23d2ca16c7709d6103cd68d08fdda6ec77c854c374083579da9e2cc9b6a1d9c4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-08_8c352c8bc74e7df1d0595d57bd453e8b_ryuk.exe
Size

1.6MB
MD5

8c352c8bc74e7df1d0595d57bd453e8b
SHA1

0fba7a49a7f8554483d3fecb8a19c548cdca68c6
SHA256

23d2ca16c7709d6103cd68d08fdda6ec77c854c374083579da9e2cc9b6a1d9c4
SHA512

46790958c2ee30f50ec7004d461e23c20460b80cd829c14e4460dba52bc9fb7bee9dd369a38f61c3d4fd1dc57e9a79369ab7ad2f0cac18e5c3d018e5c90ac380
SSDEEP

24576:j6V64C/AyqGizWCaFbyNSkQ/7Gb8NLEbeZ:j6c6GizWCaFb1kQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3012	alg.exe
1880	elevation_service.exe
4564	elevation_service.exe
4924	maintenanceservice.exe
3096	OSE.EXE
1788	DiagnosticsHub.StandardCollector.Service.exe
2152	fxssvc.exe
4464	msdtc.exe
3700	PerceptionSimulationService.exe
2188	perfhost.exe
60	locator.exe
1468	SensorDataService.exe
1860	snmptrap.exe
4732	spectrum.exe
624	ssh-agent.exe
4428	TieringEngineService.exe
2308	AgentService.exe
1848	vds.exe
4220	vssvc.exe
1068	wbengine.exe
4896	WmiApSrv.exe
3040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7d47d0cd352c8123.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-08_8c352c8bc74e7df1d0595d57bd453e8b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\java.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faed219cc8e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6859b9cc8e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2d92d9cc8e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010d84c9cc8e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6859b9cc8e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae273c9cc8e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060eb5f9cc8e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000579e329cc8e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1420	2024-08-08_8c352c8bc74e7df1d0595d57bd453e8b_ryuk.exe
Token: SeDebugPrivilege	3012	alg.exe
Token: SeDebugPrivilege	3012	alg.exe
Token: SeDebugPrivilege	3012	alg.exe
Token: SeTakeOwnershipPrivilege	1880	elevation_service.exe
Token: SeAuditPrivilege	2152	fxssvc.exe
Token: SeRestorePrivilege	4428	TieringEngineService.exe
Token: SeManageVolumePrivilege	4428	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2308	AgentService.exe
Token: SeBackupPrivilege	4220	vssvc.exe
Token: SeRestorePrivilege	4220	vssvc.exe
Token: SeAuditPrivilege	4220	vssvc.exe
Token: SeBackupPrivilege	1068	wbengine.exe
Token: SeRestorePrivilege	1068	wbengine.exe
Token: SeSecurityPrivilege	1068	wbengine.exe
Token: 33	3040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeDebugPrivilege	1880	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3564	3040	SearchIndexer.exe	117
PID 3040 wrote to memory of 3564	3040	SearchIndexer.exe	117
PID 3040 wrote to memory of 4624	3040	SearchIndexer.exe	118
PID 3040 wrote to memory of 4624	3040	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-08_8c352c8bc74e7df1d0595d57bd453e8b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-08_8c352c8bc74e7df1d0595d57bd453e8b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4464

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4732

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3564
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d936c8336f3d36259aff9afffe27a5c2

SHA1
899215bdff33a46594768be787073d3f4c50fdf2

SHA256
b442e5d14d26b1aad1be9d2e28458876ab9b645bfc8def7b58e8287e499bc1a2

SHA512
84eabed5cc241db9f50a5b6fe3fc0ce6e549ef8479f0c1e96d6563a134aef2f9108bb95401d0a75dde77e18c5ea33f916a4a93848cce7536ee6f7c20186276b3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ec1a32d7fc5382b16e9bf28b74780d64

SHA1
700a887a2ce8d7ff89ac1ea708c9eac27ff10988

SHA256
fc1ec36f46cd5270409adafdb5fdc9f8097af046c0dcf9eab0a5e5b1d892ba6e

SHA512
37c837031106a2e203ff785fb65ff1f9841f0d9230dc4039828c3d37919e467079bbf27fa4b7a9686400d8e8381901964dda1cb34f40520976610d8dcd1be436

