76a633787f7fd39a9cb7891bace55e74278c48d10ba8b137e83e876685717a03

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_5bce471bdbb07f045e6712c0fb651cc0_ryuk.exe
Size

1.8MB
MD5

5bce471bdbb07f045e6712c0fb651cc0
SHA1

3f2c9e3f1f46734c83d652f3945518dc9226f2bb
SHA256

76a633787f7fd39a9cb7891bace55e74278c48d10ba8b137e83e876685717a03
SHA512

c1be3b34566bb1f19b7d6a11f3ce09b1233ddee406c5f6d7fd811fd69326a58bcd772560ef6aaf1c1340b3dfa980db3cae84830de329db93edd6829561a99606
SSDEEP

12288:CObJA4LWOsvAYFTf0DudXezE09Si/ckGHt6pshsPSGkYl2XIQCb+Lk1TWbPXQnAf:zdL3UTMgXe4i7ojhsP5Lgrk1TWb4AN5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1504	alg.exe
1092	elevation_service.exe
3764	elevation_service.exe
4496	maintenanceservice.exe
2200	OSE.EXE
5768	DiagnosticsHub.StandardCollector.Service.exe
5968	fxssvc.exe
4676	msdtc.exe
1568	PerceptionSimulationService.exe
5024	perfhost.exe
6124	locator.exe
3556	SensorDataService.exe
4068	snmptrap.exe
2156	spectrum.exe
5496	ssh-agent.exe
1608	TieringEngineService.exe
5104	AgentService.exe
3768	vds.exe
5352	vssvc.exe
2276	wbengine.exe
1632	WmiApSrv.exe
4596	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-04-28_5bce471bdbb07f045e6712c0fb651cc0_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_5bce471bdbb07f045e6712c0fb651cc0_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d58bea267489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007635548ba299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c9cf98aa299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a5d3c8ba299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec87058ba299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f10f2e8ba299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ec5e18aa299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb85248ba299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd4b298ba299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004914d18aa299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b50cc8aa299da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1092	elevation_service.exe
1092	elevation_service.exe
1092	elevation_service.exe
1092	elevation_service.exe
1092	elevation_service.exe
1092	elevation_service.exe
1092	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_5bce471bdbb07f045e6712c0fb651cc0_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3464	2024-04-28_5bce471bdbb07f045e6712c0fb651cc0_ryuk.exe
Token: SeDebugPrivilege	1504	alg.exe
Token: SeDebugPrivilege	1504	alg.exe
Token: SeDebugPrivilege	1504	alg.exe
Token: SeTakeOwnershipPrivilege	1092	elevation_service.exe
Token: SeAuditPrivilege	5968	fxssvc.exe
Token: SeRestorePrivilege	1608	TieringEngineService.exe
Token: SeManageVolumePrivilege	1608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5104	AgentService.exe
Token: SeBackupPrivilege	5352	vssvc.exe
Token: SeRestorePrivilege	5352	vssvc.exe
Token: SeAuditPrivilege	5352	vssvc.exe
Token: SeBackupPrivilege	2276	wbengine.exe
Token: SeRestorePrivilege	2276	wbengine.exe
Token: SeSecurityPrivilege	2276	wbengine.exe
Token: 33	4596	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeDebugPrivilege	1092	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4596 wrote to memory of 5076	4596	SearchIndexer.exe	SearchProtocolHost.exe
PID 4596 wrote to memory of 5076	4596	SearchIndexer.exe	SearchProtocolHost.exe
PID 4596 wrote to memory of 540	4596	SearchIndexer.exe	SearchFilterHost.exe
PID 4596 wrote to memory of 540	4596	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_5bce471bdbb07f045e6712c0fb651cc0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_5bce471bdbb07f045e6712c0fb651cc0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3764

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2240

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4676

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:6124

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2156

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5484

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5352

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6323a860139331fac1a85f00ea149e58

SHA1
ffc3397165e6604e2e5e9e58bcb1e0066400a7db

SHA256
72960ee8a5c495e80e54901859e7a5f377bace0f10eea30444c06123c13e0c85

SHA512
01537fdfbb5bce8df27a8ec6ae1fd4f8ca928958dfdc421026e738859268099f0611c59df8a5c5e9d58172b371752ccc633e9c1ce44bc449632ff9c4dbd4d215

