d85c6adf9b6ab8750c42bfb3882ddb5de07286414ef878daf9db48c21c9cdda4

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_e21ca12440c541c3379b5c42d1e3f1d3_ryuk.exe
Size

1.6MB
MD5

e21ca12440c541c3379b5c42d1e3f1d3
SHA1

9fd2fd3703c8b571fc285724f0e2dcfd1295fe95
SHA256

d85c6adf9b6ab8750c42bfb3882ddb5de07286414ef878daf9db48c21c9cdda4
SHA512

1cfbf472292696dd3a5d508e50e0c117bfabab48b527c1b7282f382d2670a9c10d77318c033fe20f5c6a814da723a2c58c881218480ad51085a0a460ee9ef7dd
SSDEEP

24576:X6V64C/AyqGizWCaFbyFSkQ/7Gb8NLEbeZ:X6c6GizWCaFb9kQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3920	alg.exe
3432	elevation_service.exe
1152	elevation_service.exe
756	maintenanceservice.exe
1464	OSE.EXE
4536	DiagnosticsHub.StandardCollector.Service.exe
1428	fxssvc.exe
3280	msdtc.exe
968	PerceptionSimulationService.exe
2148	perfhost.exe
3104	locator.exe
732	SensorDataService.exe
2476	snmptrap.exe
1980	spectrum.exe
4516	ssh-agent.exe
4568	TieringEngineService.exe
4072	AgentService.exe
3096	vds.exe
2836	vssvc.exe
5000	wbengine.exe
2284	WmiApSrv.exe
3668	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b55ff61bc9b3195.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_e21ca12440c541c3379b5c42d1e3f1d3_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CABD5C61-B299-446E-8273-0F06174CB008}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee38ca6860ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5e6726760ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086234f6760ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a485516760ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d834816760ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006edb6a6860ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c745b36760ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3432	elevation_service.exe
3432	elevation_service.exe
3432	elevation_service.exe
3432	elevation_service.exe
3432	elevation_service.exe
3432	elevation_service.exe
3432	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3088	2024-07-04_e21ca12440c541c3379b5c42d1e3f1d3_ryuk.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeTakeOwnershipPrivilege	3432	elevation_service.exe
Token: SeAuditPrivilege	1428	fxssvc.exe
Token: SeRestorePrivilege	4568	TieringEngineService.exe
Token: SeManageVolumePrivilege	4568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4072	AgentService.exe
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe
Token: SeBackupPrivilege	5000	wbengine.exe
Token: SeRestorePrivilege	5000	wbengine.exe
Token: SeSecurityPrivilege	5000	wbengine.exe
Token: 33	3668	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeDebugPrivilege	3432	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4496	3668	SearchIndexer.exe	112
PID 3668 wrote to memory of 4496	3668	SearchIndexer.exe	112
PID 3668 wrote to memory of 2304	3668	SearchIndexer.exe	113
PID 3668 wrote to memory of 2304	3668	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_e21ca12440c541c3379b5c42d1e3f1d3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_e21ca12440c541c3379b5c42d1e3f1d3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3280

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1980

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3604

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4496
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fbd6df94ab287efd989fc70a24162b8d

SHA1
b14cce85b80ee1c37f83c0ad16442ff0f41e03cf

SHA256
9c3eb3f823d5db3099b94d41a6ed57f295e1eca52af4a340b6f16c10039a5e3c

SHA512
e06d15c4ceb1cb3807ec6d8a424b84eaead0684cd45e97fd3071ba68de399d2729f0dad910e8a68a1fa015293d32249241fed09556257380676162674ec403dd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d244abdc2dd77fba89aaa003de3e293e

SHA1
68611c730963fbd71d6a8760bb3745722f93c7c2

SHA256
0c158d1b45a269b29fb0b46898e9967c279e1ce1877fe60457ddde4910764507

SHA512
e8194e7c0fe2a68c7ca529b4cd619e139c8a2be2f74371d1c8d0dbfbd16ee048f5e16b713f150793f848898b6120b84d64fea74a10fd9d95878e3f94d28929bc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
35c4f060a5d23ada2dd45338e9517e4c

