c1380929e42ef06215ed209b30a6afebe1334ad41c6b14220feecc49113fd208

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_f02c276203c105d1669990ad3e3f8660_ryuk.exe
Size

1.1MB
MD5

f02c276203c105d1669990ad3e3f8660
SHA1

0b2358138ca58f83d886c82a43e9a5d507933cf6
SHA256

c1380929e42ef06215ed209b30a6afebe1334ad41c6b14220feecc49113fd208
SHA512

6e6939df32b38ece8ca69f6c656606c511b70ef409c81fc6a97b7a44f7bb544f73e64badc2f24ce61ec03bb80e2cd846baf2470238160b203ca9f18b6bbf60b5
SSDEEP

24576:P6hsTO4NnPvZ99xKpqGm9+JC4P6otUmRkM:P6hsTDPVxKwYn6qxk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2132	alg.exe
224	elevation_service.exe
2956	DiagnosticsHub.StandardCollector.Service.exe
3516	elevation_service.exe
3732	maintenanceservice.exe
3420	OSE.EXE
1736	fxssvc.exe
532	msdtc.exe
4360	PerceptionSimulationService.exe
1420	perfhost.exe
4948	locator.exe
2668	SensorDataService.exe
4900	snmptrap.exe
3208	spectrum.exe
3144	ssh-agent.exe
228	TieringEngineService.exe
1880	AgentService.exe
4376	vds.exe
4248	vssvc.exe
2220	wbengine.exe
3292	WmiApSrv.exe
1208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-09_f02c276203c105d1669990ad3e3f8660_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da12f0da4521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-09_f02c276203c105d1669990ad3e3f8660_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-09_f02c276203c105d1669990ad3e3f8660_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-09_f02c276203c105d1669990ad3e3f8660_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1d34945ef02db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036837945ef02db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000731f9645ef02db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076d26845ef02db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bf78e45ef02db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc2ee745ef02db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000731f9645ef02db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000160f4545ef02db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5108	2024-09-09_f02c276203c105d1669990ad3e3f8660_ryuk.exe
Token: SeDebugPrivilege	2132	alg.exe
Token: SeDebugPrivilege	2132	alg.exe
Token: SeDebugPrivilege	2132	alg.exe
Token: SeTakeOwnershipPrivilege	224	elevation_service.exe
Token: SeAuditPrivilege	1736	fxssvc.exe
Token: SeRestorePrivilege	228	TieringEngineService.exe
Token: SeManageVolumePrivilege	228	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1880	AgentService.exe
Token: SeBackupPrivilege	4248	vssvc.exe
Token: SeRestorePrivilege	4248	vssvc.exe
Token: SeAuditPrivilege	4248	vssvc.exe
Token: SeBackupPrivilege	2220	wbengine.exe
Token: SeRestorePrivilege	2220	wbengine.exe
Token: SeSecurityPrivilege	2220	wbengine.exe
Token: 33	1208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeDebugPrivilege	224	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1880	1208	SearchIndexer.exe	122
PID 1208 wrote to memory of 1880	1208	SearchIndexer.exe	122
PID 1208 wrote to memory of 2552	1208	SearchIndexer.exe	123
PID 1208 wrote to memory of 2552	1208	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-09_f02c276203c105d1669990ad3e3f8660_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_f02c276203c105d1669990ad3e3f8660_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3732

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2668

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3208

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5080

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
665dbe4fecef63502901c602f8c0973d

SHA1
19ab9ac74aa473921c09a08f6b1e05a37a5f7f9b

SHA256
61414227127d85c6e1ba0d0152010498f880a9bb8a3d964a32b845ac95650d23

SHA512
ddabbd39f62df5a7a559c27c0ead8039af62d640ccfc98d77fdff503c51ae44e5ed6a4bc3a04eb69a887c8f4da0c129217106c915dd3e29cd356a7f211cb5674

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
f996a0eeb014f232f3f43b454d09efee

SHA1
145a0b6fa6f04684d18f63f4f3a7249010ff2df8

SHA256
71f735dfde4faa490f10c46885bbc7fc2e036ee30fb9d7279d806ea53f130bbe

SHA512
65dd8ab73706204582b32d35cc05cf286ec9b6286d73e3df1217fba8e710efe666f7f8402aa74fbbeb6fdc9224dd1c33b4ed0676c53985002ae3da51c9c18294

