ad48b688e88e4a727d58eb044d167488a748047af18c21cdde83275bf49e72a1

Analysis

max time kernel
36s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
Size

1.6MB
MD5

8ac9cc6b275a751af7ca47db93df0158
SHA1

46de7ca93ab8af08134276077fea46f2615dcd75
SHA256

ad48b688e88e4a727d58eb044d167488a748047af18c21cdde83275bf49e72a1
SHA512

7fa32c23590df1007f609ced59cb5c1dbfd897739f684f928b04b4e336d0a539719a34ef59053c8f7e593191008853664a50816bd77362e8d3e40e1911dd9f99
SSDEEP

24576:uPt3+TporGvTWQMSBhvn/+r18Tgu5sdLvK9OV+umJXeetXY:Ct3+T4K5dBh3qPBZK9G+umJXD9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2804	alg.exe
3928	DiagnosticsHub.StandardCollector.Service.exe
3004	fxssvc.exe
2768	elevation_service.exe
1988	elevation_service.exe
4568	maintenanceservice.exe
316	msdtc.exe
1916	OSE.EXE
4452	PerceptionSimulationService.exe
2300	perfhost.exe
3344	locator.exe
3500	SensorDataService.exe
3468	snmptrap.exe
440	spectrum.exe
4412	ssh-agent.exe
2212	TieringEngineService.exe
1972	AgentService.exe
2032	vds.exe
32	vssvc.exe
5152	wbengine.exe
5200	WmiApSrv.exe
5308	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8fca32378642d83.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce93cf77f275da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c31bd977f275da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daf30f78f275da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3928	DiagnosticsHub.StandardCollector.Service.exe
3928	DiagnosticsHub.StandardCollector.Service.exe
3928	DiagnosticsHub.StandardCollector.Service.exe
3928	DiagnosticsHub.StandardCollector.Service.exe
3928	DiagnosticsHub.StandardCollector.Service.exe
3928	DiagnosticsHub.StandardCollector.Service.exe
3928	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4836	2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
Token: SeAuditPrivilege	3004	fxssvc.exe
Token: SeRestorePrivilege	2212	TieringEngineService.exe
Token: SeManageVolumePrivilege	2212	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1972	AgentService.exe
Token: SeBackupPrivilege	32	vssvc.exe
Token: SeRestorePrivilege	32	vssvc.exe
Token: SeAuditPrivilege	32	vssvc.exe
Token: SeBackupPrivilege	5152	wbengine.exe
Token: SeRestorePrivilege	5152	wbengine.exe
Token: SeSecurityPrivilege	5152	wbengine.exe
Token: 33	5308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeDebugPrivilege	3928	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5308 wrote to memory of 5504	5308	SearchIndexer.exe	129
PID 5308 wrote to memory of 5504	5308	SearchIndexer.exe	129
PID 5308 wrote to memory of 1532	5308	SearchIndexer.exe	130
PID 5308 wrote to memory of 1532	5308	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_8ac9cc6b275a751af7ca47db93df0158_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1504

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1988

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:440

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4128

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5200

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 808 812 820 8192 816 796
  2⤵
  - Modifies data under HKEY_USERS
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
16aa860ca2148a98dfeb667720df894c

SHA1
fd19c14ce5061c443b462b9ae12751636cd2de22

SHA256
26f586c894933153b233551a6750049153a510a9217db7075feda4cd952dadae

SHA512
5c310b203b74c1a83c74a8a8695a806c50b1d26fa7c45ee382904a58934155deb26c95b15d98f2639cacb3fca21d272b43f52b24edeed3d0bc42ca7a803b1814

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
320KB

MD5
f6d28467d94ad2bcfb5137866d983375

SHA1
51302acee04bd957e8b790a1350aab56d3e1ef31

SHA256
1461309df6bfa51e17db053503eb0a67979bfb1e588882841b14e678a75a59aa

SHA512
11d611c066fb556d70d10a867221613b7e9dd00262e373808cbddcd9cbbb4d17ee462165cbfa950877d39e6915c652701d9d9766056e93216d418933c82bff12

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
97b83850ddb869c8353bd4621926f4a8

SHA1
825e60a36dac1f86dead3ade5e9a7ec10954cd34

SHA256
e5cf20a98b85590ee8539af0d34696c7a08dffcfc60ca5ffe64b1c7faab14414

SHA512
1c22c608f7bd67371a7cbb94e1754620f2e33fa2fb835e5cae5787241fc97febded9ba8c312b33c068e5d9709d6039f0a61b592a21d5d89c760298a710a616f2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
48900ffccf847f852be7f59726866369

