a9da39910044c94074895428991a1e707baba3da1f8102f03a909be33128f526

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_eba9095d483a05bf509209944b8e3869_cobalt-strike_ryuk.exe
Size

946KB
MD5

eba9095d483a05bf509209944b8e3869
SHA1

a125032208d5e119f73411f0aeb48c26168f01d8
SHA256

a9da39910044c94074895428991a1e707baba3da1f8102f03a909be33128f526
SHA512

b3e9735f26fed25158d4aebae04a3b9b776f4d73c6a2525d9eb628234cf98f4e5c0161a26600bf82335a1d91fbf5340fd88b1a2b8b6e5d734b0c93bf6c5b811a
SSDEEP

24576:zTgnpwJ+Ru/i328ab4F+rM/aXq6bJfBUam6:f0du/i3da1YS6ozB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4368	alg.exe
4624	elevation_service.exe
764	elevation_service.exe
3228	maintenanceservice.exe
1636	OSE.EXE
3100	DiagnosticsHub.StandardCollector.Service.exe
3224	fxssvc.exe
3656	msdtc.exe
3164	PerceptionSimulationService.exe
2584	perfhost.exe
3616	locator.exe
4516	SensorDataService.exe
4288	snmptrap.exe
5100	spectrum.exe
384	ssh-agent.exe
4036	TieringEngineService.exe
4904	AgentService.exe
2108	vds.exe
4736	vssvc.exe
3296	wbengine.exe
4720	WmiApSrv.exe
4732	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\49bc6b566ec4f27.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-27_eba9095d483a05bf509209944b8e3869_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76234\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092d9bf370651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005312f9370651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fc4ea370651da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff62c9370651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c4951380651da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d78bd370651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bebf1370651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6d7fd370651da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1976	2024-01-27_eba9095d483a05bf509209944b8e3869_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4368	alg.exe
Token: SeDebugPrivilege	4368	alg.exe
Token: SeDebugPrivilege	4368	alg.exe
Token: SeTakeOwnershipPrivilege	4624	elevation_service.exe
Token: SeAuditPrivilege	3224	fxssvc.exe
Token: SeRestorePrivilege	4036	TieringEngineService.exe
Token: SeManageVolumePrivilege	4036	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4904	AgentService.exe
Token: SeBackupPrivilege	4736	vssvc.exe
Token: SeRestorePrivilege	4736	vssvc.exe
Token: SeAuditPrivilege	4736	vssvc.exe
Token: SeBackupPrivilege	3296	wbengine.exe
Token: SeRestorePrivilege	3296	wbengine.exe
Token: SeSecurityPrivilege	3296	wbengine.exe
Token: 33	4732	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4732	SearchIndexer.exe
Token: SeDebugPrivilege	4624	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4392	4732	SearchIndexer.exe	117
PID 4732 wrote to memory of 4392	4732	SearchIndexer.exe	117
PID 4732 wrote to memory of 2268	4732	SearchIndexer.exe	118
PID 4732 wrote to memory of 2268	4732	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-27_eba9095d483a05bf509209944b8e3869_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_eba9095d483a05bf509209944b8e3869_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3656

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4340

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
  2⤵
  - Modifies data under HKEY_USERS
  PID:2268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5100

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
122KB

MD5
7c4ae9cfbd2b72938d4ac77bd410a83a

SHA1
3c6cf1f7c6f1bccdecf9ba217e54d2e35b0f0671

SHA256
57909ba0ad101a3ab872cb7232a06997b0088d76d506313ef05a2c022983db79

SHA512
d80d01bad691e86d27057d8377d300e0c9cc31b6af82034e7cbf2bbb7808338d452773d5ad60ee2e97eb4f85542eeef1de8c700d5f41376ca00875fa4dc9aa2e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
204KB

MD5
14a27204e5bcbbc83f88ee3c4b0e60c4

SHA1
f26e9305ace8fb3882ad739b6bcc49468a3f0f7b

SHA256
17715804c3b7819b2fe2564b257a99a5dccb6638a24d0825ffedbb80dcce6c60

SHA512
0937abc05d10ed101a5907208f7231bb4b1333cc8d05804929f72e0ec9f4abd99efe392f57c59edf43430d0b30986f46fe80fb2caf3ea375557be1c321e80620

