30f4363538db5730f430c4eefb0bce69f5ee8a155fe42673b7bc8968fa232270

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_299a7a920e7887c576dc72ce5bc3f24f_ryuk.exe
Size

940KB
MD5

299a7a920e7887c576dc72ce5bc3f24f
SHA1

677ba47172ae37c78763314f84ff1517dafc6c2a
SHA256

30f4363538db5730f430c4eefb0bce69f5ee8a155fe42673b7bc8968fa232270
SHA512

a9cdc4b4e74b0680563b9f90ab27767c5fcdee3f5210498195ce4f3f887bc91b5932fb54bd3028189cc6c785886cb64ee3dd0e329a6de29b6fbf47c450bca5e4
SSDEEP

12288:WOb9A4LWOsvAYFTwGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:/pL3UT3t/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3740	alg.exe
4568	elevation_service.exe
3952	elevation_service.exe
3096	maintenanceservice.exe
1464	OSE.EXE
4824	DiagnosticsHub.StandardCollector.Service.exe
1100	fxssvc.exe
1108	msdtc.exe
4768	PerceptionSimulationService.exe
2656	perfhost.exe
1156	locator.exe
1396	SensorDataService.exe
2576	snmptrap.exe
4072	spectrum.exe
3144	ssh-agent.exe
4684	TieringEngineService.exe
1364	AgentService.exe
1052	vds.exe
3896	vssvc.exe
1440	wbengine.exe
4228	WmiApSrv.exe
4540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_299a7a920e7887c576dc72ce5bc3f24f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\18819a55293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000660ccccbf4cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a35b4cbf4cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df5718ccf4cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f994f4cbf4cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adc603cbf4cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005332f2cbf4cdda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4568	elevation_service.exe
4568	elevation_service.exe
4568	elevation_service.exe
4568	elevation_service.exe
4568	elevation_service.exe
4568	elevation_service.exe
4568	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2332	2024-07-04_299a7a920e7887c576dc72ce5bc3f24f_ryuk.exe
Token: SeDebugPrivilege	3740	alg.exe
Token: SeDebugPrivilege	3740	alg.exe
Token: SeDebugPrivilege	3740	alg.exe
Token: SeTakeOwnershipPrivilege	4568	elevation_service.exe
Token: SeAuditPrivilege	1100	fxssvc.exe
Token: SeRestorePrivilege	4684	TieringEngineService.exe
Token: SeManageVolumePrivilege	4684	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1364	AgentService.exe
Token: SeBackupPrivilege	3896	vssvc.exe
Token: SeRestorePrivilege	3896	vssvc.exe
Token: SeAuditPrivilege	3896	vssvc.exe
Token: SeBackupPrivilege	1440	wbengine.exe
Token: SeRestorePrivilege	1440	wbengine.exe
Token: SeSecurityPrivilege	1440	wbengine.exe
Token: 33	4540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeDebugPrivilege	4568	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2448	4540	SearchIndexer.exe	117
PID 4540 wrote to memory of 2448	4540	SearchIndexer.exe	117
PID 4540 wrote to memory of 4780	4540	SearchIndexer.exe	118
PID 4540 wrote to memory of 4780	4540	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_299a7a920e7887c576dc72ce5bc3f24f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_299a7a920e7887c576dc72ce5bc3f24f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3096

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4368

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1108

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4072

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1488

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2448
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
944a7101458ffa27156a2d280457b46c

SHA1
1a5b1d504c514f70784a9f8d0dbadf5b5498c91a

SHA256
84864a8435a0110a4665cb788df215b7b5a209b47a67e1905dfbd6a901699cd4

SHA512
817cf08fc0b0d904666e8cc58d3a587195fb6bafbad6cad92ce702dfe51adbb055c6ea037d64f2e72267738075a4aa0dd8ea3fb64fc433ca37ae26581c645a42

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d72aaa7c310e7c7f0a3aa35e94fdb284

SHA1
bfd505c32792392f10a464ee07fe30e8b46852f9

SHA256
e62d39bf48a8d4d0fde593a58b0c156138a07d32341acb857e0f61938133c3fa

SHA512
f6b8bbcea669d99cdb79e623b4fcfc2399bac513417695a2ff9a0630a0cc16b3e0caf83bf8dd38f4bd7fae91c9ac22a9a2ccb32e1fe3d215f919be0dd70df124

