092a852b4b60a1f6f900483aba32b5ac7a16e41509db3f5c9aa71e648af406fb

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_6badeae36da5e17b741436e8e10c98ad_cobalt-strike_ryuk.exe
Size

994KB
MD5

6badeae36da5e17b741436e8e10c98ad
SHA1

9f024c70427880652993f77432534a584bcf9bf1
SHA256

092a852b4b60a1f6f900483aba32b5ac7a16e41509db3f5c9aa71e648af406fb
SHA512

39f0609be5ff5f0393d74cf34af3529d378f024b4b8b89a1d3227969b540729c43cbb6f092bd698be6040c5b286051e944c96a85441b6fb537bfe637f3c24fa6
SSDEEP

24576:WYRO7Y2cb+cREIJ8BPuTcVZ4zYAfzjTxopT:vcLcnR4BGcvonTxopT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3884	alg.exe
1036	elevation_service.exe
2300	elevation_service.exe
2540	maintenanceservice.exe
4824	OSE.EXE
3452	DiagnosticsHub.StandardCollector.Service.exe
5076	fxssvc.exe
3964	msdtc.exe
5060	PerceptionSimulationService.exe
4772	perfhost.exe
216	locator.exe
4872	SensorDataService.exe
1508	snmptrap.exe
2892	spectrum.exe
372	ssh-agent.exe
608	TieringEngineService.exe
4948	AgentService.exe
4888	vds.exe
4244	vssvc.exe
664	wbengine.exe
4884	WmiApSrv.exe
4620	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-24_6badeae36da5e17b741436e8e10c98ad_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7935bfc424da5fe8.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9DB89034-DCEF-48FF-ADD7-3238A926B18B}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86593\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e891fca5e466da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a7846a6e466da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012a14da6e466da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8adbda6e466da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004591dda5e466da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b39164a7e466da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000901b1ea6e466da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000feed5ba6e466da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c7b08a6e466da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1036	elevation_service.exe
1036	elevation_service.exe
1036	elevation_service.exe
1036	elevation_service.exe
1036	elevation_service.exe
1036	elevation_service.exe
1036	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2428	2024-02-24_6badeae36da5e17b741436e8e10c98ad_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	3884	alg.exe
Token: SeDebugPrivilege	3884	alg.exe
Token: SeDebugPrivilege	3884	alg.exe
Token: SeTakeOwnershipPrivilege	1036	elevation_service.exe
Token: SeAuditPrivilege	5076	fxssvc.exe
Token: SeRestorePrivilege	608	TieringEngineService.exe
Token: SeManageVolumePrivilege	608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4948	AgentService.exe
Token: SeBackupPrivilege	4244	vssvc.exe
Token: SeRestorePrivilege	4244	vssvc.exe
Token: SeAuditPrivilege	4244	vssvc.exe
Token: SeBackupPrivilege	664	wbengine.exe
Token: SeRestorePrivilege	664	wbengine.exe
Token: SeSecurityPrivilege	664	wbengine.exe
Token: 33	4620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeDebugPrivilege	1036	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1380	4620	SearchIndexer.exe	119
PID 4620 wrote to memory of 1380	4620	SearchIndexer.exe	119
PID 4620 wrote to memory of 4956	4620	SearchIndexer.exe	120
PID 4620 wrote to memory of 4956	4620	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-24_6badeae36da5e17b741436e8e10c98ad_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_6badeae36da5e17b741436e8e10c98ad_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2300

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3964

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2892

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1380
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bf2c3d858a1cb5da95f13df683f3b36b

SHA1
942a534eb4f74f18aa0dcf3eeec63304d6decdd9

SHA256
010496569eeeebc0cd543b6a2a85fef630cf8198f3e515220e8b0bb6b59a0264

SHA512
c3e2cae6701e9764c630cec58a04bb47af0f83d3037fc0c3d3323f7bec50c1e1e1286d35cf425d55105914ffd7c6f06fbbcdf6e6151a968d0812e27dba8e1a09

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
64bbc7df486f7febd9e57574ca70f32f

SHA1
edb1a4e1bbe35829a0520cedd96c9cc3a32401d5

SHA256
b41a13ea02d41a2207162561b8abcf232871ded2c57eceaec358035dfc0229ac

SHA512
d1d80bb76c0cd3b831b6824316e0c760f2608854982280c56c8396e531e73739a04753ba0d09dcfc7001737e64e8b7966432c8444a7377f441f173ee5f0b7a15