SHA1
516c037791f853a767b26a763f04fbcbb89cf02a

SHA256
e17e51c956cf8c400cc812420952aa6cfaf9d25dbec238b388405f3520efa0ab

SHA512
1cd2fe874e5e2dc7bd805bc9c00e6e3e55876bca4c7064adcd12273838c6d4305996567103576c5abc2846f2c815a692aa166fa8d2b3820068fefc7fdd954061

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
36ec63b7b2c3eaabe63b705212f0ad34

SHA1
93eaf42037bec678f0475c0690355f5bf302fe24

SHA256
4f1557e67c8d260f13eebb19a211fd92f046fc72f8103e7e6dc72ce71890d73d

SHA512
f3f8ef5ae6489e300cdecb3cfab87119ba202ca0a5bf08c9578fab1eafa714cb048db6cff72bd8b309063c1596c24f5c51afa3828b254fbe9b8f6f7d9eac9fd7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0b5d36b42d4c9c2015c36eb69807811f

SHA1
cb180b4c66a9f4b8e3a8e453035650a9db1a6237

SHA256
a32e5356a737366269d38cb039bb21fec30175c1e07bd9337d8e8622f20dd199

SHA512
534b818094adc2748677ad3f099bb14567cde646067c0a1062279cba47818c8231214ae946f8905d89cfad5ba7d5b8bb4c98bb6f23180fb83d7a82ac91471010

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8d817e1b1d5a7b5338fb95f49553491f

SHA1
b1b85ebf183aacac6d2bfddf889d04cdb542ed3a

SHA256
e5e846c9bb775a5df073b16fce55db80c13e5124b26c03a3adf3cc509546814d

SHA512
cb3f5a43bf7a30090321cfb7275c79f979becfd941ee3d5c62ab20881ed1ef46fc375e5a496481b031749d8343c8203b6df6beeb634a1137a88d98f3cade4595

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
fa9c09c66ba36f0d0d16f578e8669cdc

SHA1
644a82535eb69e19345aee06e7b0d59eec26c0ec

SHA256
1ce81aa3998550a43f86cf20ff18e8d17db1c2443d7d615fe07d415d7c67094c

SHA512
f4ed0a1ba74c349f5c255c7b81c1a7c511dc4f5349a19718f31a85484e85c88bd72418ee27398320baef387df084ae6f021c6a315e1efaad46f8d3cd956d6142

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0a45f93ce2bc7abc375d78286469a162

SHA1
7e8df7818cd88587402c315bce4a5240dee1f2fb

SHA256
8098e3af8ce95c776c234a50ed6b87850d8d3f63b3759238bf61848d290b7040

SHA512
b87d96a4964f54902143ec17639e621ea375a004198dc0bb80ae8bb30fe11eace4dde4f962798beb286f55a36aeec26ec25b17dd049404cefc46d4361d1f4912

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9bf13f821ad5eb74b2eeb4547216b291

SHA1
fc90bd168c837d0f73ac6eda90e5e5a8578cb661

SHA256
2aeba39d1006e221a6fb38ae0898217a5cdb1acddad1b32c6d5de39709d0de94

SHA512
e3c0a5364de30fa2e89eb9a2409fda13341e7040aea05bb4c25a1783878547e82800ae5fba7f4dcbedb47f9f965c93f53930c310695d24426a58856f1069ceb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3dfceb04663f136c3649fc3017997a75

SHA1
25f1d4d1613ec997760446f1df8db61487be9925

SHA256
adea8b8d26f4c326fc2c85a872f71b2d93a197af897865a4443baafbdaedd149

SHA512
afe17182e682b9c0d86bb940a55f6d740093406d2b6fbc3e173f766cdc5faf3b9da4c7080f79cd703ea738008db7dd813c9219c8bdcb0428e649bee90b54ef3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2cf439441251b75d6d37023ba6ba5ad5

SHA1
0761a695ef938b6ba01b580095e2c71c48c522a7

SHA256
62ce6e4794773e03c75578932e288bfc731b87314a741e910b26f6d29b36334e

SHA512
339279d60d5a33b4f3b42bae692458dbee7d32be67dbe980a43c1be2736c3d1b1247a7f04a15035c21af060142f6e7a51508463c746154e19c6f7c7b395b1b82

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d417a2bbc15242d60c891bd751371256

