614f4407de42e9983827b5051838a270664b078afec3ff92d7514a2da1c11f97

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe
Size

1.9MB
MD5

0ba9c74a5e01ff231b623553dd9c5c78
SHA1

3feb6fe8efc7df7666a3a6b510d5e146768d2a62
SHA256

614f4407de42e9983827b5051838a270664b078afec3ff92d7514a2da1c11f97
SHA512

8028fa616abe3cc1e9393afa5b6b8bc552fe0510825ccf2a85db793cfcab25f4b04f2ba53560ef340b734c95ba2fc5af153b70739cd8b561ea5b7d873df9080b
SSDEEP

49152:26cZGizWCaFb4gDUYmvFur31yAipQCtXxc0H:4G5CaFbRU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
8	alg.exe
4012	elevation_service.exe
3776	elevation_service.exe
4860	maintenanceservice.exe
4896	OSE.EXE
1908	DiagnosticsHub.StandardCollector.Service.exe
4864	fxssvc.exe
3132	msdtc.exe
2136	PerceptionSimulationService.exe
2748	perfhost.exe
5068	locator.exe
1600	SensorDataService.exe
4632	snmptrap.exe
1660	spectrum.exe
1924	ssh-agent.exe
3192	TieringEngineService.exe
3328	AgentService.exe
1544	vds.exe
1416	vssvc.exe
5084	wbengine.exe
1464	WmiApSrv.exe
4588	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8790268f293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e3e1a0e37c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065b22f0e37c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003be4030f37c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e44b8a0e37c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db6aa50d37c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4012	elevation_service.exe
4012	elevation_service.exe
4012	elevation_service.exe
4012	elevation_service.exe
4012	elevation_service.exe
4012	elevation_service.exe
4012	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5060	2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeTakeOwnershipPrivilege	4012	elevation_service.exe
Token: SeAuditPrivilege	4864	fxssvc.exe
Token: SeRestorePrivilege	3192	TieringEngineService.exe
Token: SeManageVolumePrivilege	3192	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3328	AgentService.exe
Token: SeBackupPrivilege	1416	vssvc.exe
Token: SeRestorePrivilege	1416	vssvc.exe
Token: SeAuditPrivilege	1416	vssvc.exe
Token: SeBackupPrivilege	5084	wbengine.exe
Token: SeRestorePrivilege	5084	wbengine.exe
Token: SeSecurityPrivilege	5084	wbengine.exe
Token: 33	4588	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeDebugPrivilege	4012	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4260	4588	SearchIndexer.exe	114
PID 4588 wrote to memory of 4260	4588	SearchIndexer.exe	114
PID 4588 wrote to memory of 3316	4588	SearchIndexer.exe	115
PID 4588 wrote to memory of 3316	4588	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3708

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3132

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1660

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4492

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4260
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f14061a3ad58d3e07dfdc739dff4f55d

SHA1
d850f167ee117f93b78026e56c57f5941568a33b

SHA256
5959cdeff55f8ead07b11308120d19ea9ab70b6b5c794101b58ed2eaa810e504

SHA512
d889df01a0011aa9914926d6cd1fdbb383d5de4bd10abe7795aea9255cbc6fbad12a6fa82bd32c8edcccab594a5d1debee66f1b5f9bb783b43fcec396d12162a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c03eaa1fdc59bd150cbe588466085c5d

SHA1
9e31d2ed665b3b702a2f1e83892776f90a3bf0ee

SHA256
0b633aab97a01883feabb29cde09b45336221fd31751a9b400c441fadc3f0e2e

SHA512
72b4a85af2486234127bf912f0d259ba2d1c51a536d387c9b99111ad815885bee918a6a7fa21325bfd471e677cca61ab79c2fc3f2ba3ede6a7bf26f35cfe2f1c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
185dc6fb4c99494e1128453ba2e05d39

SHA1
81a93743e7bbd33f30bbf092968594be40daa31c

SHA256
711e4197a09737747d4dc8b7c8c3029f19fa248b9c4e0e234d6b4b2e16adbe04

SHA512
6f05d164885967c3fc1a51cf5683007736db4a394dd52c75e18adafd336f2b8004018960c1addba6d1b7839416f53748141abdd2e0d0852a8df3e473289d016e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4c6dfd72b405efe630fc1981506910e2