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
466e0903c7b08e1eeaa24160a89cbf14

SHA1
0729e69f729c40d8e1e4cc5c94f80ff67c071185

SHA256
6d7ca4824ffa70cf480c228437d532c0eced701c1c6be8d33114e6e8a2c7f6b7

SHA512
0b978872cee502025bd573c313779643e627a386f5c7f6c01fb135ad32be36a2e99d458dabf3a234ad072b1ef5453b2040ae9c459fef7225e4599680d55df0f6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
91945c131532676bab18ec0f1f9185c8

SHA1
60588f3efd201af47efcd73e23f8faeb593d4057

SHA256
bff1aa966ec43b67ba355dcba7efe252633d24440649ee1aac58199748b87faa

SHA512
23df899146dcd509e01cb88fc66628deaaa22cda0a88624d9ce4c4a2238e661778fffdb79457f5bd6322854be5148024921c660c37f27eed85322eee92212de3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f377beb7ecfbba5c9484285581ab51e0

SHA1
cd378c261f73d98696002bec7f4d30f9dd1bdcb2

SHA256
472c258adf6ddc2748245d0a98247e16d84f704fa1601ac036f15fa6e1c16ccf

SHA512
bec651c5204050c97d0abe5477f474247f729a5b4e875b6040ab2b040d7d51362510a16ede1ba2fd3aa05c7fc2ec9aaa1dd05033145e00cac5f2dd1e53477f05

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e21bf7bfe3a14f49246d0a41bcf80346

SHA1
afdf75571c342f2cc6e388759789231fe4e7268e

SHA256
66ff03db9f7e12c01e2c0c2e3fcfedc6b6898cf944557c4a48acc371df19253b

SHA512
53d69228fbf030f6e44f29bdf9e5fb0211e880ed4c043e180ed91e60143b6f8e20c66e0385fecc4973f97f98379a54afdaf083190747decc6f32dab536a157e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
936fd837a9298f7f7b6580ed0127a92b

SHA1
54332caacd85f9e6889304f5e7bd1236d1d6de6d

SHA256
bc32ebddefccb48b8d18167ba1c997e0607df5627a544947e7cb6b75c87e099d

SHA512
2ce59eaebc56105f7ddb6f5a0aa8a3c1f4f07e67159773698c0b4931eadf582bf67f9f41516b7b6327729b9278cc4d8a7d9d8854981f5b7588d8917e4033e848

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
41733695765a5933117ce03b08a317d4

SHA1
bc961fe3eb6c2f2296496fe83d0322c27604240c

SHA256
42e2985042e1a55c98311695b042375a80dd3d32fa2a2c3e2b50d3df1d30de81

SHA512
04bcb1a8fef267e9ab5fd920f0ec1b81c350a5df11b968745f84cb0ba10566dd1e7e9ba345085257b50eeaae33b03a1a8f6403966207acdd350752f461b7facb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
eae6c22d14b79c8c13cf89725fa3ae23

SHA1
b9e730d42ae2810943e70459e1a86d95f28cb67d

SHA256
a85dfa572ce7d155d6995ecf0d4d0bc3c39365264e30b28b0136ebf07b2b85fd

SHA512
f67b849f8f33a80e8f8906ff820d87dcb68fc5f49f8d943ce8045d13c918daa3d1a4c539ce21639d706ac9786e3885e4b18c52dc92ea407d96d16c31db6105c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f1e66acfe1bb9666dc851589bb68aed0

SHA1
fe4051749bc5c6841fe3c976463a77e378036b56

SHA256
a16edada7d0435eef2e30e836823d37b73b5ffbf56951b981fb3a76179ed07e7

SHA512
8af174d86940cee9ec6ef71118f90ca39dd38029316572fb34a4fae4c96d09d9456732994ecd22955c7b8d4471eb166658334502882eb44388dd653fe93ad0c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6fdafe26211632ca3b1e002813fa30da