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
611KB

MD5
2fdbf1d642fafdfcd221b7cb1cc7eebe

SHA1
e2be8655e6503565bff784f1a1015959910c809e

SHA256
306b05cd343d6ead4e22b392bc78acad8c4f4c12e99bc347a5799cbc3e6a1bcc

SHA512
4c368995f4ca77e2c95af78f61313c00feeb7c99cd408129af148d7ef04a92212d5e9bd47fad49a41303dd6c9efcefe53e0c583f00b4576c28f45703dd68afcd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
697KB

MD5
0ee709afa57744cb94f2147ad60dee8b

SHA1
b04dba90a909f93a1071a96c9e72dce75028c460

SHA256
7433b97b95bff88bc7882e9d6f5fdb6893edad39d20de5bfc0c9e2bf26758ace

SHA512
cf4ba39e65b0314b6457ff48ff854aaaf5ae7ce0e0e3f64f92f696b76dc02dd92df1418936e11037dde8fdfb2c307ad0107230a07279d97332a0ca1082654345

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
737KB

MD5
7f54b567224c3ad9df048b4b2e215ac8

SHA1
6c4d7708d09bb5736b3980c07ad9fec80056280d

SHA256
dca1835bc14c2c2d8f3e0e24be1b54380c228e2740a10d248167cdba62c80e7c

SHA512
e04b1429b1e4a70131e1f3089ca53880107239ffa6608e21ca7d3756335a9eb0e6a57c60391414f0ba8eb4beccf86c12460b39a31b80dd9b2b8c2235ffc0795e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
502KB

MD5
b57148da0a0bed26b2af52fd9deb47d3

SHA1
07ada108974d7c3064a695f25d3c1e5229e930da

SHA256
43fe6407aa88ebeb855da79b5b897ea35b548975b74607b8be2d9f33c6cf0156

SHA512
fed5dc2100bf1d7135c4ff14652ae730f02cdbd9af06e0890fba372510642251f8f4e4b48ceaa43da9099a1b7bcd49e0c590c2bf9a6ccba5db4b31bc164799b7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
184KB

MD5
4dfc72d3785f0c451f0861d3e78b97b5

SHA1
6bd5deae239bd9c03df528d61910f91badd455b6

SHA256
181b49da4e765e0d2344a80c81fd5413b81543ae0f1b81d58b34458c7ecc4ab3

SHA512
3a313243f9d48aa77baa43a39cd37e86716c7dbbb32c22857c062ce8f2f6027598ba10df518ae5843317da5377fd0cb88d5cdec540c5fd63af6fd70043b7177a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
573KB

MD5
4daaefd38b937741364c8fdb0f03bc17

SHA1
acd9f0c354ba0e5d97fb0d442d311a93dd43f90b

SHA256
973ccf535598e084ab3fb3cf7c4d9972bb56091de5122b8a10a63b1f31c4cca7

SHA512
f919f38e0827de2ec3d709b7baf9af3ff034c0b28398e56f4881ab80c43d00daed0c6cd2c158b3f2c091679d19b98a44a326cad91861a9ad29fffbc49f9ba70c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
832KB

MD5
d9d4c4cc55d524437cff2e6be0696982

SHA1
616d8890436651d060cb59cc8115873c05a9b076

SHA256
41d167c64dc2ea8eb12ec813684e40aef52e9c985c2eee986fa3c0755b2ff3f1

SHA512
d237e95fdaa90f2e53649102748b4375ba2f21f7b48bb4e02a3fc942c45fd27dbdea93cc8d7257f850ee167181cd0e2af176c08d09a4357b0f2533335eb9fab9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
247KB

MD5
530b1ee09e2e7214da556fa615e7fff0

SHA1
b15045d882aed933e14f29240d7acdc6be2ccc48

SHA256
d4af0594a141b6f8587405a565641f42f6969e6293926a8479e0866f65a2ec6e

SHA512
f1c7b2bce0aa751f3ec793c06cc7493120d4b20ec8242a642d894459afb0866026398bdad6abcfcf0e8b3670c4a1c80ce6f854f1911ed0a133f7e90ba1b4d53a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
220KB

MD5
355de3866dab1db47ab9ce0191c99e49

SHA1
6cf3ef88e12a5892666399cd7554f729cfce1033

SHA256
8dc78fcdbd420a7dcbabcbb8db8f7b7557a02b8f9d7718f0c82d643c41c75ea3

SHA512
b8f2b586989706c2b9e693f195f6e6d2d9ca74e592551848b6982e144fc8672f6b27e7fa27cbc236bb0546ba8ccea8ed4ccb1a110d2fae0251f97580a0429ce0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
164KB