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
fae031d0c3de53f2000564a52141100c

SHA1
e6128217b5f87275d647bf8992a5f7d015fd06c9

SHA256
083825526646c1361cf0ffa992c52e10968dc142921f3f18ebc8111f86b1e183

SHA512
ecfbaa1b98a851b1c2844a1d5ce27f97b665586efe38f4bf832ae9a9b3f1cee9d23b2b83da24acf123d3f58c1132893fb40310fee61759a51f2f0d3a04a96818

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3d95563e564bc42fc7e05fba33c9f047

SHA1
2fd191869335276ba4b21888b1f861309a9b2730

SHA256
9aeaf24380465f9b82cc89a4c820c394283791cd84f5e7a43a67d3e42c13df35

SHA512
65978ea45fd5c225125e4889b44939b2f69469c32e9d876e36d55a9c6c1b8ab3e89dc85d88a21818de550eb0af2315b3cced3202730150d4735a37c2c21a096c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fac0998e8a88cfbf33a3c2925e5250ee

SHA1
9ef2c930b5ba39324ca7c71833654f2962bbd41a

SHA256
d391ecc233f45ce14ebcea75ad21ea1bc8d47b4338c09b160290fe521a1c1e59

SHA512
c27540d8082456af2f5acbc4adf02e7d15cfb628b39ce6b54fdf5a396aa3477d0d73b6a50011206623b0e67ac219ffeb8dba00ed2d874c31ed0281a02b20480b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
00667408947924be456725f9da935bc6

SHA1
669145ff16448a7e5b25ceb640296b30cc71a33c

SHA256
c9a497b4aa147ce261786b98b2a6279cdaaacdca6c971adeb8c72c3e96ba0a86

SHA512
1ef3295d1d71c774d06d265602317fd6ea0ba965e7c94b25c2bcd0b649838622cb500a40a56a73221c4e0bfdd8abf20cbc6cc1c90dbdfee44b240769fb21ef97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
de42d7f54b37a5d3f96615c00a6f4581

SHA1
e89bf8d1c4df151e8b3f4780a63815242448f074

SHA256
7399ad5961bcca50317a22bb9f6887fd02d6d58de709fc1aacd97fdbf36b89c1

SHA512
ccc5c947bda3c60b005b66d5a9bc18a8e53881ca3bc5dc1b045acb30ae91d9bf3a54fd7906f2bd4cc183e1cc5fe6d0599b4c554831bc1cb381a43bc48d025554

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dab5f9e0f39ffb342a6ce04f7e57bd92

SHA1
b61ad54262d990862d4eb3c248e4c91f80213f16

SHA256
777c48fd69dceb2bbb0d67522db048334cfc51af50be19af8547cc34d15a6a23

SHA512
79aa58de001f895f18cb0a5040ed812768bea294f60272888658819edc0a20dc328b3f0102084ba0df0c383ea808ef686a4d111b0da40aaa5d8c0d924d5bd674

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ea74b7e0fbf526057ba76d97b4f2c94f

SHA1
472ac85dd179a462943c0923eac610a55a6aeecc

SHA256
50962e1878084e06a5d0e1a2e6a693f0676a509a8b1179d08be5683d265536f3

SHA512
1fbb3a0f65b4383473a6e9833fd2b24a28e4909710d326030228b0bf3334a152f36f33232dd7c89e2d028b45b10515aeccb49a1626c8c674bde96e98c5bd5d41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a129e415d05e0c9f08dc1a0ea2ce5645

SHA1
fead9546e1010257b770c2f30fea2ac218bc761a

SHA256
8655948425d654f9fd7813cc1a5a8588c0976177afefbc0102f6e2d576a010b7

SHA512
a6d11cf3aee748d06d0124d94a51ae88460da7f9e02a54058efeae97036a15ef984f16a4a52f7f4e85b87c16fbe90af8a5e4e6308545d8be1b6a6acc014365d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4884ffbfea282b7e04b4eaad7e37a0d1

SHA1
1d6743d4c1117ee4fa98019fe9e0cf4d803e9730

SHA256
3e44b036a491c24f79f3a41333f1d59b4e972c56ea47a89f9c2a1da944727587

SHA512
d8e91565ac028c99299ad74e973a02dcaca4dab198f0bb14483a1c7eef155c152622830336e868eeb13573c1474210cbfeaef9b5da866b2b17d422289f1495b4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
aaac8e362a06ee91bbd788731b082d1a

