61b939120c569040fa60dc0622655bd3fa81a12bd95da833159bb446255ce4b7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_39ddec401952852598459d2b7de5f82f_ryuk.exe
Size

1.5MB
MD5

39ddec401952852598459d2b7de5f82f
SHA1

824986fd4ce70f2e286b616bafefe0686131d306
SHA256

61b939120c569040fa60dc0622655bd3fa81a12bd95da833159bb446255ce4b7
SHA512

025ba44f5261612527454c2727a2a1169234daa5db227c84fa7e496f869c536ef4a3d68c614c7512bcf0201f6b3e5ee77a8983587db403aced306fc1396b1c89
SSDEEP

12288:tObXA4LWOsvAYFTwUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:KzL3UTwatr0zAiX90z/F0jsFB3SQk

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
936	alg.exe
4828	elevation_service.exe
2528	elevation_service.exe
220	maintenanceservice.exe
4348	OSE.EXE
4916	DiagnosticsHub.StandardCollector.Service.exe
4580	fxssvc.exe
3236	msdtc.exe
4440	PerceptionSimulationService.exe
2412	perfhost.exe
2216	locator.exe
2692	SensorDataService.exe
3252	snmptrap.exe
2908	spectrum.exe
4724	ssh-agent.exe
3016	TieringEngineService.exe
4796	AgentService.exe
4120	vds.exe
1560	vssvc.exe
3580	wbengine.exe
4780	WmiApSrv.exe
3532	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-24_39ddec401952852598459d2b7de5f82f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5c494aeaa29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004db9c1530af6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fcdb5530af6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000baef19540af6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000307fa7530af6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2a870530af6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4947c530af6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c96d75530af6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dcbd4530af6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	836	2024-08-24_39ddec401952852598459d2b7de5f82f_ryuk.exe
Token: SeDebugPrivilege	936	alg.exe
Token: SeDebugPrivilege	936	alg.exe
Token: SeDebugPrivilege	936	alg.exe
Token: SeTakeOwnershipPrivilege	4828	elevation_service.exe
Token: SeAuditPrivilege	4580	fxssvc.exe
Token: SeRestorePrivilege	3016	TieringEngineService.exe
Token: SeManageVolumePrivilege	3016	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4796	AgentService.exe
Token: SeBackupPrivilege	1560	vssvc.exe
Token: SeRestorePrivilege	1560	vssvc.exe
Token: SeAuditPrivilege	1560	vssvc.exe
Token: SeBackupPrivilege	3580	wbengine.exe
Token: SeRestorePrivilege	3580	wbengine.exe
Token: SeSecurityPrivilege	3580	wbengine.exe
Token: 33	3532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeDebugPrivilege	4828	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2792	3532	SearchIndexer.exe	125
PID 3532 wrote to memory of 2792	3532	SearchIndexer.exe	125
PID 3532 wrote to memory of 1848	3532	SearchIndexer.exe	126
PID 3532 wrote to memory of 1848	3532	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-24_39ddec401952852598459d2b7de5f82f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_39ddec401952852598459d2b7de5f82f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:220

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3236

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2412

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2908

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2792
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cb13bf811b1e4edb31b11872ccbb5c33

SHA1
58045d681abd06bb2f730a8ae673ceb2aa565ab5

SHA256
15432c6a5111a5e20eae806c16c0f8f8a7a87edc51b61bb41ede09741e3b573b

SHA512
7afc375f32a2366301b970de6b6284cca0630db83d3988f5a6eae98430b9f42a2324fd0d321940e3db8d0adf4d04b20481b55287e0d21745f72bde16ccdbd263

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a247ecbe348eab4fffdb35e93edcbd4f

SHA1
ea97c039e1d36a03de1f755aa9648493b967ea0b

SHA256
456037dccb8a258b0e6f5d0ecde4ffb6308ee36743511beb1a956abf0e677129

SHA512
f25a712d5e0083982460a654a8a876035720948724241b05a6ecd51393a068a2d64c41326c24151f79e27c2d60465a3cd309e95dffc434e4c946ed418e240d56

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
414729c8d4d296228fd9dac48e53d889