SHA1
d5f4bae11edc65f80a74fa7250f096a5bc407d3a

SHA256
a3865a9d3a302033dc67187f79ca9aad5ab04bf3323ce5f51137c179d01b62e9

SHA512
d3567985c37e5dd0100166d146ee7b9fc8925a132c17a83ddf2fbbee1eae51147aaea2d8faef8d7a8689916fc41367327616493acedc02462eb1896c7bf8501c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b9eba2c64c843857faad4de45da56afe

SHA1
274bba56b0305d82c2a662588870b604bea73d39

SHA256
baf806ce3726f3bc72f9a5cd8f22194500df8d99e0b46a216165c7af7f844ecd

SHA512
1fee816c6b9e88aa9874b6910413eb5af059117dd050fef7ec712ef1d3effa9b9f42215f35cbca2f814344d4e90f2255eb6f2852a24c6edae98acf147c1c1189

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
b7dcc23766cd204a3d4cbd45f4352387

SHA1
54b10ec8390e631306fba446821b9607fbc97bb0

SHA256
9a3b173a4854b6daee6c70bb2e9744aa22a02395240ae6871d5730cf43b7f8fe

SHA512
9a1e1ab902aa4c1786b451c3e312ed541cae8f1e2a1db2eb7ddd54a8a770de36a10cc31dbdee03bdb5a8f2c35ed7e68b0831f61c6adce2e9899176be31702a79

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
af4bf0ffae10d76fb8b90b89091c0f4a

SHA1
19c67478ea1ddbd7bc5098fe186c41442a287010

SHA256
8fc98f0fea05a1918c7cfb5de4c890924eb9b7f2caf90383aac9d3f776abce6c

SHA512
5835746cf18d5f3dcf4adce9275f32dbd5e5823771e4dc5735d3e2fd8fadb273a816b4bd9b355f6c31f0afedbac01e1f8cb8a4b05739b909126461dc1fc5f6ad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
caced073b16ad681bf5e73282aad4c33

SHA1
543cfef0307c85cedf54afdb1cc43bc533041b87

SHA256
0d1dc76bb33d339af193669c071b1c3da4b6619e99b79596df74d481eede1d5c

SHA512
5ee5e30b7a61014cd3b1c80a2f747e3294ed743146c0481b2ba29c91936efcadc72869ae68d250992202685bdde56eed1e0f2ab8af508c1239b3d80a8fd62f24

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bb844e658d159c4e7dbd261916e0b03b

SHA1
f8496c5adfae938d0cea07b44202c14e1c492df2

SHA256
6d57360a19f258e6e07fe0412f23242ad1460832ce69b1845e25396b67829ee2

SHA512
59f0c4c67f28e6c9f533bd97123309187172ecb1e36c47625c2fe0e7a7575dc19919fbe9c0294c903550cdac6c4a696db6b9a9d968b3b8a2d5f4b98890cb0a7a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3b26a85cc90d6fd0bab516b2f067e8cd

SHA1
18e7829a41f159763c0456d31904dd0959394420

SHA256
2e8a41f7facd5df6f36189ff8687e4e8cba8caecfdb42241ad7919b402b90818

SHA512
6106abe0d7306015925dec14e36c1c8183e317a3de8306d8c7d29718448b9f90828dbb86db352808ac8104b6316b67e68c737d17f57176845f363ea9a899172c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
03dc74db9f1457d554703af18ff457fd

SHA1
ed67a9e0d75e7dea25bbb8ffe9414779c18e4520

SHA256
3fbdbd4bc9a3f69f431c6ba9087da5a8bca98116643c4e9ab0b053710909c591

SHA512
425e03bfe3092c60770d80ac23aef2f4363b7b78dd8aee1f2fa96923e3ee215c5c51893502f1b1f0028c3b2fa8a86fa7b2987513f7916097914d098b8ed9c990

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cf2edb6c5ca7904f9e7e1186f236d9a7

SHA1
2650ccdefddc59620c3078224fdea4164fbe03eb

SHA256
a288f1c7f5c420877e1e24c4a4e1c7b41768b325caaa1cba3cc0aff8472436b2

SHA512
010d7c9ba12bbbd3c9da9bc4fb4613f7b4eeb640c2a71ee78de6de7809918695cf38e507c0a95602e364761868db451934bcb44159980c07e7cb141286672cb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
efe120b9f43797b87d9cc2296d145443