MD5
47a2f92e5a797490e56572d36dc29e8d

SHA1
7831cb06065568af4435875db0dbd0a9255a5e77

SHA256
47b8eeed06de04dac095c4d1ac6077f59f4402364831615c85c23be3dda1acb7

SHA512
5ac0877aa78a8b80b4a8a181eb8b71080a72f561c2e41a89d6b3eee042296b351f8f056a90f601e07ba464b73ab4ee13f0ab22c78e2a93f4636676bef482a52f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
142KB

MD5
6eac824a672ec68e709fe1587cadb48d

SHA1
1c4b5d8c7d959f564d38ba23032d2b0a9bb3bed4

SHA256
06302a10379e6e5283b8067fc8301195e874a8fd584b175bf94c1ad7d1b520ef

SHA512
e08559144ef6675e58232b965ffe05d21fcfd68d6873ec54d8a266d8013c1b019b3570b2d562ce3eaf9876c69d80707b70d0b4ef7e8687134ba9883bc6382a04

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
465fa535d21bbbbd074a9ffd1ab13331

SHA1
aea4681700272a4692d6f6dc5a8f9565bcd4a07c

SHA256
70d4203bfc6f03d72f23d1fd762f641e382d10178e14ca192cc057635dbed867

SHA512
201ece0e7a8c18758341dec4d9079e8e5940d02e2a251ab74caf0e92a9e11b732e6ebfb41a33053848ef5f4f846865fd2a58ef4aa80ca7b334b711309b0bb4eb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
621KB

MD5
0a717985ba35a40f9ef1d2ec89f1f407

SHA1
37ade20e88e9cd6b9cc41f9b68c8d45861287374

SHA256
1529a5098385147b4f75887d1838a1c18e3b6747b304a0447fcd039e84c195c6

SHA512
581e1f4357ca86a3cf8e3730557502729f886112976282008555520ecfbf4aa9c788037418eabd07fa3454a2583cacd5855fa3450996583fd9bbd2044ce24f98

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
333KB

MD5
0ba8c0701d667c88bebd7b30bf95293a

SHA1
b3fc1c2ed399d085312e7ba36af505054f554dea

SHA256
b45bca0e5f7250e18b4cbe92e0f8798352474cea7c7fdb9c4471d8f4bfa1becf

SHA512
e50a5ad1360eb0ffaee71d8ffbb5393ab498aded5a2370f748463c1a428cf5d298727f445c5a748655207e53e4b1509a6eda9f7ca395246c15ed49d757a43277

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
132KB

MD5
56f0fd3207e4823c9b8723a8a32336ba

SHA1
b656dec5ee8207e916026924feea62c5e95ee04f

SHA256
284d9cd3101c870c31037b3d6290619a3e58109ca735ad0f1fc9f9bb5d3e73ae

SHA512
01143972f25332ec182fd5c5129cb617f7896e0fb1f03b6f6cc77e68db002e513b6494832ae938093acc3361849c17905cc9fb9557c379a3ea2e2aaef640b416

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
518KB

MD5
0e700f372441e543171cce1ed4d9c6b6

SHA1
7b83bf427b64102b2b637f90d1028b6d29305885

SHA256
5dbfa423a4f361c7d14caf859a0a204a0ea68adc492504248ad88a1b51033e4a

SHA512
cc839b24f16e86b7da3f099d1ecb1f98abadbe0dc0ec2ee89f92122e13da65a835b02b7993764c4828759b3eb3309a34c440d8ff74ac9a0071a7de81f6affaff

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
36ae1337ea597616624f37548e32b927

SHA1
578324818235845d67155621e3ed0f98c25baf57

SHA256
a7bd6779ddb33977d2feccfb085a2556259d9c4b32cdcf0b47e2c2b110761ec4

SHA512
b2c54104a5d36a1d854ceaa5f013f5caef9dfec7c4a51df02fee3c8bee154ed8250c5d474a4220a7467e6e9c5be43b9ec53bde41332ebf046d722965cd80150d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
360KB

MD5
004f0d20812d5efa574f9cd9b8e12323

SHA1
bd396ab12087fe6a1cf8b5b563a56cfefb6c3469

SHA256
1ca5bc966900e8b0c221208e9403326f8bb070f48b1253f7c5b0fc4319359c98

SHA512
7e0c4b4fae7835d51944f1cdf2eef3b8ce89bc5b431af22bd80b50c84d1cbe837380866a680bcb1ee3edea0714303e4fb25cf0ab55fc31ce69d615a4d4bc6a64