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
0d04a069e835ac704e3d38c6af3f0a79

SHA1
6cc8eef185434bb11b163dd809e59afff4fdc550

SHA256
8a57a8f98a43350fadf9272e469ddcd94cd5fa08ede05d0716730c0943ed1adb

SHA512
66bf4a9b83f7acbeada79b5e02b2d71ced2790d516d6b11e765b5c821132e4e0d64b37dcbb9ee48f19aaa8f1bb6cf2c35565deb721d2a8fb898ae7c6296e5011

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c45c32841862a52286a7215f8f52a63c

SHA1
33a7fc9350103c8ee1ea01006a05b266da2d7e7e

SHA256
625eb5b8ace484de1272e21c00528263411cf009cb71fa7e8e166ad6c6c444d7

SHA512
343b3a14d8dab0a76c819d187a755dc4edd05c149fdda9d325de811b06027180daf4912a46573c668712cb1cf80145d38b68dbc6f8999088062a39e4b444fe2a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fa83b6a2ff7f5f5fed20a61c3f288200

SHA1
4a437edce2a283531cb2e3a8cc7316722ae0811a

SHA256
02fb11cf895c34dde93ff12896f6da14a880b0627709c92354c10c3802ff069a

SHA512
9fbbc02223ebcd65c48c3a5e8dc8aec99c49a5e29a6e1532aa108ac7cb4041c6c176b14fa3fe51c426fb4ab8f298d06755c3832eb5b69771c0c00939d42cce37

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
121dcc32517e2417961348929c46d090

SHA1
a0550a0f10c9cda158315d51d2d40e78e90e2f7b

SHA256
d91ce449e8ec5f548a6f4a59b9f8da71565fff23aa740533fa9b68e1a4021267

SHA512
2fa5b223be6474762ffbd0949561fb9d8beb42d4cdc76bff58f67a654eeae2d2dcb57c6508bf54c741df31a1f2e8d3907aa7fab010c3d6f79dd346d89d7c51f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
650a3f7b18027e8e7f8eac353cee2f7d

SHA1
470e7425dc424e3647bac5a7ddb50adb1a4db1ad

SHA256
2ee8359e41a27718d9b42276407bfade523002eb78cbfd49803571042838e46c

SHA512
de33dddf585149c455155887bb55d89bfd0da4db73cf1079643e483e0b1ea77dc2429c83ac456b6de557e10bc8bcf1b7e3fc106100f0138a4b0c4d200f5250a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fc0629ea4afe1f113dc62c48948f34a1

SHA1
5d2700a060b56a533a029dd045d039173e06f039

SHA256
8effe3e6a05607f9398f9b40ccac7938b556a42a450d3210569038abcba924a8

SHA512
1461d4b5e3e543cd5d0fa4eaf90b0021d8c7f893c66e0d6a438fb537a3812064e1a059ddf2eb2369f97b72b1804b15bd9cbb5776262a2428e3c40f051eeb4174

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
ac9929679898083857d94eac3bdc2245

SHA1
2cbfac3881578be1eccbe354c8736cfb7c69648d

SHA256
dd6d501fe8f339ad48ca8db53e8644558ee49d631bf2c0293f50247f50c5688c

SHA512
906ad3b0f46c27c5adfc81ac4cf07d2b11b616137b8b4fa6af2aa1c398c99b98e9cc21318b1945182fca02d33db984c96f2ce55af5fa0781a28c963206bd75d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d0f542d4ec6173aeda39870ed894f03c

SHA1
1bfc488c03e655bf4a70a61a0efe0edb3af0584e

SHA256
4dbefa6ae5c8fb3e50aeb62ab3369b88fd2959b6dd06bcb58409e7d40659fd32

SHA512
1f12b392f9ab97215262cbed72a917000583bac8d36872364b6fef2723928e6b8fa3094bd48dac708e7c851369047671913e86f0f3b1e80dcb90b96d7a3d472c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1ae8edf659fbb19044bfa89e0e1c4aaf

SHA1
efa48fe341ba13343ac50fde2fd8b673da3df108

SHA256
1403c48ea5a82ef8a1d6748477aad2288c8734088dec0cc229162a3838aad714

SHA512
8f5b6b476683d1f550540888d079a9047f1e8d4a59b4dcd1d24929c0da5822b922be6301ab1c4372b0b768af2378559d0661bc6ac3070fc4184cbf2378c55c64