SHA1
8810903a699e8bc470bd4e46624683537175b57c

SHA256
e1cb772dd21cc1aa21b652427e7a3ce7d182e3aedc5de3152ce6d871c99884c8

SHA512
e40ced855172ad865d7c597cab87606af850119737a3286882423d7baf0dffd5f7f96feacb74806d75b5f8ae0b65bf8fec12240d82a391e5dbdd361c0979a982

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8ed6ee46e30c7f705497a9ec5ef511ef

SHA1
433f94b4c3a626e99cecacd40e8763cec18a9dc7

SHA256
3d8940311fe6f0272862a2a09345315c9536773d0ff27769d66dc223b756eb41

SHA512
7d67dcfd526f75f2ab456491aa88a76b1b969e0bb5c7f7f3d2d00303f61b2e501f98a7dfa32869223da1c4866d175ef36acfee5cbad0a48b3cceb40f24099450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2f797b4598aa0b998a4e6f3f5dbaf535

SHA1
df19419ea8fa3faf27cb482ff67bfe9231a5ce90

SHA256
afd3bf61a414b487cb1c474025c28dac2f4ef6ae5ed8f1880ff18de0c7993bff

SHA512
fdb686cf44eb8e6d4a71914d5a3def13f0026b2f54926cf66b7b6b6ea6671360a47537c6f8c7e00ca9ba8656c3609f87abb6efb9226e163435232f6ee4095ca5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
93db345fd3140959b2c4c3b57c2124b0

SHA1
8639b824a146603254db20b7147e2aebdcbfccde

SHA256
d508c90f8cb0d886059e74aed61623a6ba6b42a723923b17a04f9e0581ada1cf

SHA512
72f9e9163dc3110592c5150ad22ba2645bcc872b654cdd523b95f8a23885ffa0e10a60ddae28f539a8c915d37a8af4a5a006bf8d0e513cbd43d6a244014667a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
88092d1750433eed9c5fde85ffd5424f

SHA1
b3b25dceb26e4a9316c9a0213a2aed7ab5139cb6

SHA256
dfba030670d825f19c86beba13010e0f2a50e57c4db6e270d7a3a094024423b6

SHA512
dc99c11ad96b62bc363b23d215932ff763ced145e4dab83c5c8f0a6a21132db4a72d5b81abf8d6af4930a7b6eda7e111774f07faab53797c9a8c8e304edc2f48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f3ce662845dd612cafaeb1e7c2943c65

SHA1
e675591f03c529337ebd783743965ead4b802be9

SHA256
9e03d0537dbc62fcd700055c7566067ba35b68a122c9d90c14f9f9e716f20e9f

SHA512
3167b95fa73975c753d0774f5c85e18566f0ec19eef5bc41e432a5da94d4cf1bcf65a0c25993e8330a0c0e07bfcf8c8d28930f812e0ec7afbc2455cfa3853907

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
0e860ef23315f42792e4d7f6680cb463

SHA1
554b60ed43e9863b19d7d37f822170630f9998c8

SHA256
7cbfcced6cea768eaa1b6e5bf6cf9d3cc9b0db26223fd293c8c694435d3d9814

SHA512
8163048d39452940e62c82e49fc6c5babf75b5a16d2a8cd417ce5428c1b237cfd992105b31dc1082e05d58095e71047ccdb617091adc6fa797ccba34b5b94e77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6f911ad1488e7a4d60239ef2ba836197

SHA1
72a44d98a4de9b6e1d8c4e11c43670dd9b3a9b59

SHA256
26a665c8cc95ca2f4115aa12617e2041c5fe72c029823eeab215b2e03ea9a7bc

SHA512
195f527ecc7f566438cdc064195687b90469593fa5362e3d9c66604893ec48ec1be8488d0604a853395eba5b466f0280f2307cf6ee9583d6c65e39b9da321b22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
04ff29ba39102be7f53a7a2991ba95f7

SHA1
eda6e01d7748d57f56f22d2cc35f51a281293881

SHA256
9f44abc1f522bc3ac2dea9b6966407290081d4a6711d8771fd63383a4f3b4a7e

SHA512
ac4013f9a65cac6a75348f50b246b8f9a056bda46f99d81afebcc08bfd7ea5d791330ee8fa7ac66136e8f10af7158626c949df209b33c1a82c0f36cccafce417

