3b1106e1a27e6e904916812fb6f13753f492a5ee37ff09fde731b5d3205c4c48

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_210504c46fecb8d6d1787943b4130f33_ryuk.exe
Size

1.7MB
MD5

210504c46fecb8d6d1787943b4130f33
SHA1

6ccd0fab1c9f7d324d2c62293557cf73e99a70b1
SHA256

3b1106e1a27e6e904916812fb6f13753f492a5ee37ff09fde731b5d3205c4c48
SHA512

1ccee6194ca753f3b5fd5d9d74de18b188dc1a3d0c7a14b49e86038ce989ddb30db165670da0a6bb858ff9db8fd6fb3cf537961d400b1de9b8a82aca6caa65bb
SSDEEP

24576:16V6fC/AyqGizWCaFbyj2OCWnpgA2Q3bMH2e:16cVGizWCaFbCCWnOA2x7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2976	alg.exe
3872	elevation_service.exe
4476	elevation_service.exe
4100	maintenanceservice.exe
5032	OSE.EXE
4256	DiagnosticsHub.StandardCollector.Service.exe
1740	fxssvc.exe
1040	msdtc.exe
5076	PerceptionSimulationService.exe
896	perfhost.exe
1776	locator.exe
4536	SensorDataService.exe
2516	snmptrap.exe
5052	spectrum.exe
4172	ssh-agent.exe
4540	TieringEngineService.exe
4468	AgentService.exe
2488	vds.exe
5084	vssvc.exe
4088	wbengine.exe
4900	WmiApSrv.exe
4712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1f3a60565325400b.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-10_210504c46fecb8d6d1787943b4130f33_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F23469F0-29AC-49EF-9260-16E5DB697B1C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000470fa8e2f1d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000536a45e3f1d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd790fe2f1d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032f4a8e1f1d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b19b0e1f1d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f4f27e2f1d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a33a52e2f1d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3872	elevation_service.exe
3872	elevation_service.exe
3872	elevation_service.exe
3872	elevation_service.exe
3872	elevation_service.exe
3872	elevation_service.exe
3872	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2220	2024-07-10_210504c46fecb8d6d1787943b4130f33_ryuk.exe
Token: SeDebugPrivilege	2976	alg.exe
Token: SeDebugPrivilege	2976	alg.exe
Token: SeDebugPrivilege	2976	alg.exe
Token: SeTakeOwnershipPrivilege	3872	elevation_service.exe
Token: SeAuditPrivilege	1740	fxssvc.exe
Token: SeRestorePrivilege	4540	TieringEngineService.exe
Token: SeManageVolumePrivilege	4540	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4468	AgentService.exe
Token: SeBackupPrivilege	5084	vssvc.exe
Token: SeRestorePrivilege	5084	vssvc.exe
Token: SeAuditPrivilege	5084	vssvc.exe
Token: SeBackupPrivilege	4088	wbengine.exe
Token: SeRestorePrivilege	4088	wbengine.exe
Token: SeSecurityPrivilege	4088	wbengine.exe
Token: 33	4712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeDebugPrivilege	3872	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 1152	4712	SearchIndexer.exe	116
PID 4712 wrote to memory of 1152	4712	SearchIndexer.exe	116
PID 4712 wrote to memory of 5036	4712	SearchIndexer.exe	117
PID 4712 wrote to memory of 5036	4712	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-10_210504c46fecb8d6d1787943b4130f33_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_210504c46fecb8d6d1787943b4130f33_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4100

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4292

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1040

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4536

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5052

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1152
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dba6bce0fb54263b29516cde889a13d3

SHA1
65b5c42744bb48cc01e6cf256e0b9e825e270e22

SHA256
804bf61cd30e5bc1b63843b3769596a94ac06e596ded429c42d42534ad56687a

SHA512
5522400c62dc7dd5de9045b3b9e75c26ba05406146fa1b071e159d52a79a82144e6dfc8d6ae1efb9d48fd22b4ea2c31d5c9d02e273b1d77e38b6a5a2b8e675a3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ec82f83a570d658a842d6ae3bb713fdd