SHA1
d377e167a2af7c18aea62a1f579d9b7791943e75

SHA256
f7943979021b216b64c18d08e9d5900150cb32c13c13eb42279745e16951e60d

SHA512
35e32c824223f50dd95d0f1777f94f8d6fd007a5a9c0ea8bdc89c4feb87bc51a1d12098a7b503b690676d1ed19224eef2d5c0c083746a909f0f85d1037d94fec

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7d1412289d1789d52542b4d273fa6a16

SHA1
ee035f158de2bb4df86738a08e14ae24806e17a4

SHA256
6d9c5970bde6dcfea217657ac4d919fec831c9348e5292390ff622253693e6d7

SHA512
bfb2f9e08620689d18c5e1d98b10e651d6f0df607ed3d0c313de41412d4a77f20a97a4839b5955da287c0ea8944d385c281b5cf26d87c1df9d578f253040d087

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2dd53d7fcb3ddd471fac0f2544d753b5

SHA1
9337787449fabc5cc14a7b93a3fd3bd2bf3b501d

SHA256
940ddc3e8f42d41f75bac52d2715cfdeef38919cb95f31d61bac4cae86da15e6

SHA512
3e2d27dc230d4f89c15468971a121a12abe3fc46357c8de0ec895c9e41d7781fff38ef46b595785932527f9027e890953561be2ac548953d9316b46ba2d3d925

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
dbb355eecacb2ba7cdaf4d2b9b25a0a5

SHA1
f27125f0e9da80332daf75451a5a7d71ac74ea50

SHA256
34f3086caa203b89a1bab8a82cc3393fd3f68f23665c02a0f9e8d4515fb08faa

SHA512
f073fc88624f88f37537a9c86bbb70fbd8b086a3e78429540e8fc9f6251adb3a634afc55892b17c480ccaae53dab51fe7b65b3c40acce9284e8e8a977b5ab019

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
dfad6abc36c7a3c8b3fb1ab91a9973e7

SHA1
c44c78ef02dc22c61efbdc9c42adf74e998069a5

SHA256
fb7aa926626204ff9d2ab441ee4c153a7967e571932a883e1ec89857a6eeeee2

SHA512
84b9a45e9e3b2d203c9ae749a9da4fcc5764b1155c182a92b9ed797365d15a4eb4f5b65738761445e0aac6cc017e3ecbd33302f066dd40a3b509d2866d95e116

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
91ef7dc3a5fd2b482426f1976ad80b19

SHA1
8c78b04561f63471369aacccd8dbaa582863dd63

SHA256
3794b896a07782558bb2958288beea0deb1b1c4f29c36268a2c08bedd1445dc6

SHA512
34cc9dca76cd539898e7b1d91eab105610ec57f554f6b3a3dd16982fa74876cf17fbcb1b9868a99e5fd65db4406ec1d36d994e2111fe76fb56c9b8b9740eadb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
830064403cab9123568ceb3d45e9253b

SHA1
6865cc550ca09fabce9109e500c350a1a8a35d04

SHA256
32cc89d16a68ad2ebfd0a372db5092972c52258ff0f43eb09f0581058c2366d0

SHA512
824c12c31a36caa7eda4f461e9e2aec50ac3390f2af963cf1f330e0f5e5d64ff8b857272c1f28d57ba251a8002b1c3c9c5fbc9d82ff37f086e9037d483dca12f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
4.8MB

MD5
f9a59b1725c6fc7f74d29a45a4b63e9a

SHA1
a908ef088e90a7421c00374f4f78316e1f33821b

SHA256
e37d5ee18f89692bb2cae66e65f4e71908e79c78292125b2d037fb6c0da45226

SHA512
117d124d50e261a79d6a4746ea52d4c89375c6ca9d4ad3902afdfd49e62c8d3b209ca8a129cfbfebfa146e403cac799bdb9cf87d6a72dca6368324a448c58955

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
37542161e1e34f2273b446b1914a7ee7

SHA1
9eafcab9481ab9c2517a1073b84cd1f852f2242b

SHA256
16d68bbb4ddc0f73249a771096b6aa1869332ac2a445cf2c73c3ce9b2896fcdc

SHA512
8ee2424169b42a910e2db25e1a1f7cdd2376cfab5549fb9678c76be8c307e49f455deec9978a63971463851c0d96e455c1b77cf1109edb730658833309397893

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e0166e4f3650fecaa520324add0e1589