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
165KB

MD5
3f156a663778ae97d3cd7281696668dd

SHA1
d8acf9f2e6d05c4fe9a99df98dcd0d79f522b2cf

SHA256
b2d64144fc44415912eea6aaed1bd6dad43c362ed743675bc36cc4e908d743e4

SHA512
7c0297a823707780e22a455ec9ea7ee78628043fbd1dabd7909f354601a5e04b1033e17aaf0e9f40297ec33f5d8ad0855514543c984fd787b4b73f2f3d1ccd72

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
114KB

MD5
b5eb139f508b3822fa48a22a04308fc1

SHA1
9c4bf6223e48fbcfd1267f80333910dfa8efc0f8

SHA256
2b6715b48c0ec5656e4f333fc88475ee1e80f521f7b8f630fadc0ad01bce9151

SHA512
9fd1737316209ce1505470f1a493b6f6db5ee8ee3b7e5e18d16ff8d0804b1bc1f30ab633f7997a784fe9ab4f8b3af52247e73bf5ed85946570bfcccee4eec2c1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
75KB

MD5
b04c2a6e3838895d11ecd0ee9bc78403

SHA1
afa680ce1f1b0ad60872cbb762370f0720e58c8a

SHA256
3680e85f754c9a7662dab4afb182c142cef73e24e463aa523f6ae695c32798a5

SHA512
c68b194fac5333406572a8435900f6966cbbd2730f4aeb051adf3cd6d036faf208b8489766759c449c54d60465817e9bd690bb29f76303fb89318608f377d6e2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
163KB

MD5
a1be1935ead012d528866714e1192168

SHA1
1875a253a7ffed0ab9fa44070c031c1d4674b4d1

SHA256
24c52e122d89490f1c1f43e54ba396993f411919402c29a88f62f6128aa6f50a

SHA512
4f161e5c3147822e01341eec8f8d110fc89405e3b768415f4b7f8e46a6dd27bba387e835ef9d22f8632e1d2ed884c5ba5dc1d4d6e3dc466d297881250b7fa4b2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
151KB

MD5
ac5037de536a8f0e0824679f4d3e8089

SHA1
0c02694de3c45eeadf595c5d27057c134176ee5e

SHA256
e9d098a62a7b85514c75e729d490c0e91e1c506fd026f6cb79d28fc0c12b653e

SHA512
191fe70e5b5e83e679e721ce237da340c7d1861eb75700841b63d2378f4549c66e0ff1487cf1f9653a59410aaec27ced1c065c0a5bb6a25234e266b1a24fc7ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
24KB

MD5
5d31979d78a438315a21765130f52bf6

SHA1
67d639649158165b9529fde05a28873a55cdbf07

SHA256
ba7c143ba5a07dc3aa7afa2b66df4528c651a6c4b5938991ed98951d94582405

SHA512
fe9aa80be576988f8655da19135dde61d29c552acf4c0e82da1d7b3365ae7a147d7a821611e843801a303ab751b5054389fe55bca2976cc57c4823c14580c1db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
162KB

MD5
9016f3555cbd0c151c0acd76db0c0f8f

SHA1
05548e0b9b7756f8b966a057090656734e632c89

SHA256
07ee4fac03626e59e93a5a3e65fcb6d5e8267589491de0c45c48b6ecc775f64e

SHA512
5977485be983d8e33c02f02c37fe30c5b3fc34408641b37d32adfaeba2cda018e33462d2b81dffbe9e6099a40814b326e4069069188363e20a22fa5b28dfce75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
53KB

MD5
10166b1671e78eac807a21b35d11abe9

SHA1
c6bfc23a8814ad69dceb1c1a3db8176f08a78ef8

SHA256
30b32a0b0dfbd59c32c0ef975233973b7b7078454a7f9acb15e3ab774a0e8e27

SHA512
215e714a6f3b588373aa808bf9fa6394598b21fc17ff502a51bb890ee5ae568c849773e1319d68c30c8384c1b2dd8405cee95daa47a6689d0de99dafced216db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
131KB

MD5
6a659de717b0f553a170a442fb669fdd

SHA1
a7a6df144d2d5f3555a1a9f70a2f270fc6e48266

SHA256
fd8b8991fb028fd88ea5f2c783a21963feb8d766cd7bc17ee823ec29b2f1b86b

SHA512
80bf3819846d16901bedefd0f5fd1ffd491c8fe168f1bbce9b557cfd7a7feb528b12b450d77c0451f989c71e47c8fefdbd3fed06bcfbd616e324ee9ac8d94b7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
92KB