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a409f2b26055d9f45f6d73a153fec596

SHA1
ecb7467ad59b72231fdebaee222b7fea2d5b9729

SHA256
16b2c5b36aa72947d24ea1a45f136426cef1dbea1db44a5796c02130f920bfd5

SHA512
fd1083b67d6a3e3173586fd71dfd7932baa09b0c96c0c099d8c761a4b4c1e5dad2930022a99259994c6970071f8100706272725adf815835fea470ce5302c6bb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
1fd2d48fab7ad44df44b047edbce8a67

SHA1
0c0cd3627caa2b300ed2f1d56d83da8c9702cdf5

SHA256
069db809f0aa5c16b2cefac4807a70c0d22eb3b3e45db17f6b72f3fdf7952d74

SHA512
c0463499dfea205747e57f893c31e8716cdd88f0151c3f9c19ee5691e2b465f7263a6a3affccc8724f05fc12be1c8f3379b7c43f47bfd5f2309dfa3b58b2eb97

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
cce2ed2ff49f6afeb134d5966335c2c8

SHA1
76c1f4f3e380e96064333afd02a02d588d7fe075

SHA256
69807a79477fa417df034cf276eec29ddf8cb801685089843ec009d1605a8b1a

SHA512
45d62863c51755c3503522a816a2b940706616bf5507536d3058e05e3c822b940afa30b76c52f727bd695f834f811e9b78ce862a9dc934ae9dae79cde3d5ca3e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
6d25747206b36265f588892edcf66b48

SHA1
f44a499fb5d03f223889ce2e0c0da92716fea947

SHA256
d1444a0e9a84eac77f206609887a799606f1a851160bb456cf72a4e20e0565c0

SHA512
0252b568fd648750fddc76b72c1b65544af6637977d03ba202f91135268b3d284f749e867c72dcb5d82fc7f835e9f4fdedc77d7eabaec3ecff114fd20e2763cb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
fc823f14f8730f64614f3798974a3eed

SHA1
ba2e7c4243fc9de2f7dc03890a5de8b5fdcf2549

SHA256
e013b5c3c516934f6769489b1ae0a43c6d9d72928a3e8e19b562ba740cb40663

SHA512
895a8152a28a5d745b50bcbcfdcbcba66af978b7de0472e43b03f35203cf3da8253620896df4461cc8ffa037e1ed814d373d6ac8253728693c58de3c5b4f7b77

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4cea4ae42a3d070746b8502bc86c07cd

SHA1
0b4fee6e4ccf15e7313bb897d0b3f1f224bfa0ca

SHA256
92081e2ab220f8b3d8a36f7b13508c3ee1889f64236e4c31624abeb22f48b41c

SHA512
59744888fd7a486e7301b0b898c234a23a5a3771b32bf7326282172cad76a82eea6f92734b6abe0986fc3cdae1ac7128ae5b42b274f3c8428f33fafdc6ee4b0f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8b8fb86c6e9bd697f80305c97232a392

SHA1
63d257fea04aa9067c47269aa9828a2e350c5af3

SHA256
ade1b0b6614b1a14ac99ef625a3ab49880f284ff8ab6813e09c06ca3f0f17d8a

SHA512
02fc730c19ee5f160508a707114a9c3ceed4ca4a9c3d2f4548547cfd858e759f52cc5ee9292cf49e341aea90fbc1e35cd6d4f765cec470829f53709b0c91090c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1daa0bb3888848bcd8437d469ea0cef8

SHA1
ac2c77544bb1774432668f9850a743281c796d2c

SHA256
cc797d5ca83ccf17fd5c40240f599c2a2b570811e691aa5ff86ca13d51148171

SHA512
fe1fa0d72ab816061b5a2c9dfb686e34c1c81733297434a5fa3639fba0e13c2c66f2c7299ac8bdc457d36f821e77ea5c941cdb0698441af393ad38a2cf2cae2e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
8d025b9c2f5ee282ece089da74495866

SHA1
3bd59d328a76c44cbc3c722b3df2cad6ce72d866

SHA256
7d5cbcdcd37679e1d4c63b6453a12261e826e748aceff4c7cdcb7c2bcbdb06f1

SHA512
5fffc0ad6f38be67f06b18c95c9c06b20ee089f469f7c1fef8ef8e27529e5f8180e1af727f0cf4d68b1a5378e389669c796ca43b6a714b0288875d9bf126cb4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
65e2d89a02e88206b9630487e7553596