SHA1
e11edaa3c663e2ee608710861f88b8d62ac7d8b0

SHA256
576c6f54d1e4a9493b07370eb1574fa979b46cde8e14f3921d7815850d0c83b0

SHA512
d7badc2dae920ac47041ead30becd1a3d3445c9b9e49b2affd1bbe9588a8227b0f2203e0c957096f87831e2f3aa8c55cc5f3bed0823298da9938447c5bcdcfa6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
bd403a52659e56d13ccb23e1b9528f81

SHA1
a4a050a4f752ceb3b65feea48c645f5e4463b0e0

SHA256
ef9bdfebf0e4c844f7ee541aa36d082d9d2205f7402d17f380d21761872ea01b

SHA512
43a74823529bf078b34fcf82e72b5ed76d68782a523b5b6157f37cfc6a98f31b83f073a6217f8cd3b35130035c3e959cf339f28d03c7283d7a3d062387ef100c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f3f0c9462b8eca2096de50132fa28af4

SHA1
b69187c8dc168a72a7c86f23d0d2fc89ae4cb69c

SHA256
6433be4e4064f5b247b74e3cd0dfd2cbfafcedff277eeb624e15084b2d5ce36d

SHA512
9a48bf938cef76f10e0527780fce7ad2d34ea35b8cea32be190cea4c43cce26c547bafe6426ee430121e59cd0197be8dc45fa85e7e39c326fc06da954878a0b0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
af5e700c5c04335c30e7c0b9c9b563ed

SHA1
fb29f4ea80472e399bfebf86b4741b786b4cbb58

SHA256
d80f477125c0d0851264a50aed1632b616241094329bc661b726bd58f3e1ba7f

SHA512
574c1a9abcb322cd82cd1b91e9169acf9e5ee65e00c5a913e4390e7a22fb47ed2ad535cf2ad44290e8e3014ee83dc3a32ca0798efe2c09f5dd73a8ae99a11abf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4609c8ef586b07717137bbf6424e1a37

SHA1
1915bbb1edd109f0953c05dfffb6f9ca88f40137

SHA256
8e35d3978f6938dab31cdd648f3ae5ed9f7b59e4f6821b721b118350418b7b22

SHA512
895bc1bc97ecf7b959ef8dd79982fcdfbf73479d53ac00f50d891c5a02e15d8349648f88abe9307ac4b52ff7b985a4c9315c8e5692f1ebadb43f9262b87f58b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
fec03361ba3511dd97fe4a7139e87f5c

SHA1
cda72d0476918188b57b02425940b1a2e06a8ed0

SHA256
40130f18572055d73c841aab5fc7fe3fba6a0ff36344ec5b261e1355913a57b7

SHA512
fbc06335b40786fbad9974d1beff5a9f52e5e6cf3cdb0166c88cedda02f59020692c9e478245a8ab1b07d020c005e00853553e0a6e2829fed7014aacdd81f9fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e6ec1a50287409bbbb0ad7950da41ec3

SHA1
d039011a207db28c4ff8cefed35ca8da2708398d

SHA256
214b62877cd025f9a9288491ed73afa8e9947df74255bcbe45916ea10e5ff866

SHA512
22b3feef544d416b54c8b61a3c5abf6d0a1515899572dc6b724fadb7337ecadced279143870091b4504c5776eb38c004f0d479d4f0090921e8c733da43657079

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
01b02aefe8d28ec60c052385c4fa3811

SHA1
d87763468c6a71544a881a5d89686b66dbf2af19

SHA256
41941d1c8b3f19bce2a587d3b3461f2740e4e9a7ed5e516f3f20e8c8a431557c

SHA512
24285204a598e0776ef17d39885c5c8ba7a45530ba89abd7df27543357fe62bbcbce4d85548a61977e3cfe94f3e471c5ddb94adee32cb0014f9420b0d94e8d98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ea1e5705952825ce5afb5938e08180ca

SHA1
d13bed703f6df276766489731eee2bc3b78479eb

SHA256
ad289e17a08b7e2f860649ee596b79ad15c2cf6c93d3b13bf2c3662698e69807

SHA512
0e0291475e7716e47f9a0337500405348bf8eab6b07d8e4377e7a719c30c7c7c43142909d1e782467d5a9054ad0495c92e0f43405651c5ce8ecfbf4f8d636958

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
88c535e3f67f71cfada42c4083a0dd88