SHA1
f427726f9b18dba364642a5de3d9b16db310e4a4

SHA256
5657abb7ac3e423f6c614fb6ed0718800b47a314e27528dba77db732839a6221

SHA512
b81a33d1122ff1fc8c98889a73863e160b81a33bc1c97e540a876692ca8ef8d9af5b415c92fd77e406d2aa267af9179f337a9fedd96e5e918e5fe9e269db5c2c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
27e1fc5d6b84d901208ecbc7c90362c4

SHA1
05634399cba50a2e0eeed1f4394f0559bc09c65d

SHA256
acd074a3881fde54341706cbecd6199de47bc0938dcdc979a6d21c7684d697d3

SHA512
6e90b61c19ae0ac497ff7d9bb689a13ce47c9c1ef24800fe96252fa0424aa3cc84777cc5b3866750ab1fe31e89f73ea99583b05c83b9dc871b107e2e8f432216

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
668c87a0f6faccb06c931595e478391e

SHA1
b9e75eee05ed1bf327eefbf62e9e95ab98b38e33

SHA256
aef079e9c1b49254e399f68f6a4a3a99beea298ed3ca46009a7ead17df7c1ec1

SHA512
9caf43b61b20ded93a4016db42af8cb63ebf54e534c5b99ba8a3235bda19068a6f7255e833b51a598d7d47817578a7fbe62f3eef95044c48c03003b6a19f9ea9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7a0b0f0aa12416388a4f60ea37d820de

SHA1
d1ea49892312544f015c38c48466dbf03ac8c75f

SHA256
386d82d55a5e71627871b721d0b5707f1fc9242a34bd2d4566ce3607a66ba250

SHA512
fee29d253e5ff3cf7e0a3cc40d8f29ce4bcecfb907b731be62c953963129c346671975ed1c2855837b6a24c7da4e1ece9452de963d188f39cd8d950d0a7e15cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
e289cc786d6c17b3df0c0219839c56ee

SHA1
30ffa808214264032b5673c8fdb3aab044f78b80

SHA256
0c928e70a6a65be2a4ce1a85cc60d04a96ea77b380230ae3558f8984fd8b876d

SHA512
5a7d78d018c1a2f2751e34e7f47efcb1a96d31e7ad4c528a63016027aee2d736b7028fd09b8502ca1d050daf2c5549f041028da3f1a3864358fcd418098e8edd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b4cbdcf3abbc6fe37c2c8c3c00510fd5

SHA1
63eaaa06e09314f9f2decfcde509eafbac18e4f9

SHA256
9b12dd2353542262b19b6262981ee2029745e004ed6a8bea8773fd6172a83d66

SHA512
0ac8cad255d764777efdce591280d7264db00e3dd2243b6cfa905b7a90a547d151f349c8597a270ee4687e698c6290092878125fd954d9a36c4799a0806571e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
69ee5a0b47d52998d4700d52f9a76a6b

SHA1
27f96903c52d2ae1ecd0c602df07cf83b44611f1

SHA256
0f787c57602a2a6f3c7366d393c49ccc66ba14fdb24e138e6124c355da446944

SHA512
8222ca2440277d41f8a1ebed826cd0cd79fca40a0191022a1132a8b094312042febcb834bdf38c408b11ec10c4d2e2fcfc53d6ae8b1727a40930418c7191b810

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e9f35690d12f35e35b860e924fa2ae34

SHA1
16f833e6a386932467f57b8792be10d5f705a1ab

SHA256
d3dd15624921896fc9344e63e9ec27dc746b80b2c3543a190d96bbfd8fbf6cef

SHA512
a72b501d282e955d484c9c5e26a4077c8c35027d2303d0618dc0348e5404dca3b2a3a3864422e89650c3e2f4e5a895b67b3c633571f0e925b0a678848df3ca03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc8171e914fcb611674f74dd7626fc48

SHA1
0e2b855609d2d2397cb5cc0b09fafaec8ce54061

SHA256
128d99746cc2caa5404b7bafe2698f0e2b404d61a4d4e01e6877c718bab50085

SHA512
bef2127bc0e7c50745593c374248a7b072589f04ddc38e151a72fcb2d0df6e2b7d1633d1557fc6a501d99cff1ac117f5aa2578b6b5331f90c561ea58e101e467

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
239262563c3e85cec2f7daf2b66c2dac

