9bd81723ff04685b4bd6349616c6803b284cfeeb0cd7f909af956e47cdc60d24

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_493111439739c6f151dff8ad77330807_ryuk.exe
Size

1.6MB
MD5

493111439739c6f151dff8ad77330807
SHA1

869f8f41bdee6be0b108416a2edf33e86ab560dd
SHA256

9bd81723ff04685b4bd6349616c6803b284cfeeb0cd7f909af956e47cdc60d24
SHA512

c0c78f69e69adb6c81a0298b610288af774ae2a25164e7b2b0d0837b9fee4f119e49b763779e0e6cba3e988c5c96b932795d52b8da719b5cd0c6c1308af35dc9
SSDEEP

12288:a1MKv/gcgZwdxmZR0f62B5YV1tQxvq343EGGjq7Hab3gnazjU4GxS:amGXpdxmL9o5YrG5q340sZ14

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1768	alg.exe
3236	elevation_service.exe
1012	elevation_service.exe
2464	maintenanceservice.exe
512	OSE.EXE
2464	DiagnosticsHub.StandardCollector.Service.exe
2900	fxssvc.exe
1692	msdtc.exe
2288	PerceptionSimulationService.exe
4864	perfhost.exe
2160	locator.exe
4528	SensorDataService.exe
468	snmptrap.exe
2312	spectrum.exe
1864	ssh-agent.exe
1608	TieringEngineService.exe
4992	AgentService.exe
208	vds.exe
4812	vssvc.exe
5040	wbengine.exe
1480	WmiApSrv.exe
884	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cbea37a6293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-29_493111439739c6f151dff8ad77330807_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c48dad372cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8fcacd372cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a396e8d372cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092acbdd372cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b6e00d472cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc99aad372cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004334e6d372cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faf628d472cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3236	elevation_service.exe
3236	elevation_service.exe
3236	elevation_service.exe
3236	elevation_service.exe
3236	elevation_service.exe
3236	elevation_service.exe
3236	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2428	2024-06-29_493111439739c6f151dff8ad77330807_ryuk.exe
Token: SeDebugPrivilege	1768	alg.exe
Token: SeDebugPrivilege	1768	alg.exe
Token: SeDebugPrivilege	1768	alg.exe
Token: SeTakeOwnershipPrivilege	3236	elevation_service.exe
Token: SeAuditPrivilege	2900	fxssvc.exe
Token: SeRestorePrivilege	1608	TieringEngineService.exe
Token: SeManageVolumePrivilege	1608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4992	AgentService.exe
Token: SeBackupPrivilege	4812	vssvc.exe
Token: SeRestorePrivilege	4812	vssvc.exe
Token: SeAuditPrivilege	4812	vssvc.exe
Token: SeBackupPrivilege	5040	wbengine.exe
Token: SeRestorePrivilege	5040	wbengine.exe
Token: SeSecurityPrivilege	5040	wbengine.exe
Token: 33	884	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeDebugPrivilege	3236	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2964	884	SearchIndexer.exe	117
PID 884 wrote to memory of 2964	884	SearchIndexer.exe	117
PID 884 wrote to memory of 4744	884	SearchIndexer.exe	118
PID 884 wrote to memory of 4744	884	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-29_493111439739c6f151dff8ad77330807_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_493111439739c6f151dff8ad77330807_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2464

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1752

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1692

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1360

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2964
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c523f2ab4de39643bf8171ea80f217c4

SHA1
fafea2e83aab1d6046aecd8b2a754f96d0dd2bf4

SHA256
947e7248a308e7dce2dc14dc39fbb4d119a1079bf34fb6915945c85bef05debc

SHA512
f46e1e3953877ef31f8393220ea689eadfc349c8130730c677e8d8540e9f2d59c7eb69917d35e06a45cfa716fd75e59854b099b39ced1f3ffeb57253ea267946

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
598fd6faac339f7080f87f47fbc7dac7

SHA1
10949668016039a3a35a5e20f8c875bc54fe7f18

SHA256
939be5e63bce2119c82af6168b94d3805c47e6d039918f69b07813bfc9cdeb2d

SHA512
9822f4d4fab15c01692e8fdd7fbeacb242c6d08a371a860bcc785041f6c2b5139c0ead0e3efd336bb074e679e92ac0a1895c41650c7fcab7ed18e82360e87faa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
a4a182fffb39fd2720eae503b46cf5b2

