168092bc306041a18eafd95401600b9c094140c611f4c97f403dfdfe487eaa07

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_c0874b13744422c4ccf111ee10613ebf_ryuk.exe
Size

1.9MB
MD5

c0874b13744422c4ccf111ee10613ebf
SHA1

5d17c143be1c7c5712fecd0049bc183747e1d359
SHA256

168092bc306041a18eafd95401600b9c094140c611f4c97f403dfdfe487eaa07
SHA512

4991a3c9aaf5f7d585193d66dd9511fd6bf94fd34c54c983c638f84099a2f4424f6415ae282286773a07401cb849f04b35a3e02cbd2f0620c8186f60069e4deb
SSDEEP

24576:/78r8FfC3F32nUnCdAaKu++nOrRrC2YQcHCKbNe6zwr0ErlMq://fQF37CGaPwuJwaNe6J+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
1152	alg.exe
1072	elevation_service.exe
4696	elevation_service.exe
4068	maintenanceservice.exe
4444	OSE.EXE
2888	fxssvc.exe
1080	msdtc.exe
1552	PerceptionSimulationService.exe
1096	perfhost.exe
1128	locator.exe
3864	SensorDataService.exe
3420	snmptrap.exe
4544	spectrum.exe
4860	ssh-agent.exe
2324	TieringEngineService.exe
3516	AgentService.exe
4684	vds.exe
1932	vssvc.exe
1264	wbengine.exe
4664	WmiApSrv.exe
4912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ea13deefc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-24_c0874b13744422c4ccf111ee10613ebf_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-24_c0874b13744422c4ccf111ee10613ebf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-24_c0874b13744422c4ccf111ee10613ebf_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-24_c0874b13744422c4ccf111ee10613ebf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e64288b5d6c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c81e43b5d6c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000209539b5d6c5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc593eb5d6c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a8fb5b5d6c5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004354bab5d6c5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000598064b5d6c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f71f24b5d6c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8761eb6d6c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1072	elevation_service.exe
1072	elevation_service.exe
1072	elevation_service.exe
1072	elevation_service.exe
1072	elevation_service.exe
1072	elevation_service.exe
1072	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1944	2024-06-24_c0874b13744422c4ccf111ee10613ebf_ryuk.exe
Token: SeDebugPrivilege	1152	alg.exe
Token: SeDebugPrivilege	1152	alg.exe
Token: SeDebugPrivilege	1152	alg.exe
Token: SeTakeOwnershipPrivilege	1072	elevation_service.exe
Token: SeAuditPrivilege	2888	fxssvc.exe
Token: SeRestorePrivilege	2324	TieringEngineService.exe
Token: SeManageVolumePrivilege	2324	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3516	AgentService.exe
Token: SeBackupPrivilege	1932	vssvc.exe
Token: SeRestorePrivilege	1932	vssvc.exe
Token: SeAuditPrivilege	1932	vssvc.exe
Token: SeBackupPrivilege	1264	wbengine.exe
Token: SeRestorePrivilege	1264	wbengine.exe
Token: SeSecurityPrivilege	1264	wbengine.exe
Token: 33	4912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeDebugPrivilege	1072	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2996	4912	SearchIndexer.exe	125
PID 4912 wrote to memory of 2996	4912	SearchIndexer.exe	125
PID 4912 wrote to memory of 4616	4912	SearchIndexer.exe	126
PID 4912 wrote to memory of 4616	4912	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-24_c0874b13744422c4ccf111ee10613ebf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_c0874b13744422c4ccf111ee10613ebf_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4068

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
1⤵
PID:324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3864

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2156

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
8cfc822e3c67fd4c58f34d0e985973df

SHA1
5572a05fc78673c11af772f2357a70bf2c4a38da

SHA256
f304774f4b2cb50ecd7f6efd6daa89f2a4d10d04485716283cdcaba081b95bbc

SHA512
178c032481774045eedf1c2104c63b9ae116d7a9503e442084212cea8faa5ac70d7d4d7ca79ebf87937a26f046b57477cc5458a0bf2045bea05a529798e32004

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c857182d40aca7739d61238eefc84596