SHA1
7e4f38b415990ff9c5e0f78a25f9021e61484c14

SHA256
273316ac82da90d91e463b811f708b12c9e22562d40ca7cb8bfdbcbfaab0ffb3

SHA512
5b8fa50ce062e3ba42a328d8f3128f6cce5e584de476e908c71775adf7bb66a852d3b2ed90b68e5290d70d181b101a8465e69ecaa8c374426c30967755783ae7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
21b4d1b74d3a8b0ba671c4fd5319e47e

SHA1
1b610a4e31fcae199db1d48c85a438c13fdea20d

SHA256
ddd727d61fbdd8c83b60f5b0d4b440fce7b7dc00641a46bc497363aacea17c46

SHA512
7d795bf32b79fc2ac451be17915c94260c91231a300d56de8eee1033f647a75329abf7e3f786fc69cbf32258b4953731034d27751d0382b79bdc6d0610f908e8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e560f2534fddc3335f9c3437322edfce

SHA1
d561a6d0d4fe043d96a34572bc0282bb8b1048b1

SHA256
7d6a1af64cb776fc76a0e9fdfe3e6030fe0fb2c66f4623ee9eec0fad1d6adf38

SHA512
3b0a1b956ba71f7c57c3cb4da64daa0cf4c90ed024346595bc0d00e652870e4705a3abfae7634e6693db4f562057521f9adf7727511df0eb9126f295092d78d4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1e90ba33a1a9301f8fe1411b07c2067f

SHA1
b5b36a50c438fd0f1ebeb022a4519b234061a26f

SHA256
79112673cb4307931109e557e9e7c519fec7d8eb9ce9f494bec86b61bbaac60e

SHA512
43e0d7e752557b427e7b1e3aff7574d8d99cb7e71dfc90cad767cd648028c5c0f041759d645fabb30b2382d8cd2456fa0123a9731e1cdfbc7ae36e946c1de52d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f788dd512fe198902c0a5612d9d73285

SHA1
dd3a20e21c9f844a29fd32afb800e2be858a258f

SHA256
4929f6f8ea0c7804637dd0c3ab0580ddab092a2a261e4ef26f8c8ed90e2bedc3

SHA512
053139daee358a52e721c6ae6be22fd06215521d68e51b63c897a41db7b5d0ad592f8851af282ae25440c3ba83c6d54ecf206a8f30886e4558cc39326079a2f5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0b5dd9a3cc7b5e5207b78907ea6af7eb

SHA1
5ec633019e4bcf1bf6721391ad1b688feed30157

SHA256
5f926501e1893c1e33e1ef0fbf90d9553b861d6e8f551c3f612a767692b13751

SHA512
86cfda963ba428bd05742893d274fdb97cda28d50441c647b68b80d6bcf2f7e6794141f99040dc5e0f9622fbe55ff03b152869b87f3f83203629742034b1d27a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
cfbb22bc483c73adb903f21cce1cda77

SHA1
1ab283604b102f8037e543ba28d6a09411dceb0e

SHA256
8d4e4db4df1e3c483701a5c6940904f987b4efe92907de0f38fb0fac7c734902

SHA512
11faa3d32e0fea1bb76ce115c3d22ade41dace1b9c815d5a77d99f993c6902780c13d2a7fb12699e781ac7e7bef383d457a29a7b23a8eb907715d8405ba4cda8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
a41a7db1410774e91a65b30b3d816086

SHA1
31d6c4a85dba9d92009a1a69ec1c60335db06ee3

SHA256
0645389377608c2a5ed45b21944d48e7933f69c72eda4882a579711985694ccd

SHA512
e10dc075dc11145cd2d4fa64cd864eb0e9f7151a786740754f5fce659ef3a50fbfc3d06bde096bdb2092501f8768d821eff8b1fd10d424660d40c5d7ae630fe6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
dc614144acde0cc6332156055b72e591

SHA1
a797467967b5c3d8ab1e390af30a1533d22b3feb

SHA256
d2080494ab17e5ac30f8c48748f8926405ae60ec6de55cea68c0f3a3e916a9fb

SHA512
2c171550479689b1cecb5975d5b7e50e670002a79d43554b53e60a9022eb5c8a5582be1ee4e463ec1e99127d13c939d92d5044c9670f86dca2e47c77effaa0a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b3c13aaca11dd3f49de71f26861ac10d