SHA1
f90b2d9830b8355f37466e947f9d395c2feec7d6

SHA256
93a27b53142aa03b3c7d75a8422a675d3ac6ba07a2278e46ff57869ae905e18b

SHA512
7c0a11f0e7e81eb87d89e93e4a8886776e384f6c8002dadf6f3f43603736cee90374dab71b79061aa19dc087290d054f35871e916e76c33a028aca193194f58d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
46b5b94a13ecacf0494ba178bbbb7b71

SHA1
24ecebccb7f9229399e34efaf41ffdc3f58239b9

SHA256
6d2dfddcfd6e403e1b96cbbab070548c925bb58c3b9971b9ac7f0f677459906a

SHA512
83717a758e9ff57b3e17fc30a86cd1b0ee821d2e8ffaa8a00bf68abb4a4d76ba10412f39217b5aa5024c44632a3eaf3d058a8e692792969e17d1726f86167d50

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.1MB

MD5
2556d9095b9ef7572596e60dadbe84c0

SHA1
bad46c137e8c8db639c428e9169d0e1a22308466

SHA256
df7e0e3b96a17cb11796d64464a0a67d686aaeb395dc988d22aee7028d31079d

SHA512
0bdccc9f91dcebd719f2173b06bbae6787de41d9474be3d2351bddc61c4b54fe5b95fef2a5c92e03c0e865a28422e4b5717ae875b2a1c739454c4b226380098e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.1MB

MD5
97385bb7f928bdc17582d7c12bc9ea3d

SHA1
4495753c4745089c4e59b6b357baa1c753965122

SHA256
b07f0c94f2e8790ee968ab1085edcc2df2428cf6a5500083f6bcc255f2751c05

SHA512
f24c73c56a226e26c9c0ebf83c2a8c8671538a5b6eee8eb9e148f2591b0c8a3a0b3d9c91bd1fa95034a2601dae96af218b6e6f76bb1d8ef0b85247aed0074af2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.1MB

MD5
ee0e6881612d3dddefe6de65f5b5053d

SHA1
ee7bc77bd7160339a25197cbf787bc6499068481

SHA256
4b5dcc7d83bcedd6d7a2332ed2688b3511319b510cb2067faa2e3841dca23fc3

SHA512
2eeb29c45c5958b518164e52222863ca21cd3024ed8ff6a8d849ba69a48684328bf4dfcb6b56c3542bc82e9f11c319305cba6e26c7da7b2f48e2f044e14c3770

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.1MB

MD5
3b7fa394e01b8d6ae41e7ddf505f8c24

SHA1
de32cbd50b432ceb223efc45c3ba5438454501c1

SHA256
c6831dcfe5086432dd98d0275096ae4dd1ccb4dcf2ea49e81d416a1b3c118b88

SHA512
e98f1ad3b9838749077126afbcc68cad6c2c9538065f19c8dcea63830e733c837c6186878cf2a2302e16277b2385e5bf3152eb1cbf7c56f97a1b69787501d9b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
024d73d061a721247f99bf6dc334e0b9

SHA1
1717f70f82cf2c91329c18e38a093f69f6e3976e

SHA256
3e6d5bbdbaaad006e1361f978a1c0c58501291edf464e5ba12a701654c2dbac8

SHA512
2105d3b562f7bec4e7b89a1234fc3ea60bc0e9c4ae2a73d8f8173414381b0ca90293a24669bf88e71625b00acd5811c86f006ee0fd8bdd9453a2565490e920df

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
fc31d4624e60aaa3bf6c5d36c7b1829c

SHA1
9c796e7ef1e648b596a3c7a96aa8329746fcc9a5

SHA256
47005f43f0c8f532cc0d2203a9224bbd4c41622a82b0ada37dcb93333bdf42d3

SHA512
9004267b49baa019b8bea1b42bb06526cf8ad922fa5bc1b1ba3ba521c4b7db707eb677f0efa195dc9532fbebb5860932d24d3168c04fba2dd73330574ccd49f6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
384KB

MD5
4fe58905790d99747d10eeb483b435bd

SHA1
843086f82ed0967fb2a3bc2e94efb77825e4e842

SHA256
4c2f4de52dcb8a7976edf9345a490d562c16573e8695772101f1eccba38c8ec1

SHA512
e876f1ed3476bda73aade9e196a48bb4d27ea59385d83de643a60fdff4276999b74161fe4295b9f031bae2ca164193cff2d56c82f25378646d314526a8c85e2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c4c7e7c29bb04c88fcfd8dfbd2556253