SHA1
6be11a691a468a0793715a9c2e20b0610e1e71d5

SHA256
8e936d043999a78e759d0a2450eaaf59afadda403bdd19afca5358b42a8475b9

SHA512
9cc48b286f63db9acc008b5c3469a6af896f75de284d22160ef163cfd201c6529d4528cf7aa927e1a08492a4c44b37646d282d9340318785acd6dada65a8e418

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
34c93566302683d80c8b5e6dc8609a91

SHA1
d577fec00685a97a89fbf37133390d16195dc66c

SHA256
3c8cb12ca9010e8ba54af6852e090a020e498a9886aae110676678c79d397e4a

SHA512
a8145baf01cf9b5ad721db04a56fbb2624e9d2a135b865edda9271175f2ae250deab684eeec2e80d394d0f4b1c54bf6e8381274947f686610dea25fba09d5d29

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
76b26a1eb26bd983936144c7402f0679

SHA1
4b919a422fa4dba34ea1a261b3ca73f3592eed7f

SHA256
a6b23b98e8c15dfd8f23cac4f524afbb0d4c4e45e2c61d7e7dfe91efd73cdada

SHA512
c77d7cdea500abad518eebd82e6cdbb496bd28a54b759eabdc1a89267e3b252c07171114102f15d310e2644ad5ecb4ddfac1bbeb99ce02936c378da7a9d90e2e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9d262c8f5ea271aed597cebbdff83fcd

SHA1
2f14ec0893995efc48a774e7142b27d7e1733294

SHA256
3a4a19efc38f14da7959f07810e66533976cc10df5071169ba33862936e0f145

SHA512
b878e21892150c50335c12a16600c9684e3789c8e06caea6152c19cf740c6438abd5eaa611d6bd79c06082b44160eb418186562ef98d6e7236e88e57c1af2831

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
84cf91e71cffc96976b78325e9fa2e5f

SHA1
35dcd5e517adf872686500315866d60fe17a3fe0

SHA256
ae061666297c2df421a184926bf5668a3c0dbcd71d42a3440192ae9da6a66cea

SHA512
13ca3ea935aead57c6713b3d5c26081275bf9778b0fe18659e30dd452a34d268b29aec26ad0e42c099221a44acf7212e4db547f4a6ded377300a44c097057d6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9a047f8559c0957cb0ed8e11e61511fa

SHA1
8564554f6b89c1892eb14eadeaa05d640662d508

SHA256
5aa8b1e7a84b712cd6c68ac57cfcbf5a437a785aa7d6f970ed124a1446b0a293

SHA512
7adbf4ebfdef2432f8fabecebbb7be4f1a7ca8c23c2fb0daf60b295be467f85478a27a951d210090c2a4afdea93b56d7917a4616dac7d0c57e788737ba0f1920

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
72d3ee9b32613137742a146120a9e95c

SHA1
a7859b7e4537400489d3bb079af8428a9c591e3d

SHA256
2c2de55a8cd9b698569a7125e53fc577500d57f47862bf33ba7f9b6de11dbb9d

SHA512
3813cc84f3eaa179ebf47aeff6ac558f833505de6d5c1b277b891389a53ea3e6d544b343cf19cd868c6d332fb9c25fde99337ad3dd5d842ab02b3e6e9308f9ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7f8bacb09e6be176f693869994d70a6a

SHA1
22c291f856de16bae431959de37cfbbf52a2a6a2

SHA256
25cc2bacf6ef66d1f265ff2521eef885353dbcb628eba23338a5c99845c7ec25

SHA512
6c921799ce4e2af719ef5dbd6613fef3e8e329fe7564e06e46c457f7430f69a9fd4675dce117b31b6a1e47df7d66e569055022c98d93c7966d246f02d53fe011

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c86b98ee408939243801b821905f61df

SHA1
2ed5fef9f471974dcbd310d228c20e08f10e7236

SHA256
da6fa836e63aa19d12825bf9ac1cf12bdbc265726f3cdade54a18c571d3f0b37

SHA512
35e9e4c09ac78e41abbf6bce1edeefa9756cee18cf9486b5095299bb49ceb69a6189e77b57de262512ac4ef00209d963628b04d19511b5b6fb352e7727a1ea6e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
428d162b1712cb7bd40770eaf88123a1