SHA1
887fa808fde68fb691d3a7eff5b4f89891b085bd

SHA256
867f7e58217f0e605ef0986c8087995a4c11215b1ec8c8fe308141b364966df9

SHA512
463faf3b1ff67200832d2ad685c194cbb34696c7719483046f428238ff4e4376bba0a1d321aca28ae66621a6fd2c3dd4c5523e607ebbefee5a8c0f7c99e63794

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
1826a5426d5942bf7798aed67e591502

SHA1
4c16e73a221d5e56e4c0b5b53c41d15640f5f763

SHA256
0d93aac8a7198592fb1a7a8c2ae61cede20f57a0e7a8656b1b6d35e64f57fb5e

SHA512
10801cc6627a2cf50f3552e82706da516da2239ff4d20356a4449759fb5947987f56c9b2bb5ab6a12501b2ec63d9d9637a8b3ad0969f5a2b758083d73f280c26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0c6340b296c19a90a99c8f9ef9363d25

SHA1
25592725ee686cac8d894a9f5f354ff417e1434f

SHA256
d84d0052951fbe220dd03870e327b885f482037f26108a661e48d4b88b049669

SHA512
46967bda443e1fb1cc0befb1389a7af152b86103d3ca7c268ce202783b08bdbd86cad91bf19dbbb1ed9c61b216fe07290fd9746615e7d7ce10fe4f05e93689db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
6bd3f30dd42142ef66d383ad828fea71

SHA1
75fe43f843564ae64f8f30b7e8b36021e11a65ce

SHA256
2e341ef9696612c472577877cf67fccfbedb29d005ea809a42569c9d44443c94

SHA512
6f671119923bfa0e810637e2b8bb1c9ef041057e4b6ce924e6da3d8def266cd88ac599bc6fe93b95935048a11021952f57beea385b81c6be36ecddbe9ab9f4f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
491764cf80582eaef6c47d256d8e27df

SHA1
a286b7e0723f6da344ecc0dc0c4b608d1027af59

SHA256
b15967b970fbaec9ad2af814419b7899ea0352138b4b91754111162f3065fdce

SHA512
0f584121dc20e45f2e890c099d7e94494aeff11e1835ccbd031d7be1d4bbe29299dd098f361a026e24a3a0de0c131aeb94ffc6f6b3e6ca23a013145e860d5961

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
669415e8f52b86c69c2429871e7a348d

SHA1
be1f4f3c661a7e38b6ddd77e77779efd4964eec1

SHA256
02b260b54b4ac01c04cf8ee60b5d90becfd39b33098e31302a5bd1edbcb5605f

SHA512
3b2c5517a5e04b89ad54e4b970276e221dcdf4450e0f92aa1326f4210e44a4fcb5ebe24de249a4b80e95be9aa66bd548ce68a01c14fa7585b8c86fe0eb88fdfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
53a461577d46b6683df10d7a5fd78346

SHA1
3d2e11611623cf4c872832aa7c1b53d1aa2b99d0

SHA256
19f1d01f22973819f04cf071466b664fe575c182f5c0df6d71258e1c2298fe42

SHA512
24e31cade545a4129a2fd731b6c70b85e8508cac9431620fa3f4861dac549325073518a8a033b7696b09833c78db097692da14c1900b426b78335d86fbe5f321

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
9c7bd3a1aba708eef97d0774a24464e4

SHA1
af17fada811e7d17626d2a0eb9f4a1787cb4b74b

SHA256
7f2e8b1b674d60e8f96ecb7f900d8131d59b0083d037cf461e3fc795ba02d499

SHA512
09d20b63fd139ee53cf284c6b4d281b69901fcb51b02cdabd3e8be0654a34a3d12ab56312a69c0eb7ea27a719c7f09e5404e81514d809161591c9e06ce6090bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9df201a714f04eec80e1294b6a0dfb5e

SHA1
cd21c6f739331dceda392b6614fd87513270bca8

SHA256
24e530a98ff423717ec7d3ee3e02f11a63810d750d9d047e342e86e8a6274d8a

SHA512
a58461990530101bbc9e46fc9fe4f761e82e467f36c535539875b6b9d5749af7601834b4503947a9f0677516bd7757f419e3e1b70ae6f92fa976328c204564ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
c6e6eef4a938e8c2aaa7e73c380265ff