SHA1
9ac844f74d936b25894e3f0aa6b8557b8c752cdb

SHA256
269e9c83e79707561fb481449091e1ca05db5145d73abd98063f007a5ec7dbd5

SHA512
9c98d4c5ed93fb18878faf75613f6fab3e8ad4182572b8f665c17b03d7dc930ef179642fb51a0450b84a3e384a7356f91c55bc6885a7fe3eca339deaa738db01

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a12d8411bbd7ff177a174382803814ba

SHA1
d5a5c059ce9064bc9f52b747c44aadb8c0734d39

SHA256
e5249ea5247d1619e0cd16c358dff0e6f25ca4716e4bd3570ad27ee2622ada02

SHA512
e80a70b0b866c81a310d3c376d8bcdd5c7d3358154cd853f6637318981821acd5e6d1e01a48ef8ba1645353b5b84cab0271d7100832062c85927a35cb84c5aa7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e481c9a295fafcc637563a5a11d9dad3

SHA1
af9cdff5bdfb68d70fbe1300b44e8aeada0f6ba3

SHA256
3299124699ab18d92cc6ff9796fd423cfe25a18c820dcd870a4edc568e5db94b

SHA512
713da363ad3602bacd0e307a9869a7981c70cc1ef1c3a804b6d40353e3eba59f593f5c52ee2e64d534098eb185e7125f6804516e9a47ec215496e33317c2af57

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ea0b0f08714ee2496062f73a0591ef3e

SHA1
4b6812f0567f4665f25b4e75d11d6e62b0d233a1

SHA256
92ec3b781194c70c7d213383f8dca2653c574d57f09d27f4960a611f686a0025

SHA512
364bf80a02c4bf6173b056a82a6b294747fa5e8ada92bc2dba94bd0b1eefe0409c0ba53ac23f1b4f6f1b0d370719278879a95053e4caf84a129f42fc038a2a27

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
53d7fec02a87d73531a16cbe4305f7b1

SHA1
3a45d48d438dc16e419b63aeb299a559b539ecab

SHA256
f8840409205e606a4f4a7a9752298c5ec91305dafd3c7820300c7e7e64dfd0f2

SHA512
541bc0ecb4e20998176f53329bff33e5383e414277e1b1002effb490247be114e5ca104a2bad99e23884c37aa5aeef8dba4ede0bb94ea8ae7e9c093145650b1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2e8e3ccbc480cdbf8c8ee605bbeafaf1

SHA1
2c47cdf196513a10266d05c705056019d3d565d6

SHA256
af65ecc443773a2f3e484ec808c438786037e3952a51f5e039baa2ce0616faa0

SHA512
b925620226b6579bd90464b54a7789a5760383a0c6aa70c424158a30930019441a6025c08701a15736fa965b7d776cd371e298aa3737fa5f1049079967d1cbf7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b1fcd8e6b36dec122664d6f5b2153ee2

SHA1
86eb459d691d8ffe7215cd38b3823bb298c681f1

SHA256
c03af56a5690e6fce0b836b01da70f5ac6aabe588839281ffc409dd0012ca267

SHA512
fc84ab8e8e273f1ca8ea9905508a484b9967e5c40303252d86369b4cda450eba4843eb6a7ee487469198d15240404d2a34c80046c0e5d41895399a1fffad89e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
92cb7db43bcf3fa132c8a3b4cd369750

SHA1
50b3b6b4b4f3ab115eca55c91c943d800c0af510

SHA256
0465f51c0d0a8e022ad020c3ee9f68ba23eac2959667e6e31cf413e0dc99948f

SHA512
292a3cae14a82a0a030fbc92ee19ae1feb9438357d0cd5ca498de432d0a23be2d5284d2fba7df780fbbe9da418dcbc59a1ff26bc114f8b977800e0915b94d28e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5c8d92c265a99200c7c0ecd4594d1142

SHA1
d794ff5325ef9f740dab8a6843f396b1b693a41b

SHA256
7fa9acc6850a3d49fed7a42d8b1523c8c36651e2e631ce9f104c17ee73eea101

SHA512
b5fb87f6ba2e8fb5c907ea18106d97ff9c68246c8a25c8de5a4e77b2c0ab157020eb09d8e368e54c89450007c72b3d1c5b75589ad6d5c34080bd39f1f7275b6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cc6058338482ce75a5c5e812b4905a17