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
c971c7107b331777ae6476cffed9e215

SHA1
2ae96a7606120e8a2a4f192e7474205728527f45

SHA256
337a9558b773af4ff27b018b4436d609db2ed391e7edae90fbd79f30023198ff

SHA512
9adaf60aa9e006748b905577db7dad61d4b4df98108a5650a26cc8b14ff7cb8f3da5d838af8eb33335984f356042530cebf5b30cd257427635d6d7ea9900f70e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
9a9aafd1e6baaf146be4362882aa8589

SHA1
287f9e2357bd421ef16482756ebdaa61c0f85859

SHA256
fe95e9a3ea04d6ebbc258da9de3c8179b5c926c0fbebd2a38a435512a6bf4398

SHA512
7875f1d962801102d112a7b79a2ab7a0f0bb465993109b67075d51a9a9eb97c6af41a53841f4ef89bec9b9b43a176cd6c05d9a393c977c28bf390b0778ed5346

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
629d6aebdd5581bf508a351c09665f06

SHA1
daaae624701398983f824c35c91f9892f541f9e8

SHA256
9c53172a7a0e8a26622ae15e3e9333f501c1857304d1aa33f82f576dc57269ee

SHA512
2a767af446fed9767d3280d1bf1de4092f4b878af9e2ef96207fa9733a450c1344b705193882a3c6b8e80f5b4d915302e97c0b6a1dd5ac56167523e567490f34

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b45cffbb80022264cc7095058d922c94

SHA1
d2f441e4000cb5eb627e3d430660fcab39fde372

SHA256
56e15be09316a666011fbf470507285d266a073ce3891cf9bcdb0967ac1b2227

SHA512
8bf57befa1317952c34dd1c4888c591d9dbc3aea22148e997063b18ca4a9e18db4019037379cefe746d8ec013c858380e63fc2a1ee9f939d6f4b55e101f760ee

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
3dd49170741587e4f06cc667b8612912

SHA1
4f28885b2cc7ac38808f2a43978809dda6a16097

SHA256
9786b63341484511dcbdef07aa68a30bd5ef4e802bd11fcc90482b0f0f568883

SHA512
b30d0e15675f72e571db5c188448347ef79fe15ff29d69dada025d5569b885c2dd76cd1381ab5138ac80f72a625f2b46e37bbb8eac4062ed4d535c326329ba63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7b815f1dc7ca5de2331199fb6b99de39

SHA1
c5b9848cf74a930e638fb1baf4506ee66ca16b69

SHA256
2d0b745c61e89e70185939c3be6c45b6849b0fd86fef6787be102474dc6977a8

SHA512
0ecf85ea3ddd765ffbf6d65e15b9ae32319a42b469cfc87c6160862cda743d93fa855a5883087eea644c688fd081cd7fbb7fc18206a81ee2906655e28b29cdf0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d389a8cc066c61ce2b2ec63eb35a8076

SHA1
be2b19599a2bc7f9c16250bad4cb43df75519028

SHA256
cb9e4797709c6e9c7c117fdc6d9fc8af25ff4096f57cd1e8ee6d828c90902a05

SHA512
c40d6a58491aa7b11064fd0addf7baedeb24bf7afa86b60723ef9d6942118ecb6bb75358935160c31204294fb5f981b9f3f563770a031844a733be0d154de757

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
5ccc643acfa966ccb7917567e7ae7059

SHA1
2e8f7671695bd98a7360e64486a528f704ab36ea

SHA256
b7898ae6a38666d3fc9add965ed9bd1ee0bd41f802c78f9fa4d48a05c9b1f844

SHA512
cd0b708c78d747022eae2529abe862486498040ede66da4745e5008ccdf9262e62a33a9644d54e0b104147bb6f20bee6800b23b8b67b5e9bcd18dafd8dcc04ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3defb2f90c1347eeca6a6fde4eccade6

SHA1
748fb07997d0cdec396964fb2ba22589d9d23ae3

SHA256
081dbda3388e83190380fbf1c5f2c8cd690fca18f33c1216b622e80aa398c9b5

SHA512
e5b44326820bef41c2e0dbd22bb2cf9ef14ee45181b43505c7371ae90a7585bb5c94857f65b4f9da9a2e035609813631e897f6059df39287a641383490f9fed7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
febb9c18486a7de165c3df7af7a38af0