MD5
5ac74f295afc99cd581c8c385fc87b8e

SHA1
c7288ec81d95ac32e22b0717c528ea4602b3f613

SHA256
760459b75a5b1d5f20e72f5676beee70f8a1f0f0acdd4de9a7b791261d423704

SHA512
94957038013f99a172d28fbf7f03ab7d1ba4ee7cf938e3ab81354e47460d25c5e79c9c87c072f4906fa8c5df4ad9c997dee2ecb84023a4b7694e2a5efac10df1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
172KB

MD5
153e2c9a9f07d53f464d7c2414948828

SHA1
6f2471c1947723cf1a06e67a009af30cbef12c84

SHA256
52b40b90dbc3f87de6d698109fdfef30802b2695fc179bcb3b13482f0e2aa766

SHA512
769af7871b64d77f03c10684b17e7820b8b669d9a92d747d80882a42a601d87a5ec9134bee007edd4330537fce89c969b79a92f1e1d779214a106ed482e9b9f9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
460KB

MD5
b1dc1efe23c2ab2a92642e0821510fb3

SHA1
ad31490d248f77d2f17e8305e490dcd6c6698ad3

SHA256
b77fe23a78d57429b7819a5c4880f20d63e219ce36fdc5a49d685726a5000e15

SHA512
772a69b56275cab394975ebeee8eb7b6949662b14a6cea3b2e34adddc81ecaf8d551c7ccf3b40150c0ca0c1e59ff49a74d64dd2f22d104242724b121a21fc0af

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
186KB

MD5
640b091e7714498d720e2cb6aec95eeb

SHA1
2ec1eb189f8adae7d277400f27ff4e3eebb98f19

SHA256
445a2c5a7a83419e15cf5fadc55c7477846fefd8279c065270cf227bb08a830a

SHA512
19f23a5d385c02714b68d1e54e7d34c943831b44716528416e4e5a3661388f4796428f6400559f49909753cd610574d21c351feb246ea38bbb6f562bcd1fc669

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
95KB

MD5
9d1d2318f390755f008a9e8423ae1a90

SHA1
8177ddcb575cce98b40eaa926704689c02da55f5

SHA256
accff8094fa91b66d07c2200b390e3d5a3a4dfbca0e35983f4ac2ac62263eac4

SHA512
14f676a547f7f73735e38edd04b860707d69ac195c698047a01bb301481cd97822f4eb87b6f18bd5d9cda03b7665fb0eaeaa8229b738f793f300a7397bf08f1f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
171KB

MD5
e320bbff85c5cc28399d94bf97ad0e1e

SHA1
60a1c7a425f4c7a1811bdd13ea483dcf69851473

SHA256
d53e32cd34596f93b00856831a861421a15513dd79dd321f02cdf92d634f8a1e

SHA512
e2b04092430c55ca44aab0873634c7a185188d86ad8fd73d40527d4997c3d8407ba8fb7d8ac08ef7763660efc5be43d5fe4feb4ead6c6dfe67427819c1c59905

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
92KB

MD5
033b97466e5ced2b12dbc7896b05683d

SHA1
894dda8380739989d2346d951a7eb2da4f6f57f5

SHA256
9f6ce87e50644954bd3f4317a8726e783e24079ddc6838080f0a078b9dc9e930

SHA512
f4029500ea59fcb0a5c5c517e266e4590fe76b40945b6a6c38de0bbd76ec071a18bf13361bc381405a69c69818afeaefe301ae592876ba9fa5e6e41b3c495bc4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
254KB

MD5
ec42019dfdd58945c06032e7ffede521

SHA1
81a8ea440dd1188b527a2758b29acaf7fbe99e31

SHA256
201d07614aa3051745beda6e1c6815f7be7ea0ebc41420834c1243c6b47665f3

SHA512
1731f0cfec0f9bc603fd3b671dd6b22f9455ec0df23edfba48f7c65af674d6df761a06d65f6ca7eec79a2c66093a1be0f60247a326929a21e4b39a16c35dd8d3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
47KB

MD5
958e191126ff02870add0168606ff4a6

SHA1
c179d2a3ee3b972e1e0f29ffb957be897bd3ab79

SHA256
a096dc266ad1acdc296681cc1f3626fe725ecf5c19d7c8d17ae146b977b5b86d

SHA512
db40bf295cc71fa613e1c4b38bff33763e2b1a088489421f227409827c46ef18a9652a3469d5cd8135300e1d8adaa155fb77930e59b257013e8687538612cb99