SHA1
ea3413b90778c26aa37bd92d73b8598b364474be

SHA256
649bc18a37ab4f89e3fbc4d461a5b59d983228c7768073d52202985979458b13

SHA512
9261f55dea49032a6df7814cb9ffb3b20f91c55040d5038e0f4e763f6858f9ebccb4faee6731e8ec9573280e6c29dc2b39481c4bbac064d3d4a7d73b885b3ccc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6e8dc4e38b624c3612ec7f07ce1926f0

SHA1
c97a3eeeb977145cc7cef656d61aeabb117487de

SHA256
bc8482610f5223314616f59983e6c17617e467ecf2da538a454bfd47fc3cec14

SHA512
b7354681b449cce696d0dccc5b8ab627e509037ee63a29208e1e79574ae33fcfae704fce27b59d5cdd5be4641510820b7263227d222b573779f0870ff7e41def

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e851002027d1e23d197b5ba1af4e6553

SHA1
a36df47922c55c79028b033d22aa09feaaee50b3

SHA256
4377d7eddfcda8ad7c9102e8e600fc18499130e510ecbe8cab932390143d1520

SHA512
7b1f31583295b3959ea603111b02e70b8b2b301c13320b6722ea74244ad6cf3fdec3d751196cb5a1c40691871974acd23c7c8b50d13d364deada5e733db4af4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
37c179416203ad914d1cbcedd6b4bbd9

SHA1
87089cd75f5a306fa311b3dbf12dd385455ba036

SHA256
280abed1f6a538b6181fe6e612aaaab493222b3ddca792ad3e89b02b2c2e8bb4

SHA512
f6b2fdb774fbd882983daf5ae40cfaf8f22cba620ec0296d0fff8e42ff5aaa844e59204be1be71e5585ca99ec343a5379ce27f0b0810363e12487268d7d0d25a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
96235aaf4b55f0c4aae098bd0d20833e

SHA1
f6686d53bc06fcc774103d0f5ce3509038fc02b0

SHA256
a014ab50f5b28e68425ac19bb6e0b193fb5fb8b287f6efacdaecf113314fd541

SHA512
7fdba73b05870fd5b1b47aa31b1d1a5de8002e840ce23549a17c2f75075d8639a213d77f30ddf35e6a3749647f51d0ddaf8e08289a2413684f4b9f32b2a18300

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
4a53a04941ae9ef0c8c19fe1049f5f7e

SHA1
b02c37271ba03895392a0aa3ff63aae349601e28

SHA256
70b4ce20218112ec2c313b3ddf212284a0e9b2bac937c5a227918ec29d9bee2b

SHA512
6cf1b243fac1f90b12260a60a978de17c6464c3ff9527385cddad4ab31952a87093e4a0df3a58caba3aa7d2b08b103f230eb07531d033ecef29fe5ba9aa34847

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
0cf7712ac4e05cf7a5fc69590deeae8f

SHA1
f4559df71f60aefcacfe97342158c9509c0e9f7d

SHA256
6dbff03b9bec5e8e8d937ad9f5033d5e687a16c95c58c0d0a2870109d7b224d0

SHA512
6199c70613ea8a8639b7baf5ea5d0d70f895fbdecd20b437edecae06496b565ec88346bf63826f29b7a43795a7bfea0245123da7170936963deed042c0ab9216

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
22e5994bba18200da7d08e7a7777ed05

SHA1
1498c72e2b2d8a3586b1c26323170fd13410f3f2

SHA256
72852437d4d6118c736726b3f5aaf4756c9ea6ae095087f73296458a1e69e3ab

SHA512
e90bd158649b82150a2fd461fd5e19e35b19c215dc941644a808cb6531e3d691299477129ffb3b40fcb78213e251946b68ed78068d8a7cc7fa0c42ad50803542

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
970264569f88f4e28e258bfdcfbbd4a7

SHA1
bafc76657a77f49705c9b0cec235fe251c256314

SHA256
0cff1a8f512cda429d8e699ea649ec97001533a802b674dd80b6b956efd8ae53

SHA512
8f73f8a81be879a4e380dfb088e159032bd84e4f0cb45941a13fd508c8778aa715751797670763070e3226b29ee9634e4db8cac64b215eeb67f259010197af91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
15a27b5b91ca8f53321616da85740a37

SHA1
ca3c511bd7d773c00fae114e8e0ee8fe3926a304

SHA256
8e2b6317c1cbd6d4730df9443c84a3f3374503c321737c92e791bfd1ca87674b

SHA512
eacf2377848cfb84574dcf58ec661fae7a3fbc01f867f453df0871483738c7fb6a3feea6f82aa2865a82c9a1a6f4400cfc1f8f154a2eaa12f3b3fa2e4f5b3ddf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8286e47de77596ac7fa78e17bc818a59