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
345b97e1ea0eae4ca52bf7b72e66cdc2

SHA1
1f4002791a54f2bdd1d44e012a26403649f56311

SHA256
87756b0f011a1d9586e69a0db2aec61ed6fbdc7a6e4e71abda99f73beb94577c

SHA512
8fea707d3e8a1b5e6c5873bbfeab81ed76a6bbe6695bdbbae0cb033a020e6733cb4baad531dbff2716e8d5dbc79b7a63521c844531238ddecbec60dd62c7e9c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8b0da483ff38d3e292d616cf4f57b272

SHA1
cd1b19fc0d3e68541f363092e82d35549a4f5720

SHA256
48c24a077e56b397750eb781ee2ee3e903fda314d4ba8eaefbc0878d43f67cb0

SHA512
39441bc933bef7104859771520e5e881c6f7268ab26d7863ac7546c24f01118bb472eb089da1b7f2d35235ae1f1c68ba951368729a02d3f141906fb7f8e9ec9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3925e799adaed66dfee8e96dfce487ae

SHA1
0ff38c2aa6576a9a615e152ab89b4c545f38989d

SHA256
10e42ea624691244cae6ae4960674c2cdb9567e6637f43d167812812275e3017

SHA512
501d4e28cc6d91209934c60d2d32ece64ea7ceb375883c420837e9944f0e040e9a7ec54668ef0c779a305f698140887f2178a99b58388389f1d4920f7df44e24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3f4086eb2b4ba1979315fe935f028a7b

SHA1
774a6ed8534f98cad94fd94538d7d966d2ad6c7e

SHA256
3fe841fd73d0baf17366afd1621298e8181fe80b591ad8fb20f942d8215de1f6

SHA512
f6f1869267c7be4a9f5fb2b3be554534d31761e84593cedddb6f6d7adbb6feed76647560933a234f92e9f844fdc41f5fae4adb15fd95144d9a29bb6ef3f2370e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6f036166731409b6bd2c6d457ac13bb9

SHA1
234a379f596e0dff56c2b8e4d27d42cff5b438aa

SHA256
36df775f64fc1d01c675fd7a58decf0ca4549ef9845036e90ddf155d1c072939

SHA512
540b393378385333f0c54ed41a1dec32b8adab6ef48ef6ae3ec31fa3f959176d30491ca0472f7578f3ec6abea98b0b084ab858826a71041b928b074737cac600

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
95af8f645a7c592610dfdec94307db89

SHA1
3c23758faf188120536a496957ec9e86db863a6b

SHA256
4db1bc7dd49f098b9d83251b5acead025a53e3bbb4d2125a344d431081142b43

SHA512
9161c75af9ed07ecc1c450a852d86f43c87c4ce3596a29c823ecdff94cd5e85af95c19b0c690a70f424d8f29fc6a6f25bdf38fbabcaf21a2d9b67edbddb54055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
99e94d6ded9e606dcf9c3ba66c4eb190

SHA1
72a3a94fbb73a2718d491ffb93fe6fbf21ede828

SHA256
0cb855d0e42156c12c6fd9822a8306092cdd316c0a95b0645ba9bc6fc49449e5

SHA512
769bf380caa1f755ef74bb6dc392f75b3b71ec72208e0413404d7614dbe8d524aca7277f917dfc576c8eaf4cb2d620a9cb09bc24878e5d87a5e9b01eb36ef3e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
cc08eeed8d2b0be5cdf00af8161c6aea

SHA1
49c257bd586613cf915b5a826462e08bc6c3c43e

SHA256
929b12a50b063fd3e601c50b721c071cf0639089b8ca811af8da0ea95c3f46a0

SHA512
fb2477435c2eafdab5f0233865a978f5e6ca6716ace32f6009605be730f7bfefac11983805781e3ddc32fb5579c73be1b0367f24ac2f68c32d2fc26b9e4e028c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
f362dbea56fa1b7fcf5a9e0159752b5a

SHA1
910a65e6f9356b6b870347af10498781e3f9b43c

SHA256
df3cfb21a6536c28db6e505b8720c92cc76b852a4215bab215a20196c29f9f65

SHA512
cb351c486ff3810bf819c3a5ffd0bb6a21f98a77143208a0f60f5c8fb016912a7f4b06b4ef59cc9568e1caa9f2374d01033908add7be4d88075852cfbbedc4c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
adb6af20a5088af35ecb76d532203c18