SHA1
100df622c46264b095abbc753d9eff7851b4aec2

SHA256
8af0aac57f87fe0c465f5df6164a2991692d18effeacee6cef67de04a30f8aa7

SHA512
c93cd3e9c2b5440eba0afaa68656eee38c573a69c52799c534334dbebbc826413f133bc9552911b8a7ccbae9c5f319562a4cf8df279f1e105faf7cc9a552840e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
f5e04a27e3368a4e012aa1a3a88cd46c

SHA1
5c63930a7ab9281a1cc0bbb56bdfaa1d3e8cbd2b

SHA256
3315d68d71a36c496ca77d1a903e7727ff60f702dde5429022ea13b16fed681b

SHA512
18454cf0c21c669f1263e36c4e4f3efcb4ab46705dcacbb3d061781e3c8812ccd93671b1e96e8d8a2d46f8047d45c2937f8969dfc834540025d2c092a5a74760

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
24c16615caa6740fe1b17e6298ed063f

SHA1
87db810360d22e4dcb91b5693f05aae17c296ffc

SHA256
e5c920f27f49900d529ed38fbc220db4edf2dd9f761b9261b4acc8e5ff736295

SHA512
429aabe9fb7ce836c2d532b5b993ee7a26b24897a98191ccc49e97db8fb0b1e54cd6a7e6535ab861704acec2cd53512ec2e454170d76f2e8d810ebf57f9a1fb8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3e51d165e1d537a54dedf8d9dcb6dbba

SHA1
723472bf0693734fca9202520349419fb6d0ddb4

SHA256
efc2dced653854563d8d65a1ab2d4d74ad61f1120ecd769a33400f5eb54e7746

SHA512
8aa5ecab706777920a7f13986b5ed84164214806261c2f76763b0419c043a1ba27a02fd5d0ded28a744dc2201dafd53bba4d9ed061f2ad8ee2e092f79439e9fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b9830654ff877d7a27df5c3874aa1917

SHA1
0e806149c88628e565178df31002e74787e8446a

SHA256
f8813a3a29a6fa9a51e565d866d81e4b94d822a3135a7cd543019c0c432a7d82

SHA512
aa04f025e0be0c13abf2e429f1c5e14b8e338fd47ac19d5351856c0d099723f3ecc329f130077d08e197b7f6ff0d37dfda6125cec91f846f27af6922fa3e0215

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
31f7e55438fded7c09a97bb0f48016f7

SHA1
6498f3170048175ec08f26fe4142b503e9c8a759

SHA256
8dff38e91e2143a04ddc900cd00ebb73afb27005dbdbdbb74f7fd9db3cc829e4

SHA512
2031aa7b236f104041ca9de1e5a193ac8530a34d35909e4c49d3d0924e042929ac98623fbbbbcf323f38030d61f943ceccf9806ad9ecced3ad0056f464662a79

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
60061349631cc7db7b7ebd32870f58b7

SHA1
dfd6d1e825a461750b8f698f2f37e4d685667370

SHA256
193809769fda0161be15e4cf412843a269da3d50dcc1b0aab43615d073f0ecb8

SHA512
590469ad5c7e3a0be77cd06e726320b2828435218089be7406d371429bcc8c97578285d47ac19fa2188747c425b50c8a422a8e217bbb5fa5055126eea07ca8cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ee2bf254cefe049eee4fb1e8681a89d7

SHA1
4d7860f59527550a87caaf94d5b8f5b5a2d5a376

SHA256
3bb32022989550f57f839cac419ca199f0aca82d5aca6e517456ebdf938f7979

SHA512
1da6983f402e475fea27a7d8e7c701966f2d1f9051496df882427696229cb6d267f3d67d3c80179768f676b4c9c7af6bfdc07f4ad54a174197d63bb8409d45b5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e3a0f88f9aeb5d25d41cc2f153585c4b

SHA1
8909e951559baa58318d06ce2edfb2f4bbffe44b

SHA256
d8a5772dc4fb04f9ecb16954e89a6b0865c50a9cbe08f6297f348adad3300dc1

SHA512
75ec39840db2e6d75d0cb40267ff5e7f144bf216497d7ad7528e5f4de3769573d154e2f2fe5885c20211eddf42c4931d0ae1c63b445d21dfd4da3420588e8592