SHA1
f97f6bd919680bad5d41568532c4f823f65f5981

SHA256
214905e62eab139ce51a2aeae283ec181b49877bfda06f56e0c02ff2eec42be1

SHA512
c97a35753cacd891964bbff7e0efd03f0c29fb02b8a4d0665fb3549d94548c2cca264596cda10b95e0b0d976a53e56ac1859f57da42cb70e7692a26659cae14e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2bf9eb8775a108e59473d462ca6869ca

SHA1
a256937253ca2bfa63b7d217c0665aa1a3994510

SHA256
79a7d9d86a9aec3a62c77e63e34a2241c4697991b2d2eef761e30c3dcdc0f9c6

SHA512
ff5dd3d3792cd69cfd5be2f8e98d7641beaf735a409073d0c7dbff057fbfbb7eb4e3b88c8eb7a39450aab1e4f44aa57fea160be5cb7b638d1312a81d8bfbca6b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
8ba3d3d1696cd37e69b6c0e49c8daf81

SHA1
407e19d516749e0fd84e8ce7b8b79fee804deea4

SHA256
de7f3b723b6d57c5f6ba481b6f194b0789261564fb11f24e38e4c62cf1cafd51

SHA512
7a5e050396fa9ba78d5cff0ccbb66aa292faaa1de524f9b1913d79603f16be042c95526526cdf243c45336a2d00ffb17190c0c756820d14d1d6f52efd773beda

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5bff411802468cb8e408abdcc9c07444

SHA1
bb682b0de15f68473cd0b64f7018b5a65b47a1d7

SHA256
d289eea30434a696a1480e9bdc975b7bff3dcb881db7f9ed6b6ca2fbac004eeb

SHA512
aadd60cca69abe3c4e6b75cd161ea35feb4bdaf782ca58141e86aa308c9d0f9fb698f4a4a67c3992b4de39be7a9f46e30af527d00643f393338a2de10c739208

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3d340568f5f1ad0076cf02860d99b2e2

SHA1
04c2b986fa4c1078c225f3edaeb66bcaf693a947

SHA256
c18096d4216417ff6e1076fc9779b1b26fc834976153bdad8ce0fb91c3c1d3bc

SHA512
04905cbaf08018bfbe43e703d0fbaeff9d3a7ccc9ddddde581326e54340321d954783dcffb242468e9d28ced9700916249f7321c907086362146c2743166fb1a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4c8641adc2fd2f6e857ea812ed046741

SHA1
0fdc30ef248450849952a1339bc056d68b940a05

SHA256
5287b4bdb16e1e0bcb16d9d230d47dba0900ddd66cf053fd663b833c5ea3c10b

SHA512
e907214f5a70bce51ae90d7e59a3be0c1f7b05535c69d5b232d846ed6a3ec2906e792058461c1bd6df1a21da5a379dde662b942523d850e4ba27e197ec4f53ff

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c2c982fa46d607ab4579f1e4aed0f6d5

SHA1
4a6b9270a0271e87a05b3fc0fbda283205b3b73f

SHA256
2dacc48deed93eaa47ed4f27bfac3dbbb32310ffcd604b1464c094e252b989cc

SHA512
cdbdd66640d9bab8e46cb33cdf79a9bc11f7e860f194efffb9334f7872f6c6dda1ee4e8cd42e7f200e6b609a67f27891739573e7183367a6c544e55be286f69e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c8821d4be15a8ff940042e6072be45c1

SHA1
c28b775e7933c70b12b56a601a41672a6a58e2c8

SHA256
d9b8c8bb6ae60c957bd2173674e94e48b241306e2b0b5e757237356428216417

SHA512
f4b1b050ab354ad85bf90c1c4d8f721a4ec9a183d4022af36259990d4dbf176f25f9eff546a4d5087d3e6be3235266b5dc3fcb28bcab4aa1abfc70bba12a03fa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
af69d41205ed7874add6748fdc54e631

SHA1
dd4e6b9ea8b55b55dc4ec602f77462dd1daefbfc

SHA256
325b5479cb89c553730645b0e38ffee4cc0a294808824a5e25f9868183b02dcb

SHA512
b326ea5b67be09881eeca4bab8ee763d4c64694c5738ca2f7cfd45f27211da1d8ecd53f4aa26befdb7bc0a4c168de36163855a041a107e41693cf6745a4caf26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
89f190b970920f3d7b4bb0d342e37eab