SHA1
53a6726f6e5b457a92712215dfb8abcd7784da38

SHA256
81d93dbeb2400cb0e63a6dcc9b3f79132c96a78d2f073c40ddce1108ec066e87

SHA512
6cd40699190163fa6b09e49378833bf6750c9c8d30bee93054a3267fa587997b39f5ea2e96e231f61e70dfa265e5e933fd1d8cb06cf6c3dd70a5da05e6099b71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
f294b617b685ef6b782cffc90c36c9d7

SHA1
18eed3907ea039d11b0c9026fd2376bb3e840fa0

SHA256
b82c8721778b1f82fdc01e00500a98823002240f9bc2f2a885b680781af2ee59

SHA512
6665963190f26db86c75c356b0495b4bf48dba24b75648f1dc08da0ae7f025bb80b589c772c3c3ed6213761deea15ac7a727a5088f32e557b77bbf086b72dfc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
14e2dd4dec15f72a38e2af4aa5911a1d

SHA1
34a74177c47f334211e3603835fa928820bc6272

SHA256
7d5320a6894d37426370402592970bf35f1850aa27e743d1e8212b042d0a366c

SHA512
aa51d44bbfcc6658bb7bd4eb4cde975445ce00695fa5d46e4b49ed0e63b4668b7efcea83f5a4d4086774ac4ef4a620e0ede8f4400eebc95de48be87357ab2feb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
12b3b32888987c5ac19b74fc4eee4ee0

SHA1
1485b9943b056037fbf5a72c83a27ce31bbb6e57

SHA256
399e63ee98d11a742eb9774aa53adf67f19326e974ec0754c4f32b78d52980d6

SHA512
0637f2593d01e68a0615d44c6c40083226e501e7679859a1ba9dcb9ed3b039f08a34c706a6c201c7863a995ea8fbcb4f71e0c5ee22e3c833f72b8f5b5ea0ead4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
3c218df51949595f19a1cbfb87a17abf

SHA1
3993e882c2cfefca372b16fe8d17e349f6d8d46e

SHA256
64761ea38e5fbd4012dab69ca23036d8021c1aa63aeeefd845ac14eb48fddc9d

SHA512
4a3e8c56a5a103274cab9e57e40488ff9363b4d56219cd5139283d2842381195bda14dfcf547d9ab7742d575a1142998d470680a2907389a7343466c1ee522e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
d39f7702cf3a42b7245717d59f60b037

SHA1
cde119e048d8c129124e04d4728f23b2ac9e5857

SHA256
a1f11af2d7b233331c002c562d3c832ccaf1876dc7f2d24c50f4c6f6a8fa2499

SHA512
8ee80be67144dee0737ec13bf5052485d3c2ab7fcbf06510e15ad240e41bc5ed241c087ae4d28bb3dfaa77cc15deee5398e6cf91b674e595248111f61add8b6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
aa433cc956b27afd8eaa52e1013ab923

SHA1
8faa08838ccf1d4bd80b0ec7cd6f1355c044394e

SHA256
bfb2127c8e1eeb7ddb2fa3b369eada27c7c4d7c8dcc8c5533289d6d747938176

SHA512
60f74db1cff91806c725924459d532a37d134b746ab2aeaf15b6eddb0d24d71e01ac32ee191d3ee303bc9dc40e57bd27e060bc83b3c8e1ff649d40311ebdb3f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
c2dcb4e64e55f856a577013245b2544e

SHA1
c4f4e5243b535e12de16af64d18cfdca25d32b43

SHA256
2a44a8984c25490b9abd260f7418a67dd5d674f16d3449265a687d84e713f8d6

SHA512
2b87df9e57711a28928e72ef83c1f86acaf571b2bc48d7099750cb4c0827e39b20ed3bc83c0b7f96d45168e20d133d3e688b7338c5e0463dbcb46c45644629cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
9dc595e13011eb761f09747cd697880c