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
153KB

MD5
546d966944daf8c53798a4de21781a19

SHA1
3619a236bb3468eb8fef901d085624b1d476fb5b

SHA256
0049426be2510509317fe8b7243ef9816df1f89fc188a15df43b59ab2951aab4

SHA512
d710034ee2e47382766118d1c0290ff84647b342e20fbaa33daf4c49f68a2b237a163d85f87cc68d5a9fc9d21a7a799943e44c066661398b4368e42e78f64575

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
214KB

MD5
29a000acbbd6d91c59caaed76821eace

SHA1
fe998157880a5339f323526efad3ec77af401008

SHA256
335139c5aee2de3477e70a1d2403caaaf1f7425ad049999fdd8eb3fbd8dfab9b

SHA512
f24d5ae57d0d97bd4fc333b57d9797a6573aed07b1a5c02baf074d960b7065fb842ede5ef25602a2e8c633f42f39836349a3068629530dd60f85511d39bd614e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
176KB

MD5
62a950531729dafc8ef72a712a07ab68

SHA1
aeb88b50dcf35ca35847e0cdc598a6e7adc414d7

SHA256
d73ee373a1d728707aad42b434dfe46e2baf8aafeade383d21dd2c828979be50

SHA512
540d0ce676c1decd1e31d4fc891d3fd51218d39cf82fb7bc44c72f8ae64d4c71c2048f786a5a0acba7456c564e5b5ffca042d8182818abbc292393f64c8aac4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
149KB

MD5
696a722d6f25453eeebbb076f84de335

SHA1
666857f8ecad67d71a4930cbcde0cd6d01e64f10

SHA256
778b59a89fe46e2889c245dc44f3caddd16a186fcfa85ecc70c44f316664157f

SHA512
372dc6c494bf66642a5ca8f46b2882e50a6e705d2c72aadf57889f4f6fc819da92f4f27fb3b7c677c5d1b5822fbf942acec55bf8f92aa3fc45fd3d7cff994f23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
59KB

MD5
469b706d7ea056708e28d8d46908db54

SHA1
d42fc8459e9a61d338ccde486b62ecad5a2d169c

SHA256
1ee330428bd85c786cb79625d60cf475fe5502da2efdfed4d756fa8ab9374778

SHA512
8156776aa136533bb69d357daf17b5dc95db932ee6d6dd35494bf68f1463d08eef0c6121280312622e1bff2edcb03e216fe3c8c61f55f5ddaed2469366e8ce9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
80KB

MD5
10c10c0f9feedd8983fdd2b76ed63bcb

SHA1
161781f24f889cf6123bfbf5566b7b132e2c8827

SHA256
13cd9199a33b88b822f9f679bf18ccd02e51d3aa4270a917d9c2847fba71e5bf

SHA512
d31a28a30f8cd8d269bd9c68d98db30ffaa5d5c0c956593464352b3c4cdb678bd9eddad8705049892af44a7544b368fb3cd2c443a4c9ec3f9e2816292cc1f568

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
143KB

MD5
a8901143356b348881dbc87c1ab64674

SHA1
36ddaf661c04f1e16c9c0158618672f80de456fd

SHA256
296f2a6b8cac8e9fc337283b597cc927d566b3577445b358a76c6311df4f005e

SHA512
084af6389565fe6697a9b47f2b2d92f3d43b67a7281847158c04ca6aa7264bf8a9df7d867be9b16c0f07c4bcaa05738b6fa8a70eeffcf9bd8d81d1701b6bc18f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
177KB

MD5
bc1a7c0b55dce641b8e434c27f211420

SHA1
649bfa1c9281fd3a75a31f189ccb5592d17505a8

SHA256
262f7422c7dbbed7c934c2745a6df1e4c1aad5d342468f01e8b9ca4028589d41

SHA512
82cf380f3a98e5f422f5b56d9802889529d847e88807de4c9a259168ea4c838ec4d5cc1144c931323c76057bc31d6b6bd7497cc92bc0b748a9d822f5284321b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
142KB

MD5
27e449ca919aef2ea287b020ad19c050

SHA1
1a4569a772afde94213c1682db7554f2f279fe35

SHA256
d7c3cde2a1162c264e563649163e56cbdcad0c9b245b7622d6ee13ed3c520f56

SHA512
509dbb328c6489b87aeedc887aae9875fafda4fc4a89b6ba15c2eaf4396a9de8337033d712a27326fbe9c698f5d87e6abe4796683427aa677c88b076798d7976