SHA1
5f7b9222cb7ad83eabb759516f9c7160503b44dc

SHA256
ee1db8fa9ff3c2e5cb273f7aae5a7335df35b9a93a9828a35ddb36735b212057

SHA512
88b9e683a70d2b20d2cf3ae35d7b60e084d33d4547aad55ec1d07143d3e6a3b8cca9694d93f5f8aa5e1e08c8b9f8d2154e7db500227cd547f72c196d69ae9147

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9a7fd6db7ecd9030a7c9511dd92106aa

SHA1
e1a5dfd195380a6f8ae50ed919306d073a44a39e

SHA256
d8aa3a9b805b2fb55e8bd49ac4ca642179f1a7daaa542967bf369994b5732227

SHA512
0e02b1a164826cc1854abecd9eaad615d16aa99549445bda1a1a75782d37824e9eb7cef64a76b51a178a424449f193c17e2e355cff3d216c697ef9ba0037801e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
827db5a518dbd7a66dc83cd390814d18

SHA1
c3474b8758c024bca09100f3932a092bab75642c

SHA256
f1375110a2437529c9fe1f61923f0d588c8e9501f4bb25bf9935849b795aed65

SHA512
f958ad93b5749a5da56d3a60138673f9b5acba0b97a036850812bb6966cb3dd2565714de7c7bfa581b1a790691c2737cc30d922202b6150ed3a5bf96a55d37a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d4bd69d643c473600c224425fe8648dc

SHA1
49d2e23a271acb075ed9ff49a60876bb96c7e146

SHA256
d0f514f7af8f4a9efd70999f3a6c1f72ca5bf8c9c39107e31af6050ffe56697d

SHA512
a60a522859d1129c8e16473e24da057722b00d5b3d5025599ba7d861d641fb95488f421b008f748a9de6bc79dfd865be684f331c10eeb1186a1a2579597d64cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
1c27694af9afdf12b222f2e1e977d35f

SHA1
a3934c3079a4372f203ecc2fa912beb7e65f33b1

SHA256
22762d33e8a616441bc340abf0f79f9a6b00f8baa07caba54c37efd9ce9194cc

SHA512
f0cc80152256e5b08af37c2b524b57debcb31be7019e9dd4ab497503f7d32bf4315b5ac3d6845cc5d6b43c816f24e50ce739e3f8b29445729e3afbf7c300bcd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
730f49509e20d06cbeada10d2717cde8

SHA1
eefc591e56b163b335937fd0e4b08502a5fe6a50

SHA256
1322b831da1f900622e1434455ea4d3585b7064a9d0aa10533c9d1d6cf643671

SHA512
a052330c6b145909ede6acfbd0db34883ba942f3ed1c8a4ccccb043ceb7b16c8fb5e472bb4f4499bb1f2b135a6eb6797a17952f6f2abf0a422ed5885fc87f5da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
13a694ba8f3b0faee027758c47b75e49

SHA1
d792ffd17061306e7e77b6c122b3efc128517be0

SHA256
e0c1695ca85cd22a063acd7995368ac3085244ef654de0f32e217fd9c8ee35b2

SHA512
b1a70e5228dd60cf22652c1e210af500c30da859f76a2718e3f69d854c572b96bc9b1c6cc3d80fc513d46f1169f6af1e9ba8af4f92099c73626acfb78e955fbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
36a5d061a67d7948efef105b6916f250

SHA1
a9f6fcfc1911dca041af1464690029bb800b8d04

SHA256
fcd4e6ed218fc4bc822b8999fdf502e8c071c36f1eb24819a67f8fab515b0641

SHA512
6a5f5f028f8225c749da2842a1534a230ae861ea821f1744afa1adf69debe7b78b3c759dfe5cf7bff80b9a5c7e6195086461bfe8fefa926025635b58527983ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
5e2abfaf8abea236403dd973e5b5778d

SHA1
b13fde899afa2ea2e9a67b356bf52ac17e2cecb5

SHA256
cc651f96555b2ac037816f86591029da9f201dfce80d1ab1656bad4206b76c64

SHA512
a67758c240c4c9a8a5940ff8363bed4c6fc287bd751e23066208dc5feba46bfb6b2ab702b3b34600f3bfe4c9f6f6a02e26288d16827c00da5dde29532a44091f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
41fb623541909a8780d7a1c08fe9c18d