SHA1
f2d6312f8f97431237bddd3d216a04edf0438365

SHA256
bfd537e14262cfc433bb9c68b04462a704972dc19126c99d5a319f329ade51e4

SHA512
f041d267686cb97b145e65b823227808da5f79809df9025849124b5401401abf631e213e1141472cb9672dfc804e132545011c1fc9cddeecbea4c9865ca8049d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4a95da3f30ebb29efe6991f83c0a4971

SHA1
819b1524a43055ace461bdc02eb76fad8ef38943

SHA256
516582a99a33783864060883978de2750179da8ff2ab6e7b813111c4a8ff8e36

SHA512
41bd42c485c9075448bb9d14e113e3fa16b11abe2911a97faa1f90c4fa4e36c61cd169c4b01eb7d4b19aad4d85f5d9543685a128b851d8de1fa7371a14364eb0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f8f52746f9acc875ea5796c69b6e5e30

SHA1
1ba9f394fa31eacc66f4796cc7627ce2f78cf33d

SHA256
fc7e5ac50a87050882e0e2da21417fbbae6adb01895a1238c656bfa2e87f3e44

SHA512
202a9964e9e6a648767d4e7ed375ecf83c5b7b2ca135c2aacdbcc7f0be1bd972fb6288f3586eb0f5665c8256d94510688f68647d8c3225ef070422b1c8ad3234

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
72f79a465de5014fd1fe6113e6176d78

SHA1
a56680d883b3d73fb4a051e7807e1dcc4241c076

SHA256
e8e495c216a248d85e77577e4d48bc0fd4bf791cc9a9526bb60487a9a4136bad

SHA512
b7925cd030cc4153b51719325d6e5ec82bac7527eaf9bbd3dbc4d49b7383c6aaa8ee35db43bb16d40c239628f2422a6cccaa8f64a54731cb1914284bb21451dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
52a55b737db5251143897cd0bd6358c0

SHA1
8db00e7d3561069203b327c9e6df89be558e21b7

SHA256
ba22aba277fc3fcd0a98922ff0da2461bfd869cc9db28630125670e4a0223b08

SHA512
8ce3f0d5c0f58bc4a9da1a88bde9d2dfed90cd62c51341ea02f9b13a77566300a0c80fe609b7064b60dd5af87dbceeb04bb37f82b1b7e4c4bd8c1fba805e679d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ec4d7df25a2347d7ceb28ef007fba83f

SHA1
424e02b2b5ebb95044213a6b2188f6820202b63e

SHA256
6f26cc9a3e15e6dc0df20a1c7751a02f0b73de7559bdf7071dbbb86f13774329

SHA512
26f4bbeea6d35759fcaf00af86f4faff7bf3c0e06298902451ca71b77bb4556b5ce14af834aa8a72ceb4fc77660bed4d8c88b012c4a5752735a81dd4b9aa1332

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
790553a15e7b7e4e60dc061bf65934d8

SHA1
9338652ab781465b6de6829776663f611aea1923

SHA256
b1ecb5589db8e4470db3838acd88363cfcd0f08618856a76d542004914388e33

SHA512
81b3cb22ea6496af46e180b4f02a45b3e2c446cb72f1662134d9bf0ef3c31ac243c2f9f0335292e2c8e4bca3989eabc77bb462f68b54a6a732c994a044b72408

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cfa1525bafd8ab3e06e4b34a190eb89a

SHA1
27f3cee9649346ac4e1ef25108672507145a2819

SHA256
18b9a9c19d925c6e4628fbc911211f618f620148fe363930e98db08810a9ce20

SHA512
81a6b2aec58022ed2f2b1f2a4a02578a166dbb4da81b5899f76876bf8af43e9ba84e269eca96e210aa668be794444fa93e079d080737293a6fb35676f6f82e82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0ef963ae6980c14ebadf276540dfc405

SHA1
464af27de9d12d507e283da12e3af272ae72290a

SHA256
38b7c90c261f313be2749fadcf8f4fab02276ed99da16666c246cc67a012bcc8

SHA512
5379a90859d09acbf7743dcce80d7150aaf8859897b15e2f3886f8b46bd2557618ad77744402624b070f1b7596058d85a6fbf31d823ca0ba02c834d0b6396ea0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3c5c9cde52cf2acbcc164d11756a2b5a