SHA1
48eefd059bc04f1aecc6e8f12271b40a1f3095c5

SHA256
6e6527c2e73a6405de6b3595d96108cd8dd0ce725eae9d41da04cf087510d03d

SHA512
ef0dd33842504568cc1617bed02b76252f1014bd199924eed7407ff94d0954326691c1b0e438ccb0040ecf412f8d08d40742f51fb8e41d925f4e93139e21e25d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d440ace3e55ba29f79dfe52421d4cd27

SHA1
5bdb70130cde4fd63a4ee21f92036f02095f90d2

SHA256
1c9ab71a8167474533d3a5a4f247715985e462a0d2c9335f40434539e4dbb143

SHA512
56621284352992989c8786048fbe6e2573d23ea3e684612c2578d274f81848510063c8a32223e6836eb08c890efff80126178e104c052f5b39d312211fb3fa15

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
de5881427bc175164f3f01b1a12596dd

SHA1
60d7599ebc53a6a5d7bae06353d5507590a2df2a

SHA256
6cd46c88713f07ea01775baba638c316b1d7ea8b76641c773de5cbca974b09d8

SHA512
e234cd619b5336e104e8ae8b52db10c6e4e9dd32c3d39303fa195ba5fc308eab21b922f56ac0ea2bfb02d12805eec89902998bbd7e7412990b6b21b5bd74081b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
0a2939f86e26ec5ee91838edded09ed4

SHA1
44167b51c49d0cda42869e6a68c697b65463df4b

SHA256
a1f86dbf7a2f4490b6493e927a2d1085fdfa79bc1842c50b1a09d7da39e401e2

SHA512
fc0a95d018f70a60cba64aea40f4129fd0ec0e78764b8e8ea0a1dbb3f73a72183a0725cc079e98e30a2b994a1288329ff7d276f30f47aea3126487b2d45f1477

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
38b58245d28f629fb65744b8832b7f83

SHA1
eaf6f5d67cebe9e663a2293b4fd2836815cbd998

SHA256
d79e0906fd4e191390abbb2413d59da90c7bae8d927f69594b8c6bc2b661c5af

SHA512
f7a5cbcd2cf058837955373b8529cab4882ef02600e212a02f6f346961038668b655d126ec7927dee9edce86106840a10cbf2c506293ddf06c55b6bdf8ad86e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
df21034cf21da3950ec4c381594629f3

SHA1
a6b0810b5786e2303b9dee28aea0960bf03273b3

SHA256
8d55cb0a522a7e6bcb79e1eff1148dad546f1c2cbf46ca32fbc984ce7b41f824

SHA512
4d4d78165a06fe50f269485bd33613675138c6fa1fda99bd70b07f1fb8f76742dab88878c822d31bb263db4ca2976c80a6b419039d1e3eb4ea591bb666eeafbb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
253bc8ecb44eba3cae3339238727f7ac

SHA1
ab6711d188bde31acecdb53c8985775fd2a06f59

SHA256
fa8e82224fb9849f9ddb27309ddd9eb27c3d4624526a0dc2a9b7fc8a768bc572

SHA512
82343eea5d73e9d8069ef7e98669322ba968fe8595220449ed996a37c5866b20bc339d2daa47982ff2a80e7f6cfebc90a31011dc4a325fc6ad143df1524b535e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
af432d25716eb80ecb0b3ed5b29530d5

SHA1
12da3343e2b7835f5dc89edb6ca573d01f0abd31

SHA256
b6d76d8ab0b185af645b261d98e606312a269ea1216a70a1d215004fcabc91fb

SHA512
e760089c826f5222cce8a0e138af0e2901703fb2577f78efc99387c7f15bcf411019288fcaf75b3a33bc171805a516dfb5ba7942dc3ae6c0640b62672cc65ed4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e19488491663e1dabe4c91ece69ab5d5

SHA1
78d3937a3c26308a981af285979dedf6717bea83

SHA256
2c1f2b31605f92de2abc4cbfc4529ef0e3c30294f46a3bbea6ebec7f4209d537

SHA512
500ee662d7818e72ecce34da60ccc34b0a036c4b7d8948123ebf0e688db6c784db1d03e7d95e98379d6685f7475fdb5500dfec3129b697399f8d9e7149fa5bba

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6601df26e45cb0f073e5f85a13a2a7a8