SHA1
66737460e0f26a036a2411381ae51080a7af6210

SHA256
c21380e963fa355b313d69ebd60f2182bbc02b96e7a86e2e8cbdc393b0b71fa6

SHA512
1588355eba87cfe771e8900fd5a881cbde07fb49467f0ac09a461ecdb26f6bd987daab309846dd72cf85e71bef084a239aac386bd15ce5ef15c629ff2a136127

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
5bba552c1994f1eb8ace25ac19b9ebd8

SHA1
2ee3d92470eb477fd2bd80be4f927400031de485

SHA256
a4828f70885b593cac14b6e6df5f10a083a8ab18a0959e878302824f33c82d8f

SHA512
1ac59770c4e748123e434cc1308e02412101f7d6b1914f1c335bfd8564deaf86ca2ba353f00f4b4ccebd0ce215291f11b32468f4cde7bd0011df356637b094bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
67d23ddce3e1fbc0d749c0be897495ca

SHA1
2171a6dd7321c860926482e3ab2047ab6faf10af

SHA256
6e9d6f09b959550c3e222ff68c09ca60b4631cb72d48689e0cdcc74101eea112

SHA512
de41bb6255ef47cfbe508e471f90a087018b583a98186c31230ab8bcb096ed908f6407a45a9b96cd7a36d61c756169335ab139a27e7e08f56162e0245eadf78c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
1551238cd9d41845dbd30b0793441fb6

SHA1
db0ddea12dd99f8f14ab4f0dda6f103bed4fd9f3

SHA256
abfa8d3d7a930b9b2cab215886ddce5d97ec63c24bf4eb6cb0f0215d78026eb5

SHA512
838a8846bf7921b2350006a7fdafc190d5186dae538645fc959d3a3e76fba0428abdd975ab5cb7e735698390aad116a1422459514516933fe5787549003f8422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
54e86267450a8c167a2c679d68bd7230

SHA1
2a64c960f0cf14b96f28e2837c79abfd95c192e2

SHA256
029eb8f40a2479e2010d4aad4f03b00b022ede0d0c1977041d1324352504f582

SHA512
0a31c04ba6162ef259fd4eca14ac8880985cc5b3f12f214fb077150886dc36582b86b1ea9908295761589560f66b854482909f97ef573c6e0720e690f6d9e73d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
c3d650e48e84253a4f06d89d371a45e9

SHA1
905a6296ed53f991913f79cf4a1519caef40ff9b

SHA256
f77d1736572eb7594e7b58739d8a5010402f1db6d6c16f63cd7f0bd958f35e45

SHA512
248483f0a00b37b47b2e4bf830ca6515546b6fa7c7ef4d1ba950803e806472ac689fd9fd0f4e7e0d73a8c498b8be39d904c5e642971204f50f42671bd1e30178

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
84e12315136c89d84a9d6d8cacfd8976

SHA1
be5ee403fbab014e4b49fdde326dbbc7c12f87b3

SHA256
6d5dc1bb1189f28d260b29fad04b4ca51092cdf51f5f06659f673f363f9e360a

SHA512
f40b4a5bd15998ee19a62a8508296266478be0365345f0505bf58da4c147726dd7a3a07b70d06303bb8b78eb90b848e2b0cb86fcb46972248480049c0d146eb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
0a9fb927b8bc76ff2d333a5736f7aad5

SHA1
bdc6df58172eb63707033f6a34ef0fb20227367e

SHA256
b64116c5b02af9f47c1faf13fcf776c2553e7e86fd82c3b379ff85b310a213ab

SHA512
5af913d3803f6984e37349b8869337cd16e5de1f64c55239c6b1eb9ec9219c2107419ea0adb67b1ac4a889de4627b28650f8e39d9df13710a43ab6437e2b9f7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
f027fc6bc137ca89403f0f407f3d3d75

SHA1
a4085981e72b7c7deb68fe22747245855171b2b2

SHA256
13637a7c25cfcabbc484393e3490ed43099370e1bccc45ec05cc2f189fcf65af

SHA512
95a31377b5bcb918202b4d69d7ea37148f4ed6a1ef8ebbaf9e90cf79327660f52e34f0c091ae0e8a6943746ac84f61c04abae54156c3dc67f458e38fe44050b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
a3fc7f0bae49d5b8ed5b5f6bc5849c1e