SHA1
2a574640dfc4b3fd91403f9988666fb00255b032

SHA256
f6a3570edfdf66adab68f17205a6491ec52f1b6ea8f37865788b7849f409fcd8

SHA512
da87db0dfc9ba0de458539b95fe2670dc5e7eb0d7aa8936938ae2837472d1fa45140405512e4c792deb2506477321d88128740040ef6c5aaefd2e7bd5c4b3244

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ac4e82970c4f40fd649c6f262b62f251

SHA1
ad66a71d447e0f76fc400a6b149eb236e213941c

SHA256
59d161ede5a573da442f9d2713e56c3654032c9ea0939aec722d8b395c7850d4

SHA512
3341cf3462c4ade908a4d98b4c51d0846455bdb31c8b17c6cec05c53cb8d723ac607042a9c2c404ccb08b1b04f8786577b7b891dae02f99729be11aaa8abc106

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
04cf7336f3c666aeff6d63a59ffd4340

SHA1
1a87068e978b34182a4dc93e71491ce17a3d6c1b

SHA256
f84ee8088be8d407a320de72b05367a4aedfd2fc3b52046ce8daa16f413bf65c

SHA512
4bcb4781832fcf3bbfdb34c9fd97524556e3565c2b3aa068b0e903fcf56e35ac57b08bcc1fff10f90c802f94d2426e5336569b29ed4faae92515c4930e279efc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7e566e70292b04c8ce1746cecffb3c3a

SHA1
c6676745b051b9556d236d76dde1c473d51801f8

SHA256
beb4f96116f878f543e888a8df243a12a90b7d89cba455d76088ee8d22444b28

SHA512
cc02cb7685e6ed61fab88c18610ab3350df3c938a92a1b7990b0518079925bb6e39e849d6c0ec90a31a2f071c24782c866ffdcf654b03f4197259d6236728d0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c84db0cf2784dad0cd710a64ed2a8c88

SHA1
afc0471d29ddfe8c8c9073d36cb8d45303d12428

SHA256
ef194618cd73cc53678cb977326d0292fcd91770e4e716433153c71cf8ef2f02

SHA512
4c5af7384b28020e38f191cc85811d64b198fca7a4605bb16584cf180f57a63e2a11c664807a2aacbd3b9465e3d2ff957bdff2feaef3c74578991d89c39c0318

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
1b67b9c6972964d10662471f99522c69

SHA1
6ffd3e0a3b83420f3b3f0938333aaf65df6d29fa

SHA256
87078f9cf4bca83354cc0ce16687b4504e53dc598db5675ccc09cef34b27eb74

SHA512
4945d0dd3f670ea930a66dc5fc1339130912c4176f8f96edd180aa5c0b6b9f6c03dbea491dc3ebefc34b91c1c25164109a940ee6ba68d3248dfb15327e8d5c8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
153ac9c0b02ec644acd4b91c5ae26314

SHA1
7f9c2445b9d7c3fe69686912c7f1a0805abdfb16

SHA256
6ccc65adb45a2a8f0cee9dfaabb1dc0a973291201c05bcb0e32f585316912a75

SHA512
f680e558577aa0ff3c82e632892a8877d47f0ef145b87b6c23c5696c027331a97f1b1fee9b353603c7aa2e95abeb2b4db4e11407559d7b4220995ff911869b24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7d17dffd038e8c54d6a0dded0db91d1f

SHA1
8abfdbdf435669992b37a865b38dbb8b6c5f7474

SHA256
624e22c5a5094c619221136e2dbac83d6085f033b5253f041650c1e65d79f34e

SHA512
290f206d7a465603f5e3b62210423e8ac20f8779e7d746a21214f4e2cc38c5ecaa3f37670d08585d05fd2a9af46b84c86feb4f6e6e267ca8511534937bb0d15f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
db197c7370b914cc4e9e481b9f35a1e6