SHA1
88251c091dee2afad530acff2d043cfeaea80953

SHA256
58be93798d8e51ac9b5dd343058b8e609c9d5bfa355deb46a9255144e473c2a4

SHA512
0bb835f8abba9654149e501d5d5d012e323e07e6ba1513cbaaceeded5d7108138275b5a1caae002a50594df64522cf9d9ecf999869cf7f567c18687c2d84db0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
487984f71d24bec9f8fd4fb387e51764

SHA1
10e30ff95f941c69a58fdc3bb79ae801af508eb1

SHA256
3881a6a53bdf17ae3e7b74e71913fdfed9367ec7d83fe6de6291bce44026fde9

SHA512
b77949adc836e65ed894a51851a91a8b492bcade863b40440a48d05a1c09d5551b18af7486801d5d16945d750a514f915528df69678be11960b033acfe221593

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3711ae42a0c79e428cbc81cb48a57d12

SHA1
845863138fb6d7169b6fd2c304f061b103733975

SHA256
3a48075cffb5d2c548abed3dbdb9cb786c0a564be6e2e15f5bf33199baa2ef0e

SHA512
d7fa6c94b7f1c7f78df4e0bac533202f4a80c4df53e64b07175b3d24f9443e00537d64433e393fb8db71f64e0d4512d9296d4f634e0cda44b237a4153a4c0c37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b2cb0256b091a9c17283a165a493723e

SHA1
407d82880aa03f7309543ff92c6c769b61749d4a

SHA256
cd7e630e4587acae6977007448ea365ccd8e90331d0a186228beb93d9f70dabd

SHA512
0d02e60b0283161fa3072dcd0a3ce36d7f88f485d110f15ffe9e068027e419c737c7b55c595c8fcc59984e6f3e10b545c247c55ab8ee4680a5c4f4b6e9974115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9a0b0498d0ffbf5f0be1f4c5e672c103

SHA1
1a4fd22fbb2c2ee61354ce0da22fb81b0466cb11

SHA256
ef928ae5cd580fed50fd3386f5b862066919e55eae0df31e3b70942c64263aa7

SHA512
1421bc4a0f3f45d64589ad18e6562ebb097de665dbf25aa6594b299a66009e8a6cf41f874f37fdc4a6f0ebbf99f740b7340ea4058b2af072bc43914d5f1f692a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b36ca1bb853fd925b5e4e253c4a97413

SHA1
b079fa7ef6bef7c49f4fea785dbcabbb2c84e19f

SHA256
b6a3639d61b48552ba0c1c313f5de54e4caa3668ce175a52080c307ab11fd4c7

SHA512
53e1f1e6ffd7ff5d5c7b6576abf223d0b94793e14b712bbd7b2bba7860186d6ddf1f00fd43d0031bb2210b6c9181a8543283b8d4fc39bf8716c72067786e575f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bd4f53a7a6b8bb99c71a91792d00fb52

SHA1
e225f7d4472ddfbc398d7a22137b80df210caaec

SHA256
53bb19c0d894c087729d406f0b8ab0d16e6ada05c12f09c88203a71fe18d8a16

SHA512
b1c70d85e66d86617c342fc75c8b96693cdcd48e767dd15c7f065a622dfbe71744e3cf261f39709ec30cb13c60a5a000a804366231b0eb4c5f7a59d586f57341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5e229d20c20894ea092159a88e26eef5

SHA1
b692d9309b52598936b40e1f9efb00cd6ee96614

SHA256
c54a8a3d0876d590f8c2e79c1ff9bf3a709ed41b2f7cc24963473fd785e9db21

SHA512
f9b2a0a0152111cbb5760dfe1729d2078e4eef7814544e49af9fc4a0505291ec512a1928144d56521c2cf6533748595a1f069b34bd2a3d1b8e62dfc446c6606c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6ff460f4ff96b9d2c0dfe66f29edd7f9

SHA1
db42452a882733d93e0df88210a79435378da0c5

SHA256
a697fa9b54a891b530375e18f0149fd72589e138d3a563c8008071ebc3bbc0c0

SHA512
19c7092931f4b0f972d196853701e389d53f5479c5f51070b93f3e8db97ed73e56462a146f20dfe53992f767c1ee7516511cf199ee2bcb86a4837413c524851e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
523d6f550c557c0534573f1eef0bde62