SHA1
8ac7837e5d16b86d9c21f8edcd297585807e595a

SHA256
2c584c3cd74e500395703f5a9e0c45ce067c6bf10e9d026f676aefe61c41742f

SHA512
c55a6e5e9ef9cd8367d3bf0707f9e6703663cc54c9ab4102cccb9344cd57e538ed25d5393459993919d96cf1b35074f82d342fe026ec0fe1067fb0a10c92a4b9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
000b66b3f56d5cbd973e197ecd8a6d91

SHA1
3f00a25aa4244351b8bbca6e5b24091614950552

SHA256
cbdb6bf943a64eaa847508b7f84bdd07884ab4297f713abcc11b4b7e645eae97

SHA512
e2ce325f6dac23aca1676c760ec74580acb55cbd655946ad0edd049e1adcefea52b747961c9d280c31ba8f99e1a06617ddc61b4bf192deb4c1e0cdad1c73554e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8409b70de8ea6f2ce7d38fc41c5a1e3c

SHA1
4319cabe7267c2bea90773815ad2dfdeb44373a6

SHA256
8a2ebe5a0a2f51d922728dbac39955fd708e044686f2514ead284825e13fe576

SHA512
960ee10356b0e4b111cd9f555e444fc5ea56c983f9b8e400137981f3cde05d30fb49b808e8210ef2d5628678ff2c3ec169d57ca1ef18905fe26aa0e02e8a9b02

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
bbb3a621b2ff6785a1f8387ef04dfec2

SHA1
df37c24618a1944529768af4a5d3fdf1623f641a

SHA256
940979100eb8da7bd7fc496a438f8e85fa6d2cf2cfe347f685aeebf22ac0e968

SHA512
4d285b10e00b655d062c08f96b4c1b32a87bd7735203478c06e59cb327f774d8c9e19e8aae971b9dfa2ea30658db0457e989db4a16599ecd8a23a273a8fa5a90

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2b206fa7deeb826e7319cf74e5cd05be

SHA1
6e66d1a77a5e9ce840c8cc8f62d60d9691996fc0

SHA256
0e11c36b0a0d2ba331bf8a1e6563dcf850d2b39f31fc8af9d17bb7cc1003c4b6

SHA512
82ff0cfb830b81f22aa3c75e6c9a74d740bcd875c12f9c826db10ec553f0f19e894c3ad5990170363b8d566fbcc007a1aad30db8be67ce7cf5c12964e4a1fb51

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
6cbce63a32c24872f9a2dece5071cf0b

SHA1
2c2952fd74fd460407ca6079b12025419a172bd8

SHA256
3d6f5600e4fc4a3ed80d87a1fdffa95d0e8c6399ab98cb14622299790eac6071

SHA512
ef72c61d555edcfd3614ff5e75eb0f0921a447b5e24c136dd88566004c9e8478add001f03fbc5dc3c29578a04ddc98d44a178ba7cce9dde57e09b4d001057729

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
60d6430881b5683c29ebe974b1e7f19c

SHA1
f2dfedcd3ad48bad0ed0f03ef6533f09e5a30f3f

SHA256
9b409e9bd48f7653d9cc5bb036264508bf7a2b67d9cd799e1119b67a74260485

SHA512
aeb19126c381d4c82790e2b7f30f5b575dd17b9b924c63cbb98d6cdd9171856ee6147d4b38569519376c4e9cbf3f36d60a9474503ee618ac2f2f82719b424e78

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ece87ff6ba1268164dd90f9a2c58cd61

SHA1
d804e12462412b50e82c6a9ce69b517cd29027ed

SHA256
af8d433b7e13ce2665e49c28815c0b8785607ed3f2f8e5e4a7febb620004607d

SHA512
556110836e657f986ea3614f75fb181737d4411fc3d16f82e61160b75182a0e15ae1ac15f88c2c921568797a834e6144acbf6e56f29766b7022307d9506cb65e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
32727b7fc000dcc0a56044bf40d0a9ed

SHA1
2acc64425151e8ed6d07e26082b4a868ca3b6d62

SHA256
f02b396870f5d7e29c9640b4beb26c75aafe29e62db20af9ce1fba5bd3f45744

SHA512
cd7a950235f01342c4921dfeac689c39cfa86758c2c2a9680b1e3d3f07774af3b3300356e6442cb43455851b5502f10a392674d760e51c72676dda47de6ab8a6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fd4ad56e8cb9843355a24a8975ad6a29

