51ae4a6e3d6cab5fe92613d3fdfa3dcf323233f13f2c97e7a346bbf97185cac1

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_df5504750270c11b03a3413dfcedf990_ryuk.exe
Size

1.5MB
MD5

df5504750270c11b03a3413dfcedf990
SHA1

b52a9c92e89fa1036532fd5aa8c85302c73e950f
SHA256

51ae4a6e3d6cab5fe92613d3fdfa3dcf323233f13f2c97e7a346bbf97185cac1
SHA512

c49eb9748db4c6b161c4d696c94fe435eef5ed4d9fd57ce3e3d386e82d199c9234ef82fbc67a2c27887026889591d45dafb94634c3b318507f1509d1b9abfe13
SSDEEP

12288:dOb3A4LWOsvAYFTDMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:6TL3UTgSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4292	alg.exe
2216	elevation_service.exe
1480	elevation_service.exe
1960	maintenanceservice.exe
3660	OSE.EXE
1408	DiagnosticsHub.StandardCollector.Service.exe
3972	fxssvc.exe
1172	msdtc.exe
756	PerceptionSimulationService.exe
3952	perfhost.exe
2968	locator.exe
3576	SensorDataService.exe
4176	snmptrap.exe
3688	spectrum.exe
4024	ssh-agent.exe
4864	TieringEngineService.exe
876	AgentService.exe
3180	vds.exe
2684	vssvc.exe
3148	wbengine.exe
1948	WmiApSrv.exe
4228	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_df5504750270c11b03a3413dfcedf990_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7e441383b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008a49a219bcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a576d219bcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fb98e219bcbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ab7ad219bcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf16ee219bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cecc82219bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c7d93219bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2c9c0219bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4932	2024-07-01_df5504750270c11b03a3413dfcedf990_ryuk.exe
Token: SeDebugPrivilege	4292	alg.exe
Token: SeDebugPrivilege	4292	alg.exe
Token: SeDebugPrivilege	4292	alg.exe
Token: SeTakeOwnershipPrivilege	2216	elevation_service.exe
Token: SeAuditPrivilege	3972	fxssvc.exe
Token: SeRestorePrivilege	4864	TieringEngineService.exe
Token: SeManageVolumePrivilege	4864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	876	AgentService.exe
Token: SeBackupPrivilege	2684	vssvc.exe
Token: SeRestorePrivilege	2684	vssvc.exe
Token: SeAuditPrivilege	2684	vssvc.exe
Token: SeBackupPrivilege	3148	wbengine.exe
Token: SeRestorePrivilege	3148	wbengine.exe
Token: SeSecurityPrivilege	3148	wbengine.exe
Token: 33	4228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeDebugPrivilege	2216	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 5116	4228	SearchIndexer.exe	117
PID 4228 wrote to memory of 5116	4228	SearchIndexer.exe	117
PID 4228 wrote to memory of 3540	4228	SearchIndexer.exe	118
PID 4228 wrote to memory of 3540	4228	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_df5504750270c11b03a3413dfcedf990_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_df5504750270c11b03a3413dfcedf990_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4188

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1172

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4b024788f30602d2d17e73f8991c861e

SHA1
aa5f2aba12e5cd92c13a7f294f9b767a1b328a9f

SHA256
8c56316a559481c6e4e5359c94bac99a7fc141499b1ea79d2f5ea9d1b6527f5b

SHA512
04acf74c0d74f65e86ad3d1623ee04e601a923f904e907a414746399a045c5226382ed1268d92d9f9b3abccb5a1d1fc12b3d0c8becb971882eaaa46fad0b2bd6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
062ea6fc2a443ba8ef64fca76e8c158b

SHA1
c4d6b60bf8ea87baddf64adcbc69619fa589561f

SHA256
279cd2f29de96a3a422d6e36c08eaebb53545ae045dce2409ac9f5ca2df3b989

SHA512
77e69fa03bcca329e969dfcbb56f3ba57cb36182c62f09811daa2823aa980aefa09cd489217ab4697fd03cbff8fc308c747e1be213f46e27f31dc05185041152

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
99032fd4364428908947ef080406db62