SHA1
ef7cd7682268554299ae2320f2d5ddd930a735f0

SHA256
5af0ff93ff7274bbf378db310bc31b6e4d9b345a205d3936a51db988b5282b7c

SHA512
d9e75d33f0a95af663371a726e6a16784cab86cbcbaf52f5c750e01f2ffd113358a70a5ab1a723701664d2addee90e15c6d285c68d05fb90b44df91ff6a932a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
25cbb56dfac199ebf3cb55e3bcb02c19

SHA1
5d57513c9fd680dd0a9077cb13fafb44c5a27487

SHA256
7cd1ee362953a6f8070f29a1fc9d057aa0a7d028eed08cc5bbcf446c9bc8a50c

SHA512
fd7aac533d978842de489da8d60e2630e55ff2e97b946ab6cc6829763ac5dd1f8c8cf3aa5d27502a568eb6aeb68f725fd931d7217ff6a0eff38a24151114e8d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3f55714a3dde388e72c53298fdb4a32e

SHA1
4746cef93bf4d12699a8744b4ecb070c3445f85d

SHA256
63ede1b531603d871db4d31eac4dec84e5594f261aa4f278790e0d2237193e2e

SHA512
b1b18b8a0f98120fec06cced99aebcf1e57a4db0f3bea9dac484fafab48dc92c8c887ce5e61bc04769ea34e9b45afc688d94e6dd68644facd4f627b616b9beee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c6bc8ccfff0937bf456a90dbf9514128

SHA1
a0840873256e0321af2392dfb17f055f4683d4ef

SHA256
b8833d08702484896b694e8440a3d27dbe5ef2e3be3ea000bbbee9ba0ec541d4

SHA512
00e8b6480ba80af303a21265c4d9f5d2e87d38d873c178912f8adc8d7944fa5675f7678e3c9001323fda9020695ea120a0406357e128a2661a0884585d3877e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
dc9b4fde20e56ab8874a9acf20672c30

SHA1
f85ade8c3a51df9a8ebb4062409c68ef1504bef9

SHA256
07b608b42f894536bceb5b50e28b39cb7657d107a3cf8baa53d0d5f0950e77fc

SHA512
4d0c13d77e36c934e47337d1dbd864ccd9417f50291927a7b0fa591872465d9360f5bcc0ed6b0aaf423d21e1974214c4b78d4ab2b7c519fa62c76c695bc02cc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
8d1fc2f5520f50175e4585bfdc5f245d

SHA1
ee2383c502466133e6d0486751c46e456d7e91a4

SHA256
5dc442511bde599a2065106ede186628559ac7bdb2cee53a12b6f0f97a0179a9

SHA512
eaf21b95dc9cc60f9c4b0a01ff64b886783f63897975146bb96fdb3781ec2441c0aeb909ffa76b0c22c6ba29133de8cb9f1b59c83a7a0819743ecfd6da241ba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7ac765b6d5b9ebd048361b8ee8e24185

SHA1
c4e4355ea499a3a7055f260c5152175c16ea1d7f

SHA256
6a1aff491eb8151029bf8f9b0f45e52a0c56c450fb9f9c5b67c73dd2546c89ac

SHA512
1ab21a1e6800da12c4e7b66074ab32881eaae27eec030beaf206bcb77d7e087f62f1d637609486a754e58fd0f40df2b1429c12c4ade07f49a7c14c5b21898bc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ed53d74949756599c334e2d95ceb1e59

SHA1
788a24cbfb3a83348f05552c44fb109ff230d27f

SHA256
81b8d2c0d1c3e397c0af20a434a66cdabf2eb7b5968e4eb5f5d11008a3f1b4b4

SHA512
21818f003981624857ec78ae7ec3927f3c8d3843fb338c16893c03a7efc936d5623baa51409cd0ffda4c7fb56f22a14b8720b748dbfaed07bb676aaa8ffcb8ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
375295d19edc2f426135840d8a85fea4