SHA1
16297d9d67d4bf4c49eabeb4578a2be3df55ad3f

SHA256
02e299698f63efbbbf061f23a52ca47b5dab8a61725a23c839d4cf646414a97c

SHA512
ae74c2829fb8acc10aaa3ee7d183a0753c5bd1b733de1b4c814ddd1838f78b5ac88bd5fb4d5d3e51757ff56ac646f448204a916bc0b22801cd48fe90eee31efd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
115KB

MD5
d3ad519478c3400298dd43cbfc369452

SHA1
24c5af493dcc5b47556747def6f1f8fb97814f0d

SHA256
1d40c1d9c159b5e3706140f45fe0fe559e396663c70e7d65e31d3327aff9f4d8

SHA512
6c180ac4aa39528db458a1fc1f00abf39ffdf01f38459cd9001730fd94728c551e96c9a78e123b3b36d30e3b1edffe5bd2d933316fa3aad77fda69c42df6b90e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
320KB

MD5
d9432c33d6e963218fc84f68160df87c

SHA1
0757fc402141ad18b78f370ed2e4a8ccb0661879

SHA256
6f79d350ca1b6d0456d2937bc1b97744385305b65b12f2c3e5e95d56a39b7a87

SHA512
44fb96f53c5ed2a4a0458d8fbf01228e2df5881c12836a0a4ce9b37e29c10050b83e1d8ab26ac919846df69d10cc74e55d044969d09773daa25171377c07642f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
115KB

MD5
dc3551e0f664e5edf3b607856c30c09a

SHA1
4fe48026ddd96a03ea0827a71ade57d8e175ebf8

SHA256
77532a0083ee3e2e4ca5b2faf72eb122775c45a58894702417fff671c5667074

SHA512
4e82cd0d55c3d91d0c62caab7de12bd0ecf8f8674ea14bf67af2f26e305fc73212b9cb5eb94b1fd6a60e80bb1772a234f01171be2df360982275ea461f4985eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
115KB

MD5
923e037c234e8221fe3a6821481a41be

SHA1
ca4741d7976cdbf8d9af615fd390eb8295973c46

SHA256
e4150e07bda89aaf8f7b91d276493ea434b1421e05c572f875a841b35dd94c28

SHA512
c9ee70393d867b055fc6929dbed3c9c67252a83c65ab39e517d7e290ff273c2483aa254b694699060711fc202b92b16caa68200d20acdbe624faaa86e4fffd33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
128KB

MD5
865d143472f319cb72e62bbe2830c64c

SHA1
d09da92ebb6921dfc857c74a63732dba76a766c5

SHA256
42117f08e2cc4466b8e502e3ae6e00b8c5fbe2a77d8609230f6e52ff9831b5b4

SHA512
5f7195d882609ed749898fd30f4ad29c4ff97397e85092e6215084bb2c1cc1d0b6997eb001f0526aa22981d779e84eaffe4663f7f5678127388803e1a183afa3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fb0adeccd02da5b260a2e22ed9c92757

SHA1
bce9437e1dcdf6be86fa453b43435c9f0cc09885

SHA256
64b48b4afcffd1e008127c6cb112edf3d1fcf8dcf127e233407dac0a00519fae

SHA512
56ec3f53c647e6640a77b1dd8924e20fe7d77d5a42dbb475231ed4c2ca3d65e8ebbcd9114b2f0b734763b04fb733c6bd7f2d4a3e8008437a675c41669da9a026

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
17022b247737db9c1193a3385b8d7045

SHA1
6f690a569993d07b5e1ea3b46fa92e856593d736

SHA256
f1db2902a1acd4444461a0b69f51527ee9afb989184da4d11bddd87584376125

SHA512
0af2b78708829b5b9386ac4baeac77d5db9dbf484c034c2be060a332e12936566b61115579707b65f8310e8dddd4782bf7bf17f1c767ec8fc28799349571d44a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2c51380abf07afa13d5dc81f86060389

SHA1
0a50655a95a3b3f851168f2ad943855cb8bd9f89

SHA256
36165a07c0f68d9299b99d0d5a7542dd7c9a8990d8dd42198ba1462d20281645

SHA512
feb4903054db3e799b821d22f7bbf7eee939380bcb46ab69450f987f561a7ac200b974727d3a84b3d3e93d76e1bfcfae1f77457fd39842a1589c0ffe6aefc1c7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
960KB