SHA1
26e03ea1d35811d82c512f399ba2dbd4ee7ec3a6

SHA256
cebcd77655dc203075a0056130a87b1769ca285e6bbce20a7e06acba327cbfb8

SHA512
7fcefc0547429e613657f03fe2d4730e28d1eb7634cb5585adc14a8942062db75c0fb17584290705b7d7de5d2e6f29b7295d6fc1dda540a97367c772e70c4f86

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3f480edee9b07858380b7cc6a15f86eb

SHA1
6d15cf7856d14d45080ff62d47524768bb12eb22

SHA256
8c7765d72925918060a4bda0adb3133debd3d8b7be0b93f933659d3f8881a3a6

SHA512
39892e4f1e06a42dd15bdc294177029aa0a71f403fdd4c9f38051d9497a2537c689a3fd885a30c2f6f04a87cbecba682258137fda40d17a862b7bf5f34c44c0c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
151bc52fd59776ae4a26bb1ec76a2ab6

SHA1
e042a34438c07d63c70337d273e1e83e9c5009c4

SHA256
95283aa60373f9ba6722838f8f85c488f8df14f13ccd8ebc59ba291f41a54a83

SHA512
d1cdfae67071a9f8717ca4667be72c7966a7a52f2af142710a4e371d4ed8ebfc9939af62089b505971adb4fa0c45c8f24d5395f6dd2dd82bccdabdf794cd1ac0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bbca5a0e8a7f8bdef48939e19098619a

SHA1
006dc787dfb86ed94062b6dee0463e551669e5c9

SHA256
e1f30c148b192d60416abcfbabe535fd318d6732fc231930c0cde02c221f3451

SHA512
58c4128766d5056ed36e7ef9338b311e68b155606e1ef91b929491de7d2d0bc7822069af32c037de6dbddba274aa7b3cffb61464e6afdc4d992e1c022b3fc2b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
22daf796fb379aa6a6f5c734c9e95c33

SHA1
5d380c0a8e9702b2f6b0b61616d40fdfde3382ae

SHA256
f126073fe3cc6e890da9b0cff4c59ba461666fbd35bf9e9653c40ada54ed785c

SHA512
b8faa85a50ec8bca322f2969ff8a56117db0571f9afdc2cd379a4909e87de4480b2bf249c063dfd424c88fc45dc194a13d9767d4e1519d219ad11786c6cca7a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
213195dba0caf6a705740b7e484a79d4

SHA1
abff77f77580477aacf78dab2cccd9bab63a1aee

SHA256
d4aa7619d2315f6da69139766a959968246e64cfaccf03851ad1c612a15d385f

SHA512
c7b3aa6fc24969134d8e201e66c2fd92d9c0443a4422c87cf36359f58003af4c8236be04814a81902c176ce33388bfd667c843217aff9b2c5010a69a977fbf8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
0c88b1f47e5a32ceb19ac13c7c015659

SHA1
f895d04baf602abf74d203c00d08319b72ac2855

SHA256
999cf74965b4a5e9ac237e503844ff2ddcdde67396d45690cefdb97b84facd8c

SHA512
93c96038d40685b5cfaa27dae3b0dabc64b9ce1db29914f42e65d330c68e27951fd7d73c0a935e48db5cd347f877c40e00bb8b09dce686956dd99839e7c73a1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
28fc8a6c339569232a0c8707e2685945

SHA1
039d6751719d47694313812d05f586b0e0c5d89a

SHA256
0c028d602e9d64f06717cc454f87439fc0add8a7d9acd49edaf53ecd9f1f5dfd

SHA512
86f13cbe7662420a73e8fddd870bab4838b2ea60c80a554010278f61aea0494e970324e581f1816d8f660dc237f12090fd44756c445752355c0b3c7bfaded2ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
aded22e925840810c12eb2d3bd4dc261

SHA1
5a1f0f6de5af0abd7ff2db9b378ff8e6f77c2f83

SHA256
76f414ab57a5d5d63320284bf0a62b2ffb45909dc977a49ec88e7a61011b8835

SHA512
ee5cf1e130eaefd6d2639d8a262dc60b3dce68c4cb228e6f09c5f0a3d252447f0a1e61430c2ac2908784f1b4fc02f32f997231ed7b591bea48fa52a6cfcfcc95

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
561f53d179e69c16f4bbf0ee8730e003