SHA1
4c5d32039dd7ebe912a270429fbe2f04f02ffb02

SHA256
6067e17371177a8f52f20117d6b564c5b276d04e435e4c210d9e001d6a0c5bf9

SHA512
f163bb1b61e92ec003f669903da2dd6cb7cf478de27d81e6b0b7a4bddc963f91f0ef8cb79b8f1ecfadf956958879de28f628dbc90b18f361ce019aa66cce6cf3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
96af64154d84739d2502ba0b07ef4d3e

SHA1
5a56e3d12aaa5fbc32c8bb122d918303b6c33c54

SHA256
3be1d2b07242771ceeddb50e8faf18dc5c7228ec68868be66821f93eafb358e4

SHA512
260b20334bad101f8589acfc602db79229eb99fcb7d9d1818e067cb2834c714e94a53538340beadaad30075f0784e87cfdd268062f841c1af852ded70ec5db12

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
99e63b424275863962a21a86fce14eae

SHA1
d63d358981fd85bc69c2d4a00bb3750c8dc350ba

SHA256
79932653d714f4616e1cf67884ebcf8efd2cadee2e7b83d8abe8ea5aa027f4ae

SHA512
4f059cd4f64788b047a0e5cddb4084f8215bfaf548e6ecb222a0a3169c0393393095070504829385744b51c7088563e1ed11750456882f4ad400819387bf0bcb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6e6326e9fa7dd34292222dea0510b0f6

SHA1
fb6c3f65949f3701475912da7c5d66550dc4a409

SHA256
fbdbe8a688796df72358b6804ea94f4735bf65451e4f080bd0af5f4b35eb8390

SHA512
cfa0fd09ac21c76d6557b45a874d57a6896774af2e52f3182d89be46c8e66e7eba0742057a03fa1f3fc50eb37b5a0651f56a79e4313b8d930131fa5817e84fd3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1c6b156741a1bde4f75f64e40153d172

SHA1
63a4fe24dee26376a6f0c159e95233d1342d851c

SHA256
6b6ca4ec956c7fc8cadbfeeeac551568393491923b452dec24ad391d500ffd01

SHA512
e49a689c71e1305109aaa8f1ba66958c1f0dd1883381812a8ec5b55f3e410d735a4a92626a7260ebf1bad9d1fbc96c4f593911c9c01174de67ae212c293afc90

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4c94245318a2ca18d6ba234f91b2da3e

SHA1
8f024ea77a4887aa5cebfd741e4c0a3c374a6cb1

SHA256
cc7c85deba903930150b62c34f63a2772a4555ecd65aae18dc6304ba09604f1e

SHA512
10e0eef93b68249fc928ce3fca94e7dec8673aa9fab0b61cd780e467f42a9b5d2c0e8450e9a45c552053b9057c80e039d0e6a9f1c0194fefa1de95bdb381f9ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1319bc4589b0ead83849cdf0100de575

SHA1
7a798ad8ed61b644ad7d676df3c8c37347153dee

SHA256
237447e4bd855f79691107d3a3c890d5123688171b4eec93f1d23eb03048e572

SHA512
7acb2ebf8ced2edcb2df95e793ee1f74530d349160ee2a138c5b177722b61cb52e2c5ca3a403e103aae994af3894d953a4c16042be8e3f43c9c74029ff76e242

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
23d43870ea34dab46c96017c56704579

SHA1
d0adb0305cbc6d3e1106736fc2faaa0511c7236c

SHA256
f85ecf7bcf0c0ca325f40d64a8d8dea85d78cd9bda1a70f39a7e1c35309a3ca2

SHA512
63799d8430d53c1272392f089979eac829bb9904eb22a55777ad81332bc946cb2a64eee3bb533b1e6cae527421a2a483250e0dc7040f41d574e9af6444c50cf7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1d2a88e49023f914e684bd7bb41d9d61

SHA1
5bcfa77e7b459ddd76f8df9aa85bb7f93de6ebb6

SHA256
74e188b98caeb9a87c1a4e0cd2b1cd7bedb14704b76bcfca19ae1db5ab3ab08f

SHA512
a0ec596d4082b1495911777db42bc272310bddffa8e0a1d0fb1657356c527240aab95e8fd0351024129ec6fc9cad877a9e04b935d481689d178b95f5982d9819

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
e814f4b4aaa9a51d2c67c9c40540fe09