SHA1
7e69376c07359c4d9355777bc3e21130478c34db

SHA256
eca9dae4a6390719e3a39810f7cc8ca5041ffca58a7259dc9687024cbcbd886c

SHA512
9176076ee3ef27e7ef60de4a0075444f7e1645b3283d70ba923a71cd7c20c9ebb4f1f5548995fba8e02233715b9fa0ccaf70df016e8ca3b9c2681158f9c34719

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
8fc9a66f9015362b607f20df422379f6

SHA1
7a69f9fc468ce7360d5298ca40208c8f1cdd69f8

SHA256
747034520be8e8ad646ff24b80f020f1e94d3b96e73041542356900eb247ae85

SHA512
6937d79bc6f66ce2a1e001aa1d449889167c3c6913dee3852cb20fc0f818ac0ecceddd192ed06134779680d760871e28ac5b12def875bf7700b7ad65c01406ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
684bd003281a5879d527c45e9518ce73

SHA1
7687a7282a48ee095d02ede4aa9d54ea8ece4556

SHA256
6ce350012d88725636492b3c95e968a44a76905d7e30138128e1ee06192f1360

SHA512
d0f2e10a8dc7e49387ac6da33031d3ec0975ae10bb5f76ec50d171940eb0ee1c1ae5dc2a7cbc4fceb50d4a35e3c9c43dae4b960d95ea68a84edfef6093cac480

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
48b376680b94623b2f2d5d8d2055a473

SHA1
5649459fc7b79bd5868b4dbb6f7b1dd63aa97b3d

SHA256
28e51af1ae736d6b838c352f28d3a8c6005f5ae436ed38f8e1ef5ef9162f9670

SHA512
fbeeef9eb98b3aee581175db63518b48f1da1463a8198a9b510f7958d02a660448a3bfdde2d6800b2bfbca4720684164f83d392a627b680984a841a9631c6ac5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
987d0c7d0a6fc9fab1e1637326f9eaab

SHA1
1c5022b6b61a45eb74f075773b660f5b04ca8e25

SHA256
9e54772a2548873930cd75f1fcd75ac393839eced90fc974dbbf16ded79f1771

SHA512
b2b45bd71343fb20096c1bc90a64d08bdf54a783814480b3e2538775e90edb8ff83e49c92a70d7ce4f1fb559a41616dd0a480ebfa1f0ccf792685f16c3af0415

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
252c95117cb71e1f2f39515fbf22837e

SHA1
6ab304493a1c97c3f9b325615023914193ff1d2d

SHA256
c5c8d4f6f68090612508e1c2b4cc0e60dbafee209ec93f92c981615b3dd4de25

SHA512
a4dcb35ee151ea9749581420d181f90d940392ae06ead237e3087c4aa007faad850f4c6441ad8ec873d02459594beca9de31ff4f9bf44a070db0b6cebe127c6e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
18f5582896a47c9bc20ad397cbf9eee1

SHA1
449db113d0e43bff7d233eb0d2085bbe953d3a96

SHA256
137bc59e1b5a586e55f314cc55c0290c544656c938650f592f03898538cebc85

SHA512
a96c7abfe597a4010b941c42d4a8b3aa1976258392b9960223eda180b2cd6d21df96e559add74583a5caf9c000b358287488e2961507dd85b4a4c204d566d07c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
519200d1f499c50164b164a849f8ffa5

SHA1
e96aabb0bac967731c788bcc01e44ee28bc24eeb

SHA256
5a10278b12644ad7cfb4e5a45d337b45d67de0f1b7adf716d439450a0220d93c

SHA512
4daa78935f09c2acfa9b98f2e7af6f2064da1a1a5b0646141ce6ac2a763bf2ef97b5fd5c814186f42add061bb36134ea80f9c59f62b92d692dd6b8e7d18cd43a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1b2a30a6b5de324d4cf92c9014a1ffcf

SHA1
b917aa0b4da1287fa8b024eb8db9b846bd144f86

SHA256
1291628bd7fed32e7a49f0d436539c0c5bca2412795569ef8074f83368823d8c

SHA512
8c71dd931285e1e87a226eae76625295e13ce78393bf9f2ee867e92a84b9b02e5cc07e2e705c1165afad25483b6fc3151d4dda71982c80a80c1fa87b82de7471

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
34aa306f6be47bc2f32c773f5c5b099e