SHA1
58e67f226545afb87f00f1dfc92a97256ecc12af

SHA256
1093b3b199d174b548285c235a1105a5d31811d968d73d48f49650eeaf877257

SHA512
07b2f45307e29c93f2c122dad7e4336e6f2310f94427ada0d89a6532a7de0906fe50ad4590b481ca8f6ebdb5b9a7f9663ef66ec8616f24aca8f790c7c49eff64

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
975ce7a3c5a7e17fe19e5a1945165b68

SHA1
6ffb1eb4195455d51b012929a29db3a28ed630d4

SHA256
a2ff44f626cda9ab878070b77452d6499848eb3ac3693c602a89437f52f6c767

SHA512
6309a0f8f22ce6b8c40dac6fb125487a68af16ce949bdebce5b23c367efb873539d4f32a9dc4037d401c0afeac51166670d2999d09d1aab4fcfbba19b222b5de

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
16883d277431ac2bdf87c7c1133c518b

SHA1
4393afe1b0f13cec5db3bd7a724b274eef87785f

SHA256
b4b56bf549a0ee86348d0e98f9695fdaefcbaa4bcd36c0b36d2f7ee65060cf14

SHA512
3fe57eeeee096e8a0314741eb25e31dcc95402d9991fa77afb398ec31858a00756dedc6809c670aecc0479ee77cbfd7fffcc352b7aadbf396cbd56c913601c1a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
70ac09b991984d61b70ca8d5580d6dcf

SHA1
d8f2b45164622310fcd201139244d8ecca44c391

SHA256
3af52f30b50f82b89a5b6bd807e193d809a8089f756c7a2a8902c461c26c5c8c

SHA512
77d20dab8fda310462fea4a91ec8dbf8ff75c6d1c3ff765f63e9bf689b80d3a6575860b56ec0e1c04032cfd618e341c5bd3a2ecf06ae49fcc7030023671ab89f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c4fc581058e2de9659dc17714c8cd818

SHA1
168265822f1987a90404042af3f0a153d11af0c1

SHA256
073ad77e9bbecac2669ee0f10aea066d1eaab48593dbd65d8d384613811c32df

SHA512
ae84353a06df83c7895f4f3318d825c83cda120832532b67773a18f5ce7f3618aac0b237a13236747a9daf8b8b021fcf2fb4ac784f6a3d412b8c0c0e3ce8803d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b287880df305551f7a4de5af222ce6c2

SHA1
29dd87f2039328a64c6373fa260fab32ce2648cf

SHA256
918a16134078f09c6685532660ac730ed9ea3d71281e34323d1bfdba3c764543

SHA512
7755f8ff2b5015b252967131f790cdd8bd602ba8bae38f3c9c7d088869f618e0f34b2b094ce184aa85b9cc6f9a30079deb655d76560fcbe424d9e0e884ce7135

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8bf7a3a7f6aa7c83e4efd604b40ca326

SHA1
1067316ffd07e3dcb6816498befbedef754e546b

SHA256
d953ad537aa8a6d8319db25bb0177dd7ca4f5757591b863711d27033320ed856

SHA512
0a3ebe5b2f91340555f3c4e1ef24383039b67fa134fe779e605cfe3d8432a155bdd37561b879a1fc7583dab6319eb1a3c9b997e31dc9d03371a7cf73083c372b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
247e44bcb980bedda7f42887fa44fc05

SHA1
6cb54c77dfa6278ecb3cc52d0ff548394fb640c7

SHA256
3d24d8bc0f72508449d4c588e0c8334cb442310ef29e597c395e7a776e2120e6

SHA512
997691748ce2189ac56cb491ad9a3bfe34252f95b22047c6bfd507b085e9568b01f8a64ed4f550b9cb6550e8d19d8b76507825b979bf97c9b01b80952faa73de

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cf92a9830dd304f492332bddb01b7852

SHA1
8b9d7461c7c7502ba4343b2bfc647a042b9729c3

SHA256
0c73b53ab829f4fb5d7bdb2c253fe9403db2ba789179e9a040450334f1e40aac

SHA512
768ac09c9a156f93c73a9b34e679e5f7d2571358aff388b12135480998206d4651a69e1599cf8e90ee3761c9e4d78f222152a38ff832cdb80d6e5a63f1f5476d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c8a9419a4ec81c2e46429eea40d4f31d