SHA1
cc8a32055e8b5282a7f984130c78ac4fcc9c43dd

SHA256
5fa6ea33b8f750f194cc55f51b66c79e4d403eb7b0ed3e72b3ecb3b438af44bf

SHA512
4edbbeb657f99b0019331fc9a3ab06240df37c061a079bde5ef5785f2fa6f6a7c0c593d4ae29059b4b1e777406e7a36a019f0e967dd5f3ee304d6d88b914c4f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
4e8db6091f5dabd91617b55d7365185d

SHA1
890c9c5b7036be1ef181c696feaa6163d154447a

SHA256
794692ece0a007ea8081d033e0fa33764aa1838b2065ee63b29603d442947710

SHA512
352606fb62b54b04a14a801df928550290c77059f51423087259424df9803db37484d2ce461f83820ce3e4ed6b6ecbddb717bbf621a9840fdc574692b69eeac6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b17ca698ccda5f3631715c6b80566bc1

SHA1
57d652d3f33acc565e8b716df4833571029609bc

SHA256
00272f79757f5a19345f85319fe6b26157f26eb637d3bf376b2195754fc8409a

SHA512
311766751956a4e4a6d45fba8d6be58ae37f4c98fb28a0f076f4546bb41c0c76e66bd915fbcc413b4ebe57a902144a82474ff2f16e3cc3e28b34a80bceeccd79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
131fd17e4dc3cade4ae109cf9b501f2e

SHA1
90dac96638c5df92c65d3648603d4e3b1a33979a

SHA256
79e21ca500de720d85aadc5667ee4cdc3ed86bff6dd6e523fee64cdd24853109

SHA512
16618bf56f24336631a7cecfaa76e9be8089745a5203e230bcacd3ec2d5860b8ace206f197a2862d26c90be0c0902a6d8bdba2b760f6fb6a88b050394d42e4d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
c116133aac8d4eb4b1883c50cb6e7f1a

SHA1
fd6ad5ed6142d91d247d2f5c62b877576e558443

SHA256
7804e54cc440e4b67d97bb83dabf6f858f6da8220571b5ce04caa9992e932f29

SHA512
027c9fcbd642f9d4136cc9a5cf117f912a3f35c0409a8eeaa661360ebb714e5c6197199625b8fe99db5d5121f047907366ff94222f3f864bf5c3114538a2d133

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
c306c16382a1cc04f5d19a8e042c742c

SHA1
d53ac59f5e86a81aa258f4cf199031107b1a0cea

SHA256
2b33c04f5d7c58d0180e23c34d6f325fb2ac84bac7ac65b45806ab10ad253f93

SHA512
934a38c7496e2b3e2e3222e2a261eb556e3156a7ba310cb6fe30b1e88fe46d7f7d7bae5adc94c3b35c3bd6b4408626afccd2d86779b9c66e56107ee3f9413f9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
ef229c50f93e3c8b1991095139bcbc30

SHA1
8614676717a77fce25fd4419cf9c592f7f51839a

SHA256
cd3af21fa57b99a69b9b4e556eda4b9c245ca0d03cb8e14ed1a32541ef573bb5

SHA512
89275403cd0d298337df6d8e47ed6303b9b24c47c94ebb31608cad0c4449fd5d36fbe0a8781dc104ad4f7804de675343af09f3e2d0d937ee25afc4a6ad50aa53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0b13c1955ea31287c49e1d316151685e

SHA1
77a21ba878fe86cf28f4bf0bae5df776a96fc663

SHA256
e709e395cce2e69302348fa7ac1c9b3d86587bb8e188db423adbabf6bad28b96

SHA512
550cd2fce4af2a79ebec791265e6dde4b931d117461c23570c97d32d8d70dfbdd71ce325ed6298c565d96cbe291315c1d75caafb9f349f1c95bfb6fe04ec422a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
5b4d1fbad6770b9dfca5a8fd60404bd2

SHA1
2082b467d1648336eeac9700d30c94464a500b36

SHA256
8c9b607ea22379e2997baf8530675bbdfafe8355d7c02986895a2018ac95577d

SHA512
7a78174a27093aede130125551a9d07994e8a6b9c4f5cbec0f95ebd97f15ff6e16bffada001c04bffaf33b5675060e65bf09ada7c29019bfb4291d4877a3d8a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
28f12265bd6acad3ca013c35ee01c963