SHA1
e43be9c2e5cea30d5e0813d2b89e5648a7eabf85

SHA256
62987c7158291cfb5851c953d2e89017cc1d939ff9be550da03724c8c6a1fd96

SHA512
66f13643c158c1174e77b81276d7b7d7521347e5e7e6eb344e9531d446a743df4d0fa0f8f11999b09f0c827f8972c264f32add7245dd169c7abbb8f3f8f0922d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1a1c9be56c7c4254aa757afd6ea9f213

SHA1
89d9f1fef37268dd12eef10a16eb4c4d14d4fc08

SHA256
1c271cfe834392c5cad9cc7cf763d8955627c45e91abd901675a95b5ba8e0892

SHA512
7cd9b150389a868dc27130ce747d24fdf4f6587c4eeebe0b734f279387724e88af9e9ffa392549f63559f098111b89d2802f62b9b94f2f983b15e8b04ba36ec8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
375ac5d0417da6cd4e895e7792d9eb0e

SHA1
1e4c93578adf12f35c3a910af43a311d60ddbb28

SHA256
acf479644f03143c1ed9aebf896dc8966b40ff27d34453eeead4ebb3c2342996

SHA512
cbbca07b28685971eb74a318e988f0fd160210b00305c0bfeb5eb66baa9f862ba4761032cfa576517d6c90bad39d6e068a0305ac7bb834767fd2bdb2131510b2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d70eed34a88879350688a9f2600b2668

SHA1
8bdc142e04f7617bdbc32b4702ef12a915a84d33

SHA256
b0c28033f19f1ec4279f86216743a0fb65becc23a5b345ce23f953038ffa4881

SHA512
e6f010541c7fdde365dd73f2573d91443d2a91781ed089270a5ff538c01d63aedbef893cd078bd2e7089780dfa8e00e3f651bdbf0be540be5e1cc7860c4b8758

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
bb439beb704fc1fcf2fcb99c3114b6f8

SHA1
59c13bf597500eec848c086b19be07c792905d9b

SHA256
d2564464b04359f9ffeb413415216c82b8abb72bf97524f7433ed7aa8472e000

SHA512
03b651e0563c366ba48b3626ab15e94c30d783726be4311057a914d5398e46d323911bb52dd35cd6275cbb0b9c034f40370d94bf49c64c3cc2e3aa69c86afe2e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
00e7c0532d8f18278f30d9c44be55a0b

SHA1
5cfcdcd15d804ad26a7e8327a730c87c3a2e9fbb

SHA256
c3e63932f7c1b1a207a5aa5e7ae50971da4c5ba59722c26aeeedb6a7329d4065

SHA512
5f3e84ea908801650354e3931e573cd5f696cdac79e060ccbeaad72f1fca3b33d4431eef0db3b1368c9df0de16299ffc212aa2212954edb170047f91a3cb26da

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
af44dffd7f5248030db354faa1fd735f

SHA1
535320f9fba84d4cfce57cb2d14f3a9298d91f7d

SHA256
14a4ff994b0d8671ae9de2e80a2479493171bb04fdf0ff3efb0951cdf1057961

SHA512
629e2e1197937677515c5879e91731af41de3725db21876126c441d7bd2c30df11a3783d188d2f85b7b63ce844d8312b890851b645e4156ade4d3ef19ff41789

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dcd086c2604085c5797be88a6fb6dfff

SHA1
043de61c43414eb74a6dae2070872829ff675015

SHA256
b35e090cf0bcec1d28b04bb3115127840034b74c422d2cd1e8e552427e0c943c

SHA512
521f1023b202e417994261c5c8952b4a0cd5df89e67ee25a38aa80fcfad3ee54041707e861b4db6f45c8c0d36fa597a660ce07d2f977d09954bec175a6e16fe1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d93a3af24d874030e58078d7b2515987

SHA1
216a64d624567bff8c257e8ab0531fb687b939b0

SHA256
93add31d6a908aa735fd5dd95dc5a8914badab26fd93069a633727db94a1b0b0

SHA512
8f4a904a8eb248974bbc16dba16488ddcb1cec32d4cc4304752fa0c38a0f18daebf6c002630dc6ac56656ef529f1ed60d9a8576f83f0782656420bf1e51a1439