SHA1
547eb5cf01ed3d62d7f99c3de7aca41729f8f46e

SHA256
fbcc38c117c6320840c34b143609f0c3f66b041eed59647a3eb0118fd5904aed

SHA512
5992a04aa74c5a4d34b7884a890acd784d7e19a60a9fbf6049e130f75f0141cb13eddf79ea1ae2fca8dcbd006978f145e0430b99752ef90212005c2923c5ee65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6951cf624bef16e9d55d1c49b8d47fb5

SHA1
674ac7a4d7b8bfa0892cba1936019e62b7cfe08f

SHA256
137e6710c59afbeefc4dacdb03fcbd9b6340e094708cca47160357aced98dc7d

SHA512
fd8ef3d905d92210c1555157df398288e30775ec83c03dc40dab9ab103dedcff2dcfd7e4a1154b01435b796a67a4d0e6286ba8a52a74ac643e18cb748dab34d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
06b47f1e7f1629e91b4190aec3b38423

SHA1
3d81a40448da7a29c135f7ab45404a9b33d229cf

SHA256
c7c8335d989fe753866224769a47bbd9bbbfd3cda622e4b7d32a2849212daa08

SHA512
db206dc241d55e76eb5d760d3aba664bd09c02319029db445cdac2743e30e95996c2e9484bc0f0eaf3545b47a649bdce7d1367ac6cddc008191737f3a63b51c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d32879be37fd6a1bea8462aa071304fb

SHA1
727454960387265d4e6cc7ccd826ea5e07732d6a

SHA256
0282207db75238f2a5d0dfef6d30b4d8790eec2206cf39d48a4a89de8215f322

SHA512
e06d2d0e20e27229a596bfd575003059d7fe425c9f331a1c229ac17788f52e8cf770105300ab181362fde717a938f83aafee9e73558c8d0d378403aeed8bb975

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4d95369a98c0914b82016f9b1936ee03

SHA1
0d4f65175bb0ac6c36975881fb64381f2e9eb64f

SHA256
b34c06b75d2054a7ee07a5a0963a5cee02c2df0aaa3d3f9c3e7abf5ce4742781

SHA512
ad268e7df70bef3338e5a532cd42a57c0ec87d2bc4a1efdd978ec954205ba0617cbe5e7b2fa4832d98fe81cfab88b73bb5484062a659f29d6df7f32e7c664649

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
a25525608e044076697591712215e775

SHA1
05e5f05588a7f3dde434ca350c1dfdb8e4f54167

SHA256
d5058b9b6898a114685214e55a92e377fda1f62087bce0049441ca4b77002ec8

SHA512
533163d29bb6b329359c7b46713dc6c2005eb37873087c546ebbe414b497fc06ac8c15f038bcd6f9abf644353c04a0dfc94bcfe3502627ebfb00b22d4138c227

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
80aad06a0cac9a2ddcd03f3281551083

SHA1
3c5c0227d9ed135a9975f38097c86656b7c318f8

SHA256
71c4574af697300337659e3714fa52b2b1fefa5096b630939c5df7b0d61faaa4

SHA512
1785d79cd81e405d469fe683fa64db093009d21b8f86182db0cee53cc19342b9b3682064319dcd1d1776e26847ebc3e775a1967dab18cdfa6bca37543a5601c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
fdbed6bc3717d462e70e2c08bc19bdf8

SHA1
a7d6b3db20503ac7b4e5ed264be73c1497b239ae

SHA256
da8241c8ea5e4e1688e453e1dcfd296786a342385d2ab9b22b0961ff629400f9

SHA512
90637c44c062c3bd9014e6fb5a8370d150f51c03924451c62eb903c791f7a3955857f3ffbc466c2c20ed7f07e6cddc550ba9a9d657405cb61a06bb55bec64404

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
83eb55a5c5dd177b89b5382f691c7eae

SHA1
775e01abdbb57b0e51a83c98bdae1b0fa52b8dc4

SHA256
3aa6d19d7f9c9d474a5dc77ff81d8d66dc71d32bf5201fcd3a214ff94661e548

SHA512
07c87acee43e6a1827a865a2d09471748477d5d373cfb6123b6eb536a9438bc93e2f717ccca70d611e7f8b29454db000f070218b841f67d3c6ed3740e726b084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
df5fc7525a1051ed904a29fb3ed363d4

