4165fa2ca75fdc5b025839cee49c4b325e90529e29f1779370f14b4f644320db17c7dd88b1ee51dc2c542adee43c017997f232f2e626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
588a0b0603edb40b9a5e7158cd12e55e

SHA1
f3e247c6dab067ed11aac4d5a87c0a3f9a0b5a0e

SHA256
9b2c519add84718bcf3337cd131c7c8aa60888a16dd29b2bbe7d5e69b6e95856

SHA512
b6f6813a5edd3e3a4f78242f46a5812bc7953754d81726c499efb2238a524819f41308b451f783bf9d4878b2dd37e2406d739c703858963659914aa60a98e231

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
73205780b0beab216897b2bce20d0d9d

SHA1
181e8a44993606a25f451a6d857685665c58e9ba

SHA256
6c3cd27bcd29ad6e99fbecca74177b7a5da612fc452ef8bd48b3d4720c9dcb69

SHA512
9a418a883706a7dea80a5a7ac3a3a0e99b4fabdc0c04714ee3f65a948ec6e32ccdaa3da021beeb9ce52b7dc64d5d09b9297d9a1f59b844c8c30d982a7a9413a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
74e4cf3af52f2471fc89453c21c80a9e

SHA1
df3e0fa8c080bd9131cfc265e7d52042450c8cad

SHA256
6672654e9e8cc9c432e79d33ea2d540bc1f073229528c4ed7aefc99605c669ab

SHA512
6606e6c8a5c72cc027b440326ccb52b86d0d1913f5be40ae700635fd06a8c1cbee08bc1eb2e411ce69bbb4054a742a54355f72d9bd803e409e0eb619d1186612

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5f2a2545a2553321f6e3412c06337eab

SHA1
6da7668f4050c10560a97f2d40024230903c96fd

SHA256
c9465659020ded0d0996402f854a7fdc3de40c2c7fdfc2cf06525cd0d900ed64

SHA512
21404e6d68cffcc5eed54fdfcd841f699c7e6a887f5867295f984b20aeaeb9b3f5dedf257b4a4178a7abc0b6eaf6dde00d62e0c93c2091ca3d51d637eeb7846a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6ae3df57b14b0417f92536f20387e657

SHA1
896d0fe6939cd8c6e5e8ce6eb8a7c63e594c1e55

SHA256
de8f4191077ac6a3f89b13db9a8ef02c5849df2e6da21907dd88e7e09073f3d6

SHA512
2fe113d42648cda62cacf17b4db2303d6e020e47cf16cf22c1618383d21eace335fe6a92bb3d2738bcc921f82152e0a38af34b52054fbdc8a9b890b8a8f9eab0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
0b627bf6f3a9616a130a3968c2109b68

SHA1
32ed8d2007b14ffe0b383c3fd97e479bf9526cdd

SHA256
9195efedb6264b9ae00e1c23c37aa46ca45e648333b89da8748ff938311183c0

SHA512
c5609062fb9f2b56c61a5effab56243bec156d238d5c2352a43d02403d68c308128f2a9311ee085c6f4451244baaf70031f4981a682f3f1924e8ca49e006bb03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
838fb390767afbb5475a5820e9fcca60

SHA1
94f3e0e4e2f970e8b054e45ab4ef904d0433d205

SHA256
1080d4bc6120dd81b08cf9867b11e53cee669a99bf201650f3047079e5159246

SHA512
4900c3408aef5516481f82c28a2d730df11c0b16d241a6c0923dbb88d3708ed852e3cff654dd6d8ae4cd883737494f5df311bdfeb64c454bd345fad85165e4cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
84c301916dd19d1c53eb95be993e2f2d

SHA1
f7847427322837999fcb2ebe80e6dad5d6cd1b9e

SHA256
7fd4a687ed23fdc16d9a6a6c813b7ddfd9512d47da5b31b25c9a1c4283e15c94

SHA512
947f928cfc8332ade23484cab556eb61bbc8752501d217e8dd88a583c5f09ecc71da1293f071a84cccd7723ecf5324ab9f21db328871b46fc15f8c94943044d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
5dfbfb531f985737219cafa7e8f80978