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
129KB

MD5
1ca26e1f2c3db2d0543a17e26233f1a8

SHA1
e3e871c5ff1ed4f23ea04136dbec9fd848549cf3

SHA256
c573d4bc94d7b517cc1b9a6059330f35cbbd30dcb718982d22472e410fe40c7e

SHA512
c3c0ebedbf36acc64dd4951e8726077a403ff0f915d5b0523cded312c1fbcab9dffb26b86afcfa3f72751b70ca82867025a6e8caa14d9b289cab89b1732ae6ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
47f60d6b15bdef53f923857c9d0e3402

SHA1
4c263061627f3053e3ffd99ab45aa0dba6146479

SHA256
f7302518f94327a4d76a308476386edde61aab48928bc09c3d5fa0dc63da2c07

SHA512
e7a159c76484d1802698290b851c29d9b1f88e8b46c5562163b7698eef6dbdf30ac92b6c7671ab2d6b00a5678368b94214af507d780bf9cf8f8539a80806757f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
cea6304c98486b591e3e50a6a7f67fc5

SHA1
e12f255383ef9f7057a087470c009fa4ef53c043

SHA256
a879e085d7fafcbd9ecc9ae6d0a16253230329ac941fa654cbd45a9858833f24

SHA512
a8bd25ca3cc63b584798ecf26588d12bb7ed9601ef1a05e37eb08cb7a24fe1107e4740dae9afa82a30adf1f727acc5f50faf19375fe035efdc88bd25963006eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
549KB

MD5
5413f810963fda2ed11a4a28bbaba203

SHA1
65cb0c881b73485452e93b0209ac2edf23b203d0

SHA256
695cfac7303dc21e36cbd8bdbe6198c13be81dd617c83e34effae3a897c3ff75

SHA512
672c2ac89ced8e5a8f41e071a748a6d581b1911b8591592a13254acfa23fcff45d2d22a125e2a475a6e9c8c3d7e7c2dd6298fdd5a46c5f9689bb1ffa0cbb381a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
532KB

MD5
99b70dfeb0c339d48b92dde54442e3ea

SHA1
3fc2c633c4b609282d0541f4383aebb17b694558

SHA256
7ebca7720f35771ea748f7e90307eba5afbc3976fbbc71d5793b5fc7ae71e148

SHA512
4448c0131d7aa9bd317a54b328047072d9e4e0c18866b4d792729c127b62797e176c23a982b543c8a10e78d6e283ccb9a6c8bcc602c668dc022578acd98683c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
411KB

MD5
fa03fbb182c7dc4eded97122e78c707a

SHA1
5232f6d4828c480ca4814e4c60b9446c5f7fe507

SHA256
08d8a867078b6d53b6cc966542134fad400e64ff6f0dc73d7b71fb61ef2a302f

SHA512
b1248ba3ab2baab95c72374bdd0f02d1e10f8d090fd8c499148fa8f1dcc4e8b02772b5b8adacc619db9091a984c7e7fc771054b8eccd9e29a2459fafd738bdf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
435KB

MD5
4effc13dcae087b2dd90e92ec0c21de8

SHA1
2b8babf26c10db151ba2f9e681cbb3fe70e9b67c

SHA256
ae812e3e34cda8ac8a0b0af613ad5e552cc053ebd448f22b3ecbbfc966dcfb5d

SHA512
cd8f8c58eb4a03d6922b46224466833a1622370a24d529904bae3a913c3a628f0c123e81bd9c06a6ed68689098253c2312a8474d63cc19c5745b9e62a931fe9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
552KB

MD5
563f1e4c85f6213445bf4bb57905191e

SHA1
367a76b2ed0532a594bad8dda4e8000bb45528f6

SHA256
9ee9ae1d181390a9999dae9fbafd2216cebde5c25b19184ecfc54f0e46d24559

SHA512
907e5dfb3f4c13cca9a487243a193fced80983bc9095b321c518fb001004bcf075542777acec1382473a28acac1d501a324ca5bf27bff901ca5738b6af8b645e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
640KB

MD5
a1d17b247133a249fe1864bdf4643321

SHA1
ce8f3926fd152b89c36d61175e8c9040cc169976

SHA256
d6c2bf0ed976a21a891ba5b568eeb68e89b9e942aee17ea4eef9093565830750

SHA512
02d2263715f9d98c810d91f94957c00ea102a42211a277631b5f5c49705dd15e1ec12684e0f2922164928eb3a3cf0ac4379f0dc1b24dbd97b111856a8b9d028e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3a84df9276fd063c1121ffcafdbe9bf5