MD5
8eb2b02d887a724a9b80c1d968751436

SHA1
ed2d5d01fe070bea1584d6f3af3e0e3c5afd6f6e

SHA256
6737b87e3044ce7b8b03bb262580f1cff4d5edc67d1d5f515428fb2592785299

SHA512
7f37309a634daba834956515b8a023bf9d9e12e19d9f2a8b5a6e0853f3644c82ca432171ee9c28c3e1162ea02c0406f09d8c3868fa1ab0d9adffec9b467d0fad

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c6544e550705f7d5469455f220ebdafc

SHA1
11aef885e3450114d9c632f4ae5796701329ed7b

SHA256
7001a4eb7a65547e5c1221721bc85369cc33771f2f6300ee893232a112dbc73a

SHA512
c6ff3ee50d10f1d081a4c64434d1d64626905a997d5f663ecd8aa1e112630b2ef6e24b07abf868bd2538fcb2a1b7d3b4615b2113555b36b3a5a955843bb572f3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a53daaff51aef081fb128e8c0950a4f8

SHA1
b37385f750e460eca39fbb63566f7c8fc2d03be0

SHA256
c0b3639745814487537a70275a3a94043d8d1b5540074d0ff3431dbd743a8fcc

SHA512
69f92d4a13891836dc698dddd2459efe72396531422762cc7380ee4e2319823de8345243070a31d3f05d2f8733778777ff9cb6d0807d87b0baefc135b8c9e8bc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
896KB

MD5
f4baf4760034cadd00c40836f33c407f

SHA1
552dc22fa284c1f260350834fbce1ed4c056442d

SHA256
a844c295ba0cd3bb3ea1123b7b41978bf92ab32d5a600405040931de6a691f2b

SHA512
dcb139b15556a12cfd5705dd92139234a43ab4b18eeb67f05f73c4445ca476107b42f05b65da39792dcc0fc895c85ef44f1708b3de5aa13d719bba599eba02e7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
fd79db6f85a884971bef0e307c383a8a

SHA1
353943cae529576aac5bb50f423c7ed953389e13

SHA256
d172a4e8b0544286377a6b6e27c6d2dadfc7a08cd697acb944ffb354a050e2fb

SHA512
7d12436131c5a6c2f13ebe1b0670bc9519998398b3a37627fb345bac78912e3a56b0987ac19ad721b9e8af62b9a9c966f5f0166000ae2408e7c1a2e58db996a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bfbab1aeaae29dd5886394fa7f9f576d

SHA1
8761e70530624575794bd9df279ab3115a5f2a5a

SHA256
942f8f2df07f2c39dde0356a9297e970c575087d6963b28449afd5029b9e3fa6

SHA512
afdf1db25f464e814a71a5fd854b933bce90563a34991935934ec2431440e13dfd2fd1c865f361097b587205d2d68c448017cc44188ea335f3583daeca9c5811

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d25efdaa7de74bf2f0cd9d019a97a39e

SHA1
b7f34efda99f5ba9416178649ab1c2aa8007e16d

SHA256
480cccc52a53815b7e75f65debaeb4447fb2b7e7b244af8f745a47cda3983301

SHA512
99d96d1a83c719fa22367684d05191005cd60c1f440c4ea84a3de9cc0aa7c2f83c7afaeabea6a7786004c3850920a7f11fe9d6e907925c3a8e108581576a631b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
128KB

MD5
6bb43378dfd6885db49b9e887f44d184

SHA1
bb4b0e0d2544c919cdd3299d1e0a48e99c43dfb1

SHA256
e43e0f6ca0e94c08f46602c94a9aa241c1dcdf2e9340cb158fc7bbb2b4124784

SHA512
d56ba950267d5696f06331d4334b72c144fffcb0ae50af05e8c6d1db827e647dcdb12cd52a126b242e4be8121cadf30ae49860bac3593618c1465e36b0730d30

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
991127cc4db94c69c8fb83851c9a82ce

SHA1
8e6ad2f4873392c1cba3fc839d595a83e64be4ef

SHA256
a9113dd9c7112287876f7db841e1ab8e43e995ebe2606c69d6ab539202c706d0

SHA512
8faa00999ca4848bfc89bed50d758c213d11c3a2651e4425cd80a43539bd8a8b576eb0ad54791feca81a7f9ef4b3e52e8589b358ceacbea167f1e2b39cdd81a7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d1980d5f3c6bb6633125ed6aa4c469f1