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
86KB

MD5
c8e90107405d7705ddfa3c596d86a826

SHA1
e22f5081f8161c84e4797f363405b9b504fb4a62

SHA256
8f9e330b82b390694f34db343f38924ae7f26245746f9c458d0ae50f381b81a7

SHA512
e558568e54a8e1cbe7174c1ada283fa3c4b4ebea6236c4e680f21adbf3165c583886d9d1d51118aa12d1aa807e1d8dfd72725b1102b8e98f192ef6868738b581

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
91KB

MD5
263edf36496c0a60d028e1b49fba159f

SHA1
c0d9d5562a849a4c60420b243ed7eb52e4deebb2

SHA256
f13d032ca21aed6b6d02865fdd0d02da843b234a83ec5c9ff7e76d97b9d4dc29

SHA512
1310e68af031376eabb9f1430bdad552512980b8d3feaa96dfd46a44772a1e1441e49292a2d0ee140a833345106b7daef207b9785ec27cb530e25ff0e5f673a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
116KB

MD5
3ec755b0fe75664b101689ee0a1974e6

SHA1
3eec30599e3c836e203745203d4d3fb722b559dc

SHA256
f1b595f5b7de1832074250e2ef76e8baa9b941843e6fab8f4283ae46da0d5264

SHA512
b30785128e75c7e5bb7e7c90a5ef4675fc4b035b761f537c9fb2f565d2428710521038b23c453f3525e50e10bf32a15db32639672252c9aaf53ef1a70762272b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
104KB

MD5
b1cf9e910e8fa0e77f04365e56db92fd

SHA1
45978fca1cff66982e785a79c6797bd7a9f01297

SHA256
786e036d4d59bb0ceee32126149f2743fa352c1a987f5ac85cf4a0ed2969ee08

SHA512
b65c6eb8dd784944bfc9b3332df33d9d2788215eb10ec909bd30cef16fd5f9bb04c13860ed06541cadbb62f1c48e269920f1fcf1542f489433928359e81d1417

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
76KB

MD5
30de8bd77bfafef5447d8851faa16f68

SHA1
effee483611122ebc3eb3ae606c00460e99cff45

SHA256
43f23b8b9cf6f808c26094e02a3d1c75b5336f3d5e60c9b341d277332b2c0b5f

SHA512
b998cec84bf98dea4c23aa96055780d54a4787299864e94d343937bd926db84d53d27c1c6e05d6d2ef5fb6149433ee1fcbc2f3b6975b3a5c21267836b57c9c6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
26KB

MD5
018203c9f137c91d5d463ef42fd6ddf9

SHA1
b884e1ae323744c0889ab0cd1606cd231ebdb455

SHA256
377a56b57720e8f17c8c569ffd99e3a97addc36a8819670a992fbd16a7394344

SHA512
ac4f9afc3454227b22592d7c9cd7229bb7544cc840e57c267275d80b11c7919fba2194d7528856323bc8909737626e8a7dbf7f1803b84bdf5b87cfa840a20626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
164KB

MD5
27b716392492ccbf0f58fd616e8382b6

SHA1
dae24be076681b4004576f9e1317aa2ba6b7022e

SHA256
4988d0cb12ed96b17e44e0d235501be79bfd8395c9ed2ce79b27fe4e53ede476

SHA512
fb8987aa2f24ba3975332f4df9508833cbf8bf183cd96fdd53c75c583550217b6ed28db5fcb0b282d9e09dcdab15a5b820335b264b2d40b7dafd9e63a14f7408

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
94KB

MD5
2d1e1a997bc22ca76aab801d1035d19d

SHA1
058f1d995a0bb7a594e1d80b38f60247d204c03d

SHA256
158f89b2c0457702b3283a831500391e6e6bcb8018a26f1339434c3512720059

SHA512
c9ca3b444e7566309ed5198795c8826f07f913292ce87da118c2b8df6ea18afc1e16930dfaa165369b07e1b58b870c23b69cd0b3a36a12631155cbe15af17d22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
15KB

MD5
cc078055b988c9727ccb681845bcc6cd

SHA1
65f299733f6243b559e7ebeb470b5c88ff2d7ca1

SHA256
0946d0ae03d1bba7e13a2c9b8bf8bbdd053731786a6ca886a93e12c0473814b3

SHA512
f42cc16bd9bcb4641003ad22f76b277974e09de72e1257231e18e92bd6e7d7da06667300f100271eecd8ec0d68d4363c227c464039961730cef2cc43cc6065fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1KB