SHA1
a7ca59dbcfe68fb3553e5143e963c1dc03ff008a

SHA256
6a0ea3a4f4d7370f42bd015270e4e0617c5507a0987da711ad51ce85a10483ec

SHA512
f5335268e3feeb055562cdfce38c985c6eac635227f12be968dcd499a4ea8f5ff488f209be134420695d30ff8ba8d42b8ad0f578a2791857ce1f3d6a6b046ea9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
90c12c358df7c2803c493297092bc074

SHA1
717f98a5648f80df8b5c14fad9d04bc4f0222537

SHA256
3faf1c9f0f03dae689148d9a8c03dbe017b5c59a90bec409aa7ffb262cb66914

SHA512
c5704e8d1fb0c30f5804365639725df7cdce0f583e034591e44719d47a86f39f556e670a48594193d14d52982ec45ce2a9aa7089bd91b6f32ed65c6fa18bd8d4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
21df36896061392b63472134786b3339

SHA1
bec989bf84c50d79e263f29e70ab5deec86ac6ae

SHA256
4e2ce14a334d41f999f3a099b23c53c0c3d592d33648482be3673cd9ef74a718

SHA512
3deca28e2f41d6a226a238ce234892663bbeefb2cb37afd8af3f1bac44120696e09b3bfe6dfff97c065da665a14d38243aab326ae87bcd0f1ff5eca0dbd02a6b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
4b4a39bcd01c42413d1883d6a834fe61

SHA1
a0cbac2f04d15fbe06c31e6ad63adcf8fdf4c8ab

SHA256
5abc3238d5863a0f683deb4a2be66427547bd3d6bf3bb21a787a88fc9105146a

SHA512
9c5e0ecad5c2f084921928f6629e215635b258b0434c84128ba21148894c327b9d98ee39ff8ea4c0010fb2269e5e73c35ef89c360cfa4832dacedcfa5684d152

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ce73b092abb3f45df7e39c2ffcfe7c98

SHA1
38b1712940417c6d6cb94f6cb44252c64fc0f378

SHA256
4843b962a47bece752f15240f1c8d71671cbe33bacdf468ced5ec552b421d42c

SHA512
bcecc1031ed3d16a7e3d5a2a38dc31be75cd8a51f45b6df58c6182fd1c415560d660f1886a8724816ac73bc52dc750014592adede7554919ad9db957257f3d84

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
015ddf0cd325aeac0147d2aeb9de8b30

SHA1
33a01144a6140b48c6c329e237ff7bb310cf599e

SHA256
333284345b6186d021bca9d7507be57980e2767b114e7199d0a5d1e1b0621423

SHA512
a8159a80988295454d750980d8cb0e3b6c6752cf9fbadc06bede1736d1af014c0272264a62930cf31bc924c021332884e7a07e4f225a60b8f5497ff6cac82a15

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b42411b53e2ebc6d80dc05a62326a507

SHA1
da89ddd2c268699b8d52efd290dcac3fb6a52c14

SHA256
b4bafe57df004a688fded17a7e19a3950f4f1a19eabf359af45c6d1dbd88801b

SHA512
303579b67663ba8ca2fd04fd6f764132596f7dadd1a2ab55029cde8db321b11d77595646273d8ef83c39152e80fe60d7f506b2a2e2ac1c897f9dbeef940b6aca

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
a727a4ff39175ca59552784176353c3e

SHA1
2291c354e97947b088687e768c19603531a72c06

SHA256
1959c8e24ea09dca198ff015930ea0eee780a630b6f5f13ca13234e4cc189af9

SHA512
31ef28bd43d3459c4c2ca85800de1c580b5aee0e5071287deadf76970a72f8a3204512814f69eac45393ed2fed311d20cee52b1bd6e1150adaf442bf254064e0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
5c98d9a0c5fdc5bb23fc5113fbd1b155

SHA1
04d592ddd62a6f4622661895ad7db0051ac7855f

SHA256
5a709ffe5c0095fbe62ef9aba59796516aa98ae08db7b9f1d5ca5bd7786508a8

SHA512
339d5a42836699ca519deb7a14a8e40e806cdf88755ae385326b64ee5559bd5f84d33bae2ccd0ef28c63253e55db11af29fef63e896d91c732e610b0cf3a399c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
77cf1577a2cecf7f670880dc0ebdbcbd