SHA1
a9808806a9b83bfa861c7f9827934261f63bea3a

SHA256
db8d350f84a16747c0649dab7b5a84c1e45e1942afdba2cff2ff82dc3dc04df2

SHA512
d1f09de1611a7a4c24289aedbe958ea24d7d02830596c64cd0ed72c4fd68f75a4c8ef47bf75533632aeedc032667b4886b94da4645bccb165dc2aa5868750a1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
e75138953bc271e941f7582388a83eb2

SHA1
31f8e72b9774d7edbcbd79c5dd3117fbc2ab8eac

SHA256
e22f4b00ab8d3e97fe2b71370d047929d1bcf31109c835ce220afa5726ba6dea

SHA512
5010a1248739d8134eaf18c0c46b03f1f92a114d14989820fd87b8fb82ab052681ee7f17060939bcb4159ebb5e7de9f41bbc4fd032d4f0719a75da23fb6d71d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
e2d660e18a4344b9791b91adb175c01b

SHA1
d86386405049c1de151d9c5d918d5de5e898ed0c

SHA256
7ced0cb65ccc1950ffc98f3da6b8f16c335c0da65e1a2eecaca5d086e9a2c04b

SHA512
b3194b5d86722a92aaea7768a21eb3113cb328af452c97f2f14fb28ffee858760bd159805953f22b0ba4ab09a40c7220547635d87e406f24e356093a67a30952

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
772ba7547d13390fb96fa5e3bb553cb1

SHA1
9a52f0203ad252f1c552e0bcb804ebb794a4e443

SHA256
0f96c25b7fb15f11704adcadfb4faa75587067bdcfa59bcecebb394544727469

SHA512
a29e4a566363823bd49a1b8e46148131e3830c2d7cfaab5e00be0bb9d19337a15a7a924221eb9301044586cefafaee2166f9e46ce4f0ec5f35f8aac20ac06eb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
e23171ec785463305f577a50d8fead1b

SHA1
a59aae380329bc9c22e99bcd692d0b8fcfa9ac9f

SHA256
e68d7aa90b7cc7d95382c93cd122e9ce7c896a9ff6e7e801cf697cacfa945132

SHA512
168a6fe234614bed1d95c3f12c853bf274f01932ae26afd57c031f48adf29a9e6b73f088de9ecc16e3901c3d56327aa7945f1050e1873d49ca147d2771117898

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
154a8b5b454c6d347c4380a7bcf4e183

SHA1
3bf6faaf24a6389635e014f62ba78b735a2387e3

SHA256
21841a6ab38eda9f7bd95b40a52c8563a0b3591fc3cd62e38f23a0768a004ee6

SHA512
b5a3a881e5a724827963af6386ab7e7f6737da6b266dfdd8bc167884394afcc1efcf2f812977355b21c142f43f2d7eaaaf6bdf4ca5b1fcefd55e45edcd3edf27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
e3f19efd3993809a65c572ba10fa4a0d

SHA1
baad89064fdca2f7a70e144ccb7c9f53f56e0df0

SHA256
ecca1c44738984808508612b7520a901e9d35078354e9a8eba0e0949f03f4095

SHA512
c2cf20ff6c2b60f8c3632214db4315f4ca7ff171d61899bd4e1b3470c5d8135885f1d283c722e95a46062a918a485ac099482af50c5d7220822d15419ba5d8cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
977e96cd70bcebac2e3881a4a66d86ca

SHA1
35190ca0bd1ebb788372f4317e3ec9c3c6ae6773

SHA256
e6f702c6dc70acb1bdd0d8fcfecf218610b011d3c1c4b61f8391590ddde99828

SHA512
186ca43dfc99474172dfd2df14ac5a66127bdf148f1a958944abda4a82852cac484c127d77b879309b8901af5e0f94522380b7649c40820167f4cfb1719e0d54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
a27fd61fc42cc15125df3a474911e140