SHA1
f7431e6371aeb10c1ed4316b8a67a8aff50fb96e

SHA256
4876c426b0040a94b8406d28a45ddf84222491490d0bf1e445ae7180b838ae6a

SHA512
5c288f835290f0c82a8e75c29614212b408a82d650350237fa50a53e9e8d7da1138c0ab099ebd43f310393a98cae2dc08e3080511e05a0b9f34bb2f1d986f445

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
131028a4854f8d024814c5f2180abdf5

SHA1
cc29b0c26e640b45e9cb95d693dd17b0bc88e471

SHA256
1cda4038f14940974b99fcc3b83f1303ad821796eb7ef0ad27d69bf8eb3252fd

SHA512
8edc48f1e1bf27d029a09d445a1b2d826b469b09b48d4e96d9ad1f55a10627ded32d8a6cb706c28791ff62d10737b1079c2cab15742239d18437096a50a24961

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
5e915f454b976177af4223361fe5a944

SHA1
96e6417f4a3be189dbac6d380ab735ee9ea64096

SHA256
d12f074e61e5884334d48abab0f7f5cf9e024095628bc9310f79282004f76ddc

SHA512
59837464e6aeb92a97e9d93b30083d06e0c1c98a0672bb3a3890c2b5405f4758270bcf1308a128d09e172c4db8c636e6b1e33fd7ad8d9768955a04bdb1e0c8f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
0478c5c8509aff896c087936abaa4bee

SHA1
a236174e26d00098896b87544709dc3a2d14846d

SHA256
cc5192ba3836c9500fb180801c08d4af4a5e156639ec10dcad0e46f4dd4bf7f9

SHA512
88fb7339c4929b475acc3b0e1b9301788f032e9d03ec99778f2729700418e863257961b51e60126c8ba2b61cf4d9ef585c26f2c43877cf28e23b03cc98e8d1e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
2ca0b898878659381a9c349df399ba1d

SHA1
033e12b15b24bd38e0b667cffa689756d82f30b1

SHA256
7a6beeaecab092e5f8d31ba32f54b8700f26791868cf72a969c9a519e5ae8a25

SHA512
4a7f94b0b6f7a587780cd7aa62b1060fedbc9309c48d20bf79430d936f9d9fd636adac55138952e71003811b9959ce48860858f3e37b4ebace338b9ae0cbd889

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
5b0ad15d209ba0e15e2771a25dc37cc9

SHA1
7007335f1d798a70038c3060ff463166eb9d3fd7

SHA256
1e2bcc1a85932a89457badb88bf778a048f20f57840c6936fef5f854d893f01c

SHA512
7137dc16bb4be0df7b50a9b5f5e0648adacd01dc0b86b910b107672836fb1f202ef4443ad7cf86187794583f7fb3befd5f849b0a6ce00eeac18c65aec5c7cfff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
5e637edfd655dd882a704fbd51b4cd97

SHA1
34367addd5386860fe60ab838dc153982df8aa0f

SHA256
03e46100cb2e53bd120e5c2474b2a253b0ecdfde93819202e62f64fa72a8e767

SHA512
9d44f6a5b41ff6f2337ebe15b4a11f52c5d1b2cfa91b38285e4810c1a1f1643b51212ba52b920858e1a700389d41f6b1b454e8d26327b51e67de8418e3d5c552

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
b3ad3b31a58e9ee85e1787045b4b9d78

SHA1
284acc4fba087cc1990553081144dad9c6eb613b

SHA256
8c53ae56fd0e81be2d49460816f939e20635f6d9b9c80b5d7e28d99654e56562

SHA512
53fb7b52fd96cf2926c54bd48d641ebe014ccb2a4a241d672702d010554a4a81decb2e8cfcd763a6a8db7d14747ef8724ed6c74ef075b158c99db12ecb4d8dff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
1cda8bea22689a5213999fb9da97ce7e

SHA1
4180ed091f6a5d38a02e080e6d6c4341fa410e5d

SHA256
bb585b4413efde1c56f85ea8136383d0769477264251ec22d0747f40b41cc0bb

SHA512
666edd3424db01b69103fce073100da1253aef66f0fce94d05122faee67e23b09c031216ae842ef59eb918d80774ef5543b616343906b3b365db275e50105d6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
35edb59a1a1fe1d85feb1cdcf594f740