MD5
323d314cbcb54759515b9b243a15d2a6

SHA1
02e2297f8cf2d408e74f15a44d40164f1e548c3d

SHA256
d5d59906a8c280a11d6d79e92ac865c48af726acd01253c093a9c9732d4610fb

SHA512
f1761e7a9585209190e179d762896a704d55c61c1340a30b316bdf2629b75d759a12024799c28b5017fac0bc15c3e8c5eac0164e02eba370f5d878a40b5644d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1KB

MD5
e1c7fe351926a435a2420148c21d7333

SHA1
22727d3715c8ff8050170c772573b56ee2794f71

SHA256
c271ce39efc2909f423f4e9631e1bac73ec6bf17e570d213447855c3bef6b4ef

SHA512
a22d8c0ae0c9629fd147d6844554d42a0cef42a01c2f8605ec858bc22765af3579c4dd4a643a7d40b158e17f0275f849e593ffe42ec2d6219cecb2f92bda120d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
48KB

MD5
6012b6e547aa2a8e17d826203ae69c5b

SHA1
4c7aadc9cf64c09428935421e9c986c14453321c

SHA256
91b6e6053403e286d67ea1dc53c412510c1ad5acb134051e1189150ea7c089b4

SHA512
d93ceedd8a0b4e518030dc4e7d0aa63faa652b548f93722b5b1b112f5cb82a312a75fac2fe7be95eb4f369f16a67575838a1c800cc2f58b5373b72630da4ec35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
7KB

MD5
8d56ff670cb968e9efd8a59806e2ef5d

SHA1
115e36e108f8392bcfdb41bb384896d7101415b5

SHA256
324b0e86d110647a4691c048ffcddc546562449fb741979c71e252bbb7b94287

SHA512
f789f40be15519a766c4bebff40d235866e92dff7e08b9c2d97c437b9cb1e0dcd7bd9e4bd5c99e9356168fce073ef0e41e1bdd3fb1895281c9791f4902b1ebc2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
71KB

MD5
fb5c48aeb410ba590ed8e1f57a0eb921

SHA1
6eb68bd1091cbfadb3a34254fe6f0b2ce353325e

SHA256
d3e7ba131b859cce2453daf7c41f614fbdfb32a8dd284e504498d6190d4ac614

SHA512
cca76affb4bb04748b5908d0cadb968701a92c04dddf2506e642a7a3253025c1c0058e4a4fe2dec402a63024103b055eb75e5526bca97cfc66b46d8749d48904

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
74KB

MD5
f9b6c12b1986fc8b3ed80c866141a559

SHA1
cc6b17ebb0b55ed750ee3a976eae9a4ea7d2f53c

SHA256
68da9f2daff2f4fc083a3950ab4491f824817e6ae6e9e47dc03f289c1720bbd7

SHA512
46dbd09e71845d853638667bd230e727519f99f6624f844825759cbaf4bb6e8b6b7262e989355fb6995d1c53870b43fef9a11b8bffbf67e75e656bcef747a301

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
83KB

MD5
6bfe3b02464cdd850d99f1a882bba436

SHA1
a24a1465b626e1b960855e2a358bb7c92170f6e1

SHA256
6f004305b877fd847f58793952bf2dc0be0e6a36c3787dda008b76e4119f3888

SHA512
da8ce785a68763a991fe731336ad2c9118b4cad623952a5a94ac2234f157cf21cecdaa5d3d79cc48c347a5c08872d2d8ac1bb8db2b6b0481b2fae6bda2cc6d98

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
dbdb86644dba1f8287172f5fad9375b0

SHA1
dad9da1ce7cb82b4aae95ee817c832902c92f185

SHA256
3377e609fea3ae326cd6401d0337ce61ad26a8a039f8389358245c5f2beba4a3

SHA512
a4a27baac9ca87b4a1629bfecacbe9f1d32aa4e370ce9c3d9134a5d5d72b93042279969eb6a201bc1ffa7dd1f3bcd000b9f8117c6703c100d373fe7c10034a2a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
262KB

MD5
db90ff68e647f12335f1855c1ef5fe68

SHA1
a9c0ae5ea83dd63742453d208f9aae25d09a962d

SHA256
1b35695b7182174a5f955a3090cca46f9f449cfe52691644f3db74f98070e882

SHA512
bd71bb500fe17da80797927477bd01b64c4f316b273fd95ebeb799caf7d66f96d2154dbbb9b73e2a953b344ddb7855ca925a27359515eb82e2e04b56f35689cf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
88KB