SHA1
436a0e08f8cce68ef900584541acb23cfc0eb833

SHA256
2ea2fe8c6a68f7a9f27317e3eb327950e44cbd71166bedc940c15abb195ff06f

SHA512
de3a77a0a1d5acb88b90e37ebfda8a6de077e90ba745e90d7854fc1f34367c2920ca266d2146828d77f1b6c3a7420eb8c45fc0e9ace416bfe9927a3d41e5d2cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
2a51c1790855e85276d4456b84a34611

SHA1
1c27cbfade444226de2378a497ca4c4816ae52ec

SHA256
32aa63238e660a15f01143e5e190d29585a7096b03b2af179f1dfc6312617755

SHA512
ff008e45967a9b0253f3a80ea0aa678e934a59c6cc3f417ed85f308f2c77c0c3e7a5403413ffb20be6414fc6087922887ebf29a438689226192fcb4ea3cf0668

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
5f051f2b2a228461da8d9727c013cac0

SHA1
5666c12f36c5ea47b4e2718fcd04ad37bdccd9ea

SHA256
714ba8a0ffc427a0dfbb99b29cd6ea1c72a1f57729e6789b4fdc148319123f83

SHA512
54a29bffd580b2295e9b6f0c1c25cb228e468f02db903f3545d797daa3a035377e32cc57277e5f00dab0e05464f1dbd9c045edb87c30ee725413e36350fed7c7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5e9ff319de7dd2da8e32afcec81cfeb3

SHA1
1bf5def3f69c3aeb50eed5238adb0c998987b9f2

SHA256
13dffeb96b1a622594cc82445ece2795cc3296f55385e3447284a6c63bf3c1f8

SHA512
ebfca397d121ce57d2fabeae92861bde0c993c97bf135d48c23bfc67617c847a9c93ece395cd59ddac513ebc4201c1bb2a02acf0bd7c6beb777bf9010a2d7baf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
970e06fdff6be886362a0bdab8790b80

SHA1
0f9355e0fcbc7d0c6376991b3fde8d7eb2f24c64

SHA256
480a2b0bbd013cef35040ebfd4ba15aff24787d31d0fcd043df49cdeeed832fa

SHA512
b1f748dd0a35a062ebf592912554246c7c0c4186e4cd3eef63b56c522f92b3886498a4b4cb83663295730bbee6032df4f40761efe2b21362dfeb2074ada353ce

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2a3195b712fec319d9962e1ebea9c407

SHA1
8a4fe0566dd25b48b5a0269fb5596143c28b5fe7

SHA256
350869250dac6a929b9327e10b0c0e67e34b06e3dfcdb5685f8600f3d5fce889

SHA512
e425943bea7004af9ed4e0c90e0a612a4b67794ae3a4f1b00a1d26b763df45c123b73cf5705d79bd47a5f75845f33da90841b6bc5c2f1b6b45db61640b3d8136

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
588cea4507ae5e2630b80ff948c57d76

SHA1
930bbfb719937f78eaa1e5a145a0e84a904d9ec3

SHA256
bc1c80cd5cb4d02c9544202e33c6daac1247dba757e45d2607b3b5c5d92fc4bd

SHA512
e3cb4630aec5739fb6817f97a9461a92ee79b2112f39a16711b20468f03d894bac4f45badfc284033d82a87c4c4557ee003613d5be6f8e48275d68fe6f21c678

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
92ef676239dbbc7cb460d5efe7e408ea

SHA1
0cb4fc7a4c47e9bdbabfb4298d1d1fdcd9e30d16

SHA256
266feca7591c55b10f71a51277cb8868ee4734c2f62192fd6089f272122d5edf

SHA512
df39153a4990f29a8f498d45916af5459c3dbecccd40d6d3729c2f8eb4ecfbedbb63addd1b9afc0f489616d592c497f7c45c89234e9003e928ba473bc1de20ce