SHA1
fab3765b3f6a94ee973dfc62b87d4170289eea5b

SHA256
be60d09bc06d3d179192fa16c026f98c074893ac73e2e2caca72530795f1ee93

SHA512
5c11dd32d85c461c3f2f205d9a75172c4b87fc49f51762cf05c43da436b29d4d87be58111f17cd410fb7a313d89b179e3a32d7fed15e0c4a4d643fd5467c56c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
80a5cd840eaf19284a3bbc1fb4662853

SHA1
505235b6c71e29f5e0444127647047df4ac87d43

SHA256
fab763d0cc62d9b5822452b4704f68f1cb393dfc5bbceac3665bc071e3742279

SHA512
86b130cd8ed728033fe94035fdbc6974829f0ce34a86e8d25a25fe1e3c96556e6965dd41d2787767f3b34d6b9ba90e3e4c67cd745825fbfba4561aeecf9ca0be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ca6518e55501a6c49560e122f1526ebc

SHA1
e4e249b2cd850de9100f2a1911dd3bd7cf0fac84

SHA256
3f050a7b4326923a840b5c341a82aff5244b85f7a51fa685337da6af54532416

SHA512
685ad5021d3a7f5718d52aee9724e495f7a2007a66b50941f50182d38a9a14b819aac420e5d0a69fd6ed60752657be9e42b736a42998d455f5b174a93e0daac1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
cdf6a193557395f3291bdf9d64374e81

SHA1
27055db5d51f28f744a2a0268ea94a38309a7840

SHA256
534f332e94eff8f4e813a52f9bd017c2136788dc5bfda33b216d69ad5ab2921e

SHA512
873857a48fa36118e614a0380a2f37072c501113018604303b3d0370292683d313c7c6769919f79dda98448b11e7c7a603437ecd5f100f498895766e3c146ece

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
24da13bcce30f949bdbc604f8702b087

SHA1
7c6d53c75dfe85e151e64d63e9c9eb3d92b6215f

SHA256
8df4e84e985acfdae7d5d5925c58816c8fd2e5c95d92bc2dcaf9d1d96232a91c

SHA512
9fb1c1e8077ca2943acd99a20d8267ad16a0fb62d0956e78063ab1dc8e20c52f2f6003da198fb1a8c27ef5f1dbee347ad5b4ad5f905a62144f93320ef997e874

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
7460ffcfbc81f3a555be2575882775e4

SHA1
3ebaa7ac1a651a3dd247ef5b60720579d70e8603

SHA256
bb17deda5280bdfa60f8cf5e7d1e818f4aead117fb54573d9c6afdf06ae143fd

SHA512
ccd30646f01e70c78db0b09cd0582e08449c641b94fded29b854917a8570b4681c6b7c0eb461ae508fcc4709d64e8e33b1cfe410a345179056395f6cecd53ac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
c4debbd2e36c8aa5c4d964e4dc0d65d3

SHA1
47b8b681c31725d010ac0d139a13a2fd32652fb1

SHA256
9481a4de73299fea08b41fc163c426ce74566897034a109207ae8880e8059a12

SHA512
506c13bd1bb656dbda94945373d8b756b9d26b46d952659c3a002efd2b14e0c6a92dcf38a1ddb115a04deb8d25565af9f7941b8cb2083103aa4b9fec3936e596

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
ce09b01d6a706ab3311e9645faa40806

SHA1
ce18893944317c8acc10f07568f50b8eb34218b4

SHA256
9c6ae5c4203d2629eca0f9cb1b82bbff91cf4878353ba7ccbb273a466e443f6b

SHA512
9784949eca89a11cbc1bc466ed1f20173f23192f6662e06d64ab97f22ad026b26898b0493a9a706c9e727ae59f37e1a784a94451f5374272107d997d1682df69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
0be264b9f4bec25cb8886afd5ae4c701

SHA1
e118f3742d471682ad2251f091bb0a2b471c3280

SHA256
19890fa60e78ee78152a3f1ac20a43ea5cdc09315d7817c5bc802c10169b8b02

SHA512
0f98edcb2d94b00a55a2233b367b31d378a48c3029e64c5f0c4d02448426e8eabf8f538598122bf41978905cf40ba232e378b09c0b7ea0e750c34f267a6fcab9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
53faa8410910de9ec2a517a4c9143631