SHA1
3c5bf0350ff9027ef10bcc36fa3f340b9d3d539c

SHA256
c4726be2c5cb0b646d333cea25236884e06947a1043d823e4afc02d91303324d

SHA512
38b7157881bb5106dd7ba3160360e579d1facf503dcba043218bb4604538dfe18aaa60afe2dceddf9411f9eed17a8f036467cf107e95391e19303f6b2a87d220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
0253e18423ee9dc216f3bd4be7d56f80

SHA1
de8dc63ad696f1c92e298125934203cee875549e

SHA256
ebdbd3a231a31ae07bea884d709cde4823e22120d180ab34ee5bf046ff9b6e5f

SHA512
95f493ab5db62c0c9e470eacce8402dece4d6e7409290af53d1575df2130ce5a94df9fc77f9aaae7a60479e997030473d0a955606b2424e9560f3b3ef9cf93c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9fb3e3707cfa5380143110f8e6f64746

SHA1
27dd6c1a25292ebb8f062bc84ae7ee266b79f6c2

SHA256
9849a914f73be35076da52458a98ab7dc19efd46001e60fdd66b3a5366152757

SHA512
293e2592a7596c6399b7b2ba7f95c89163d543d7ff83c66ec308bacf31becba7394d2400378c73e85ad888001950d912940fccc81c5f3b5e3074401398cccb67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a4557d21e5f9f31279d46470fd4aff99

SHA1
815bd9c484ce10dbf05a7cf6b419299df5537cd4

SHA256
c561b3ab1a865878f2bda2388805a755116f93d8846434820cb4236e439a2082

SHA512
a96ff67893743dd6a720d2e2a92e0f92c0016c600f15efb25d69d7a90ef63bacce32a0ec3dc24bda053bd2621fd1e90b406ba5e61759d0fc66d9fc90deeb5260

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
05ad94740e1815b6053e1941dc89bc8e

SHA1
a06f894e03d3cff3001af62ca583510a0b183c6e

SHA256
83eb73f2062432a67f8a390dff240d80212b6c6ee41b012a3e78777b3e7345ba

SHA512
ef54f2c1ba6c891ea31fb8f109b32149f520d002b171905a789f51ff89849bc8887900a743076ac8d3f5daed8cd35c86eb16b01bf75493475e7845fdfd4a6cf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
c9b6859b5b170834816a44e82f75a169

SHA1
f9927dd8994b2312a09db510b6debbe5f2e6d1d7

SHA256
e07e2b40ad750b029d6bfba3df205b20cb14d82a3746b84cdbc917af95ad91cf

SHA512
6d1506377b6ea32b09cddfaae4f55eb5e31c5675d30abaa1383fb743df7e9c99e2b5c53bef2d83a6ab412989e9330e0110ba8c93bf46e3fe2653efc29a6fc2d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
76354a40d0adf5346558a037e0d7ece2

SHA1
7c45a71d21f473d5b88b11a34924d6c7f04185c9

SHA256
3134229f6c28d18e90b6dd2bc1885a5918aba2d1ee9b673e9c332df7246f6d41

SHA512
c54ce4e49b2170ff4b516da1559112d2c6a055db77bcde2540cc5396120cc4622c21b0dbde65a731625891f18ffe05e8cf2afddf9f57fe9b91367305327d6f19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
497946b7ceb33c67033b7600314547ef

SHA1
4af7333af6f9e2457e00d1db94f69fd86b1b163c

SHA256
241236f931733e87a7448e83f292ed758b2274f572da085d12eefcbad6a5b5ca

SHA512
5b34b3d4d3256c4d3ea6d977061261cb760c417f0128da148a341c23860016f9264ec1a4f54777f7ba1d3fe955f526da2e2ecc79550f86e23860b12974c2b377

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
4f2740c4a2c994c747bdfd8e7ff95c4e

SHA1
2169d302d342204f9f1e92c09f8ef0fc2b117717

SHA256
66251242ec067d72faeed4b6745d9ea72c3495362c2340328e21b20c1cf72d68

SHA512
2bb481b5ec00c0a9fc68a276fb829e50570ef4f74f46add5a43bf78bbaab2e1968afa0fe8e20d269ad04e4f90ac02c0cb698968cd153bb98c056591251c1fd6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
bb501074e060908a422db89d0ddd888d