SHA1
1e1ac86cd341fd5b611839c528567426603e5b6c

SHA256
d002b91e54a2c7cc126ad8f56663f2fdfcda4e3b8aaa81a1ba032962df2aba08

SHA512
fc989911d5f0d2c2fc27cbe1530b629aa1cce820277a2f776a3425e5903afe44f57c15f24b1a9874c1a2192557fc53b0ff972c6191ed7fbc9fc06cef5b146473

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
25cd50c3222f61347a7b579ab9965a80

SHA1
c865aec8ec4ddc498b83ce018d8c60b2175c15e4

SHA256
a7698d9be21cc34de9eae0a0f73e149a6f6bd26c9b5c2be0e7255cb3de573301

SHA512
60c82002fdf99407e8aec5b3b288271a9facb3e42f3657577e096558ad7f3adfc787ea4a73f6a296f0df4d33732ad8e332fcd23b1baab96a47e7e00b69ca007b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
021755b55b28a4fcbccf9158a8fe98fa

SHA1
59cf54d29fdfdf0216ef48482aba9b3420014f37

SHA256
fa70126349a6a6f5fa9e4fcee8d8a81d3ff3154e56c0eae41c27f8f9db068a45

SHA512
fb7a4c16e228861e677bd0112d0e76ecebcee8069d243a41b71bf1457fbf38c991884e7000da3f00c36e8b583682dd6532f656dbd955c892971df8dcfb653e02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
f632207332d02e8f674b52da879bd3cc

SHA1
ca5851cbadb8a3d0dd3f6e54324b118cc5dbf269

SHA256
ab2ddb1343498441c95935babb7c63b32c72ff99b1b8d22922d98f75d7d4a60a

SHA512
9e03fc7ae16ecb4cfd59c9617605bd274a2bc2c9cd5130227f36814b9693a2632c70027fc1e925ae72df657a94143d46402b26ab7b1aeec289b2af75cf3673c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
baff1cddc5d68c489f8a88b6b48980b5

SHA1
1c240e82f8a002d4221eab4b4fd28c8e748c8332

SHA256
3ecfeb7929aac60c794032e249b0e966d1d52e48cad348945683f89424787cf4

SHA512
4a2ad54123154fc3ee45c8b090031c2909da8e8aabe366bdb040e7f84f4fcbedf116ddc189d23de9b06a4f783fc01c088e24c118ff23254a2a1a201c749f87bd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
74d52bc3ca6157c8b3598f0cc923192b

SHA1
27d81ad1d51ef9e12f57991ff70ce2df67a34888

SHA256
7034f8a744a3cf9bbff81185349db1462c52060359f681866e1ca09737b148f8

SHA512
7b5b8b1d29e5a9aaa2ac39bbd5d4535583c002dc221cf44d8b34c0c6bb06ebc1ca0e83c2877b2ca5f43c41c92b8b74c213457040a568f3c054d4b8bc60873dd4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
a576e09fd92d3d0cb2e55271f5ee5776

SHA1
2e6fe5f7fa55b783f8d1804a8c1e2df043cce130

SHA256
2ea92109d1cb4cfcdd95cc6a86991a50539480be9c7946d1d21d83f79d74f7a5

SHA512
e31a879c50f67ab03cc6e1673be16d9067a363fed9f65b48cbbaaa85ec50a37a84de01a2e101e401f8d0a4e53bc7896f72c47feb239974b7c759da9d0701011c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d0942aeae618b941e127f74a2e50b7fb

SHA1
2af40fd9db197a2ea93248db6a85fb4e64ca27f3

SHA256
30bdf3ed1dfdbb43e25ae71aed228ffb6bfe171cdebab33928ca44edf38882d5

SHA512
c990b0e0f0643427895c9ba93a34bd0f63a5d05150749422438a3abfdca10783b70773c7e43f397fa19d1e7522e53ce1f9f9fc4dad54edc1cbddc96cd2299dd0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
c53000122496919fd450a4f6e32c4af5

SHA1
a771f16a0e39e3205d80ec71e122621d7b72675c

SHA256
a5113a1cce5331c9e70e53c7744de8bc4206966f488f88c03ec54411c261d113

SHA512
60c6cc0ea309b062d8fa41b02c96eff870424b6906475c13b301a27d4ea591b9a6051bdb30cf377a2943068144f3537d54b9a9e07ef1c64f0c4dc050f321f2fa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d6681113fecf5b10225f818825aa02f4