SHA1
b5c8e0c54e81a0a6839885ea4edbc79ec33b1e11

SHA256
447cc02bc6f68373d829384a061ffbe5379805332124fff180a0e2ac8ecdb017

SHA512
8edcdf0460019aef6df8226746363e6e1f584720fc8fe4a0ffdf25742477b06b15877020183724c0208f38fc17fd457281063de566f5a79aa46925f909096546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d8227decca4d26dbf9b80db8019b7ee5

SHA1
6e942d09e462254f79edcd109d31398925938330

SHA256
b8f75de93f1dac1dc954b088160dc366bcdcb535585da71592e643b44cd0a041

SHA512
2e4667ffd052a213e1048044fd81d1e6d40de2988cc47364f9d2aba1fb0da5822038f88f0ba1021c10d2b7dcf1af2ac04a2a596887201b38b7efb3d3cd08a741

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
aadc30c0d4e405aec8d02221b1ad8851

SHA1
8a9e37f0c30a1fea20211f5bcc35964a2013ee54

SHA256
be77241db51cab7df9bfd79f5de2bb3374ca7cbc0e976c57cd4766faaa9cefd3

SHA512
be2be49973d7bdb8669a791fb10682ca8df04abafbb06b3d05a4bed62e0a5577a2ef784eb086e35c4edb37a0b5bed5c0a7dccfc3ccc0fca0f7680bb4e663738f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9791a95cf267d1d8be99fa5f097d6f86

SHA1
8bc30458012344b5e23fa4c37396576206742442

SHA256
514c30fdf19dddc39671eaf5a17c3d74a7e9a1f0bfcd7fedad5d54b0253d390a

SHA512
2c6e853fddb1bf3fe76bbadcab3f6600a7653b013be269abe241d5828ea1da24445b988475620c4d96c456d3443e12710354e3cd36ba1994575f853bd5817549

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6c52f43ca0dfedab1c9d5a71ff107acd

SHA1
2e36d1edfdc74654eff670c46b38b6f819afd3e5

SHA256
40132be464e8063e6b2de13602c91da8997622ac7bb0dff80329ce4bb8d0ae01

SHA512
b09f5451442ba56b762874b5365b6e9cad46ca78c8e747b94e324db0e2ebc1ef4965e5cf47b5f18b6e0c41b269197e70875909e1c7b7263a701c4d10ff1278e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
fc428f31d9348789e54f7ee2b9b28a68

SHA1
3bc1f66dc81865abf34cd8aafd83c8f0e2253e67

SHA256
a2ac3c000fa724cede3b3a76b3c8c65eabb222a985c2e380999f2727767cff30

SHA512
e65418791709babcced8bfdef9425ee71871e444f76d1d41efd06c5df4a98224b8f1bc5286b39f447414cda2afd32da2d921cecd9938c256bfc92915c498b9e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
39a0d421830a7953e34dffcb166bd68c

SHA1
136fbf9b63f56fabf5dc2a1509060bb37b0f1b18

SHA256
31594ae307ddddbda48611d3bebbd37107f7edeb16b6089523355b94e0acaac0

SHA512
8708326727c56d45ea2b3248f2ee0ec4070c4e98e8d0f9ed4b845ca9b0194156169be5b5334a62f8170c093d80d3d4aab7d4d1e610df322af768fd41c07bd2f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
9f0356ae79f95d8df64cd0358c47d1ff

SHA1
3b55b71a9096b56e27348c62f8df161ed42cc83e

SHA256
3f0f7bd0617492c75e753d54d0f62bc992024a3cedbc588a0f1e60f1910f3ab8

SHA512
2ecba8eb805fcb3e94b79566890e0289a716f0a09ad357bdb8f0fe31fc332c8cc0578dcb555294c10f530bd5ec11d864d2e53a87690f8f0276f7cfa740aef1ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
ede2f90e219a098194021bb3fad8ce48