SHA1
8b7c8bf97e4cba5b0bef84e37550d0aa405aea29

SHA256
1687a7bf07e124674532a8e9cd2cfe8ef855f7126c377ad4288b4ccba8a0652a

SHA512
704f6231dd9d0e8003c7f08e58230943df46d7838e2845f366c2d2a7c4aaeb6384067e08a2ba54c5ab79af4508cf27fa9a72d184bae1e241fee5d655e8511eb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0a4a98cbe2776dcef5115a2278d5627e

SHA1
e214602763f484a83da329cf5b178c112a4b3886

SHA256
6afe7353401d5a8833bb072188ad884cdc5fbbbdeef6163d24dfd081d234d4bb

SHA512
e5c143387cdb5e85c283b5ac76a801de2aec2ef7424826c817b0cb14e1a68d0fbf362e67e6d9f41ea74666ec221c6da04ac7d635fe6675124dddb4595048ea22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7a1cab82d8cdc8062bd91468e808288a

SHA1
11d1a0bcdc4b09c60816783fd3a0c75a41cdceec

SHA256
3aba62fcbbecffb83103e8e3dbb82a7474012809eb2c47d491d9f77baafe4564

SHA512
bcb51b0775d53e40f398cb1baa43214de65cc33c3d03177d069a937e23d65c72f3a4a3b3370352772de407276e368809bde77164b45713c2ec7c60442e8281a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
fc75339156dbd0ee938a169b7fe9d9a0

SHA1
a6b96b7d2359582b4b297ecceb9a4d6085b2a882

SHA256
fc4b145de11539a9c707df08d96b9bc7a19d6098d3e5180aefac48649f5ba57a

SHA512
e7272659294a039f1023ed46321b434cb7ff1eba27f1f08174d74fa866c1f64e0f444f9470c315b72c92fe6e4fb5588615c733d7f651fbe9c78eba3e494f4ba9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f4929312120cdc8f2bbe5273a890fde6

SHA1
222f0a2abf464071568770865eb527cb0e218595

SHA256
d55061e519fcab261458827916309de103f0256f0d01bf974161b0c8b1c26955

SHA512
ab5dc11ad8ea6bba3e95732ce06e1060153c7d0e8f155eaec01a75ae107364b957ffc926fa04df9b5ccc7ca916c9224834a32e0a429cfdf727d62b7c6e7a8430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c2aea9ac36bc08d0735817c8145a74ba

SHA1
ee1ba2ab3d693ad363a227c255a28605f930cfc8

SHA256
31f9fdfdb54cb1743d59ab8cce89ac446cddbcb039eddf5f4fb1b0b20680313c

SHA512
427efab6cc774389ed7de2258bcdae4b35ee40bfbb2098df031df6b7ec1f960ec4be5adf6f39081e47c25fde8421050588440454e0a8beeb764b309110b8d3fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
3a950fd9ef3f61beb43af01b07679c87

SHA1
01b7d6c254a4b9b6fad41212241907d30712befd

SHA256
bd14e3fe28cf37bedc992cfd7c67e1afb478f99382127371caed6e44da9dccfc

SHA512
4bb847d58bf82d6ac0985d8979ca4bd585304bf861feb2582755a2bfbe9032e17b8f898833b3bfad3a9ddbe4d23dd78f8a4e53e14757c40db44f5c8c3d299186

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
4c7c5cffd5cace41b4e8c1cfcad09761

SHA1
4ecc2553f9ca55935a5bb62aa71a94d00e576427

SHA256
bf386427d20e9cee4ff2d5687abf1dd03fcda8e670bd8e8b7b5f3c3bff250eb8

SHA512
b0c78315db6606a11e0b5c33b4f083acde4ae716e39f67cce4c5a2cfde127a143a4b032d66032d9f6713f30594035394e199c0bc7a7a261011cffa48ec3662a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
35de0037cc680b4162dd9fa955b58af8

SHA1
e3ca39b7e57bba42c2f2dacc4bc8862366bc08dd

SHA256
464b9ef1eb4d56387479ac6a829542d720aa68547f7d61092d91048bf88f98f1

SHA512
c954ea7f04db0e9bb92ee1cc444159c0a9f87cf7a3645ecb0c1ef2169187246ceacf73775b24689d49f6e449e39079514594e1571ac4d8716d8e237c196147c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a17510598a9ddaf23306d60b5a8ea845