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c4868b9bd39976769165fc3dcb1ef3bf

SHA1
4a2238048f10366b2b46deae55a139d15fd5e927

SHA256
af4dc57feb2f751f249f3d67628722c2a9a2e6d391d5ca0f0ce19e35a0551edc

SHA512
38435cafbe8c72599d63a9b321fe372a034e8baffbd406f515723eb7303b60f819262781e07b7719a013ff1dc1691b594cb2b39175fefa039fd3a39c7595f756

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
82d7fc75b6577cb602c330ad21f6eac4

SHA1
24f514323801cf501196cc44565873e749a1a224

SHA256
645fd5ce8029641633384d7a3d19269c159ef148d976c0b7ea70b6e4d1bb7bf4

SHA512
75d8eb85b0c2dea3e8441e81e8edadcee13a8a55078992b48f74958e858ec5fc87999264e6da7ad924ce41521cc9c3b8a39dd66afc79ffd3aa527fdbb4af3c71

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a6366b12cf2fa5c3ddf008e9bb125691

SHA1
2b1dc0d1f66f3cddc3f19f37a2a6b5629c1bec5f

SHA256
005bc75e89942c28c3cfa276eed9b9b13c1abf803da1411fa00e239148624dba

SHA512
802baff47c76bb80f0e9a45cea7cc7ffe4ab0e0cc5c330be27cc14e8102684cd0fd6e604603273aa53e573f356da21d5a68fc37608b13620012aad6ff4624dbc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b2f8d04d47af8497acb52fe359cc8053

SHA1
d4dbf8b0650b75a7d3c3a53e02d72862a76499a0

SHA256
8cfb28f71e4ba0b582b697e189989b48efd993e28b3cbc0ac3331f1e79fc63c2

SHA512
bde3148e282ec02c29bef48de9aa5a116cad835c5273d9caa0531fa813e797bfb697ff3b1a46880daf87115769b7b910334794edd7c686ffd5d0cdfb5278e41b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b1bc1cf6304c57551bc260a26e9bd403

SHA1
dab014842891e46f01f8f82391727afdf0b11dfb

SHA256
62c68ece8ccc0a00f4aca497c52b5fa09db145d80ee27b307e2edd222a35f92d

SHA512
983140662949164736695770875f59572df92333956be1f6ec3fdce2b65ab2472e535c4e346e1ef4197650cf264f66800f2f811946d3a5f6fe8cd8f69a8e453a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a9466c415b176fd89824953ec9fd4cff

SHA1
c400249057e53a53b766eecd0aa1d08d19120012

SHA256
1ab0290959e9d3df835c257f2858549e8bb16923bfb5bb688faffff81e5f36fe

SHA512
fbb085d951dfb292f0550fc17f6706c45b6b0f1f18c15cb57cc6ac00cf5d309f2981a848f0fabe0896f99e2a1eff90373d13939f0dcba100b5f21489a728b14e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5b451425366f10fd177121a27fc3fb94

SHA1
70355558a7abefea0eb68e5137d3875a677763a2

SHA256
13d91143bca9886777952d19ab5f6037d604a88f034b83fe73a77b4fa9c64280

SHA512
c364b62eda9ba11ff3b8a7ec6f61dc97a572726e06a402de9b64c87a56373554bdaa9fc95f2cdc0bda1e3716710e1b93a8a5844ad76eec036505c6392749ddeb

Download Submit
memory/1052-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1052-631-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1100-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1100-256-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1100-278-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1108-389-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1108-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1156-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1156-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1364-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1364-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1396-626-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1396-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1396-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1440-633-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1440-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1464-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1464-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1464-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1464-67-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2332-1-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2332-0-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2332-9-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2332-12-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2332-14-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2576-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2576-620-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2656-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2656-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3096-53-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3096-62-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3096-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3096-59-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3096-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3144-627-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3144-352-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3740-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3740-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3740-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3740-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3896-632-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3896-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3952-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3952-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3952-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3952-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4072-623-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4072-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4228-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4228-634-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4540-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4540-635-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4568-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4568-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4568-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4568-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4684-628-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4684-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4768-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4768-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4824-245-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4824-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4824-251-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4824-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download