SHA1
612880f4c9aba2bf660c0803e30d6785aa59e49b

SHA256
7fb6883981dcbaf8dcb3b22f84f681203a9d4bc1232620cc4e7fe790aec364a6

SHA512
c6711bbbb69860497b25c28695d47075acf406b860179b24f2aff3dbdbb110d4b20aa4f291f412f45bfa17cde82c0b256887e187e2be0fef83f74d27b471e937

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
289ecd2e9d1eeaf765c4044758cbf43d

SHA1
1a6c17481501579399a1f09e3a2f6f320f1817b3

SHA256
8c8e8396bf3b6aef0a2e3c02383f4a7ccd9827db5cf1b72528336a090936ac04

SHA512
625fec096afd5be6f032642d78dcdaddffa19ffc8c5a5eb88ac8b51dcda1dc85b1dcbdd0672da56efa4892d3e221d40f758c40cb98013ff51f7eea78981cdc36

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
25af83a80e93e9385251645a4ec22c66

SHA1
e93dd3f44647089300b5f5caefce56a88bf05614

SHA256
985cf2b49bb9a57c691180cfa719366c021b3e68c7810e2b0467c4a9082214e3

SHA512
a5ca93de13e16e7a16d069013f5a82312f36c9cdded17fd978bbf7cfd79793571f60082c9c78624e8830a567fad6e546b5c2b66eeeff6e518722f29aa0f3cb33

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
fd04517c5e42f8f3b4b9a859dcd5f320

SHA1
255bac6cdb3bf8d4d9ba2a6405b6977f06c5c39a

SHA256
ca96d610f48978278c141fa5899abae58c5304c880d876fe05afa665661a2e39

SHA512
62910dd61a0f96e4a0d6dc20a36d37c0f5e63d5a12ec1f102ec0b79467e7b0c49b36029585702aef4c8e68094ce7b43c8de346b44f9f3e67e39287df88c43e0f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f0546147f54dd0672fe065a54c959ff8

SHA1
ebdf6fd0fbf5bbad56800ca11357e99b72fa93c2

SHA256
5c4dccf869236c46f3b1c4b65eab11adfca6e959c612de0d4631f4c7c5586b98

SHA512
a08cbd876fbb3fc186a983e236555aa4ce9a1167daa10b295738a8614620b5f0989a8558cb64ee25f418433b4ebcdd49cb2d50a268e5ede4e8ea434cf173e222

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
65ffe3c17c6865846be05a4b83953701

SHA1
24f7feb0db74182fcb42bb06381e7d6d32a2c93b

SHA256
a041a12d5167858f446067edb296e27235c50c9eaeab2c767f4264631514ba85

SHA512
bd48d25a5dfa04308c437931ef22e625cdf9c7f8002b4e053359ff73ff69da41ac29d73e7e7fbec823a8e1b730a885db9e2b09b03be29e9016f369567cafdcda

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
94362f84dd5f35ff48744ab9eca9a041

SHA1
e1aa9016417013a4e2937e007df42f945ca1df24

SHA256
c8378ceebb068ac980855d73afd0d0a8ea8e7be7fa6025e26c424ed22c610017

SHA512
fb64ae342921e38b17cd8e25d76337000cdf8efc2816bb02b5dacfdf6bdc8bc63373fc0740031256c18b5726be51833c0231088f4e5ee17a71c7bd50f51bed07

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
81ccf92a6b3c6793a28b9427299a76a7

SHA1
a50cb868ee24c5336876e33e5e45cd4bc6859a8d

SHA256
8e5f1a69c91e0b3f249ba42d08e3933c6a938502768999e698b35c32e398ed42

SHA512
bbd06b690a2d1e18d0b9ffe394e85382e7d60c0ce27427a0d017364085d9720fb4b3b2b1047931b3a3d3272990fd30ec751e7a4dea4616c8d8651d7a935b7488

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6b675fc1ec7d076a0c4e74dc015a17d0

SHA1
52b78090197d884cf436355c729f5016d0d9c0c7

SHA256
223fd2dfa273305eb4d343c0711b98c864f3f391a1b99e0ef2d2ad7fd028040e

SHA512
fe62ad6c8695f30ae0b241015ce531755cccc394f4fe99925810f865ed32b189a611787ebcabb51ca7ddb74cf707c7e73e1c2da8a4259a06d1844a21ba99210d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
75f3a194023f7112676e546d5aa38324