SHA1
9d67cacc38ad3bbc96a467a5832a5205e1a732d7

SHA256
a36062cded4e416ce8cb3e189073ad5ff68ded2373c5ebfb46436e21f46c4546

SHA512
6c698036200ec4d9f72250ac59a79cfa2b440a9fde15b7a0238d7e5430191a347df7b01340b923873265f9c5569f921baa5a4acbde740d26c1ae0f4e73c3221d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
34c3ac483dde70148447f86b9ea0a167

SHA1
88bc6826a7647a464c08b1bc634eb9ab1d6ae4f0

SHA256
c20ebef79b197ef8769f7661161e815b332fd6f5fb928a003ea5f8cbbf2e28f6

SHA512
c66475af462c8e9b6802e72364b1a481ae96de1afb5cd0e6ed3384e05da357a918969e4c6b35c1e717cef500dbd2418d8aeb8400841b8756595b952c90cccc99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
20f23180536310053f0dc37fbf6fb284

SHA1
60597e7348076808e88272cd2a01b36823a56dbe

SHA256
99797b7344d3aa34dfe11c17fabad39cff69e9aeb91276f5237fbd9b8b8f91bf

SHA512
18220c5ad2dc714632c383e261ad324eb77faf6e2ca62644755b00b3bb5765bebe2eee827ab8cc05f915da670ace68bd1db9da7069c4e65df2bfd263e16e8760

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c95c8df4e801f5396ea5f59bfc98a27d

SHA1
3c6d6717a4cc6f56bed18ca3b8e7b663dc852ef9

SHA256
98534d062d212ecbdd85dda0f3ae63ac3646b8a4ada854b8cf274b7574f42de6

SHA512
ad8c9acde861fcf5e6022b582285cc13f3cec860013a73b193a8f12868645adf3ed6787f212fc495bd9a59dbf52833b69f34d5cb4e00f9906d6232758cb68dbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
896b48ec58584f6a390db85b0f41fb61

SHA1
a7d11c8c924567031ee31ad874225d94db796fe7

SHA256
4c8742b9c0b56b833ad630b0671c21dfe9765479b9945ceed76767c91332d981

SHA512
5bf6d411821d919950d1599947d9e671e0c66a283a123a662f25f672fa8ca9de88c9245da76303e8a7a32526ff8b70c38825d76e40e99736ded72df54f10739a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
980d3ef186f3ea1be4fba5b7eceb16e8

SHA1
e8c387b53dc44d14ffc231e6564b20cefc4424e2

SHA256
92eeef5104eb532047f9e8d8d33246fe2ce3de628361e12e503be2ff7194bbf2

SHA512
33f15e76965a842885633d0b6104323ebc1f4c6fb5e8024eb148c07a57e8a9a94fa205f3545d3195469d6bc1ebd05be4d7d4798cc50b916ec147661cd3410a58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d85d698032dfe83c7a82939c927f912b

SHA1
c19e21c136c5cf0a0dd426810725c932058251dc

SHA256
0180275f2c6f5dfb19ae580986ec95a93c6bc954e89aa4a8a57070e91587c78e

SHA512
734380cb279426c5b7378f5c0ff53500fd6c2f36b41720699cf24c083584c8fe0be62040e35d5c9d070b10ac7f83a18c3bac23654e4b910e52c0ffa6c41f281b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5fc5d1e3f026288aa6e88f5916485469

SHA1
e68b54f29a88df93b4c1d091a82e5af359ef88e9

SHA256
538cd4fa4972d1dd65cfc2722db41dbb410e3fc24ffa0a9202a4709184e0958c

SHA512
cea32ee33a234d64f0c246e36a5f888a19aa671ee63973026e9ef15cd9eb34456f3a707c7f1e2d79d12d2a52f0c8afb52093d9bebe1af304eddec7c53141d9e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
597781174189b5393011b621f56030f5

SHA1
bb28de19c8036aadfb31df965a4ff25383e24102

SHA256
c607f5da38fb0ce145844d166c018bae76bedc0492afcf4e4c2724858d55bb7d

SHA512
9c52631696961573c92e2fc2611c56a55ae494e595745e47e027b217320f9eb0cd8ca3245b33f0584e912724df410974c50060e40dcfa8817cf02dc504df674c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ebc22882bd362fd29ea53d903282356f