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
75f24bf271a82c7d2630e37463ad6d54

SHA1
9dd47467c0904cb6200815f6334187b1830562ba

SHA256
f67f59eda1b4d374adf4dda7ea64c2de312612db0f68768fa58bd5bda218226e

SHA512
9f8c88328cc91907d0b82aa15c3fb133d7cff109f6eed51f32cfd77c1029931ef368b7406af36b86dedcdf0122cc6c64cfbc7556575ee372f1f750f0d24346d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e30ec629a0c45bab567996b58b2e1017

SHA1
ef81b9d81dc3c4707b23d1b42ac268ba53e72183

SHA256
ec6f6f1a1b63a529b3489b5b98ff9e3cb85f32e12d3c15e9ca0f1cdc6a2e6d40

SHA512
097ef4ad920bf5e3787bc4e837b900e852b511dc9ac5453378e59f003a8912bd2175512a48407b04f6e1f951fd238713dbd31245164f6b4a2d06732e41041eb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1abaedd01a6ec22a64f4317cf3dee604

SHA1
a403380ed3dd44c158be9cad537765b9e64f1985

SHA256
e95b4143a19668fbbeb50cf448816eeef1da2f8cca9af076fe05f30eb0cc9a39

SHA512
f0861fa6a308355fd21f707ac4bc789f7834b018bf782baac183505f7c8c52b012fb3acda51e2cbb6739bfcb417ed36616dd74c81143b81ed8fd28fee22ebfa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
2f7931f7d075b729b8127c0d0e00926b

SHA1
ce898e4441961e9b2a59a0b69557275e7660cb93

SHA256
d3f3af0a8c472dfcc2d9cac8df240748cd94d22acbe4976631319f044be8a83b

SHA512
3f44d7a4091a12096aeeeb9b26c3347b1603d8714266c88b4f17adb4178a598757c61cc53cba5a20044b5ac223127c99a24a39d9b6910ac8e79c90fd6f200491

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
59d2c187f2941398fee77c784c96c081

SHA1
e51b43ed2f2c946265b117c527c03b0f364de19e

SHA256
df89b5b0ccf9a29a7c3a2af617581639b30d545ce47927cb02c13836119818e7

SHA512
751397f8a71ee35bee65ea13608e665f357c296a06b1e1e7f1e07a233f8018d43b575a8e4d596836ec57fd128320c0d32310da2aea1b471ddaaa2c8c8ea132bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
dccf401729563b4717bd907c4be5b24f

SHA1
5473e9a5d9462530876cb502ede6fd261e136fe3

SHA256
54b471caa24ad2c1b33bedc62bc71ce91214fbf44907ff4776046a03242416dd

SHA512
e1775b8dd8a6dead6329c3298bb766e30e20f7925c1e06f8133477ce7eec17121fdb253a5f9fa06b2c0496d4f6010b4bda8dbccaa3fcd8321bfdb28aafb81556

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5bc84f542bd82fcd63571a125cfec757

SHA1
1d7a41878958aae44464a2655aab86f3b0db6f2a

SHA256
75ab516c3e61661a6eb03c83f17f57987e7daadb7953317dfb480967a50f6756

SHA512
4cb8acee7a287ae318edb353ad2d9deaa37e23c27da9c298b2940e30fc00a52fb58dec8a9022e85114baed97ca78e233847bc3d00ca70affe3f669e18fe1a6ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
ed03c24acf29432ec781eb29949d72d2

SHA1
890a71faa5f1e0bda1cd19fc5051bc7ba02892a0

SHA256
0ec0cf815235c428b6938b726e66d0e6d7e8991766a535fa02718b90af455243

SHA512
16536a032f7661961190689b01a1a04be5965d28083d2b809f788a519af2348ada015ddf25b97afcf17d3601bae33f7f54fb7d4a6251c72f063edd73186de60f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
660e48248df5f0a9e32d0a0ab9c51b7c