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
965a5913810d52aced02046e2341b21a

SHA1
4454a506e309b273a3c44b7a2f1364c852478d85

SHA256
fa50aec375c8e1fdb8099dde176a3867b9b985cc823531732a983f57684caea6

SHA512
70c071bf1b6825f74bf1a21d934e0d061dc4f77cf95ec241379fe3811a55cfb54790f59d1463394637eb1d7e980185f07f77e277060a6d2c885899419dbb3138

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
64e83e4a0fd9feef7f1f8591c1eea9d2

SHA1
0b7679efddee306c7c8113b73175af94fb6add10

SHA256
16dd7f93bce665e874d95a5cb8e43b9c2d4b8ff7672731923cdc1d182577d00f

SHA512
b8370891eff0d89711b5230cd0929251452bf5b7852142144a0c8ef488fbeb7c9169b4ba10aeb30a5665c308042f475d5eaab69a241e20697b7e6b8d41b21565

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
89f8caba88a916851d7a9a8fdc103480

SHA1
83db1e7ff5009ea1c9e724ea184a41808824ac31

SHA256
04780fffa72143cb684a92d4c3941e1ce78dd8088908d3b7c3f67d3866dced8b

SHA512
a6b7a958d8f354ba501ac7f31350ea4f0d71816cbafa18d81c4b547229fd41efee6e1237e3e19106587f8cb164d91ba25ebb6ec4f9db414bec60c17aa700ec79

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5463584c39046e17c46df8c464d033ac

SHA1
fa91251f5ee922d0149adba98d96cedb6a974a04

SHA256
4d0791d34d213ebf771dae337234ab3e7314bc0b9bea70531292d3d7b07d2301

SHA512
f00826627cf6a5bdc922205d7dd8eb49d87df2b12ef3019dc8ee403f96132377f5725f58e47e87fe1f047735cbf30fa1dcfecfdc039e3f8b7f94eecc7defd09e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
34d8bfb74623e11b10e137b6dd293989

SHA1
b5e730535641862f967ac0b980b832e6e0e6a525

SHA256
51e90bbd9433a1b4331e52021621eba39c55f8f38a504712916a60188cd26f70

SHA512
d45f5f16673dd8c1ce989d613ab38e665d010155314c4ade9f80c82b5952db7fc189143e6146d9fe44c3bb8247c43c1cee7e233ec9cfd15513b001111d7d631c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9a66e850dea4204cc1124187ff24a95a

SHA1
fc36fe56f16e751c17aed18de7b64a8fc962cbd7

SHA256
6f40459056e918a2b74d01fdb3a6eb1ef256f56e278dc5f665e8b383568b1b35

SHA512
391ddedf3ee1d5976623234a64dfafa94eb224759239e0e814b5c26ac97d65b257db105a123152e678145fde3df84d50f2bb91948c76d5bc699cc89f88cfd2e4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4e871f189c5b5023e695c911fc4e7063

SHA1
49bb3b63de1b4bad27c509e8817e5a7e5a53dfcf

SHA256
dbc6f4ab37abb51ff8973d17e6286066017c26a05cdbb1873a5d8120b1698998

SHA512
24de1a8ad1891585a0d829aac520bb208c39b8d3b1045164fefc018f200efc1b818953d0f00e36ddc3b82d357d8e0378e2d90bd346ebc607b8d749dd0559d8e8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a21cacc2db2117ea2005f6cec4f4da5a

SHA1
5268a5dcd4f793beb29e5ba17820370824a52447

SHA256
ac3be892232b190ca4b9e070e984bfeec91f133332031d17df7f8543b1bfe3b4

SHA512
ce2a798201e22be9e3373194263c4fee6b0c784671fd770ed4ce89d28df586c0555481e4b1c30c0e220ba092a1c68bcc26455e2bf54de7c84f5efa779ff408b4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
78c8ff59e32770fc6dd2b335f62d6463