SHA1
abea4bb21ade4d90de9651f0c386c3b2ee6f415c

SHA256
3d0ffa4620d654ac18cef292abc044c9b1c48f8d492091cbcb732c562c4a743b

SHA512
692c03cdbfc358a1061b872edf5c9881aebd2cad8cf12980b07255d6262e71baa96ad77eac3be1bcd36f61a07b42ca8fdcd16cf9b5f6defe1e290f0f912f869d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fe33c6257228da2b59c2ffe19c50b09f

SHA1
cc5aa074368368eb46e05d03bc06a327fdffa54e

SHA256
fbe0e2928a3b8fd5f3390697b129dfd50201e64fc29746cc737ea1d81f0b7b43

SHA512
00f458effcdc13b2e75f8c59bd3a7f8171c4587fa1264a6ae39214be58f8b2a17b4be658b9ee17051b3187817dbb9df44008a8a1ebaede07daa76fbfd05ba417

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f0008239c933874fd25e5cd2c5c9091b

SHA1
789a389b61da856e4adfdbe702cf2c171c82407e

SHA256
728d9fba7db58c9e279fb2b56fede6d4a9906995dc5f2b5a53f7e24c728df791

SHA512
45bca42849b7846a13a95eeeb7cb141f30c48f5dea67de888616da4d65b5645d68f6e7db2d23a9a9d1f7500e2939fa9ad067c20df0c5417ad6de65cee2f54902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3db6254a7c131e870e3fd798266ae6a0

SHA1
0f4f89f29005718a19f6a028b0619ea153b091a2

SHA256
8c7f9a551c5726f478dea8e025eb8b4280819a0c020b2271f0eab34545737be5

SHA512
5a281a0455ee123d3150467b5dafa09256f4ab0d7074e43d9a8e1c075991e96193f2afe8d5393bcc79ccde63cf8fc829a7164f07f3b519684588517df6497cf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
14c84a2a7dc5d50c4b0de762c0239d43

SHA1
dbc6ba7ae9d9f36357982a3529d8659304540b1d

SHA256
648e4d5d54bb719eab61a4e491a1ab0a99b1514c07c0ea75a4d90d367169a194

SHA512
3c57647b4e316c52b8239b6dbb9cee616849dc9c441b1f95f46d7224e5100442f95faded41f0aef8305cca076373fc445d70b8f38440327eff4dbb6865a15507

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
796603bc2eee6a4d599b4a9291a89a1b

SHA1
4346de153c46315f262b9d04a117acb2a71643a6

SHA256
0348d433ad3e6ef9b44fcb8aca0774ed4d2b06f268c8fd18043f76e71b102be7

SHA512
64f075b6a9eb6b81b011cc93cb6c834c6f69f1b6ea284f9db2a224b6a3661e5ae8f408068a9653d2e98a6c0665a5bb8eecb78103c20d79139759a708efb17cf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
ce48ae3c949dd8841a02aa9cba18fcda

SHA1
5cc5dbb2d505c05461826d5f6d0fc82b36a2264a

SHA256
0b8e2e15942b9a6286290244ed80bf152986be837445153b62bb1895caf8b156

SHA512
603aa2b21a00d15015bceb35a0855dce3018fead1cd3a5783491147de6f537232d19815c014f7c2aea41527d7fc61447231daa67c336c6c2ad066b81ce989c49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
2986e3a553281a3d970394e59db3ee07

SHA1
01a72bc66a37d60279713f0db125a65ddaeaea7c

SHA256
aa525f9997d4d38b59d9202d419e13d2dab7def4690552048a288d364d0236e3

SHA512
91a4b76c542682815ffba6061406d51be20fa09a2eb340c43bc2b93c31da2b0d6e89a806070f04c59b7ecc52efb2fcfe59656c3c81bc003001667c2e642a8f16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
9e5bc0401613ddc2875f59feba5fc5f1

SHA1
a5ddacc330ba0e9d9ac07087e4a6beb47d447984

SHA256
f930624d2d52c27bd7153339ed409bafdef1e22b75b44c71cb6960d652b777db

SHA512
c2d351f2c1b19474b3171c5973dc47cfdbb7502c23d80fd3a1a96d6dd549896fa0937606f64f61454b356e67b7eda6b15be0ea6d7815f566c6bbeb1b7ac8d503