SHA1
322d68a3836652e1db42be31c5f04aff3824f093

SHA256
f044fc5e15ff89fb901ec99e07d44aca28f59fcc121c00494166f2eb2a39ccff

SHA512
046795a9c9f9406b1df640ece7a0218169a4aaf5608cfbe107ce782b548e09bd1676f262d3756bbb96a28eee0ae8ddba8fc4d6f98c36210f37519a28a790f347

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
0732d4fe7d9f5fca4f37d6d3c6ab2791

SHA1
463ad15d0127a1fad3a882cddf8f7dbf54efa783

SHA256
8fdfca6c6df66ed4ef5e938959a2c7a597cda170306806ff2a88ca46c026bced

SHA512
590b0423bebc8da389cda575ced1d460e6afb80242ffe2b70b329fb8ef7551b38b93ef40c327c0a1016e53ad919afcb745a5eb54607d93e023ea322f38228b73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
d6182cd84c557a77db1a539336a06768

SHA1
a109dfb057a49aa0ba70054d612960bdec708bff

SHA256
6e53e0d779e67330d312acdc4b6718ce77f7a91cd52c95c052597b7cd49b8ff1

SHA512
d26decd7b22cd2b5ec73abf2b3e816c262e541981c7cf7d80899838b8d724e47458e72bc1e6a34332ab7069b040ecc2dbada70622f869efc3405ffbf5d722950

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8ef152ef178e2a8bb56b20b589972d10

SHA1
86bcc37867b807f9900bd5ecec7e6234be746a05

SHA256
5ec25fd9372f5d4c17231c370acdf2a68c0922ab6b64798ebbcfaac494c0581e

SHA512
f4791020e4f98ac5e55860ea13e9dbe39a582bc34ffb200a28d3e19b2a36e26fefe083cc0af9320d6a67adb5a931acf653d87b057fab4b5a842056ed34949602

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0b4213bc9232116ec2fb586c770df052

SHA1
6431fe9d7655489698132cbed8067be21da2452a

SHA256
c676da04760a8dc218979d7ef9f2859ffb73536eb051343ed824f19d4772aba3

SHA512
1f578666d93afdea2ae59e18fd734977ed7abe19ad7f5df28b8a201a27bb7cb5b52f7c0035eb9edf82f4d689bcc3ceb6774075a9eaa493c0619642bf4efb9d5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
dd6d3f10e611bcfc34f16353f1f6e3c2

SHA1
af27216bb7b57045ed7d806ef4e42fa0e6e82a4f

SHA256
3523d3a6bdb4018c68a2bd9d6f6cf25d798b0e6e3d254aa90935f70115446d82

SHA512
f9b5bcc550cb42f990a88567961c21cc6d86d5c9e4994bc018f8f666c1a7be5c6e9e0a4890a24968ad9ccbfae1c4d75ef7dfc074fd7116254b80d11301ff73b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
40d9f0b1574de77fca1ed20b01be4460

SHA1
5db1d5b76b8a67d895712d2d3f80c1e516fbbc4d

SHA256
56c550a8ea6b806365f595f65d409afeef52eacd6b6a5c935f93732afbccb04c

SHA512
54ee9dfcfe7e72b91882aea1912599714a3ab93a0931bf3113d8343bc5a8d19cf3514142222a18c13cb6b2d4c5b323a77a74bfe692728095eb60826f71e5d3a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
6c05d1219df3967fb10ecbbb364845ee

SHA1
fb75ad3268de38cbdd82e09d96fcceb7ec285ea8

SHA256
2f8362ca7d3d402a5cf293b5542e089656c7ab31efc3d030ec26989ebd4a02f1

SHA512
a042d34888b3871503be69b4ad08b7a587ef8021050d8e1963ce962259346972c695b130c3e1c8cc3c260e34d781b98af54c47f23e4a3a002fb5e4aebe2da474

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
ea06ef3efacb8d941c9f3005a513b3aa

SHA1
5c98a84303b347c319431ae7ef4d3f71c081fa3a

SHA256
1bb760aebbc1bc725382aca5363b4ef656773ae8d7fb2147b6580f36e3d0dae4

SHA512
2caed74c090998a0a728843159283f42fee15f7f8e560080af158b1df93c889b0a00b66eed360eba7e81f949f0b0017cc5dabcad371a9205603a3d6db9095b86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
4e01701ecc9259c975b704eb576802d0