SHA1
f49e18ba29a5802166f6db2e3aaad2137d9d75ef

SHA256
da88b5c9e4caad5af95db0e26f574408b0ea470cefb5e64a340973e8db65c37c

SHA512
e39df1773f6cafd4300be7dff8a5b7c7006a134e8c2382ecbd70d7329985f635e9d70cafa0f8847817dbe1e2b0866a54c3dd08c795faf8bf81f9e53f7feb5046

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
66e2a6cc35441ad6f5b8a747c2b9493f

SHA1
dc6d9cb37a92ad619f6a0258ffbfc5f0f6c050db

SHA256
ccc3a3bf3a8520e0a96cb94df6fb8e1f57b029a776526d945999eb24734494fe

SHA512
37f4d17476b703e2544cfc89d4a0cadd46ffac3e3da233256cec6ba0573f9fad2a8f6fb79cbda63eebcffc0232a686ee13655dd5079f5223d6cd49487ae7c8b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
99f63513cbb836e3099a1376d2a2444f

SHA1
c201fffe4941d00f80944efb95ca6d85c5585ab9

SHA256
e95e32a91c6c82c04dd0d3d67de0890879da841d5242a2c926f09f5235fa851d

SHA512
d424db7a28ab11622096d7cf86bf191fe9762d67c3d47a1dd439f804e70c4336fdeef3adc59dab583adca517aea941fff0fdd091d027ec1ffa7d7d7604bf28c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
7f6c4d173e688b8ac0112e923229b9e0

SHA1
c49983a29292befb4ef6352716c697eb6e52cf75

SHA256
8b9d838b79fcaf775999de6d9f0cce27428c3b4564a441bfaa9fee8a5635b4c4

SHA512
97231c06a68f222cd94d6bd909525511a10ed0f9753ba1b5e4eb767b34a472e5255842cc30ec448da952f7a6468896610888411a5a21b42e6ba35dc0eb0ed61b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
bf6d1af86543ac24f949c56901675a55

SHA1
39459f045542933f04951a4e8fca52598f9b1775

SHA256
e1cefd9c1c682795fe066a570f6ac1040c29c7cdc7f75393b19049ac2271297b

SHA512
9bbb10cc477a5054e04093fcbf02349f5980cb87b1c6a0ff09b17e5f4b8071ce2dd814ef57b8803244185169b17d2512f85aefbeb12449a871dd0f82ee12c88b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
213db762d8cea2f6d56214e36ca8657c

SHA1
66c3104256ad5ffdf33af590a111df2b26c4ff38

SHA256
0e6cce3010be4abfab9f6605f4f1d58cdfb4757afddb85eeb0dd6be5d33ee9fb

SHA512
2c1fca2fe20256c5a384b9a5a673ea387485b8bee763e13fa379ac2a362759df285b52643e45f6de2e7bc996434b40182422e320b465e5d6fe6b0ff6dec6c88b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
13059e88c79fe8f1c1d36216886e9e41

SHA1
a83b6b8d1a018b194a919c9863bfe09fb317e1cc

SHA256
8f852f9701db756597981eec0d7cef58b9ba19f267b7439b7eb35f5ad990bb58

SHA512
8d552dc06f0dc9f2e31cf3ee942a7c1ddaca482296dc65b1693f2221a0b255950877f434041e48a8b1d110bb46227870053b7749994b0ea4b5395aeb29954e91

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c61ef9624142e224fd68244ac03c0e0f

SHA1
b341bd123d285ce4e32ed431bd692770a3baf7dd

SHA256
bd50c6cdedb44e17bb4302a37d76434bac5429e06faae93dd73adef915cd4c3a

SHA512
23db2ecc40956b3c861eb26f9ada16dccaeecf5da73a35ff9c2196e0610a1ad65fa33527e2a4f1eeb494f1db407a6acf5b920603400c31f794a6de587abfa4f3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
d2a5c333e93beffd4067270158b59a99