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
75cfe98300a87cf3ecdf6a101065cdf0

SHA1
37d9b9821c274e54e835205efd41baf44104b77a

SHA256
f5b47d612f2ae2cc010123ba62dcf0fe4a81f28d6384eb9d23a89b1929583e92

SHA512
1e11088856a70849feb0fd363bc7ccbefa68f2d47c84d5b3e1bd12da373019c1340281c6a011c8259198b0bec78fe60072cf822b3faed87e10f2fe071e2b712d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
826c95ebc11b594c8ea96f58a162cad1

SHA1
25a7072eb8d517db102feeaf22d8f3314e02f80c

SHA256
df702ba1ce1ec6d107ba9f136580b01ef6d976c9ff78afc7f7d3ca8fe1e6d3b0

SHA512
ed92f112cb9f67e54d57e16de3548884dc88d80b4d0872bbb2f219d7f76793af98ebc084baf8174f17c94be50705509ac74df22a0a2d1fe412de8d2fa1b8d6f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
46cf024d9c857bbde4772c6f8f966aeb

SHA1
c8761aee4be25c6105dde53356e3d4fc2783aa8f

SHA256
079746be9376643794604775020379e22c80c83508c93999259f33f6ffe27550

SHA512
c7b11a07e2451030d2ea12a1bd089406973a335b28fd82d55e15dfacd9c967104d83b04b6b2f4fbc74ae17e713c4558badf68bbf4dbb5085d6e128da0b742848

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
bfe166e669334eef32b9ec09e3a576a7

SHA1
ae351c15cc6b171e3f59c39a3ef42e570183f602

SHA256
b08762841aeddeb074b0eac28b469b73c26610f8e4df284bf6298b7e7a1a68b7

SHA512
65acc65cad0a72aeef1ca1a29a41677c04082987d87edc662279b7df8e4921459fe4d75c7fe7dd40fbbf8d344d5ac0c347503a61cae81406c7c282b77287b5f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
ccf0c0ce6661b2441346d6afd8ceedde

SHA1
90177fccd322a1645c59df6eeb7da7e7063fc31f

SHA256
19e8a25af62670a34b7073f2692c7c9f8cf2f1a14c272bdd5ca57308e4bc2d01

SHA512
8579ff27a6ecbe79fc75bf13d8cbb17a875e7357a3903d3fad5e4c5e9c74a71ace5237029f4cc78b5d30b589e31264e2900e91cdc4687136d38707eaad190fc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
20ea50705647be3caebe4822dc443d33

SHA1
ed0a2aabea6641a6121e61bec1a2d03b0551278d

SHA256
439ee0492d070d012414c0806869869a00bb72159e4309b4318cf2fd885879c9

SHA512
a31f8caa7c5751f22ce5973483602f700addca11cfe495b5b040706b934e4832a21bd302c7367a36285ae549ee47bc8b604ce66e1fc530572fc20a6c14d7fe03

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1476dae78841c5ee620c9b4187bc9ab2

SHA1
769b690423b97e753921cb3f7cb5c350cf06e1f6

SHA256
0cdb2c4e504eaf10aea85c9e4384d07cc965e847d645314d8a3e62ef2d2a4a17

SHA512
7665e41edaa3417730cfb24008ce747078843330b350ec7b150f004024cd7fdfc37bcf8708c99a2308e10717c403293101be6c44af5122ac178c5cb4e9bd150c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
238963ffd5324a40da3d4c7b61853178

SHA1
21174f82697f65acb9dbcd368ab8a2ed2e5138a2

SHA256
9d4f2edefbf4157f1cb129bd5dab229cf400de992c80ac72abb48f63136a2b2e

SHA512
edddbc32e577a04be0b06b8e69043b52554dd4431d6c316909e908439081f96c8e0fd24fc774ebd76933d596bff59687468280862cb008ec83907a1991e8342b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
33b5b4ace7db582c7802ef33e9e32b21

SHA1
9663f363ef07daa573830653a07949ec3a29fb53

SHA256
0395a9a0fa823fc4989f2976cb9ea8629d5dfcc22832b631a7c175264bf576c7

SHA512
8c25a957f05972f9cff4672f3920fd8667938a2b596745426cb1ec2c248f7d18e48189aff855ca6913c7234ac96e5b0d294674d16cc62f08f27223d9c5306ee7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
28c84e2eecc89794cc8832c8d320477a