SHA1
9080ce359a94cf1613b8a00e0272e9521e2a12de

SHA256
ab54e77d971133404bf784ea5b8f542230fa03695446fbc466f3cd1c6c677cc7

SHA512
91490854f4f7a8ed218e36e7804636b8c50500f9b496a324e23baf9362e0a8fd2cf166a9e73c03d89f2512ced59c8024e1fab6916623acfb09c02b06ade84598

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
b7fb8614918790251ee5b63be90f9d83

SHA1
a773ab684c3fa2332bc35c0be02555f4e3989fd4

SHA256
11626c4c8356f2503b9e42b9a60a5e39a854cccfb22c90af78d42c6bfcb8e3aa

SHA512
1a8abf2d85cf445a6491ac5c062c896fd73227c9ea06107a2c20344c6ef14bceee5daaff6f00be1afd644ab722e0171f0f02008f1fd550f38135c899009132e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
66c19abbf6d4a94e00ab858139d87cdb

SHA1
32aade3237669472a165bbe5fe328c74562f9317

SHA256
caea1a3964418e2cf15aeec5fbe2fd34851bea0d85dd0e2e86ee1808ac512ce6

SHA512
0961d7d6b7b91f7d4c90393ed440c3b306f9135fde32a4f06cff09c5d16b61d74f9280023b5a96cebf398c3660084bda8f3a4eef0d30dedaacbf1b3850cedc58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
f4f62f93dc2b9dda17ce9a5645c594ff

SHA1
9ff8ed15cd1873a081dd95688d15563128e22aee

SHA256
3a6fc91043f5ce68274186979b4c72c83f0f6b506c423254275cf99fd22c4502

SHA512
8eb2cddac4dad42b2742238722f02331807a38a5c8f19a24683c3bb80b4607693e011d32dc2a27301d6580324deea7d3d21dc9d218178a2b04fc6c5554cf8cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
1fff3bc8ff50f78ab83c83dfcfb73d21

SHA1
97de694fe6ad4f28edf527e1676b8a6157e0d0a4

SHA256
075042436e4a382f4af98982333c0e1cee1de58321639dcced69fec006293f0c

SHA512
be5887eed49981a4a436b81ab5dd6d2023f3c654c6e6acd1ba7148911ab96355fab2a0a8ad4b503f646f022b088d78fd7a3e712001530860375ecd7d5bad8cd8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
77a6427db2daf07f981ac3aa0424f5ed

SHA1
aa37589bd4b7beeb8d61a362c7be0f73ac148438

SHA256
124be072d6951354fd38afe40f1f483864a84b8394542a497e96c355a247dd16

SHA512
bc04d5def6fba7c091f3020f0b44b4161374b4c15de10693e2c6ad093dacd7b63803c44c4833870b7cdb0583de2426c99d2adef51e450df222b262e48791faf0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1b93d2fd6248313aae4ae1b3807c227e

SHA1
eb680ac8c0899fd1ec21dd06fbb2dd089b69d93d

SHA256
dd560f11e78cbd8e940ecd55c6356b94b0e61cd2f23092a5d1c5fb34a4b7f64c

SHA512
af7e3c625663b71936d7070ad154e649d91cd6357f192a3e5a4ad723e6de6e61cc98b4b5d7471b4ba6b6cbea556ab6997c5568e94060b23d925b0a5f2c62f12b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9df9bbc1ab51c0a579b92ad3d4e814e9

SHA1
79512f01f4e6e88ed85c3019f4e163bb469d3c40

SHA256
bd0319a53b08a971f18139e03476afe30a3e6ebad8b91276260a47f93e6ff478

SHA512
76fcb84b588530374f7796f43179fb29f60b91ddbfb0f55a71bfed70694acab3347449588349dc80922759d6dccc4fd06adc4f8517c071ef49cc78976ef02d80

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0c5e1512116f73ff2c9a6a12a22f24e9

SHA1
92e32f758c82fe292803083eb3d4a747fd09fed6

SHA256
201a6f92c83b48cd6cb8721351cd4379b0310527be43690152e7fefc855a3e06

SHA512
6e39b9156bee203e2c33a655d5cae7bc8c13817bb3ca9ebc108b9ea8c3b6413bdbb1bad3dfe9da479b4cb57f08dd62c629b011242a3e365bab1f31ff48b20e88