SHA1
de33c1b620238b45d676340b1b873656725b6a75

SHA256
f85f3ab8ee33ff007ebeabfa13beace031502a403a068cd2fef4c6280336453c

SHA512
5cac847f8c031ae28d015428825d18ad7b03570218de06071e695042a77f67ae6c66539ce5b6f6cf285db955cc0f4e8cbf13e737b9f7e7fca09860c22e78ed50

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
de035bca5e8c067e813d24d52508e4bb

SHA1
4d085b78cdd5e71170cdcc3ae8c05c8da520855e

SHA256
a4c93a12e94d45c048bc156af98f9a6d92ed95d2cfac6818ab5a3f9a7886a223

SHA512
84b6d4c46a2f6b0139e97a2c05cf9c54905d22d13c6d85281279d511eb24e6fe436308bed1e0c8f36b4f6e3b079d214915d2668b7998f8b955e208b5ec2106c3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
041550d64617e0497fa54d8b226f8c12

SHA1
5dbdbf9f7925e2aeac0cc0f02ca0ddde83810164

SHA256
91f93be20edc9063516f76ef828b83a8a54ee5247ed7eedb05a9fd045bcf0e90

SHA512
00fa0643c6e47c074dcf2b2e32df1f2e4c6c71569e08590cc9c55439455bd39c3e5d289612bdf3234e0040d793ca1462fca48167c66d4929ab506a7b4a97b292

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
acfe34ea5941f6195b8ef29265c3066c

SHA1
729d2dd1b8fdf31a2ac83c017e5d81729c7c807e

SHA256
324b1b226d167af2f08f5ce5207f69e16c19b73c299b8043e8431130d2d99267

SHA512
c90cfda16dd13e86356050c3740a2d9ec087f63e4c1b176194436431cb143e595c082ce01934379a9aef263adc3da509b01f8753d923f2fb80bde12ba8091e39

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
e0f97e71d215ff639c60f6b80d179ee9

SHA1
3e33eef1fd4c1eec99c37c86ad457e7032877394

SHA256
690c0cd1c6c8872f44385b83dc8238be8e1f8c63788a9f6d726efa304f27f991

SHA512
814d9bc3c0694d56799261bda92b546db02458bbdf859a7b7722fcd9a98832dae20191f4372804e2db64fc60eb57b6f3f2d32c3a9433b92c6369491119a2b41f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
85c3ecde0de474c08619ae6909c0a874

SHA1
94e8155d4518c8fe507359042a40a22bee49a099

SHA256
cc5bd17e9063b246e79a3ae3a56818392b9a975d958d6baeb578b7436c541d3f

SHA512
6ee92c85e75f281500b3a138c020ea44b96ac5e8422595c8fde190acf7ba97056c60361fbf8080e1d05abd5de74ff2e7f5d9efcdc48c96b06cae38d8d8fcf0b2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9d566ad09574e7fb418e9a6bce205207

SHA1
acf4cddc4c8e89fb03de81e6d77947e456aca330

SHA256
91b5a31b17f3ce540f252694fc5419cc6d185df56e85316fc93c3ff7987a8d82

SHA512
a7c9d70939e90b9c0b41a0bd0d2cc4ce1b0dd8bc8991d04ccd62e2ccf29463da16d9c2196abe814de11737b0d242e9109cb67ea770f7367128605db5c55588c4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
74750e118ab444f5572aed0e7d9052b7

SHA1
27970f719fe381d5b154169585e928131496e991

SHA256
39a3fa8da3f5cfa62e468fde34b7290edca5bb497657c6bfb42a807c1d002516

SHA512
f6406da5ae904ca712cdd1626ea4a706b1fc159467e3212bcb33beb573f6dcf8a6fe5dd8b6587a9b2077edad34e3da3085792641c0c80c964a931dcde1eef673

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
6d4d4417e581b166a02b895a3c546ac3

SHA1
e0504b42199f307eaf84928b35fb9933694b4801

SHA256
b6fbc5d79990ddac490f8eae6b4233958d7563a9c0e7d9165719e381391d5563

SHA512
e21320cf09965cd31810b4c4d8710d1d650abc56f45f9b396c39bb5e89be31aefef6b86e47e5bb4784f1697101e9e56c10b71f872b66589d83751ac01a840d57