SHA1
69869a84651214affc854f10777ab5b69696a21d

SHA256
c54af2be0a4b86b11e677fd7afe843c9c14326bb8ff2cc0048a87b5fc455f407

SHA512
d96bfb8838a476e10e2fafcc074ceee28c3c4f50989f7195e1ed0c0c9d15a7b721720186c976700a66a843ba898cc6ac25fe88cb7b151ed723b4796daf32f775

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
9e4f8fef2895b26c0af1ab749b7fcb97

SHA1
931553d2ca6900892fc7ded6cbddd1c70032c211

SHA256
55122fdf7812ddf95cb34c909ce414ac4f3787387caf551765ef7493e9fd9acb

SHA512
3128f3dbe599b00809fa86d55439e627be7925f87496a0a5a8be08c7948d68b7b13dd4492ad0bbce5539ade62c47d73d30c34cc99ae51ce5d5dd98b66ff21afd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
4b61be5020097e5e932f8b6ca608f753

SHA1
7bf5168fd6b9df351f7360b612701efd881bb311

SHA256
280a3c6a4380974914b337e15196a1f47110357ed4b625fe001c0e7f6849f7f8

SHA512
19ebc7f38221c5c1b95678bc369ac14739e34cfcdf5f851e56c3bea47b4fd4d8185a03c04f588dd4e81c6e5c991e39a56e27e03c59d54ef42a835d6a5fb2e840

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
2cfbc25712c645974b8b449a1d3da953

SHA1
92db43da641e935dfbaae466a268345c85f8bf27

SHA256
9b0c766c995978128f29ccfe92aeb9c80a383bba35916be54c01c4fe9a6cc276

SHA512
99c447e8b2bc198f8e2ab61f6f5dd7dc019f18911fae753de526ef7a5cc21cdd09ee0bf2c1ec150052171d6972804c4895a1b158207bf6fa0b6faf9c5d86ce63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
5311c7d1fb525ad1850187bd25950edf

SHA1
d8587907ae9389a25c2946f0fc10e02a8c7c54f7

SHA256
0820e9846c329c7184c02c8197c6e00f06c3db696ae3639ff7b855a677149314

SHA512
e0cae5815fa8fbb388b64b1bad3779cb951fbaafee1c2ebced08bea61dcda7badf5030cc2e72b17ce62e3db15c729ec13d3568cb0b6405395338baad82ef2150

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
d84e214c75473575b56e02c841f3bd57

SHA1
4e9a469a04709439108d986aca3dbaa47226fc23

SHA256
5bc28454e961341ef6de21a274dd6a0d45fb6a27676556c79f2310be2a48b760

SHA512
57f1841fa7666b399741abcf123c92b714e42a7bf39d040de3a27522f162521d10ad35787f41d018286af1dd973db330ff24646f4c0e717af8a43fab4fe8f694

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
88c45bdd7a3f457d0571c0d5e663e07a

SHA1
d3009a71ee6402a4342f29d15ece698c8d0bc886

SHA256
294a37bce7abc21c75a4a5f763efd9e7a5da230c232775323db917c2a2797688

SHA512
7b5c58ee163f46a771dea3ba5efd77876fd80743dc600dc57d6a0acd2dc0844b720ebcc34be8150344187398af630bcfbc5cb8039c2c732c7b66f098b5ae5810

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5c102dac527148a62aeaca6276e7d147

SHA1
e0706c969cfe14d1b346b9c5069dd20c0c06b413

SHA256
036a0f230eef719d6c037a684064c895c62997416262418847cfb4cda5826fc2

SHA512
e524e9b38ed1a9ce89145ca8b4c05e065d979b9cc245e3cd95b03cb1751908ca195155ac951d44e0ca7a82196dbbe45d85378b1b0275d96a0c16f564940f5afa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c1d43754f1a27ff5e99a0b866ad8b2c2

SHA1
2847a178c130eb3964b96172bd6f398244d089ed

SHA256
82ad2682c5edd3cc1af6e59b1e83374b6cc885c56ee7cc7333b95fdf4c8c025b

SHA512
e7b8acc2d122c71a7a1c03b9309722c34ce12aa13b5bfa8d48d7d3d4d6844d0a8aadb351ccc0a435809512279e39b5be75f7371008f885d17c1c8d914134d645

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d3901e2e7b692ce06388f827d2cf77a5