SHA1
a49518007ab4fb2fe371e8ee4338757bf77f5a18

SHA256
445c0c14eb333ae2bc0014bf5dcfc90b2fafec029021b79b64f979983de7ee43

SHA512
f4b223755b325c08d78aef1ec33db40b502a0f975163346a230e7da1abab5eb84e641ba16f430c849c49ba98ae54105525f07c474fe7072ba3760a45d5652887

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
a896a4ddcc3218bccb2189abd347527f

SHA1
02f4c147b5c0406b551d7c34d460c7ac3513e96f

SHA256
49aeec07e20da95bff650efe46df9d1c9baea2170aa4df98181dce19b841bcf8

SHA512
a472d8e42ad696ba2bb5dcb2c12ca30f7911977d4e04ab31cc0d6a393821a598567631da720f7d6ecbc448544520bfcb5ff97b52fa2454d96f3f0447685cfcb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
0880697bb90a9a64394116ee6be07fd1

SHA1
49047069bb3b7e26d2fb12e9341f7bfbac2ae70a

SHA256
525f83f24a9482840f30bf3e6862e951eb28a2cd6a1e847e89769503349ed88a

SHA512
7ea45521a344e308eb7532ea03d133e77345f69239afca2876537493cbacbe0dcf71788cc42290acd0aa473bef662c2bec52f7538967d52af6f4ae2b3abcebac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
2b7e3004e7d20692b89150672f36aca2

SHA1
c204e1f20c80a55698b4f6b7acd0dcc0c1a31bc5

SHA256
30d3a1a5723fc75fafce0b9f51bac736d519a6eb275d0ee8f007da77041025e9

SHA512
a66a483a8c2fd9dd3f0f90431992341f0fdef46dc9a33117bb96c6722af940c4b5cfbaab9c4d8b42ab5fe3eb1df8a5a29cd83c8bcf3ad0d82e0b137b17d36661

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
d92c695b6c3622cd10b2e03ea1268af2

SHA1
2e6760b0db3b33a6775c482d531c2cc5aa6da14f

SHA256
23dd5109a84ff79380c9b60ce02eecc16e97fe21bf23771e321568738ace9dfb

SHA512
42cb9ee3fcc2195b47299a0fa41eedb1d5bd94e5847654e0227b713b20226cac6b96b0dad105fc4901f9b1611e8d36da25eb4b422ff455efbf7057c3f2534f7d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9eb5855024de31dcedda48ef99073ad2

SHA1
3ddf7aa87eb15c76bcd61bfda61cff3f220c89e3

SHA256
cee0a8ab7578930470c883c8126ab7c09f7361f7bbe1c389b4849bdf5678555b

SHA512
cbe451c11d6e5064143cd6b9b37468e191ba4bcdd74d8aedc22323788b9908d24e076e7cf90b577b5c72079c79ce7083cfd25169e2f12a4c39a18659a94f3a8a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a67db46bd85617ebfa23ca6a7292dc54

SHA1
409ffcc32c1d1a0fc03197d03255767f10cfa705

SHA256
64c4114aca5ce372bff021bd12774e3cf15bd19d0681a1606a36a51babeb945f

SHA512
05a5d2ababfce26828a8a23c1f738595bd1f5283c6bc9f67394822f6bf2c5f26d8c29ad47c6667a46005e9395cb989bdfd7d1d4a9e7f9f00842ebef2d22001b3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1795288fae5d20e4037b2c8048371577

SHA1
2f5c130d89b362f9c9b7c913a2d58a6c2f6343ba

SHA256
f6bcacae914633ac4dcfc0f1a0b953719cb0696c4ff03abc92e9080ed61f0314

SHA512
0f2ca16c7db78d2d288a0c42b3862203b9dc673ef383bc2f0ebf91c9c25a0082f42c62d26bd1ea17e3c8fda43f51d88b98ffe3936f97f689c533f080ed385dca

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
b652830d28506352e55b15b17cc96d06

SHA1
91e67cc984c5d04e81a5478d363111833806b5a7

SHA256
706165082bcadf0303495e81bb850543401e7de0a191d3e8506e6600b329999c

SHA512
9ac61a9dff9b331f93a4fcb1c75f6892117c4b0cf4dcf170c9f88607537882cb758669da950186ac76975902308b896fc7d2b23bf906329300ce1f3c595adcf2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9a63c69138f66ced29f60205aff3967b