SHA1
ab3c92b4e8f0c31701bcc180ab030bba0c6e2b39

SHA256
424c1e8e9786b6b1ea36148ce3ee20be1b794d8445bfd74832f1ee08d4166c8e

SHA512
2e65d9678a36ae82c665873272038f06f0d951287df6259cddd70e037ef614ffdb2800f49450efa7bafcaaa4e5d6833a2d8288e1efc3f3507b06b4a35dcd575a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
23cf8310aace015ec7f5d7b891da5eb9

SHA1
ca3b79fb8c5f8db65a21fe0ed08b9add066c9b0c

SHA256
741b6210cc4f19d161dfd681d70d3be7a26a229c6c1eea14d08bb9eae47b5f34

SHA512
82d8f4c053b9409d74df9446c7f3bc67c7531868a29bb34067765abb8786f11dece17060da786712e1792f25ac5f32d7ca0cbcdc33c0253013f6db04401bea4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
f431f493859c1aa9f3acf708d4fbf52d

SHA1
0b4c1499c06d138e4be8d2c4e7e4a7ea01521b31

SHA256
9c2859b345a91aea63a116b31fd3e31c9b80fdfbdaa503fc66128fbf2509aecf

SHA512
4c1491306d69a71bd8f28d471dd500f384af78e0bcfd2386810f5d2218b64d331d1b8f772000b9a44b874cb1d535291f08fce4d3c1569ac8ecc49cd0437e1a5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
df459234dcbbeccdcd87707e606fd85c

SHA1
ece30a6c444fc46f865a2f08a8a5b15421375f3e

SHA256
919f779bf6b5f6f42068f3fe0ada2dd041b5835573e4376e8c7b7f5772842bfe

SHA512
9f968320caf02342275bf28197e6d896246bf181415235b5821ba027c0c61732409011c42412406176cc055e8494526e99e9172f6b71e5f4fc535c96fdd2ed35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
98fc0364955d973e98ef3630fa639174

SHA1
dc5d35d0b1d60685f1143b7bceb5cb56d247dd03

SHA256
308244710f30d9350b231c2f0f4fbdc4718ba857109b5c66feb67eb450919632

SHA512
bba8e950f19c60e2cd60076b499ef2cea728e8f43b3b7e200084a0393ef0020dcfb6a5efa5e539dfae2de14b78e47ef4dae0185df2d5b61b3d17bb394bec57f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
64f07e9e613ccb15bd091fb608e6e088

SHA1
429cddb8f00db6451ad603031e0badfab33d907a

SHA256
d359f076f8a7764cee378378168f498c822d2c993fa3a48b1da5065dcbcf16f2

SHA512
fb13a37026b7649079e38572af723583e996fc107f142d770773ce46eda0dd56f788417206b9d109843882778aeebc2a08fedec061d219470a2d5ff7ad62d2d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
b11b0c862af46a580b60dd4cc8e46f7c

SHA1
f9d34da66aa8ca4cb115cdca3465096c1558330f

SHA256
8ecfb9db44588493d92703ae6d305f1dc80310ca7c39f8d5b2465e70d2a4c465

SHA512
4dda5e2298c058044c8892d9205abea01849ebae1f5313d6736d07cdb224f58871cbba61e88f537a10af792f85ea884e19aa19f9d27bcba5c82de37b481a6318

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
9a1405bfba6bafef9917b51abca1f881

SHA1
1da5aebc9fb7c623d1e2a4205f6b2f11c19e1e66

SHA256
279e51fa9adbafd1e54826c9d6390d3a6b3dd4ad2853111a75dccb6b3adbc384

SHA512
76a507e1ea75cc75cd2ca8911164ad000a55c5e0fa20fd3f23274a4d78ad77a3669569f57b85d6607abdfccacade07111f9091ed1912e3841a00d4040c6e28d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
e0333d2a74871ee62f599d7e5abcf3e8

SHA1
27462630bccebc92eea4637740a6c8b9bdab486f

SHA256
c59eac5b6a31c1b9a64b87aeb6ccf747ab6c07f69ef07da818e51695f2630249

SHA512
391f0ac0ec233cc0e1a7a1392d810c0412676a2c6e46ac531de4c017a17dd80b2bf3ac3216dc0605db6178463c8043afd7ff1b1e9695f79ddd73314edb9a9ad9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
1b317a2e2df6fd971a70a8952a7f57ff