SHA1
86ee6561fdad7e238ac273c000d5d40c1462e3fd

SHA256
b766e3809261ffe05e4b1e6e6ae239c6c9a6c29798fa18a761f221c3bb108cea

SHA512
b4a10ebe5970565b8ea16187880cb1221d706fd8057418e5864eff8121a43fa492e734d3465fb45e18ef7e6e670b28b983d46c83557f2f5b96bbe71229a0b556

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5dc27879498adb3c69fbce22af04e7ba

SHA1
3cdb808b332c453c661a4ab8a2810365f10886d3

SHA256
bf2e3d93c675a0f3ef79b969846c11f2b708ec9c0c0dedbf710fd593a8e102e0

SHA512
37475f6c23e3e3147e30c65f83223a5c951eca8a399b269c022bb9afcfec2f9fca4c2119820575701648857ed404a6a00090cb913ff3f98419258818fbb35497

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a8eb341f573461b1fc3a03ce9e278b32

SHA1
6674abc87a40938683255b91ab2244d970660ef5

SHA256
206660f1507335a7ad1c93d3797bea29887478b37056b9f5ccf38c48a3d5db1f

SHA512
bd7049201c99ad1971d61da608bab6e338684b47bc98f2db56eb2974c107447dd9d01fd954a2f9ef44c5e9c73a453a8fc00faa9b2988aef92e106342de3ee2dc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
331d1cb68019cb23d280d5d6d41105cf

SHA1
fa0204b2719bd5c5455f938ad143f17047f3fb79

SHA256
95aab8654070222411e351f6972fbb709fd408ff7af32958438f6fc496473abf

SHA512
043ce3ded100d461095db1b1c7ae5c0d226e08f23aaee6fe13733c57af9ef9c289a7be5910621e7fa7c20fa54e822cda378e72eb0a4ec4874b340fa1c0edeb18

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b7ffcf85ff9794dd9d20af61e452320a

SHA1
ca204ce4a83485fb37d8a13de477755e9b84c627

SHA256
c6fcba0454526efcbd399b68772d8ba7b24683bebdcc04209102750da80f2be7

SHA512
98ade146fee32d64f46a53907094ffd22667123a055b633cfe1dc057481da1185f5d245f33d860d058b0043d19d0a92d48a93f5865c749f72cf04755ec3e14d6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b198a3c3d3088dfbbe4d903c27ae7cf3

SHA1
d37306506cbfe347624fb21b094d8d9bc8d12c2a

SHA256
9c6da441a510ce1374326318c8a113207dd00366543d0782045bdb3fb9688e84

SHA512
ff560db21c50d1058a5e11ebdc70701e79e2ba95e995599da26e2075b63fee8e7ec5ec5f0394632244b044593953cff78de41e9da2d2507fe19a4f9f97363691

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
65f51b6dd8596b720b3c1bf88791747c

SHA1
8723b9485bcd82ea0a20096c6e6c12dd87358193

SHA256
94253849998f01da5aad824d1d5af41be380826dab980ffd182673f1f40bc1a1

SHA512
748de95c0794decc104a972a5e183de7c90a1bc9cc5e02b3285216aedff41fac4bb33da8264935c33221087eea2a3b1d342db72daa356642346efd3377f6e2e0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0e88c7640664f7c19d86bc8e68c895dc

SHA1
6b85908172af4ee1d0a56d3757d9c73107a9aced

SHA256
1bba1cdfb42d21b16000bf1a964b5f8aacc89bcf21b387658f847f801c95771e

SHA512
bd79fd04dbdb6146b8c5ffded6ac15fc3ee91cba2460f0e4e577899120317a7fb54bed5f99c8b90d152c0b978ac4e3779b0afb57b6ff88848fc499ea557f7a6a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
15f5b5eff60990220792a112c60cbb3a

SHA1
6cd15f498375269b43ad2dfa966a36d6745c07e2

SHA256
560cfff3052d57cfeee274857cccf4f910d99fa6385189914d0cbdd502a10909

SHA512
b239593070c5cbe0c3e5c3026eb314c931ee8a23f6f9ccf1fc2634b8e75f4e8ee96ed0ad96c358f30a673d592e627fc671ccc2a893bb5ca242393d64453c86ad

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
43cde6ed6661542047e597d04147f5c1