SHA1
f38b723b3e1192b2ad3338091b40519aae01c40e

SHA256
f2b6f1976f9e555abe669faee8810f3e9724b8313dafb4caf6076ea37fd27f28

SHA512
222e1a50b93ce0c933a7d4a981bda894823660b5062a26689c8dafcb09bf69884b27f608a09724209aa3b29f4cb7c45b0b5b67426bae8e1a7d72c22b0a713c6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
594c02067dbeb55634cc295a8e24f791

SHA1
0f948498b6590a91e6dbd0ae5a34ecc568f11ea4

SHA256
b697944b0e7917a6f508cb4534455927b810634c29079551d19b23be9d29b1f5

SHA512
7a1882b09e367daeab505aa2359bfae5e3a4bdd6a9909cd6f724cac40ddeefdf504309074cde788c16508ed6e67a36904db76a451de49979c2774c84fc3a360b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
befd998461acb364561a66a1439a1b75

SHA1
21dc0f7a8fedcd39cceae123981c81af5f116d13

SHA256
68ca8bc4b1c6f03675a6683795c1c993093f6cff0c25c1bb7f263da77f3917e2

SHA512
29d2f1f968bacbdad16090b6014fcd00e59a3f69f88b4d79dfce5dfba7512fb94da92d85e54b20fc84160b5b94afaf03466b684c870d153c8543db911d719ab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
1e65a5e87b2766ea3fbfad13253bec97

SHA1
1c4c3d243bcab766677013592308ca95bad5893e

SHA256
acf66a4eda2e58715945b1b72b704388152d0cb4b9f3830541eaf65c2bfe6869

SHA512
d41fd46c22772dee69122963461fbfd2cd2c067b39a713ae6c50970a05b8a91ce12636bd8f3a637140037fb4a39180abca0289e4c2bedab721661e059a3dccde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0e68a4be7d31a548442549003fe086cc

SHA1
6b7141fd14f635845d386abd1995808196417b72

SHA256
83899da7818563baf6260011192b586113a7df9f11d08034d8efcb269f7493f7

SHA512
a5b32ec39868587145ca98b33f21fb298a829ff7c282436e20ce843c5720611ce18298d01631f53cf6418a246eda0abb31aaac76fd7b1a786a3d77996d4efd24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f048590a44d1c0d6759d998b1bce58ee

SHA1
58e4d47f534d1a773287d3b5b725b25d6e613eeb

SHA256
83142222daa0a85c677e8d6d6850228feb8b909d5a5b278c837c82ff8121b67c

SHA512
4c975ebc49aae973e5e3f6136052e58114fd0ff38779ce50843269778760a344801db529fc0ce1c54d396974cb3e7e16ebb8e174bac0a76f0215383a1e7c95bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
08af853ed1c0916911fb80481b47dd16

SHA1
aa0854f978e5022b01c3704703a2d82c9a078d66

SHA256
8625720d8f14fd8565954241ebc63224e263fe2b4679cc0be96ace5a844ee318

SHA512
43a877704548847c764507abf5a04a4fc05dea7cddb52ee20e8a704c81deaec5dc4fbe4f5db9bcb1867ab96c7ad946784817bac7b84708bf2886dbcd23cd75a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f5a6cc846b82fe187c67df95424c45f4

SHA1
69bf1c48a8071e5ed664885b33bcf3330ab781ca

SHA256
3e4f63a42be13cf1cb7295c2180d6f947e197dbace28cab6019608ca9a231e81

SHA512
433e5d8770948bad455d9e5c6b6ded483b004ad89679bd77eea677217e73beb083c757405af86b9ec9eb6a29ff7e672bc18c8e7d7921f41328596404fc6c8294

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f1e44ce98c4c45287af20c823cec34e8

SHA1
89c74dc600b03bcc358ba88f5b65c125ebc2ea19

SHA256
6ca973519779a6b5ebd382d6c6e5ece92d7da236210e1e2f84eb22c400d59afd

SHA512
0676ec57096c7a4609beea60cc2356228128579ff16ce14d8591c6d2d0a902c7f00cb8f317713353c9fd76bef601bdfed5064982b93a84c4715afb6a1ca69894

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
5bfe32ae8d30a06942c7c27e4c033ee6