SHA1
25f0b7200064d54a3de5caf5e8ef12b17513739f

SHA256
7832f3e2fbf04f3985917d933cc330f56fbaf36d06018bee4269ff8949a9a835

SHA512
f9a909c071ef2d15940c5d1c843bdde40995bc594457cd2d1c4b3452fc8dddd3755e33de008d1100be2660fc81f48a6fbd223d4d065b81473f23c3b8591ad3ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
4d36c82b1f3444ccbf5f8402cce78840

SHA1
b36aef154eec2a978bcb04db3f926ca9363624fa

SHA256
62e2e5cab7ee47b9a42afcf6803ebf42d621a05c18d649d972be172022f07541

SHA512
4e85c169a8ce63a1f91831d93ff7ad02804b5d9b798ad0e5f062dba53e5f2a460bd6fa0f642425fe29b1e458249a61334aae5727faebac702022c02a085b814a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
a5eabe43d8f90c5afc04b9809618d392

SHA1
4b30e5e59000cb6e31469d27ab9feee3f4277988

SHA256
bb345bbb18a55c902bd48e3e4e213442ee2eef8d55f9dfd8ac7a10b22ad03e99

SHA512
46d79e44fa9ce44702f8c6f8a022583d676659f61a96b3884a8a685cda05dd3dd99f8004e5ab21baf584b3a2acd46725d2cc69d1c763517132332dca8df4140d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
7fdcf17ec545eb567583a48c0f3ce3b7

SHA1
0a3716800908454fdcc6588884e9a6c6b41689da

SHA256
3a7260df914318e613235dc0c02ac986d25422a4eee172ed49e1b6481feefc38

SHA512
a7caa3fe52158c881ade7a1ecf87c733b52aa8b35398000272b55aa300d39964c18ebf125d7cfff8123f154b9cbd795540128841a6e5ad4f7a90c3f6aea125f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ed846e26cac52bdffd900592ccfda695

SHA1
00cc6c1f4b71a2cbfabe126b941bd6f340e1dd52

SHA256
edf7d945bf08380e8c0e1a5459554f067b9b1d594b99b961e2197e64e166c75b

SHA512
f838193e31a002cac6b16793b876de836f7e539baee1a60ec83571295da065075fe2c2d49583d8006e077da867f6cef3708acebc30ed2ba664a316e384476da2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
e496b38c89dbffd1f66bf6c3224cc636

SHA1
a618113dc02a4b8baea8702b950375b51e596783

SHA256
792c0af7e52ba72eeb1ddcc1086f4496dad027a9fe3c1f18628608f23b529e7c

SHA512
ed94d3bbe99911b1b2d0fece4f93c0659a5f2048d911d6ae8fb29d61e9062b4998fd09908a2c3b7185b063038accee0745fa97a0af2af4255bc1d3154ddc9c48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
1c227440d361c55597bb2588209acdc6

SHA1
e2e0e8a97433005813435f898550bf8b04631e75

SHA256
69e5276e6f5b0fb218c0a54e252324dcf3d5626ac596167b0c168f23fe244aba

SHA512
4d459b8983bf03830059b2a53bab9e281c70b409d92a515110eafdf26d31f173ee252de00f91a224720b091f2cc5e07513ebb5226f0b5f4ecfe7834012c64188

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
c5b2fa6cfcd7d248314dda6bb494e532

SHA1
542e9fed4d738dbb7079c9218ec26145d654e481

SHA256
c59a20e968b42389031696b4805452ff6091e30ac626d0bfe1ae9176402c0f31

SHA512
1cbf961a8534b24a56cd9ee6c87c6aa994a111b341b2930248c180771bf9086e2e7e1402752b0165e76cbe7715f5d02ab762e97888d1a0d31430b6bb3cf882b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
8ecd6fb425fb681de185e5ebe926629f

SHA1
f78a820b8b3e346bfc63357e946a4546bf903027

SHA256
56786ca61e2d3a9d4fd0b93e9a29587ae3460c7cfdc88bac2905069aa70c268c

SHA512
b9ade080383f692d45a0b9639b311fdded7dc04e9e8e3510cd222dca0a3911483ef96480b5f6b17ac864b8ddcf1d758ffb91fa86725f7111c0222fa7d8b3a996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
ec72eacfa41e0d69609b9b14c9c8dee5