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
471782ff89506d99a1cc81d97819a814

SHA1
4183d34ae6ad2b48b699f7e491c8e24189cd0aa0

SHA256
018494064ea86a82d775804be373e270442893e8b52ccece3de1f4928cb78b82

SHA512
e51ed879b31cf3cc1bc988d13be57eecf1fd4c1f63b1c82e3472920c05bd749a0a430901704657088e0c674bf76021a060ad3561dddac81ea17f1577c70b80db

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
24da6467d787e5c5b7228d6ab05b1419

SHA1
8ea7a0f6afedcadb1766c1ac47d85b397d9044c1

SHA256
4156baed3b27697ec8f91e3008f40457db10b6d456e01afc65524d7161af8f79

SHA512
8eab1c6b55784b321e3c564036716c98e5cfd6abfa7079e71d3586258bafcee7779ea3f4819cb0467461d891f8b56058ea7be7fce3860a269e81273a40f1010f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
6c1843c2e99c234de0b7e136d70ec139

SHA1
841d1d2cca56eeb2a799d3a4cc7b7befdf4270fc

SHA256
0bb703369f3befdc0049a4581832ae5d821205239846debd9d61ef755f563e71

SHA512
a11999015b7e7bc5eaa999b8ed462f0e8b464c2265974631b3b08ca22208f9f6a284601205dc5ab1eb9a23e94501552612a1330e2a09a283a5998b285e3e9361

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3d99509bc79598b029855d39e45f7020

SHA1
66582ddcf98d0dc6d35f0b1838f90f9d69ef00de

SHA256
29d6e8fd871da7cceb9d235a7839895ff6251447e5038660c6b7e650bf485323

SHA512
8760bbe076881ce962656baf45c5a6c4ebe819d9a8d2aaef2d828aebc52653d0066f6801c5d6d9cd2171216d871ca6c9c02d5f8a948676269f27ea66ae044cca

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
35df8b13854123d8157fbf4978a3e68c

SHA1
e58044bd1691325582881b478a9c4a5c5d99d6d8

SHA256
1dfa26f15ff6cd49770728d8b51a9d6dfc063568441fdbbbc66ac958e1335a32

SHA512
9c10e8df59e2f4588dea3a88829a220ad2cd141a0ef36751e21ba86cb3b28de56094da43f8b589430cbd677f4de113af7fbe73a85b24dc2fdaf9d5ae09e88de8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d61b45fa8c40747a6e96ad75c1030bff

SHA1
cb0803a26988a85fbff2faaaa66e415be18f81d1

SHA256
c836110f211a34451d4917417b55858b1b59136647cba29907e443bb678320d9

SHA512
9218e97bf23eb9c39f6e2e20a1fe9b6ffa358794e6a0db787a00b6e62d4cb4003ba46bc4e2d8e9100c21c94e9f31dcfa301dde08084a32f2aa5e736a96b0e5a7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
26cda44a76164f31355f28f9e9d90ea0

SHA1
1de93a9d166281b5e62fb9829c7cfc94574c3985

SHA256
07c7e70c5d7ee6febdba6cec641d9b4200ea2d70f78c01019bbb95c31081ea78

SHA512
bbbbd48f34f4c798d965a2d6a06d4f49e365ddf0a469bb68625655418974a6feeb47c900666166593927fb53da1350c5a584a356aa22fdbbb308ff3edc46d758

Download Submit
memory/8-23-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/8-24-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/8-16-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/8-228-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1416-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1416-662-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1464-664-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1464-432-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1544-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1544-661-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1600-653-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1600-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1600-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1660-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1660-656-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1908-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1908-243-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1908-251-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1924-657-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1924-351-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2136-292-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2136-399-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2748-411-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2748-295-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3132-387-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3132-269-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3192-362-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3192-658-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3328-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3328-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3776-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3776-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3776-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3776-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4012-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4012-28-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4012-37-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4012-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4588-665-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4588-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4632-332-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4632-522-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4860-52-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4860-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4860-65-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4860-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4860-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4864-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4864-255-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4864-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-73-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4896-67-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4896-75-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5060-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5060-1-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5060-0-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/5060-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5060-13-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/5068-305-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5068-423-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5084-663-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5084-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download