SHA1
fc9f2e8c569ce16acd53f618ff209c16af5bd845

SHA256
87ccdb222d87ef9cdcd235022d9f81ab8f314edbc866d0057a6860627d06a24f

SHA512
b20176937b418d41ab916aeefe355c95cf77d7a96494fe7509bad6783bd679a4eb28f637e5b9dad49f8232129a515be352ee71fe0e65250f0cf1cf0ff17c2eea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
1e35fe625a7d78f1b9355d47edb0a45d

SHA1
82d56252b36b0494c2553787f03d30816946670f

SHA256
e0d59bdc6f85296ef1dd7a939cb8e3f3c19f375e595c2f8f075ae17302053a04

SHA512
47f6710442e4f6eadf334410c97bacac61aa4955ad784162f13d1880ba9b8aef20a0bfdc673ad309c4ad0931c8e8ad17eed5bfd090caf2b51b31d3acfaaeb09c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
c34216d5a0a108799d3744193ac15697

SHA1
d003c5473b52ddbf3264994b4405286dd6725dcf

SHA256
59fee93ef35c02748b84e552dbfdbec544e15efcc988c7e91d320e8ab7c68b23

SHA512
c225b04ca224980a549f6bc67f1cd6b3dbb2b728971845a5a90baa2afda4337c6ec785a7ed769fccb58b90d4461a8703d47cd23a957bc839bd2f26db4cbbf8ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
a907cabbc42af186c0096a410e10415c

SHA1
d6ffa58cb573946b6ab6b009b6b719d7e9ea4403

SHA256
d71e719d8912ab0c563341ba6d0db35b03b572e1dab46c0b470538db6cd16820

SHA512
ed5a2734d3b7fe2635f8f69ecaa23cd0b852567c37109f42e23ca3646b221cd7493005990efe9e14abfd3cbabe1a1a84cde7dde3c633818a66a24e7ce22d5a2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
ac12483275331bd0b068da057d0ec41b

SHA1
8e25cf3e55b5c789878fc47ca3e9ed3831f0c195

SHA256
61f48b44c6a43fb5ed88afcbd2efa841b223eb44d0d0f972ba7af27c3ec62d8d

SHA512
f151ea8a6cf5d1df8af41f627813b0b79420af6c2f8d4b03ce7e6b987d24c09777abb5ffd82b8c490da3acebc19b2efd7f12094447cce8f6c177e0d2815636a4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
2b7a33b82f59976d8c408a9d2acb2256

SHA1
f406b73c51fa8fdfd5ecc6052770df3cf5f4ea61

SHA256
539ae5d7a2662ee3a5ae1bf347d6d2cc17a0f9d711ffbafdd36552e5aa6b35f1

SHA512
d373d9b76a70d3e55fdfdeacc84c0fc34bd8ee6b195fc58ae37f474610340634c773b63440524232e7dafa25192c3642839cbf4fe104b771797743f6e253f845

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f656d80e00874a2688011f197505a7f7

SHA1
2de7ec494e7733368ebe660a7c3889883cb8b0d2

SHA256
4ac9306808e1c3e2c0ec87638bf434e70d8beb0dad05f119b496dda5e6af5d68

SHA512
742d18840b0a1c661c61457e653032f144e9efbc23df7d41d6b2becfabd60dccf713887a6a2b09e10458845b03f2748c882cdd49ed02e6ec842ce723a87dbd5a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2987375bcb4e3cddab6af33ae57043fc

SHA1
de99706485ed13b6d19cabc61fd1f9954c06ffc2

SHA256
52dce115a3d0f03832866db9da1c9557890e650f5b74018da221a28a42e5e3a0

SHA512
75c701de07e3f4aee6e9077572b202d2ddd1e1b6c9a798e4fc55edcbec763c4a7f1611c1acb0779a13f501762d5aa6e55fc7e22aeef5c9dfbf244c10478e6906

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
f711edab68870e095c225a42f49385c0