SHA1
3c1ac113c8504f39e62e56a409d91d4f4928a774

SHA256
74cc6ab715659172bca3410a7813fb539bc817ba41debe22d09296f07c44743f

SHA512
c7f8c5455d5263433946b12e57ee709ad63a1fddb400b9fed43aeedaba84ba7e447f4bf871b7eef1ccb96309b9df2c607f933106c8990d38ca4e34ab0fc0b4eb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dacdee9f73e936d93d394e93fd6abb02

SHA1
2bba7cd3fafdd4df043f20d05b1df56d1d19b2b8

SHA256
c11fb33f1a6e4676d6cad003fa6fa2704e10687289ba163d5a8152e3d1716d30

SHA512
8959190894e6496142909baabddf4a02646f883ee58195243951094d776ef18562e4a6c31b5482b61d29059a8bee100acfb55415b11e391f72a31f1b1b20f604

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d421c5d79126f62cd7ca64be47892dd2

SHA1
717523f1147bb5f39b323a327a89f80e2ad22d7b

SHA256
2be799bf024b9935cde5244758b4413aa1c2c4d13319fa05c2eb9dd9d58376ed

SHA512
985ad6e8b7303d1cd618c9e6146bd5db64d9436b47fdc7ea714ae21ae0a35c4fb717b84474b4cc00a7fa496f640a2460658eedde2228e1ae65ab5dbea49a8c5d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a0f3ea099c9252d73c8e7154a3132497

SHA1
135cf5cb9f7de885cc5f61978eb69ea8fbff1542

SHA256
1be29040872b44b5e3ac588ae02dc58312aa25401b3c7194bab1ecba32a2b5e7

SHA512
933ea4e7a824bb4573a630b705fb144063e4d7816d6525421a2a1ca739e5b90951c038b10bbfe6ccbe2e94c75e3b7d1d300e93450174bc2a7552a980ca098d53

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a32bf7bcaf141229a54f034df5014013

SHA1
791a642ed75ab56777924611101fd29dc0934643

SHA256
88e005967528357b6674ee3b77c60b1260b1f0fa4dc5c55364d65385630918c2

SHA512
6a90a9830d328a9726c39875b78f057a9618fbff93fd035a4b39d34fc785aedeb22a5e3e60c9c8990f459f3688f2b2dc6e687b8ca525d71376a6a2ff40d6d697

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
aecf1bd1741f14446fdebddcb324387a

SHA1
adcf9e04c680811384ebbe031243064d30ad3bf4

SHA256
b594b5023ae866ad713489c2c2d727d9c6c407407cb02840c8f9ef2dbf601712

SHA512
287dcfff180889ac3ca411cfb2875b83a704193706eff75ee79519cfbc1958d2ae9419e0080292a61fc1a68cc461ceceaf7e0e138288c89af506a4dfaa109fab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f2d4808f97176cf3d5b2672699b763a1

SHA1
0e778b0ca399146211e25a849aa6c3e3a9a26862

SHA256
c68a36809a9035cd9a5dee2d1990decc7f36c9bb6e03adbefff5e2990656b7e8

SHA512
f0b759294b73ca62952339f90cc438dc255db83a2334c8ecaf8367c78f8ec34bc98441304db16a63891bf12567feff536d4887d26da3350c08da2f05044a726a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
db194c7691e9f59f7dc0f522eab1214c

SHA1
1980a4b9d820cf440e0c8e999cb2315c7363c931

SHA256
926eb41a4a52a514fa8dcd3584662ccd5daf8834f89b45e39ae82c5397783b8e

SHA512
cf021cbed96473b73ca11f4fb20f0252e5552caff06b8740c2d9649f05cb7a62bbfee4e121f11b5691883bbaf9c740aca8dc082bddf7c6a4db5bd0f48545fcc6

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
8bb7182d67bf32df62393e9f97f56b4b

SHA1
d8311cfaa09e46ff882124cbacd6cc6aa1da52e3

SHA256
736d3511a1ee2e249c3e78da8f971f2c419b5f3b139d1312c59e17fbcb3ee159

SHA512
9c00c2a0f9762ea5e678e5701b53d0c6049fdd4023ac09020158d55fea5d33948da9a34722980f17b535a578769203b5ec7e4929ef60dca2f368fcc2ab09f169

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.1MB

MD5
f47a366d0c4e6b5d341107558c812d43

SHA1
7d30cefed5222519cc8779a7d3b5e95f75af0922

SHA256
b7e7623ab09ffdbb7ebb84747b120a486e5ed654e5756f22ce1f5bf613b6c1df

SHA512
c6c4954f5cf1b2d4dc3f8f202f40a1b68948fb11b2b11c94a2a7f2478471a83ff5b8c2f45f1ec3c86c7b8d7c4add70274aeecb22ed8cc8ccada07417fb5de126