SHA1
9c8aed453d66fcfffd16cff40f25445521198a72

SHA256
8f8449026f2bbf8b76860267e986868ec8725e4ad0bd72576bfba870a2f9c10c

SHA512
305dfbb0d60b72049505bc52bec5f47d5addc50140574e1188e383d1dc5ef04866ffa296b87effeff565e7f8ea74036dbe32cf13b68b47dce0ac4149a10d8526

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
88907f60a73cb38344331d9bbbeed6b1

SHA1
5c6e256245131eb5760222c9deb1b06efd13a039

SHA256
2ee4c20f919547a42bb35311f23aebef2ae39e3a116d8fa3d1ff1f29d1285316

SHA512
7b7abfdf20c955ad8edf59303b6cbd46e42c2e5e1b0bfef7e97588153450b0371cf0d493277592bb37576a43919bfb70963644477dad0161c32bcacd9c42227c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
7899c0e9f701fc2cd25137d306329763

SHA1
493eb6e1ad952db6ebe62160ca74941d282ed869

SHA256
6f60e7165ba96073b7ab711f46c13657105505c2b52e3eb631f3a5a13b694554

SHA512
84028637e07c555f04052b1c4d52b7a51e456207fc208657eb60ec82160c9e38ba37a273246cb60d31584b4cab11741ca5bb687df137a8cbc291907563833dfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
090fc6bd4df60117c9f6d6ef3043919c

SHA1
14cbfba7a3ec4465c42524a3e4a2bbf31b4bcdd7

SHA256
60234379c88de70a6a98f405081e1a89f5920d0f5a40f39db292ceb25faae6b3

SHA512
2e4df8fb4dd6f0b46cc2a52029522c316855d82a1717c0dc802c559915aa21ef8be077f5cab37fabe288226ff83a40c4ef463a0f3b5eecc4683f69cdfb7b4d39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
0fc70e0d26f76a509887ca97c46dec17

SHA1
28254a9b54f721b76bfdca82851c5b8e3e41f630

SHA256
56f736acf1368bed103196d450ab35568316c5fe4d33bae74b04f5d2daddcf8c

SHA512
4735d252b772caebea1174d767ae7a1143a7ad5a4ff7e7814e867fe808d0588185787caa1631405c54ef86a85b82d1291c13a8d7ae45b19727d18ff618f1f2c9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
600efd799932f066269058de250050cc

SHA1
69fbfec53973054456a8d638d2e728ec61271ce9

SHA256
0bd7de9d07406be00f4f01f1d706f096dc5b659d7e0f573e650cfeca62940593

SHA512
5552430c48b37726a6e97036ce6dc0489acc494708b51c57f89c9b17080c9d618e57b7d7bc20ce241d3c81db34bd3dd61bb6576d600995296f752a757a34c0b7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a3dbd1e89d832a6f36a1e8a31633fbe0

SHA1
84febeee70476b9d46f817f4dd4232ae466d01d0

SHA256
7fe98c30f0c8933e4c779fd9ce52574c649716ecb629f857c57bc1b46da80430

SHA512
87a8c8ac63cbe243f155e0c31549deba2781bbd9e05747bc5b2215f63b142d15587641397a3bee232b6d4d2bed4d6cf3f369d0f164ab597b293df67df72baf88

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a8d29426929ee2e9de7badecae512a20

SHA1
d6809084f63f4306b87461206a65532059f4392d

SHA256
efc0a7cdc26a3d966d02fe23a2cf6528261117f4fa8668859779a090490d94bc

SHA512
8cea2f57dc0dd7c3a35770ec165c5ccff580332fc03aa2419c006410f1dd62788699d9617c4e9da50ab93ee077435e1705458bd5de63bd006da48ce6c9d72836

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
98f64ed52aa1f47d62bafd9d9415d251

SHA1
b59448af5e60aeee719749def861433ee8aba29d

SHA256
251cbbf127c4b035c49906d47c6b56a5e60880b5db2d5bc355936e4772ccaeff

SHA512
406592159d21309eac00027f45c01ff2b1e4a45fa2d64798a6a3a72df1e91016a34a3eb6fff7229e328c2606d523669f3b4c12e05c9312a0ffab004f5928b340

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b00e4775246805a9ac48bd411aba787a