SHA1
6ea6a48e668de75583ee27f029b0c2c02f10de0f

SHA256
e49d0f55d49e34fdb6a4a071f2ef7660ac9a0400d8fc4d00e7e83e94c0872cf5

SHA512
cffaca52715b10dd741d90901009a223828e381ceb433d73a1939891f42aa1bb1baa5ec620385cc8101e90ff8c17ed316b71830adc782648aa67403c597bba19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
ccc811e29392358860ff35d781335796

SHA1
a3858e55410ac450cd787d4f838476bd04e7dbe4

SHA256
ee97f826e2d185e2d8fc48db96bf0975e8f826f119256399b6d0afcd536074c8

SHA512
a283e66e3fef6bd446defa1062e9aa0dc1adaf8efd6b57476ba72324d7d9e1618742e05ec7dfc905ebc9292dcc5205e63b4b815d83a7b374f74ed9a549a8c82c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
c9b2dbd99844d622c628ef6f665c732d

SHA1
57bd7d3a56ae24f4aed77c6e0229c476a146f7ff

SHA256
cd53d85b8d9df9059282cb183960ae8a80229affd93ba07e9a1ed1297cabbaa7

SHA512
867fb88f23f379408dc37dcff780194dbc0112ef60877a25c4d75143155216ea4f4ff9816b2a9eeab9637933f6da2c9fa219243c9a6b7b0e2f7d5074a482b355

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
e5ee733e67c02a9f4d937997d6e46ecb

SHA1
0882cfd3a202797076a0d0e4d5511674b14af7db

SHA256
372eb103258884fe672c7c86e7aeeb8e8d984e1b8195f814b0fe8cb2701eae59

SHA512
207a46e53be53b5e7a8e5c09386bbb57a00bb1c6a16b374045a81ee2eb3518a3fcca4383eebd389f1a1f4c4a8b51f62f029e47b8b8c86c5851812bd917a51c83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
90fefc5fb5d70f8051d101b56909fcc1

SHA1
0e3a0a36f58ff5155b8b7702a618e026924a4ad8

SHA256
21bbd68547afe1bf6c049ddff6bdc9b0e63e839a867f5c2c7a67309b2a529ff9

SHA512
a6e419fdd86dc163939458db4d4e556ab5ca3ed23604bfcbfdecf67fcbd932f703a6fd48a8624893473acfae108dca8d9d28495de75fc99d80d8a5ef43cd23ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
c86095c4347332fb122adbf999b4dde5

SHA1
4ae11a3e26327298ce23c8f61289975129a1c229

SHA256
a3f3ca5ee68e7232b3414f03651e73c7030033e74bf7bde7a79f32be557e24b3

SHA512
27b18db212b73a2941c7a99a1d019e9564a1087871675994a62ec5b209d69394a45b60afcbc4cc08a402799a2037a121b32ef84e67fa9a400f34a4bff4afbaf6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
1e1b159917b165b31de9a08cf3eec305

SHA1
39153438aa6ab0e030a2e1415c6224a248216c7a

SHA256
d82178be261b2f334549c1fb444a3a1335fc70002aa44875bc6274568d9c1a6e

SHA512
52dd98dd5cd9e7a6bcf052f9bc5ffaad2b295a159de875b5963847c1748d449299bc8a12eedca6003467c347c7f0324c65a4cfbe28c3f20294c569b24576c7a5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
3b156d0d62c3b83aa8de4be25fc3ae5c

SHA1
6b9c8989217a9dae90ab527d53b0ba20e289cb13

SHA256
50e2f821f6a2dc594e44d91b48ef488b358d3b7e5db1b507207872f1482a0fc8

SHA512
6bb5aa01f8ea34d5aecd05777133d2eeccf6feb95abf438db8ff8005c59026e8f313361f1409484266b1d008383fd77a726d87ef91254ddc917bb311c10bb756

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d9abe644ef7a129f2cd48db393edf700

SHA1
70c30c5dabfa60768ebf36ffc93b04283d50764c

SHA256
f942fd83ca7a0e13d7a32fac01ec723b8ad1fe12b8cc206cb27abd79c37576ec

SHA512
8aabedc9034848535d5bef2d646577a325bffc2b5ada84822391e7925858973c34368f3cbb662d912a425eac28c18ebc35a5628420c130b6cde87bdd387f367f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8959755829d609daaa6849a5ac8120b6