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a4cd9c537fc65b580c689ff44cf31382

SHA1
e53d064f2f498afcea2625cc35c83242b836d92b

SHA256
77beafcf97d9129d017356597285f805773b47d20ce0bf9ff927c1426cbb54d9

SHA512
04acbd58e685f330de9c82daec603bb248ed5f9174dd48dde629ade4abd8e50fe155d63d62c3f665b3feb67cef958c15f32d14bbeb2f4edcb5d69cf81ace91ff

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d06495507d85ac65b061f36fd58f538a

SHA1
48f84c90fa6d595d33437349b3e607430ffb56ac

SHA256
d2da5ce4369df2c3fa723cdd2200c9a8d90fa21c043a144cd3d032ed64d4cd1c

SHA512
aeb4a41af5c41312dbcfffcd983bc53c6c188805aff842244a5ff155894114b3e1935fe6e514e3e6028a055225e04cb6511e0e720c4c23992d349c2c561674ee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
0f2017e59abc8f090f4e3ab4b4afc7d3

SHA1
012470468415dd3064a848f85882abd104169cc1

SHA256
59899fb1c2a69f3914eeeb945d1c32f32f4f368385be9e1cd70e363975caa4a6

SHA512
9d291026f219bbeed7d93f6b02094ea416c855203149e14356d38a3fcab3b67ebc9dc44298eecdccbae19f3aa6d2cdb41527ddda021b5a4ceaa1b085d8c3cb24

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7946c2a295320ba3f94abbe189035ca1

SHA1
444f69defe058301ec9774aee071ae7c77d0fea3

SHA256
85aa0f55661e1b74e128ea282c53cdad966d6f02086833052e2778124f16c651

SHA512
f35041911cd0db6a65fc690e7c57f857962e4c6a48e5aa8b710c06a3ab2da0f2d604b2a826ebe95d28f788dd52045a4dc00ea19cf4dde062ae40935eaca81cdf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ce59a2ca6d553b31603834a8cbe91d28

SHA1
dc1e1d3f927e08e48b8d9ec2f4e48914bc59f024

SHA256
e6cb1dfe92f88b5f962df57ded1137d317e277a602ed1938da52859fdbf31e6c

SHA512
2e612876d9ea578d0ee35a153f6d66d8802d80cf554add0e0e19c78338342399996a94a4bb05f214d19b5e27407f6557e4e8837a989f80b18e2728c965786c25

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c3f5cb3100eb8107a9d0f1542d804646

SHA1
14bf7fe30ef5b77a8cd6e92e819f2b4ec3f63639

SHA256
8a6678ecd7ecf5b41eb2b881d1953a65dca067343e81f59f34538108df7bdf7a

SHA512
11579a9ec8151e20080103c6b4ed6894e7a3ca75fcd2d7d330ceccb4e411eebbd31217e441e450126fe6ad470e2bcb841a27500045b38964fc20874523966e8e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
90e5c44c17affcdcd9678d9f76e8fc16

SHA1
6efc46bef3801f274a554ac94542aea0082fbda7

SHA256
5ee88d4f00e10b91eb0a814662d0304e78de7ccff89efad7f93b73252c3f7e20

SHA512
5d32d1f9d82d632df20d840a9d5808eb1b91898530208e496b74ed453d6c76dff8d3d3a2d06eeeb9b0f1e6d5fdf9d10749c6ecda7fc28420b06161695f5fe495

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0f51dacf4994a66baa45e91eac4a9e4a

SHA1
06ca6e0b810c4263b856663ece6261a9c9ff34df

SHA256
b2f9621a6cb15c261fd6ab87073321e4d3acb071b189e58ded0106048a763c91

SHA512
a94d6288114686ae94fe8743150b4156cec2266836cf1b161ae70e788ca186be414c0966b77199e9ae8342dbdf76d579a4bde2e6f6cbe7d0edd3bab9fc64ecbe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3340cd8a1c7d1439b5d1121676774af1

SHA1
6542bfac581d15d68d9ef0189e52adae8f6f4daa

SHA256
3fd93b5b87326c6839cd024f82d46b1b73860959acb84a286a95b90002bec571

SHA512
478feb0e23b13597eeeb86514c5e556524c29cc93a6d779ae5b4e498072b4b1d8754e19cd75c345440d9c2f4f33601934c7490e214e88faf4ba07e04ba8264a2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
36820e72e1b2f973ceadae6b83750f4b