MD5
8537f424f89d8fc65b9470a50b771db3

SHA1
23b68722cfdd2ecc0219cd428762d4ba12d7aa8a

SHA256
7da67c6353acbeada8a1d031885f2ddaea0c31394883af4b465206be2e0237d9

SHA512
0ecf3a973c742caf80c93c3d179bb3319e00e0402ee88231ad05d31c5cca68b084d6227d286b096746a1c054a06a3853f3e7d16022b80f8b268635e59b952b93

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
5KB

MD5
452cb2a7d71fe043e8c56ad1d76385d3

SHA1
2302f39d80a3a7149bbb9cf0b7a87c0d908a47b8

SHA256
02067a39c493d1a4b20436a0bfa74ab4946089195a777e86432fde6519bb2059

SHA512
1ca6df9d8fa77c782f9e1148f091568c60981d35d0452719ffedfee47f1b0dbb51f5459a14fccce0b33fe3664b8de34400d0dcd848a28f1d29cc0ea6ab9d9342

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
213KB

MD5
2f7f4d13b82361d1770967f10679fcbd

SHA1
9f3a66ffd6a7e6d53706d2f7b412e3ba506ff8d9

SHA256
2813e7457a9306436d8a542e1fe821d3f5e8d70a165e3abbf886a6d7135b8646

SHA512
47b8928a09f096a4db8f01bea8bcc1fb1e7d6a822525c7a41d4636413923315c972c6c4c80ed003ceb75f09710d42087d6db81cb37d23bb7d478c5e26a6d2bf9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
17KB

MD5
f86b384a8f4e7348f8dc1dd68e66c72a

SHA1
ac93cbd3478a39c3f8fbdd8b52227605058c1d32

SHA256
0848cc33c34afd08d891fda5d1f8669f517e3536e31b6816adaf1dc4b7e28fb5

SHA512
cdf41ead4ae52a7bd816c759b8e2883d6fe42b528e5f3e0eb751995e8ecbc49fed3b258c0c131a43787937116b1b0655ea9cac2bc4c0892255ec5c5a0ffc4a5a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
63KB

MD5
f6efac3c2ddf16899509cf30def11fe3

SHA1
82ec953b200b2e99c0f445ba6bc8d3024ec9f569

SHA256
1c5280880ce1bd9473f66bf59f5820fe191ec7981c66d6edcecf97602b4244dd

SHA512
dc1bfa03723f5304bf36dd695a6adb635daa2b5a580422a96fd0705b3940f61567c66b51f1a41ac131768fc5c552de2aa3208c50e2e1960a7592a8cdf7435b47

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
327KB

MD5
2e1a9dd2c664227d26b4a1e26e0c4a65

SHA1
4f4e2976695a4a0dc3578c7337b932f3d944d97d

SHA256
4df2847eb6cc7e8ccc40a83eb82aaa04c2bc986571b09594a8aa3827195e9fde

SHA512
1cf3028c2b864b640cbd7d8d2420d286d213be71a5a3409a039dbe36aefb06cb61e2f744298081773b7490f7c81f1bed7b9a825075631c936770d8b63f2c5074

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
189KB

MD5
2b74da1e576c8228b4fd9ccbcc9da767

SHA1
7994dd79bf9f62ce4bd1a74491c6e1a5cc0766dc

SHA256
a474abdaf2914942e20ffd30524b858617811f2bb0575f4e49788b6f680dbe2b

SHA512
ecf472f9aa620a7da845e12a4822cfdc2d5813d5a51874b62936ee171e2825868aebaeca428f61b9d2c7a626e1432867cf4f1b0ca54640ebfcae986378498fc3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
70KB

MD5
9c7a6ef9664892d997af16f3df723481

SHA1
cd769d79e6cb31fdde98d9dbad8de06652ce41d8

SHA256
fb491889515993f76638954763e65019dfa44c208a7946c4362ebe60b0146ced

SHA512
ccd0cbf6ed0ad93a8a82c17187c9fefa363208645aa5445e3d1a84c3d49bd0d6943ebc3d89c5d5bc99e4c71c19344be6faf96cf6be31cdf1d9b9314d4848da89

Download Submit
C:\Windows\System32\alg.exe

Filesize
306KB

MD5
72cc26d902921da293e6bc69ee6a6d5e

SHA1
2a73539c4adda889b32d9d1ab179a6efc9b6c609

SHA256
0ce4c63c544492f6e1a099f2bf267d578f49c7991abea74c4649b30f297eb8c2

SHA512
b37911f375b8f1d81bdcd6cc5396ec8be3ec6b35f5765bba909c1ce869d8c6281b6425acb3b281c2817f948234541fbaaa4f8886610e8c2330bdddc21a1ae31f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
150KB