SHA1
d8c14aa4875389f51c5994e774ac8e3c9ccec212

SHA256
3a73425b6d2e1c3b2ce3530db68827192bbc86cee90a1059d3194e01a6e7a0e1

SHA512
f9046b6fc997a3c6a6987bf4ecde873131b8d746c8a575d0dd7e3a85f79c9e3c7ed5182d5f5bd37bcf9d6551e4b460906dfc077abf98bb4b2bdd7c88accbe89b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1624fd5a8439a35c85375ecc19bcb3b3

SHA1
70109098ff9a045c780913f723ff4676c4d5c38f

SHA256
22a339a3329b9fc11174e8d514e18e08eb12c87acfc90e7d21d25813ea51b5f5

SHA512
b680fad2ba51519f5a31362c33722cfce4aee7c7b4e8dd4ca986de5b13926ff057cad70e1d0ded5d45468d9ef0c4bdc71271fe8e41b47a649d73090eab393b4e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0e5d6b83e66f89fcdae8fa3912e5b229

SHA1
302ed07a99590a356614cf988ddbb8bf8e1ae44f

SHA256
6c2469836575493134661ec5b437ddaf9d0ba7a438b0dbb073509ac61179e39f

SHA512
6bd86b9e2d6fd216b05a55a955556dd4a6c9e744199960fa16bdc015e9af561515f24a1943aeb032daee91911df84c0ec2ea74b42cb2b0f962445a1f72e123db

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
0dfe17852c770ca37d812be472f88945

SHA1
5b89e6dcdbb8fa97bf13640340db8779034f0f2c

SHA256
3cb6da09c1b15506b7cb632faf3a9656f26fb9cfe8b8782c156c2469d76c6fa6

SHA512
61b2d6a2072447d413a3506e0ed8a102aae4b96efac6af0903c4eafe850f86a51d2627a53a0cf863fda6d5c280f4811b57b642108581ed6727f4e387f069bb1a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
f1d60b6f09963bb85013441b3789fbe3

SHA1
ef0e607772e514fdcb8994cd88d2bd215272a774

SHA256
92dac6baaaa9ccd1f86eece2d208373c8f249ea8ecc932204970c63adc1f2276

SHA512
72b87a278a9754cee138ad6a243aece0799e38a0f4848ee43c512685c7e42bd697a9286a379f39a9ae60211cca60b511e8136a8fd748505792692a2128a9c101

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
588c64f8946a73437caa741edaec38ce

SHA1
c469f773167d2280b18e5b416a63f56871fa0fad

SHA256
6131779b57772dedd299d54680017499399a8deaf8e96db6d2ffedc4d68e9200

SHA512
8007d341631e4a56312192279d527eb337b95ca551cc3a94ba9013ca9081bd293eb7bdcf5ee0d0961a8706e85320f888c20ba7007caee91ef462cc689037afe6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c60f3b3c4b637c97da30f577da0dc55b

SHA1
6be13e5765695d668b13da7cb7bd17ed6692eb1c

SHA256
cc2bc9cb76d94db52d8fb76fd60bc8abdcb1024d27a07164d01ef78423fdcdc7

SHA512
67a018a3f093b01fe32210b1d1314ffb7ab2efc7dcb8cb069f8f4c3e799e08743964967b611be538b40f6155f1c08a024cd34211814fb09d740673badc0f188d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
247ee324263657d57119bdd14e999511

SHA1
e2c401b22c42745d88dc66da0aa4634d22db3402

SHA256
1fbebb0ed39e11766351a1a065635b2fd5dbac8038b8af3aa2a37f9dfafbdfb6

SHA512
6c489c128a8c22025082bab44f6fa9b6542b6d06d8ee9413f0cbf79611e0da71157e23cc0a04b22fa138b7b2b69cab2d6c63c6659b881ff2565c416f3dbcf4a9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
7b6cd3ecce259fef65d7bc67b322f238

SHA1
96bd15f96f2ae29b55e66f313be311420564030e

SHA256
02f9a2e80d810033c564b7eb74324234cab8bfff3903a6ed2cfd4b2807e1695a

SHA512
ce316bea03722c917e424f377f3136b243c078ed18916112dfd5885e2d742814a8afaa016038d594914216e7e4c271f6463c165de04c8ece9394aa6e5a528e1f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ad92f1d347566a00ed6a3d0af27d1e86