SHA1
59fb187f35535b58d7bbe4c9f1ea7d57a8ae5282

SHA256
df3a8911a79527a7c5839d1c25d0abf940190d42cf333abbf03d555a0860a0fe

SHA512
56fface471a5a87246f55892314ce5283b20fa37a63992644ef72bc953563913f935ae621acfd20b940868f4630e56ba9808b0d53422c941472a0c56740aaa4f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
45bfcc08f504e0f25bc55ea955aba7b7

SHA1
163292d913735d77bc2f4ccab57f5f513eb634df

SHA256
768099f80f79969c32cdfcfd59d538fb87c0db43dc3f3a308ff8036530702242

SHA512
f5fe1133f969a1aa2589a169d02e4f2f390f3930bf415ded95d3c17a268f73b8338f0d27381c0516379b56052f27a76640d5e101009dd44ec81ca9e7c6832123

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cf1a2c8315471664c28e8050820210d4

SHA1
602b6e814f4ebc2cda129041d1b480720d8630aa

SHA256
e35d637887e6aa6bc579714912ae3ae647e12a0c286828b7932bc2bdc2453bdd

SHA512
eb7de22fb4036116b467a839a67f748134d732b4f7f22b07f9114509fe7ce1b09f6c73fafcdee4f9bd89b8cea327cb53dde5caf0fa22473babac3aa284aeb421

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
aa15fcdcdf20b54b7424b5b17253d891

SHA1
00049d729364432db7efec1279a74ac4073987ca

SHA256
b976a4067567c627239ec226489cbbc2884d6b43af92dc3ba170eda3741ff0f7

SHA512
5c3fdf0017320063565d87a656641bdb9a1424147d76ed06823a2a5204ad9725444fab0bf3d9c8be2a6b5743586df089780802821960d2885c0fa55e0a63c1f1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
244d9b2cbdc8ef5df96c9def894d4982

SHA1
2396e72af549f1e7c68d31ded51408892524ef8e

SHA256
00ccd3c87611b096aa918016b492041ad860e1997e69517c317915e2534465ac

SHA512
2bd7d168d417acc9e700182cc9ebae499c892de459397ea72bc3003fbf435254a5fe88a6e50f583df31e2c7aad88988e9d0b57122747354289e61fd8118ae846

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
66a0cda98ed7fd83bea4db367db346a1

SHA1
e2756adbf5c18dce795796781679bd32ca9ec659

SHA256
02164483d0721d62ece33658a14ad85cb3d13f9c592488273286ff14be2119ef

SHA512
cfa56cda379a56e178bacd0ac1bd3e5f21f664a0ca9e26db84939845fe969e5e9f3e66afecb6cf1c22aaca9d43c227d5622f5d24a492d9fee746890ae1fd0819

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cc083d8336e89dc2a1c9a7f77cb65652

SHA1
3bf91bbf590e4278dd74a154850a42ce6fe2b14a

SHA256
440da6d287aed3db429de46c53e25550d656658b67311e7ee87fa7184509c5c1

SHA512
d9fb0c74cfaa0c9bcbe8e31946e2852c1ba9b92633166ced8c350afc4e63048c799190278cb22f444bcf53cf72625f6b039c452112cec35fd39dc4c3135aafd6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
84690a5d93e55d3fc81d92ec50e70ca5

SHA1
d67823f1c294ee30e7e45d6a4f55dfc46137e949

SHA256
d554e59bf1cd1aea2f092891c17ddd264f719b3f5d68af3e6429027c47016bf3

SHA512
e06d13195aeb009042b516406ab2b6f068471f7b8850c9284dfbbbe5e89b894dd5f282c56b16bc8db4e76e4c630ff387363f53f883a7733826c50a43182f5f84

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
17f5a886950a6772f63482a81b9324d1

SHA1
c724515f0fd8b08ee647288f1cea4ea5754f65c8

SHA256
c5f4b1780a78d5a49ccbeb64cac63acd898ace6075614faaeb21b1cce47966d9

SHA512
351f968070b02a1d2c3af672b32bb5a396f6aaf18fc5ad0055308b8bfd9c04a6668c321cd6282b9fd7fa588d5059843544294d2454686ad55f5bdc1e7502fe2f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1394786440f4483833aa16b3f23247ae