SHA1
56209ed253afcdd722e412c64e64bc624a282fce

SHA256
c440fe1f2fbbcead6c53340d768be8c44f14ac4d59898190dd353a47f5c6fb41

SHA512
b483fcbb5852a4755132347392e9a30fc12a05fa5a7b9f880f9e521eebc4c4211c4daf3041c5eee3ea0ffbb98fb9e79323147f368035e9261c99e38efef2e2c5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
076168fae4d9dd3fa1312911cfc48943

SHA1
ab20f9772404e90a63e0d8510e1d3a04e7740b52

SHA256
4dd07bb6f8ffc62ce8fc011f68dc0e2ab5dbfcbe3f7d017a1364b02567cad4b9

SHA512
d8bfc9a30b98312dd2af83d0d178c11e4b3bf517fbd8449c9941baf9497d9d21ea7329f46674414d2863144b1b28e73925eba9deb300af8896b069e608c0fef4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
c38aaf4c8410abf30e93ecd7efe97a61

SHA1
1db7caae7a71f73c552299c551b517b1f4d38042

SHA256
8bda8e0f8b68349cf36811fdff117be5ada1d410614f7bce00ec7c454bfca0f6

SHA512
5eb23d19d5fb62c33344acdce4c2704e136c72eebe45cb01c1ecf6a26c28976084913ba49320074ba3858f377781c413a9d6cb2143fee8c7a14273e1af9c47ba

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
69c9d56d86b7900660858197f8aa09c6

SHA1
08499a118d34c4b9f1e79f75ff860f1de0d159d5

SHA256
b63188bc9e639e13aebec7391c79564a033af1815d9bef28096d729f8ac99804

SHA512
a8be4face8ae9d0fda9f033fb5e10b04cc2415123b754be6145e56914009d83d6ee150196c4fbcf2141a48fe463e3bbdff0442f1c5c778d4c6fa91443c896298

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d3ff87affb10d8b64846bbe23df9dc61

SHA1
a2c4defa8a37123eda78bb3006875375066d77a3

SHA256
57d46cfa0391c61a32c54528f5d2183277be807c42195f59596d8292f0ac32c6

SHA512
7b5ff8483c14f31750a4c3ee61001724e079b90b49324d84c02b0a045060f16249a1f7d7b826fc4e7f0642fa9ecaa5b7e6a18c6ae365e21078369aeec6c47688

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d817c252e8f27b23a7d1f1c6c1b6346b

SHA1
a91cc2d4a5d7f26cb987f4a42fcd2fe1f3709d1e

SHA256
c574e1f90f8922afab75a9504dfa70e2c3298e6dd9553bda9d7cde578318dad0

SHA512
dca4384c8b5135a956f1eae845025ac510f44854a38526c05b872abbdcc19ad97c3ae3f14ade972e5bbc02d5856e7c6698ef23685b455dc44a3f19206a85e2ab

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
040f1bf1e0b6d18ca698affc8df40de6

SHA1
3d90e204acf6ebb05e2edf79c2fc60890ffa3eef

SHA256
acc0c01f33d8369923f114473692ef75ef73d585539081262ac40ead4c02e501

SHA512
c2ec6b1561d930b070f414694515a7d3fea6e493d0130e78fcee6056d311607b531763b83e7dd6e9ac27f0330afdad911e067e7a35a75beab6706a264e67cd2a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
51fea220dd01c4edc3c1beccf4210f8f

SHA1
27e2da152faad771cda17a7189e799343a310633

SHA256
fe00156c71e787baae78d4a7daf6de46e165062c1ba7766162a12f33de4dd146

SHA512
415860947d5d65cb3c67b87a88d51ac5eb5ede4386f3d5f23682c4217d3399e77495ec0f31fba35a114fa893d2b6bfcf33a1e32f17be8b9de11ebf99cfdba2bd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8a2e88181a244df6ec3054dad8e280c5

SHA1
f3e448fc6f01be74f130bcaf9173e71d071e7e6e

SHA256
e9686daee3cea55a94d7f396f288341755e310f3ff332277c9f46b666f0a5e88

SHA512
8088bf1b5acabfc4176739b8c661288aec5839f73aa5a6b09b0f36c5e3ec339d94823f4a3fa6ad96adf1f8c6ae4cb7c2350c467d51321f46c9f54597a27f70f9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a9cd9967d2e21d3b19cb2b34c62db62a