SHA1
6ac4f2c87e808fe7314b4dfe15e2da9638256539

SHA256
31be461826ed0206c4961f0ad134864de23377c03ad0c15f4e1f29f3cde656ee

SHA512
70fd17bb18b582af3fe0f3a7b3de5f3b4ff00ad1e8ab6a8dc07a693559d773eaff3ef9dc7b4b735c4a5306a010a8045c0aa9a29d46e6ff97df22be5a0dcbbf35

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
cf8453bba3a4afd0dfa866a252606483

SHA1
777d266f79521af907f3804e10e8e2f7f830cf9c

SHA256
045748975c207ba66002a3612cbcf083c33ab90acbfee7f7efa938dc917e961f

SHA512
8cbdab0ba149970ffc3b81540899fd3595e366ebd9263cacc510bb2d702118f10a7f821f54c44d4c827e832795d8d0e6c5f932591f517fe6dc6c470e031b96e7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
90476a4461f5680abfe24fb00a31465d

SHA1
5ead6047e460155aa79b0dfbf031bc188ddfb8d6

SHA256
1e25977bb8c2e38230c0587b98f5baab0e2257fcd329ea8d206abf2568ba913f

SHA512
3631302c9f8e6c53cb3efe36ec5f25ef70d2f89f1a2e03e753a5b9e8afee443758c1f6d990f4dce5e514a930a63e866109521de57b77d6691cbd44d4766e991d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1801990840fff4af5ced3ac2057951a3

SHA1
aa01840fb8ff41a191b9474e6a6f2baebb533693

SHA256
5da33a7938a07b4fc5b4e2ab90dcf6c95e85f698000ec20b5d485ea978bb76ca

SHA512
a4a05ef0dcd267b09740f91bbde59e37ba3d72c21a3780c031a6e5e85d7e830bfd0ee3377c87479918c00c58668b2db5de3b8e9b633b59339d78842737b6d4af

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
0c2f5ce587aa8fdbdf43325556e57bb3

SHA1
bf2d21be1c3f6f22bda9ec20761c0c80fca8124c

SHA256
cecd0e92af70fc549ae8f1defc3217e9b9d2b154f2a14ecb9d588811a66ac01e

SHA512
001b4e664e64e7b2144d1bd2dcb4b3cf5f9a600a4b5cb3cf4fe7c2183c2b0df088f1614bd9155964beff0aff4b8a72b2eda81ca553a788b20b762616b0768729

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2dcb15546bc395dd1225f38b2bbe58cc

SHA1
d857e275e34fbb5d2910692efc6fca27f3b87acc

SHA256
25686b5d1b7f6ddacc752f33a32b7a3f2ee5e81102cabbebff86780a56b8dba1

SHA512
8d898712938abf8305be08bec998b9b81e57118f032a950325ffdea4d972e6065df021dfb02663fb8553fc65f89ef1bf6af53610ab823c3a10df4c08ca220c18

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
12618c1f6e197b2cbd39f6aeb6f720fc

SHA1
2fc041e1202908194ee688be0c2a8d9b24abfc0a

SHA256
32df1ee4c4d1b6c4f421d032cedbc52724075b0403cab685f7bf67459e52b476

SHA512
390210e1c65e3de9e4b8b73e7a2379f6911953ddcaefedae2e531d6cd2a2284b1fbdf73ca3b37dc99cc117c193d17c6fd378b3b0dc0195bb8530d58ba5b4e79c

Download Submit
memory/224-243-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/224-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/224-42-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/224-33-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/228-356-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/228-600-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/532-381-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/532-270-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1208-640-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1208-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1420-296-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1420-405-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1736-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1736-256-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1736-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1880-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1880-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2132-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2132-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2132-14-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/2132-151-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/2220-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2220-638-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2668-311-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-636-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2956-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2956-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2956-52-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3144-551-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3144-345-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3208-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3292-639-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/3292-426-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/3420-81-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3420-249-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/3420-87-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3420-93-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/3516-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3516-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3516-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3516-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3732-91-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/3732-74-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3732-68-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3732-78-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4248-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4248-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4360-393-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4360-285-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4376-633-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4376-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4900-513-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4900-330-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4948-299-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4948-417-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/5108-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/5108-1-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/5108-31-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/5108-0-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/5108-27-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download