SHA1
d52d60adc07cb93c9e47e1b3c6134bf3db454cb7

SHA256
a687c505a49d4593668e6c3e8a5d0cadc750cadc485e95e0b112ce7b4012449b

SHA512
7edf57395885a1eefddf8a5779501e400d05719aa9f7021a8614304b4d5130fe5a21d6ad35d26478bc81d37a47cbf005b8911677eb6177af04dcac89875f58f4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
06ee7f813e781b47c28b5c29f1afbe2a

SHA1
89b328e274c1f808dfa471bda3a3043c9175c84c

SHA256
8b799b6612d4cc01e3fcca7ace5aae78f65c80a57518a112276f3018ef59ca5f

SHA512
5d15e8079a3cd57d48b36fc625005c2c201b9c7f62132639befbaad7a08dc60800bb0ff9ae838e25678735b5935405dad09721622b820925709e700fd13bea8c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
efe11ea0f2da75f7339197db338230d4

SHA1
993df422b4d6a104ed34fcbd82dbd3e329ce513b

SHA256
c6230b723dc89a29ff72deeca1397c707a8edd443860e6d719620ec345efca02

SHA512
1f89528f70135e16b20e2981ddcb637fd412046c01439c526451b7e122b90795dd334c521f26f13dbfc76f408e3b43e874321525427182d8cdef443f41946007

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
778fb38a9ee34745240e3386bd39b6ee

SHA1
e16e412eec80399434ae653f724659df7653321f

SHA256
c5e68f7e283b1843fb3bf58ce99dce27fa298443439f35a091cdd9283f926529

SHA512
698773f56c6476cc9eac560a99dbe78ba26ef55d6228697eb5006ff798724173995bd41f1686c1f52d3083fe68640675f734910814b82763b9c8bac3585df79c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7f5c4b26a0acbb5018390e00ebce601f

SHA1
fc63570666698bb6af3ad3d87983299deba33742

SHA256
6f5be0d754689600eb497b0f9ef0026fd29dae3e82081afcea7332637a051308

SHA512
05694ed49c2eaefadce3aed32f0cde13a6696a90e2d108b6b30f63010f0c5c0c683aab27777a0df5b6f53e3db439f8d2510cb38d40f6f1be6ff99f5a4a7d1888

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a64bfe02516430aa15338eb68646b0d5

SHA1
5650efff810117485dfacd97f5d00604aed2748e

SHA256
7519f64b689941818ffd37d377eadb3ff3dd6141456c476c9874b4361ba505fd

SHA512
8ecca517eee9fbd39d1331709038f97318743e71d828215a3169380ec8e39238e683054bd2b0116938c05451f001229def0c0234fed94d41c295db294a838bda

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e245ccbfa4ed71ed635fb72b8ba17063

SHA1
088e2bdbe3f1e84ca1f7d4e7d751177aac366a9d

SHA256
9ecf1461d752e61d91ffe32816f1201fc85b3bfe62eee3f086dcc4ac3892da96

SHA512
0215ec7fb5d0e2dd29d519bdedb6b5ee91e3782496d5b3cf95612bc3b67e9db73d3726cfeb6ec8f7409bcf10ae0d7a1f5be6518d0495b61f527763b22f651fee

Download Submit
memory/1092-35-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1092-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1092-29-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1092-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1504-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1504-23-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1504-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1504-231-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1504-22-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1568-286-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1568-390-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1608-361-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1608-631-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1632-415-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1632-637-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2156-629-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2156-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2200-81-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2200-64-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2200-70-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2276-403-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2276-636-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3464-0-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3464-14-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3464-13-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3464-7-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3464-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3556-307-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3556-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3556-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3764-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3764-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3764-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3764-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3768-379-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3768-634-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4068-326-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4068-513-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4496-56-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4496-62-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4496-50-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4496-60-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4596-639-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4596-428-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4676-266-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4676-378-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5024-293-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5024-402-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5104-364-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5104-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5352-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5352-391-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5496-341-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5496-630-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5768-360-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5768-241-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5768-247-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5768-240-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5968-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5968-252-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/5968-264-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/6124-295-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/6124-414-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download