MD5
bc74165ee291b21336ae8e88fc9c0e55

SHA1
1107189ff8f9d33aadccd2203c9a526fcdfa2d15

SHA256
c9d03531703f4f799d7094997b3013c11af1d6a29a03875a471b1eb228389ed9

SHA512
61cb1dd506a8f3a071ee5eeab1ebec737982e87ca9643bdd0a520806ca6ddcf65962590cd2766a3a436d4e381758cb0080de60d6b3c56a25f924106599136978

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
86KB

MD5
693fc6d431468c5bdb75710cca27096c

SHA1
bc3f108f936636e4f004554d6fabd96e2015006a

SHA256
3a73fb6ade13a7191d4731b7fc534c8e19e63cb85474eb264062829a02260c77

SHA512
882ce23eca3858ecee508e4aa97fd86121fb0eca3f0c64a7b401e06d236a6144bf2f8635b09b0c7779a50e6d09d5f12a50cec87813916f25c28ac09b040c7318

Download Submit
C:\Windows\System32\vds.exe

Filesize
137KB

MD5
18f4152c6e4cd5f523b1c7a087464255

SHA1
5ab1e2cfcbb23ac585e13842daf5bd0ca899bd3a

SHA256
08e8a197eeb2b11a9e261839070cb4b1d9eade3e4b5d42db2d8adf6d9415551c

SHA512
c405ef29ffe7632011073b12acc682ee7d6311489af703fcb60c69c67e39028619e1f61e8ea098873219ee1f01397defe459065fe12b5d7256f6f0035a4eb206

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
96KB

MD5
c2e07b18af93c5be3c1ebb8c1a108a68

SHA1
f4d5e1edee3b2e439acf9c024a1ee6eae02896e9

SHA256
48a20242d31001599bca24b556fd8c5cd9bf345a77176f657bf28aa7c3e7dfeb

SHA512
e4ca397adffe02882dd20c3473a719af5b7f380900470edda5d903df36fce70ff77c9f4c360391b24c3f0c853b4dc88b0977c9293709b3e31b54cfcee9833720

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
63KB

MD5
1a52c867d4f31b8d8316a455c5c7ad3b

SHA1
85c13e20617c338a51b7631fdda291d2ae6f9e2f

SHA256
ce5d56d3c207e95b1cba8b9aec6ddcb86225ff04e09ad4e75855eda722264d52

SHA512
cc9ea9a39022099e068b1c2a26e5f8c9237e08efde5529172d0d8d37d14687f009e163839a40b6d5297d57e5d0370093ba1faa7e8baa22f5f1e771ab5f68a97b

Download Submit
C:\odt\office2016setup.exe

Filesize
109KB

MD5
d12e43559fb6a9c73748eadec4edd79c

SHA1
4826885807884a8ded32b3f6683c15fbf0496407

SHA256
01c8d955bff1b0b61d821cc64ef38190a1b282c71a34ab8028f814dcedca9b1d

SHA512
32f7b3e222d17db749928ef6e1bff5323d6601fa91b2b58dd5b04a2959fce9637866447c0856527aa82549a69aa327edfb390483dc04d33ecc33d7b626278b6d

Download Submit
memory/384-356-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/384-425-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/384-367-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/764-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/764-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/764-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/764-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/764-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1636-65-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1636-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1636-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1636-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1976-12-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/1976-0-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/1976-11-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1976-7-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1976-1-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2108-408-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2108-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2108-540-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2268-541-0x00000245CC070000-0x00000245CC080000-memory.dmp

Filesize
64KB

Download
memory/2268-542-0x00000245CC080000-0x00000245CC090000-memory.dmp

Filesize
64KB

Download
memory/2584-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2584-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3100-251-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3100-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3100-245-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3100-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3164-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3164-290-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3164-298-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3224-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3224-256-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3224-265-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3224-272-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3224-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3228-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3228-52-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3228-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3228-67-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3228-50-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3296-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3296-435-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3616-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3616-312-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3616-369-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3656-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3656-281-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3656-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4036-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4036-379-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4036-438-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4288-401-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4288-331-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4288-339-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4368-14-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4368-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4368-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4368-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4516-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4516-325-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4516-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4624-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4624-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4624-34-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4624-27-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4720-448-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4720-439-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4732-460-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4732-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4736-413-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4736-422-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4904-396-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4904-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4904-397-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4904-391-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5100-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5100-352-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/5100-412-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download