SHA1
fba93c63e803cb90c0332c37796472d3aee76c23

SHA256
b0bd47e6395e3c6a973ce4ecfcb83a5275f7c09ad54caae3babb7a200cdfa1d9

SHA512
1d25a6e8f45856dfd57b45bef1c3cfbd7dbc37200f5ee29560ddf427d6bccbf42112425a0e793beaace1b5cf5a168dd13efe632ea33481614ddbda69450b640f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
232d7007f63c337142bf0f4497c7d679

SHA1
03e40d4ac9b2fa4a50a764ab56f3ef60b93a0cb8

SHA256
325da55ce7842e46c3b833e66cf4270d7ba9ad54cb4453acfc6b8e8427d00644

SHA512
df75569d16063302004c6e835a00aa751049c3bc6c97a468f577103b0ef5dd287b8dcb4e923cd4fa430084b834731aa2746722e6d58f4744b0362939e7231b28

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
49c568ac503264f2735f022d73cc122a

SHA1
b78b3020015d9fed69a305a7aec60d45ef61be25

SHA256
883760f1ba59c23c438c001f16fe795c086f01f5120299fed6f79786cad49d54

SHA512
12bc6d0a5f75beea1e6ddd0e76bef9be4adbed5ed2fd4daf15189203701e1e9653059d8bffb02d8d8a328ebeab01b00b1c6f8af1b1e125a6a7494262bbc3c8a7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
157bbb2595e092b78849970fa5d466a7

SHA1
f853bf249b37e25f00715aee2aa2306ac9fa2927

SHA256
0f852cee4793c509dfe525c09c1e90ce424a391e629e87c7d9daa75511f0266c

SHA512
2e4b8dba22df3f8d824d604847feb01da51f581e5e0576aa7acbffd88885f688d4670da47f9e43fce26ebf7286727b7072a8162111c35afb041b3d846e3e6a7c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b434c47f3e14673f30a30a24f262a734

SHA1
6f0530e2c86587229b501ec0ecb05fdbc3eed53d

SHA256
792cf7ddc66a6b62b64ad4c5d93a2093082c6f77025de7c14ba79c4ebb9cc489

SHA512
df4b7af589db821c0b9a71e8ef2745d229559f9f62833fe1ac77d2895e7db3c54e631d6f01610b9b195937bfece293ec3b6508a742ba10f31b33aa2eebd339bc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e543de56a6116e6a6ae41c0906662b4a

SHA1
b8e4632b4d8da321883c015b80e3eb4a3bc9c519

SHA256
b9f3ef08ca0598b6872ba02354d144b07167bce6fe2c7711f3a08a8620536943

SHA512
05e4d4dfc80ecd2d81f2d4a22a555d991fc2d4e1a24e6517b07bf6893bc2a946634f8be6d864ee20e2096be4cce0b001eb1a6fcefb8cd5421676a825d9f21033

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
af4bca5e27ef82f901a58f5393d03d40

SHA1
228bb5850cf213cf5d9b2985de2beeef78ec9214

SHA256
247f0d4dfab86a845326074d6d41b74f0ec9a187e25cfd00aaed0feb8e683921

SHA512
9bfe3892c996221b4e8fa3acab778d385fbe4cf48b6a0fc0f1c40e408bf1f815504e05614bec6ef690a8cbf9c12a0036f50cf845b9383d826d77e93596974c98

Download Submit
memory/220-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/220-53-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/220-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/220-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/220-67-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/836-12-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/836-9-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/836-0-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/836-2-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/836-14-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/936-25-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/936-149-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/936-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/936-24-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1560-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1560-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2216-424-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2216-305-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2412-412-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2412-295-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2528-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2528-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2528-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2528-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2692-594-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2692-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2692-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2908-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2908-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3016-590-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3016-371-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3236-388-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3236-266-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3252-521-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3252-328-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3532-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3532-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3580-421-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3580-601-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4120-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4120-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4348-69-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4348-236-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4348-77-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4348-75-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4440-281-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4440-400-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4580-280-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4580-255-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4580-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-573-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4724-351-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4780-425-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4780-602-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4796-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4796-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4828-30-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4828-29-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4828-37-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4828-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4916-362-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4916-243-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4916-244-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4916-250-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download