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
192KB

MD5
bff50969569d2aa6624b4e776818afe2

SHA1
644666743625d5f11b9beb21a98df5a845d7c7b7

SHA256
87537e89c879453497a81339b1ea3cce4c7bb985edfe42e30ae83cd174b6ed87

SHA512
8ce5b6d3f72796967d3fc8ccbc17c7ac36c9ff689f29464031392cf7ef9b9401da7c6f064416749ebe1ede9a36477b6add10858677742626f055f759a6cf7abe

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
448KB

MD5
bb892aa21c2ebfa770b6afcb4e3f4085

SHA1
779f58f75bfde1d112fc2d7feefbda0c61f3c9d2

SHA256
f63d6c857cde79ee6bddc32ec38a385968ea5241ebca65dc8763f90ad7dca608

SHA512
b77a2181eb60ea210e34b56fd84b9c016e0570f28b2827db2dca4a3219240d7eeccc6210c0248a0ce1f9f2fecbc7b0dece3fce3c39d633f5e6dcb085ca114deb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
256KB

MD5
1fde1c99ae4d9b382fc0fd740bcfaafd

SHA1
09b8f2b119d4e37ac965089e4997df018266139c

SHA256
801c6c7d778c36dd26fc7ca9484f5febc47fd74608e9c0e447fef8c1209843d8

SHA512
49c673cf115af95eee3a5b6b0cc60aa1f91afb9e49e0ee28dc9c2bcf0e1082646fceecc27eb3ac43a188b7d9be5ba7bfd64e7c0bce7e08e17f28f30200084dc6

Download Submit
C:\odt\office2016setup.exe

Filesize
5.4MB

MD5
ab05fd87ad9619509e6ab3851a8dc060

SHA1
f5e0883437de90bf21bb48e867278ffe55fc78f0

SHA256
fa41b2ed54de20726d33f19b0439393b893d64f7130e2197062fbd6854145bf7

SHA512
ac6a8ce32cfe53d0520e6f696859789081c441537fe72dcb9f0f3497cb5327283113b36e693d91c9a788c9db401b994c242116489490f24881cefc7a6f14f7b2

Download Submit
memory/32-169-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/316-72-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/440-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/440-134-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/440-126-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1532-425-0x0000024A52710000-0x0000024A52720000-memory.dmp

Filesize
64KB

Download
memory/1532-467-0x0000024A52BE0000-0x0000024A52BF0000-memory.dmp

Filesize
64KB

Download
memory/1532-452-0x0000024A52710000-0x0000024A52720000-memory.dmp

Filesize
64KB

Download
memory/1532-443-0x0000024A52710000-0x0000024A52720000-memory.dmp

Filesize
64KB

Download
memory/1532-455-0x0000024A52BE0000-0x0000024A52BF0000-memory.dmp

Filesize
64KB

Download
memory/1532-433-0x0000024A52710000-0x0000024A52720000-memory.dmp

Filesize
64KB

Download
memory/1532-466-0x0000024A52710000-0x0000024A52720000-memory.dmp

Filesize
64KB

Download
memory/1532-457-0x0000024A52BE0000-0x0000024A52BF0000-memory.dmp

Filesize
64KB

Download
memory/1532-444-0x0000024A52750000-0x0000024A52760000-memory.dmp

Filesize
64KB

Download
memory/1532-456-0x0000024A52710000-0x0000024A52720000-memory.dmp

Filesize
64KB

Download
memory/1532-426-0x0000024A52720000-0x0000024A52730000-memory.dmp

Filesize
64KB

Download
memory/1532-447-0x0000024A52710000-0x0000024A52720000-memory.dmp

Filesize
64KB

Download
memory/1916-87-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1916-131-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1916-80-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1916-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1972-158-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1972-156-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1988-110-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1988-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1988-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1988-45-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2032-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2032-424-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2212-419-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2212-151-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2300-103-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2300-104-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/2300-109-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/2300-154-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2768-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2768-99-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2768-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2768-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2768-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2804-71-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2804-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3004-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3004-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3344-168-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3344-114-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3468-122-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3468-404-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3500-173-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3500-395-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3500-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3928-79-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3928-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3928-17-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3928-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4412-148-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4412-139-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4412-418-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4452-91-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4452-98-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4452-92-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4452-146-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4568-58-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4568-63-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4568-66-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4568-69-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4568-56-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4836-302-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4836-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4836-55-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-305-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4836-1-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/5152-172-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5200-432-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5200-171-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5308-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5308-178-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download