SHA1
48eca902f49f071b9340df34e2727887917ab433

SHA256
9bea5842e2741af9007b26b8c17cac351fea3332d39834b4a65ba26c5889c29b

SHA512
7465e759d1710b7a76b72b6f33488754d43bd80368c6d99c61e2dd09be1d0e857e0f7c00f0f1678bda56a91e0167edcef9cd091e31a920966b76538fbfdca35d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0e83c0d132759d539fe29e4135dd2765

SHA1
84d651a8d967b705a147a31608b1c41562e3518b

SHA256
45fbb957e243292f40585cdf82181df43c36594a78d1222aa74ebf422032a900

SHA512
c153a84b356c5ddc091085f4ef4073cd13e58b6ea63e15257178f4a944eba28bffc167677b64f3c01aa4758c59798072bc079d58aff6f5e147c952a49d3a0e01

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
de9e9b2e1e4110cfa7a62b686864e8ce

SHA1
189954a82bdca4b236d979626051a1063676e73f

SHA256
80ad2d4b5262869b6a0d1e9e31638f64bb2a7635282090182a14f63f15369118

SHA512
c2136208939e2bb9bf8fa5bccd29463d534682398239485f2a38bdccd4050de7fc9bc47535a4ba00726ccfab24dd61cad0f88df79ef7c29abfd8dd9c25fb7b0a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f484b50519908ad8529c40f59de1a898

SHA1
b08847cb6258a7ac6cc90df0705a947ca905b838

SHA256
943b1422098d5870784bb9e44888cb1243bb06412a8e8a61ae7af3085d34ce39

SHA512
ee198631453f0473cb4a2a9435faf33e0e0c61dc6621552a249224c6a842173bae621a7639d4681d8c1da902fb9c55a02d643f36f93f0ff8bf714a0f21adcc5b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
62f8be39e237897e6fc701966fe65f56

SHA1
096e2303d38d85d0eceeb5b01497541d6cbc8154

SHA256
0de078e0fbe69825b2d6b0461fe9ea2911268c4d0e74d649455c15642003acea

SHA512
e4e6e7619dea3dac9cee98cca6745073ced743a2f8a227b98999054777b3bb5747b4fb63adbd817180310af4dc5c8bd07dde97e2f0c3262c905ef666ae72b835

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
094db586ad1fc9e8aa7d2cec47f8499a

SHA1
9187796d74154dcd4c46d0e3ff431bc1d17f49e4

SHA256
3b69011a0a878d78a204c9da5e8edb0fe2318c21d161eae98ed312f8bb4e44fb

SHA512
be3008be97f543628dac7c00105c8115aa87fc3f67c28fb8648e48035fb31ef0833991210f3e182caee477b464e35d1f0aee8cf72bfa38a306bf763eca511183

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b07f2a7cc42eef2dfc2c17c2308ab4f3

SHA1
b8bb86c7e37809d3ca034539a21c353511ef8015

SHA256
ff6fb19175a5b7d22bb757a8a5c1a646c7cbee688525ab0d482e5b2d36b06b19

SHA512
647a3ebcfe071242f988f85c8516a1b2c7e56b00562e3c4751b786bf297881b031ce57d77ec95e2042b4d08eb93fdf35a44991bd1adbdefa8fa208cfee45bad9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d61c68057d0946593a4933373c531858

SHA1
4732d9cb42480ce1a695dd418a339e44cd894aac

SHA256
c142b65b8a9225b1ab4671133fd24979769871d12ea6968f82622035b0fb6dd1

SHA512
457681b8d70681e791076b172a0966251ffb7954ff173e64c386379cca7afd6d234daabf2ff65b7ef7ad60f426063829ac537a5545dc72b1e500e0f9db5d5379

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d9004f96294df43add8b02b09100b49c

SHA1
9d81f9d2267011442ca08ed6c55dd7872170268e

SHA256
0d2672d483b2fd4844e71bada0a2f24291bc7d5070c62f1f117891a269cd6e8e

SHA512
2540cc9928a92e66b8db8fa613313418033ddc8c18fc8216a4ae3862b82ff92195bbbbaa399487c53b2b087731f49eefbd67ee3cd113d50dec6fe130cbc6c570

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
eea76c7916da551d6080501443571594

SHA1
0fcedaa9e8460d4011b53a7d15c7e61852dfd717

SHA256
012026c63fdd4cf2cbf907a4275112694875d70ba99e12da802ec3b8ee08d777

SHA512
61f649090c94c75af3c9d146beb231c4cea547546eb44dc4bfde8a2426bbcd0ac644364761c7bd037b80bcd4b51a198e5735677e66bc3e20eccf2f3a68d6aa82