SHA1
f0e286ad0ea2e3c5c13bfbb136bd09ecb2b80e89

SHA256
6ff1f92e2b1b9eb7bf37421e2fdd2e7728459b94d9400a4b60cf7021e9c17ab3

SHA512
dd7a2e4cc6a68fe671787484ee9edf356445adee92825133799dcb82100d764a44f50f360c03c851ade4859c995a44242761704489e8ecedac035b9845ae660e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
53c6934bba00f2f097186e7af6c18dce

SHA1
ecf9368eb9ce589e46e096a27c03dfc50ca16677

SHA256
4631132484d2524bac03cb19b834b1f953a12c2835b336620bfc3a52c23258f0

SHA512
4ccca886ef84b0bace99218e087d9f372caad54c613f10e79bbe41f4e7861c710ce2cba5812cf842044f751c8f6280a372af28dafb9c62a800d150cf33930175

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c805c74cc00eb2d95e26e2416a1e9c25

SHA1
deadf0dcef807cd490cee746a094841722e3be70

SHA256
c8e8b0237ac4a4ed23d2c12b5b36d817e27448182cfa5473d90d6572f744f4a7

SHA512
07889c84371703d3b185bb6012a4c923b7b0498a3cf6ebf076480c034a0c25ed505bc2bce6e897c6d48b9a9315a2e9987a2d8905bea52ebe46a4582899c4792f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
08f48a284d3c5aa0251a1b88d3d4c036

SHA1
9f02af49f73bd615a71586c7e633195a18e16bdc

SHA256
7fd413ef6c0c2d4fcd3abeb790569e0915f4a7e01f46df905b555b47443cea22

SHA512
90b988b041cb63b8e30d0a897b7fef215a41f63dfe25d95625ee1ae49bce0fec9545cbdf0bb7b5a22e126f122863c242a948487e36fb961740442e77aade430c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
231158f5c95ca0912e0170027a407f3c

SHA1
05159fd3767f71ab59035a67229bab528032a050

SHA256
17eac3709dd2d80841410af2a36b78f710ea6d67e9235d2f89d7d8398b138145

SHA512
718b7d58ae547b310af2d34d4ab7100d3db5475d27cf1d586117b16e0124804676267c9f9f15f94f4f62a93419776ce60150657f0e51fca41ee10249f3770bd2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f1b0cc2e868ad5459f6eaa8fe95accc2

SHA1
7ed04961e78ea42ed573367c7c27280be671ea1d

SHA256
a28a5447472fc455fb883d36f3e4516129e4dbcc46ab9a683b3564175e11e99c

SHA512
6b9957888a3d72d46254867e4717815a89b0d80312645481ca3f2499c62bacbbff8c595c9903689dbed114f5c15788eed73c64bc8e9f11065b0e3dd13bc4da9e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ef313129a27d6991355ceaaa4c74544a

SHA1
2a518233de08c9dd2d895c9ce8eed63bc217674b

SHA256
05667dbba30cd37c6dbdd553c0d5f039f6a4e8838f18edcba66cb377bb960f0d

SHA512
3fe8d1d99f947acd0d47f7630f651e8de303e7f56855fec1973097222dae751ebc14062f790b24661fd4fe4460a92f00ff89a1a599154b848e497c407cb550d9

Download Submit
memory/896-295-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/896-412-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1040-269-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1040-396-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1740-255-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1740-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1740-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1776-305-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1776-424-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2220-14-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2220-15-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2220-0-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2220-9-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2220-1-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2488-397-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2488-649-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2516-336-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2516-526-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2976-17-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2976-26-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2976-25-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2976-234-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3872-30-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3872-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3872-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3872-32-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4088-419-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4088-651-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4100-65-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4100-54-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4100-77-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4100-62-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4100-63-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4172-351-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4172-645-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4256-245-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4256-243-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4256-362-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4256-250-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4468-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4468-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4476-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4476-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4476-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4536-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-646-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4540-363-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4712-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4712-654-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4900-426-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4900-652-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/5032-69-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5032-78-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/5032-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5052-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5052-612-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5076-281-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5076-400-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5084-650-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5084-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download