SHA1
13f314cc2c5b9d9031b9986084ce0d24b2d5b208

SHA256
ff4230cdbd78c06d95466674c26ad658095d6910ee1d6b2e00551e2b21cf1486

SHA512
6eedb8a65657a6d7bf1f9638a34fda69771e9219b47f89fa3ca1a977bc601f23480effda06bf5426a3b5ec6283dcee2a5bc2ce8d7ec4ac14740e1771c1c2a3da

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
579443ea63e0cd5028c3c73e39c31e34

SHA1
986883feb0e9c9dfc702e75c37441a948d996dad

SHA256
f0bbb36e7b4910c99a1d6238c5b9d0c97c716e1ee0c4b70c066ab01a7bb7d8c9

SHA512
ae9353f886a5cf2d0ef199051beaac0e977b50986b4e0049619ca04076b5ad089e6ecbe9e7cbd18ba9412dce0c8fb37a82efae4059b54bbbe79a6552d6112b77

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
302ae5b2b0ee955b232f17443d870273

SHA1
ff32295c8cebde4a9c2d9c56db9f9e39fa1d13e5

SHA256
574154b6d3e7e6e915b15bb7d9b35c5bafac7a53a4f2de5ae9dd15821e2075ae

SHA512
8a9981c597f712f3713e8998a3cda04f41e7f506b891a61b695db55575655f67d1a6715088a19b69f9f36d892dd981948ffd016e1a80d333819e0bae8f807a33

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c018096cb0962977b5d75b90d14369ba

SHA1
ed124dae7d148996147059646ee1acae153e23a3

SHA256
2309a1eb2cdc04489b2acc0f1ca95ccd71373cce323cc493546000ca98d9644e

SHA512
36e167bd2c5b133f19628ca586e16fe81c3dbf9cf443c595ba3b49e76a6390b6febe7bde54d43855074a00f535fbfa671db51714841ae5ec092a0c9f2c6a01fa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
22718ed2769d51ebf7c4a0f2e0c89a0d

SHA1
f6e101d2b63111f06bca41e529d145959921341e

SHA256
74091eaf02f3995db88264e2d1eea23eb8710de7eff37e577c6e64b5eb950a40

SHA512
21386eca1d889e4b39d8275241ae933c0e32ad31982b16ac2b6f1c30c771df4719432eae4f52c43db19446c4fb82677190883f92bec82383bcb83c31c0298657

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
699d2a5b1fe0055f20ab208efdcc7554

SHA1
10d0075e2d55935020cc8ca3b2ec5681f0b53344

SHA256
d495dc709a86b5d0c3d24aa514becd2b0fb2a5c6d1955664b9f6752fc6268005

SHA512
6fe365704d5956cb984f931fe1c91c6bdbb10532d72e87040759878c4a4b7055d1389c585c5716107afc6362e1bd011b3bdc1c9f7d87e326b2cf36d9b0162e09

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ba0fa4ce30ad2b62669c0dd9cdc62999

SHA1
f74c85b37507cd427f1ef9da139cef6248206dc1

SHA256
32f32e95c7c2d945695839ae97cdd4ee80fb5eda370b534c3f56f9ece12f3486

SHA512
bdd582022c457331dd2cdf38b0855ec5dd06e820390760387eb0c18da629f19bce305ddce09dcc958de66f680022ead5e6a598aa757db95f675261ac27476d65

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1aa5406bd3a91d95884fc25b376ed45e

SHA1
f3491f751ed30fc6011b5b6f475202300edb807f

SHA256
6a5caefd32010223a12c8bc52764657d71813b58808b9dd321c92f549bf3e223

SHA512
bb981362ae8a05f36e8c733f8244b336b674a6a9d1f7dd65f887038a9bc1740906f5162de0a885c40948d6ed21e26b5f5baae8f7ed02dffe48f72bf053c4f247

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a5b9ca54a620ff9d5635cea0a27afee2