SHA1
3fb4400e4478f30a7cc87bb9d2b5cf524bcb617e

SHA256
2b0f3a62b1d68fa4e7bde04f569cc5bf783e01faf46d6f96287a94f1cb0cc94c

SHA512
d4bf05627594b74e728b07f59b2e2405eb05759a5da6f59326806c94480bab5f73479efbdc06fab14ba048367ca797751f6c62640eecd9f58af9c256eda620cd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a3920bb1ef39571e0bb9bff70b05e0de

SHA1
94f6f4f05a3338b049c4a783bb515e9f9372b918

SHA256
4bf65b240d1a5537cd601efa6c2e92c536f95ff9b38dea669136d32b8587842b

SHA512
2e162c0c185f23502f3b6adbc8a61645aa58454e06652b7fc620f34bb907c35a7acbfc37486e82df62c865ae4759fa3a9665afee93ead3ae283e848b68d58e02

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
188dfb08b6c040b07ea3302d7876f800

SHA1
460a49dd8584b639d92ecd9e0c833c0b4d312c49

SHA256
3f66cec5a2a4cb880ef12948828632c53c18b51ab82762e4b6be9ce51aacda9b

SHA512
3c09f636a995854a093211c96902cf0833ee1e23a0c49b8d2e30faa24760c60c4105b1128cc5e6247803f2a25b3045489fbe61231fca76a3f08c1bf9db4baa8f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0f86d430c8b2bfdfed4f9d2b997f01cd

SHA1
281d4f1879d1bf14dea3c9bace2a08b1fbdf62cb

SHA256
c560d0675f5403b359b25c9538c1ada3a9995b5280fb02c422942528a4fe561a

SHA512
d6a5f91f85a18473f61e996241753b483a12ae9b6d34c789dee63ede5b18b217821433e865b48f7214121a1d8409ffa443b663b2abcad90de2b73a4b72441685

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
75be697acd7f0aa10926a7c0e8d75353

SHA1
650f3e72ee5e83879db65b87ad20b1e4fc03a184

SHA256
c90e2fbdf6bd11c84cd61047f4ca1d3982998e99e0b576295e3e4507e1fd8680

SHA512
86440e6e2d12c83cdb1ce3c5bd404025831b803c1a8f3b17aae8f1273c14467b11dccf0b705ec57b357ad98a60a50db483b200239bd0ae197a084ff4c145341f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0291c2ec20d9d829c55e6be6c6296d8b

SHA1
aed07fc593d2795130f9982f7308cc43be747652

SHA256
cf24f181ea3dacaefaa2a6ec1573b39fc0ffab51e3f0c34bbc930271710e559a

SHA512
f9aa45a0da913cfefd8034174610ba3d2e3a7e861cb325e047753c0528094c9fc9c57c4fa41b9a0074370658d5271df2ba97243000d02c212ec8dacfd69ef5d9

Download Submit
memory/208-379-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/208-666-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/468-655-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/468-326-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/512-235-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/512-63-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/512-71-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/512-69-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/884-670-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/884-435-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1012-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1012-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1012-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1012-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1480-669-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1480-414-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1608-362-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1608-663-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1692-378-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1692-266-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1768-24-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1768-14-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1768-20-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1768-230-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1864-349-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1864-662-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2160-303-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2160-413-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2288-390-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2288-289-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2312-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2312-656-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2428-1-0x00000000021B0000-0x0000000002210000-memory.dmp

Filesize
384KB

Download
memory/2428-0-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/2428-7-0x00000000021B0000-0x0000000002210000-memory.dmp

Filesize
384KB

Download
memory/2428-10-0x00000000021B0000-0x0000000002210000-memory.dmp

Filesize
384KB

Download
memory/2428-13-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/2464-61-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2464-360-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2464-49-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/2464-55-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/2464-48-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2464-58-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/2464-247-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2464-241-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2464-240-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2900-252-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2900-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2900-264-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3236-32-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3236-26-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3236-34-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3236-231-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4528-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4528-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4528-661-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4812-391-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4812-667-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4864-293-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4992-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4992-364-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5040-668-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5040-402-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download