SHA1
bc3c2de4afa74e519a7f45ca7a7a173595601f14

SHA256
f979ee708f69b0fd6823203e6e4b6e8932870129851b87f174cff5fe1bdae32d

SHA512
ad1fa41d29da436bbf85c367b45612f9241962653d38ed8512fbab77feaddf86c0c10b0d5cedbee69ccd29a5ff11c104e94d660d450bc847bac9d80b45213bc5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4d64d199c7b4b4718cca6a329ccb27fc

SHA1
4d41666d75ce835f6cbe70d7cd0e64b6123698f7

SHA256
04819a20a6d177578ec1fcee1ae6cefab800598333e5cc71b1cb7c018d7aaf1e

SHA512
c57b296cdefd55bfc3936b1fd38aacb26af9fa2ff5661b424fef1f2acc88b3a821291c2323a31ef235399270f22485d05d5130eb2e180929dd1c0250d18d649d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
02a2aad714d0120b98241df447ab239f

SHA1
e518278b030e6e2f33caef73cf767858ec19f4a6

SHA256
2a7e32f858f6536dba8548df9fe64448e366e1b25cc0732abda728da7c13358e

SHA512
0843c0f98919df484c27fea52df1a8d227c92b5aed0a591c9565bab79cef9fb4c53afb506ebb955c8c484f6711bf65b224b4286b770813c813d453f8d5c360b7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1e4ecf52cb4ef4279e74628fd5afa97c

SHA1
c8534b278e1bb0839e920c0089e0ca3a4222253b

SHA256
cc7da77a9114fab7302420f13da36489c0675e2b538a962b68b36e84a5843116

SHA512
0ab10c7a6cbcf98ab0bc483f49e5149c99e75b408a854f6be72b2d06b199ad0869d3b3bd34a0b33d84d6b9efb03890c9eb0e130dcf0056d9de1247508f1901b2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5211b2c9f7d3d95b65ca4eddbdc4fcda

SHA1
a2a145c02c353612d9769833ede73d33d2a3c293

SHA256
61fe78579166eab4f01543827fe4ca3fd466bc9d0195ca535d6c977f4aceef71

SHA512
0710a9e7c7f15fccb5c620e8cde2798edd8c3f442e04b402b749e1c4c89a587f9efb9a7d77f16ac187a80ae956c614f37c8bcd5118266d1d57d949c2e901583c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e217aa60d388b6e60c50dc15800fb198

SHA1
236af0745444eb069b4459cd20b11a3b650760c1

SHA256
148ce05838085ee3da80d65ea9e996513d7f6798fba0445131d829dd537f7c85

SHA512
ae88a1437d8baedb23d0eaa796b16d1527ab8d99cadbfb168f45a51506f0a4ecbccc1de4d810bd2ae69ae863555d489f3ce5d38795bcb8211aa9ca7cb993479d

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
61a37286061e36471ddb4ee7a5b974bf

SHA1
fbd1f156ac6881f8fd15e0fc95f2c7ae52c2c3c0

SHA256
d7517cc4650cf0061dea967175b3df4232ecdba5fe4d8550cc6c75e3fd9bae0c

SHA512
1cfaa44b02bd43c90e5dd4a4ca0fae14d40b2a0c22b2728078770dd832df40590461834001d6ecae90367dafab82df60fa17412ee44095b0c99c338d1adc6e0d

Download Submit
memory/1072-32-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1072-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1072-41-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1072-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1080-266-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1080-256-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1096-400-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1096-285-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1128-412-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1128-295-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1152-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1152-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1152-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1152-236-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1264-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1264-636-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1552-388-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1552-274-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1932-391-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1932-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1944-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1944-8-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/1944-9-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1944-29-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/2324-352-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2324-630-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2888-251-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2888-244-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2888-245-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2888-280-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3420-544-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3420-326-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3516-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3516-363-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3864-306-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3864-627-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3864-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4068-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4068-54-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4068-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4068-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4444-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4444-65-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4444-71-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4544-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4544-628-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4664-638-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4664-421-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4684-377-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4684-634-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4696-240-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4696-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4696-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4696-75-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4860-629-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4860-340-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4912-434-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4912-640-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download