SHA1
1213780b4f37726a6378b1b507f57d62e3e409a5

SHA256
ea994f4bce9346af385818da4df14731a84a399f31a7da8eba5a978f31ff6c97

SHA512
bc9682e50ffc6b0ae7c5b78f9c7d02053427864c6387590d73a60960c5718b33547c0428959231ab7cea7d80f07df5aec598924bbc48531a98c356f4bea89ff0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
799f77f1226de80a866f9fcbb853757f

SHA1
682b17f272ac45b8ee8b614785d2ed6c3620438d

SHA256
88ed07cfde7c63f7bd538610892b4c10b8dc99bb4fc6eec076dbd238f614ea5a

SHA512
82dcc3722639e1216913bc277c97a33f9afae3631fe658b332312bee8e630a003eb8abb2662cac61c3bdbc6015cc6861fbb1db80acda2903ba7b19ff1946220d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
5a538c26fcfa15c45e14cd5f2dfe392e

SHA1
77835108b1c5ab9e0b7754a77ce10390abc4b937

SHA256
7f6539a1697633b00aab08625740a8cc95f3a1db23f65183cf2e0f2cdff646a8

SHA512
5d0a31a6069cab38a01c90dae1bf09c5c598e1f86c9502edb887ee83fab39f493390f53264a26d5762919b576f568d657f783e4ce23352f661dbd2e5554f3f01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
59eb28e044b090f69359ea8169994c56

SHA1
90c59f24989f629faea9533e3a1591f75f02746a

SHA256
ec7a26dffdda8e9f42d614b49eb35684dcbe47dca31c5b1d129d857c55941677

SHA512
cc5080ef55ecaf7efb100f23a2cf7ee3ac91acdad926ad55b61b0df3fa58fc9548ee909492180ee5bc78fdac1ad2f204fd20291ef4e72e6a87465aa4e6a2612d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
4f85dbeeb98785df6a19638e9c18bcb6

SHA1
1e79d26bf6960202e466900e84c66eef406af6f6

SHA256
ed90270037d2f4490f2057b5e64041a184e9bba2f25e04704276dbcf0237d343

SHA512
dd756ecedb5d59649f97d6bb73ed67bbbf7456758fc09507d63b134478245c06bca4776b69dba414f9de6c358bd2ac2654c2e9b8240400c64241db2039367f97

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9fce0efa167d17db9c4cf1eccf2ebf62

SHA1
bb0e48c410de2bfc5d50191a5bda11b8fe6ea232

SHA256
47124fcfa8008f91b96d0442af979a4c8d0bb159d398ad94012893362c0ffee9

SHA512
a55d079b0bfafe54d3e2ab73526d0eaa12f42baa6cf4dbdd93505b7323d6c407fb285d2911f63648de9815d904062b9554e1697319917c62ea14b7d036c783ba

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
58bb0b67af3ff96bc11ec3026ae7aec6

SHA1
c16109ac23a8e3178dda37911633d5e354ff3c6c

SHA256
fa10b6061f80faace7aaac33e0dc7114d3b5bd725f8787d72120700f905bbbca

SHA512
65375b51e7de480ca1c821a0b8ffa5278874109bbf508879809ad64dabb30d69c4c68ac7299e753036cae9be1dbc68b7fc25928f1800d415b1ee66a2253442eb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
619db3f149048dc938a95e26851adb2d

SHA1
3afac9f1bf00d98a736ff2b75555b18f38e652a2

SHA256
4568584a64ad28184bd670b96af7affded50c04b211477f9f99bd82f6e1e291c

SHA512
b377241e22e8e98baf0765905d7b36aa7e51fc607dc8b1fd0cf1b3fed41024d4761e01b5bbc7b79daff37275b26ffbcefe8ca282a8db75d8c4a5396e58260a30

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
9cc623e694ab87a5947120a786e93269

SHA1
0f2ec7add77f3bb5ed9a8f7c2f088f5ca656ee38

SHA256
2e10535fe63f2813ef62d161031709d375d15ccd39e225b5f7d5115ecddcaa8d

SHA512
2259b9d348b2b56f602e493bb3ce61f80c82c8bb11fb61dd0ed2ef26bead1f044bed2a2f041eed1313bd79602d71315d5938281c56e00759f06793b68570468c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
919609309ed79a579382c812e36eb940