SHA1
64558169774ac80b39b52fa4e2e97bb1142315dd

SHA256
06d806c8f9b59fa9a8a675d7381fe435b97c989b77ba004155cd05ea44f1d85e

SHA512
95306d0d3462a870b36884a64e99772ff0110ae25190d8b7d9d63bb23d6a6221601ac73e4c239c9f76ad3a98879affcce55a64ab09bd23b84d94e7b7195875d8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
40101f279baebde12baabf24df9c3262

SHA1
1f381089c4ddb42bbf1af57f740d694364d64708

SHA256
c5e2cc58773b852c061b9ddf20dc13b514b24f1856a8e68315acce92e426b341

SHA512
498f759c93adba1ea383d15b2aaa9fcbc6fb5830583daf7ffe83c5c1dd606e8a55957237cb59f5c3b66087f524595b54ad4944d7562cebc5af7d976a6ed99c03

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
54ddae61752af8ea4a1e639f4b0a4778

SHA1
3f9838961ed978312b21d43910b7061da9d79da7

SHA256
56fe7f6c93be14e39bfd96c616d338541fe099e73ea198fa7bc4a7441e5fefd7

SHA512
369371875f61612f3b76716c14b59fdafd7ccd17d5dac6129887b4deecfc645867ec543e9682426e0f49ec7d5436d0a7a01597a5ab2ec9f0dc40bf3e45e0496b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
607a2adefd82c842efea9b8e90b84531

SHA1
d3bdcb21570c5a28456f17399e07e65c09a526bc

SHA256
2a6bad151d8b65d7646d935a37a544a2236e12180fa17ecd91f23a5d249919cd

SHA512
797437ea8b957d59d7744a960f7c2636d347dc0bb6f89547fbf47e0a236398a7a5b2ca9b72be3071452f6a38ca77fc2e0c436febea468f899d709958b0a90cab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3fb706c3e7ffa26bd52edd725cae9465

SHA1
5eb7ff55722a23639adfdcc01db42abe0fb2f2b0

SHA256
68ccdab1897d9178e738f1d45bcc6304b8cdd227630b77d2fb369a6ea2640b10

SHA512
d5ecd752627ac801044215154c7bef2c92148007f876f11c971796e98af1ce5da99698a019d904128c868d6fdc699a31e1ef9ae0e177461cc201cfa6d087bcfd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c6b008a79458b2fea9a60889db996fe

SHA1
77c1029e82e193828a664a50cebe9275ca0b261f

SHA256
70a2a9917c8ce4978cd254e12f7fb76ca86f25ad47cbcc47440078595bbb3f52

SHA512
f16caf6e0311bdd0652a87069e6cbb8718447be6d34e49bbcd5fcc7da6dbff95bd1941461c1ea94f5c4bf1b4b503b831ac0da6e8a0e79f6116119cc379c5e500

Download Submit
memory/656-58-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/656-74-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/656-75-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/656-52-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/656-51-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1172-329-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1172-593-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1228-389-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1228-270-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1644-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1644-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1644-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1644-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1668-705-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1668-426-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1748-401-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1748-285-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1876-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1876-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1876-23-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1876-230-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1960-239-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1960-69-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1960-71-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1960-64-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1980-696-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1980-352-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2004-413-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2004-296-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2488-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2488-702-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2540-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2540-701-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2600-425-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2600-306-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2724-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2724-27-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2724-35-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2724-36-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2820-693-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2820-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3908-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3908-707-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4340-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4340-704-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4440-245-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4440-371-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4440-244-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4440-251-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4704-692-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4704-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4704-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4888-698-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4888-372-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4892-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4892-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4988-7-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4988-1-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4988-12-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4988-13-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/4988-0-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/5092-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-256-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/5092-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download