SHA1
da3584219aa17a444b852a83524eb89eb4069e0a

SHA256
87b6d61e09ae9bbb3bd98344b3a073ff197634eb65046565255159542e60fe83

SHA512
c8221c5382b559530c5460bd8c22e5b5b1f2e1f553236bd8d5446d0aa1dd426c402280db2aea8518efe893e7f87fb29ac0bdaf62132835d71eee17223e0eba71

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
3211d91d7dd65bdfa8839456990cd4dd

SHA1
edb69c0c916912ed2f4bd98b8d503ac45659790d

SHA256
2ae937a216014fb4ca0d3f01255ef639c66755ea9347e6e6a010731d7c514240

SHA512
69c04b01c536a6746b00cb6e58cb6bf0c315abac44cdff7a991bf2c4732b4bedaca00c6bc993bea7c77806ac5fbf88c6ab7ef12c549f2976e86c62cdc4a9989e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
06b464a9d4718dd6ce49c96cd0e3be86

SHA1
088835c32c96fd98bcc8ab271a026e7d49f5338d

SHA256
a1d6f3072a254742e38289421ce343214e466a29cc857ebca0bc5c5d010e13e6

SHA512
e4c50c6d786d6b5867a545a3bb31890b555db09896241091d423c663588fe9f91b26f6740c062c2207071eee4d90f7f59783477a30f12123f227df3d3260cce8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
91d7ece25f3847bab776ef35c359dbed

SHA1
aa9ea79a0d143fd5e549b72d152d86a27a328236

SHA256
d76a1c4d008a0fd82f31936eb4885a61a5d9ea807d15739ece154618aae5cf89

SHA512
020933ee021fb358aebcf636bee9aea3a4a41f9c1e66364af516f6e1cb83bf763ce476cba6ec8e6014ff30b7a3663a9f1e4e45e95ceb97c738620286626ef0ff

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
640c9c5cf89bc2f2cb23aff8f0d211b7

SHA1
11ad36cb6e6c16c595bec06324ab241e28f86695

SHA256
bf7bc3857e88642aaa99e96b9623c5780af384ba5fd5dd481983b8414a651a7f

SHA512
b5bbd34da365c911a0d73f6e19bbd1bc803a093b0127c0c95f6cfd541c473dc6ac53dcec9f031d8f52a57f64e21832d6c304168d8c9bc0c69964f7718a9b6d1e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
1e2dd7a9648929836e8b7bbb433fd4c1

SHA1
dddd1676dcb7351739a57f40603ef4a57e725ab4

SHA256
42aa6fcedb52d021926442cdb76f932cc116380b3fffba6ebc533a2323f40aaf

SHA512
7f3d3c5d11b1b7367492f392a302755b9832e81fd8a4e24d84a12e2cee0afa45209017a6db29e2c268d5ec1795126c0bc672ab5c7434ef27496f5f343768ea2a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a6e58cc49a6ba7554998a368a4a3d394

SHA1
aa6f59f82cde880a027be0be2a86465a68cde846

SHA256
a8f321f151814d6ff020eacab58ddbfc69b51f29a53f3d0cac8097f97ae2c1fb

SHA512
d104b64526044342a9ed6345c789e56ca646a9a0599d955ac4f1e20d005fb7538bd433c77d362e45fbadce86c1b339ea19c7bb115d2088b9ad04fef497aff951

Download Submit
memory/756-401-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/756-285-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/876-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/876-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1172-389-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1172-268-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1408-251-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1408-245-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1408-253-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1480-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1480-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1480-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1480-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-432-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1948-650-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1960-51-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1960-76-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1960-75-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1960-60-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1960-52-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/2216-28-0x00000000009A0000-0x0000000000A00000-memory.dmp

Filesize
384KB

Download
memory/2216-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2216-37-0x00000000009A0000-0x0000000000A00000-memory.dmp

Filesize
384KB

Download
memory/2216-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2684-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2684-648-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2968-425-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2968-307-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3148-422-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3148-649-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3180-647-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3180-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3576-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3576-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3576-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3660-64-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3660-70-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3660-240-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3660-74-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3688-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3688-639-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3952-297-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3952-413-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3972-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3972-257-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/3972-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4024-361-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4024-643-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4176-336-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4176-638-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4228-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4228-652-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4292-24-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4292-23-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4292-235-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4292-15-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4864-644-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4864-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4932-1-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4932-7-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4932-11-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4932-14-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4932-0-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download