SHA1
e351c4264dc00459a72881edc0b5a230454f28bf

SHA256
e3e8eb2db138a6c2443940306fd110a53a8589ea2374b2acb80b4fcd4e9c4fa7

SHA512
8a0c64a17389aeeca75ebbdbf4cb0148c94bcd54909dfd9cb61e9cef39d5e0d07e454cd5c80d1fc46f5edd2a83b1a77b3ab6d534012b203859de7b346514539b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d793d94c5b447e77a23483c786ddc95b

SHA1
0f894b87a2d8497e0424815329b3d80efdea3538

SHA256
0d4c792964cc77464473ce5e93c4a7058fa8ab51fcc62d517bf0805d02f2ff43

SHA512
8142ca1e42b2baf5713b4266bb303e4573020cded80c21da09e10c0c567930c3fe0252cc60403769ec628ba7ae885bbdfb3449fb61a4137d2632bdbc3fac38b3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
4f7271739d2a55aa2f8c28109337a969

SHA1
384a6160f2c1add5bf7994cc2de5befeb5d11dac

SHA256
4d10ca649cfdb4a6548d0de396b063b92490d4c917c184d2b828610576839a77

SHA512
1ac5c39dce15a7b1e1eccd2d0fbd8e6ea0cd4435d351aa1a72f8cd515896e0d9fdc18e0f896539ff0c0759fa5b8a2889349e972d2584441d923941ef8b438942

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
3a0969f714e18f1e8b8f8ed6a30dbc49

SHA1
453781fbcb628b0ea492656acf5393de817c04de

SHA256
5c44fc43fb748b7f2ad926cb197ce058b11aff9261e3d74bf369a9ccd7595c5b

SHA512
becb5507104fa9b08a4f6d176a5b7ca83edc874e07c7cfc11d0f43b112ef5b7621b938ef1803f6e72524c53cca4654012d036b731fde128ef16125cd575f0f89

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
629c7012b13272de7c60e699afca7a6c

SHA1
3c7657433e5b1f9957f81d782c52efdec9f6f9e1

SHA256
e425bf107f0273889cfa56cf557df9e3f70655d17d37c8e11f20ca06f8fdf225

SHA512
0c25d0e9dfb0de8a65f26f75ad25e39aea1c09519de05f40d746831da6bcfd896e6dbf83ce4234c50db59c874f66dd3b7b69788909f05ea86f2efb47f0d94f68

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8eb5120cde967012594c310cd5b1d92c

SHA1
ddc7c77226348a4e52ce3d6b391cdacb2b023533

SHA256
f6b9c6604fad2ee890e8c73e4d1d07cfa81afa4ebe0d11744c3d92c00c211c36

SHA512
349b7695716c9090e2e9ca08fd8927f088052e621af9e4cb5ddcf2c3fc26906af0aa89059f2e0ed0d51829049626c76edf2aeab476b8e924c7a03eb4d00627ec

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8a60f5b8b123e880c10cda23f8b14773

SHA1
06a8fab622ce00563ce9c9e9773343b15a43af95

SHA256
d914b292953de5b707289530202bdb0a007888bdde3119b0585fdd4e7a65cff9

SHA512
9537510ae6e77a8ef56d01171eeb9377584d2f1deab527199b278089187dc78fc5312e33189b03e2d6ed88eb2a1f192049f0714e6a1519c52c424c6093e27514

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2e6b789cb9fa5140bf69d3189065d898

SHA1
ae15f91e545bc6bdc8776af88997f6a4e8a8b1d2

SHA256
8b743f6a813efaaf475d678bbcb35bee6e66c734d8dd44e5e9731c62a9a5a66b

SHA512
00440c4eef1aa389648cfc63ac1a90d77f443f5b55e62a46b18e2c518edad67e02b02fa893613b66466adf7562e527c33664e3e2b2265ead8c4e7ee3ad7f4295

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d81b9bc80a01035fe133e7091f2e0d13

SHA1
3faad88a2bc113d1f16b137f98904d7c215ad93a

SHA256
19084b340e475bb115bcd6795cefcc1531565d0c4aed2d0a90d58ca8e45e99b8

SHA512
c76986784a75bb4cd2601f77e883d790259b4d4ad4e0f06c05234e6d74bbf41dc3ac199be23e45bffff91767e173de72a97876be57646f94c8151e3df8de0320