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
8c20bcddf3e40d82b2375b17829e6641

SHA1
0b82d4a28447fcfd1a3b5dc1f9c4175a85cbbcbb

SHA256
6bb4ed8524951a9403bbcde37c1c203968725565107423b516cdc5186a70565a

SHA512
6f7134404f2b2f7fe3da56616d822524b06086a12ea8900b7d3b0a6b4a86dc9f8f66b53f85963428e84fc68c2009a558cfef10345c4bd87fe1b71f1049aa3007

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
46b4fdec3ccb49cb566affd41dc3d8af

SHA1
5b2769e468315411c9e4d849a51f84c7f5c6e1f7

SHA256
e3117c3b5f0d94961de3976b9a7d70c37d3972982c8cbb2cf4a9da85c7f3551f

SHA512
9d221cbcace9a9b5153c49c4ceee97ac02a4b77c9b9d8c556f81e256856ce01a950e65cb80bea4b96cb3a6bb00742eb2364c522ed91141fd2ccbb31c6cbe2a40

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a8ddb05a9119ed4959a6747f3d53fa05

SHA1
765d263af86d0400ab907cc5ed39479dc0368594

SHA256
ed07595043fec37739f54e9768595a3ac11b74f4ddfbcac2e90bc0112f529f58

SHA512
f972d2e4fb3e734b38d22623ea3ccf60496be5f48fbc04e1cd2472d5d94e3dd09cddc01bfb662019d85924bf96eecac821a956e0a8cdf50e9b5cd3c1eadfae04

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
66ced47270d389b3fbd0537ff73e7886

SHA1
54cef2f05d077227fe9701a9d1adf2c5cddaa40a

SHA256
d9993198e161da91439a4f82f05f62f4bab1962d49cddb057f96de41199e5684

SHA512
1ae63e54bb15196bfcb7b4232ee6275ac013703e9c27cf4156718d589fb27f3250515b808d186252bf11206e6030f4c6c0824bea1d1d31ee7f2cd9b15978b9a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
ed8026ed3c22c4f622754ac1fdb3e638

SHA1
cfd5bfa07e0c8805b57492f9116a4bcf9e6db7ce

SHA256
725a52b736b002433495a96da35e04558c8ecbff267e105794be91b306305961

SHA512
431afaa3c4bee0f24066b4ad5d159a1975c8cc76455d48709fb11ffa71fc3f8d27666e4a110282fb14ca9c0895d0faf1f5903f684e0f1dca51251deac88a4449

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7b53862536e8244977e7acca8d1c5a72

SHA1
b33161803c7a2ea589b5d0f9ebaad08cb95e41a9

SHA256
e152e8c7bae38e280c233e36b592351f37b28b65f8333e1d53948473ed57b43f

SHA512
b7ef09ede036c75b4bc6e691aa976c6850d83db6b922806c756d132f47b918935dfc41fe4338d875b9f2f8e5a06c1f0a691cbc4548823952996ce92b3927ef4d

Download Submit
memory/60-428-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/60-314-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/624-630-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/624-356-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1068-636-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1068-423-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1420-1-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1420-25-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/1420-18-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/1420-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1420-9-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/1420-0-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/1420-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1468-441-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1468-629-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1468-329-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1788-256-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1788-254-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1788-248-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1848-634-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1848-393-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1860-341-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1860-625-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1880-36-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1880-38-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1880-238-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/1880-30-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1880-39-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/1880-237-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2152-259-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2152-260-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2152-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2188-300-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2188-416-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2308-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2308-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3012-15-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3012-236-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/3012-235-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3012-24-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3012-26-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/3012-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3040-638-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3040-450-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3096-79-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3096-243-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3096-71-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/3096-77-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/3700-289-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3700-404-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4220-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4220-405-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4428-367-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4428-631-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4464-392-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4464-274-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4564-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4564-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4564-242-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/4564-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4564-51-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/4564-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4732-347-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4732-626-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4896-637-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4896-429-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4924-68-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/4924-60-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4924-62-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4924-63-0x00007FFE07A60000-0x00007FFE07AFE000-memory.dmp

Filesize
632KB

Download
memory/4924-66-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4924-54-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4924-69-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download