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
f9bf35274a0f73bd67637e04ac36e83e

SHA1
a0c8ef5f202fc2a46ea745d8ce268f6f21658d51

SHA256
99a811bed3d51533ba626ba81a40a201bdc713747bbd60ac0f62a0ce7fe2bd85

SHA512
eef317dd3b25c5f7904c8f22e54078e79e4481ee98aac24471d65f7a8b8fdaed4b917c91d995958dc86ff0b68912fa228b29f8208db105522cd2f538d0dd38af

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d76dd1c66376f9057638ebdcce52c0c2

SHA1
1536fe765b6272a6ce6111662049d3158f46eb49

SHA256
632068fac24a4adc9de79c6b9ce0f82646ddfc78f1084e1ef0a01172698a7fe6

SHA512
048b8ecd16cc0352e1df5b0ba441bac489af9d3096ee9edffdf2bc885d913e548d1f6c0085d408a6c16345f556258266725f1416cf5a21ab892b20ee057fada1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d2dca4e721f92b90b3a37e51cbfa7fec

SHA1
a6af5f57482e6fa8a3a780d42a0f16f6559510e0

SHA256
1d4e3556a107203f57d992c2818dd8e4ec82c70371299b7cfdbe040df966739b

SHA512
1324a80946611370d403c6e29a5ca70ce60135fc90a8d4838cac40b6fd4ed26e6ce7750ba2235bea6025853a74963da6a78908568bb6bf42ec17e75533768238

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0d8b9b3ce0da1914c54c1c833d85e906

SHA1
0e86a20b434f377eccf00e2959d41564271aaf69

SHA256
31a3a8d4167a991652c5cc9c4fe8265ef272ba7797dc801c3303689efeed014d

SHA512
7bae63ffb1049fb2af6d85acc5e03be6e980a3d880d683103f21f6f420e37bbbc9c42ba452677d58ac70a3dea3caec8fda355e2bf5985d19b9e78fedd04ffb10

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
ddbae65bbaabd894e5493fb010281873

SHA1
2d834105be3292445ee3b8dd5edce003b9177af7

SHA256
2a2647df10a1e5d0e0d32d7d90293bc7ec301a527fee2f23b768c09e70c5aa83

SHA512
efc5fb784c1cb7661b96a71d6ca10c763e9ad77b91e65a99fe9642110c9fa920f22afd613422e30dee51c13968de5fd309a1f8dcc7b8c97ebceea20cfd6619b3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
18f8c0a432cbd4c5f6568bcaf8e688be

SHA1
58dd048f7ada48d6494586373880944b6767853d

SHA256
3a3cc080ac2ed21018ddd2514f9a74a0298954edd2398428e25249467fce3c75

SHA512
a38d1bda91e642bbc6b14b72daff457f8c62ff03e9dfa91084eacf98dfcb5ea8bbb62522fba214a855b814a27c738fb3711736a5c2dc69640c3c42f8ccfd5274

Download Submit
memory/732-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/732-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/732-721-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/756-64-0x0000000001830000-0x0000000001890000-memory.dmp

Filesize
384KB

Download
memory/756-50-0x0000000001830000-0x0000000001890000-memory.dmp

Filesize
384KB

Download
memory/756-60-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/756-59-0x0000000001830000-0x0000000001890000-memory.dmp

Filesize
384KB

Download
memory/756-65-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/968-400-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/968-292-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1152-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1152-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1152-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1152-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1428-255-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1428-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1428-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1464-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1464-75-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1464-238-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1980-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1980-718-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2148-295-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2148-412-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2284-729-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2284-425-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2476-336-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2476-571-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2836-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2836-727-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3088-0-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/3088-13-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/3088-14-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3088-1-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3088-8-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3096-395-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3096-726-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3104-313-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3104-424-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3280-388-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3280-269-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3432-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3432-29-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3432-30-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3432-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3668-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3668-731-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3920-24-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3920-16-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3920-233-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3920-25-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4072-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4072-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4516-722-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4516-350-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4536-362-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4536-250-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4536-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4536-243-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4568-723-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4568-363-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5000-728-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5000-421-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download