SHA1
eb8dfb906e6329697c0f2f140df274b5ff92a9da

SHA256
75ad1de3e0fb9c98786ccecfe35af5eade7cbd48604c652fb257437a66d61d8e

SHA512
8908681472b520fc9e6f16dab43069cf6ae22e60906cef0c88f23ec82e42d814608d58f2d0d8c0d1693f9bd474bdf2c78299cb77bec25f1d29f09cc4e8c4d8db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
410KB

MD5
3f80322ee4fd75b90821d0a6f7562852

SHA1
20abe86dc758f7311b7cb1f2138a97443a3bd52c

SHA256
433201b8af0e8084ececbcd7feea8452a913d9bfa16987072d6fcfd228a1b985

SHA512
8b97ac02fd378e6e4affedb7740ed7a2c0bd214de3b6b3df39c44f225ac4aab35aa6136205051661f06988d03717ef844471eba90dd0a1e1da99ecd39de8c7e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
355KB

MD5
44aa137c98892117d6cba186085fd1bb

SHA1
e74aec7d11f11a3e94bc820d636d4d754b15055a

SHA256
e750f57f51fd376555c50b5b4fef3331d9a49295a3808a5f7b01ad063f15444e

SHA512
df9a2923ad73901662e58c1c35e9949d98079f98be62a3fc01bb305ff81138878060be66571ec35e159d0bf583432c5d53193d9b73fb7ab20f83dde92321282b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
530KB

MD5
5f9aa44eb4ed740bf908c23bd3ed8a49

SHA1
4e5d2ae4a58d9189e7f09ae8b0e754635368268f

SHA256
ee2a9463c74c956fb7c9ffda689fc06f5be624a04401669e955a1f48535f4009

SHA512
8c36aa7de587286718f643011e23d10810a8071b1bc65332984b77365b54d050d42ad41368790a80b25f8b29bb49301fe46586123b508205f81b15be4d18dee0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
524KB

MD5
8463eea9a8918c37bb177ddb1d4caf0a

SHA1
68439ea69e7327d470d9ad8e1eedc23345d0bc68

SHA256
25efbefafc34990f3aa31265db587776153e27ac355cea7a3813016a9149d164

SHA512
671ad791642764a52d9f5f76ef79a0d868a1c1ac71fdce1b4bb4b703d1129076398b22b51c1ead2f8931bd747c6fd324791552457fd17501b33b3c4bab360c8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
537KB

MD5
2b5a14d680321199ccc7ffbf68521891

SHA1
5003c6232e3f1e22e1e1b628a8e87bb5eb42c1e1

SHA256
c8c532ba72e2c2984c760bc8ffca9468d3002adb860d4d8e42f62e5b51d17c07

SHA512
06330254bcdeaa4b2db9e1c9df7bce93056c30b5649a3daec4ab1af2e372ac1d64eb036f8d6664bba9e6d1a6f2fca1a2bb0341f003858039556712fd3db16f28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
360KB

MD5
ab943e6e2d356bedbd5e68cb56b5e597

SHA1
2c63590ea59d4ed36ed6bdddc388fdc562ae4256

SHA256
856cc1a30e06e21e6e484fd9059403290234f49f68e19ba1a0cb75d001d0989f

SHA512
778c0ad8782b876f9582238a46d0545c312ecbb886375cc01668312a68ceb49be07637bacc36642dd5d79848e91a717e0cd68ed29b915ba827b9d9d73fa3d08a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
466KB

MD5
e22d72b4e62424b04c697bcb69149e49

SHA1
2d78b0c89c0e7328d3c78b92a61c4fa457079bac

SHA256
65d2703a01cee53feaf844611f1fe6164273bdfb3f7f4e1583e067da5190e7d8

SHA512
536e6764c6b3482737acb4cf1cef5dc3981087bf3255978301b5e646e86386b264c2b06641c7ab2148f0e4f8e16994d1636a8131f0b19586130cc673cf25f729

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
526KB

MD5
36f33af9463577b8b96f89306ab61e04

SHA1
7e6d94ed0b34495fcc269088ee7806730293ed6d

SHA256
36f78b63bead7f97280bffe22a06088b85e75f15f58ba63facfafccbb55301d6

SHA512
5a6d2dc3b60770b69367aa2d9421973357bddc1cdf40c0fb1b10199a12ac42696405cc471bde2952d59753db07072169ff9dbc3e30f54b9f17c454b4461d36b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
132KB

MD5
135b774469b4a6ee5c0bf5197454a162

SHA1
63a02e5aab94dc2d070c38bf30ea5b79ca6d02e9

SHA256
b4572d3a04cee1a0ec4b9db2c3d71a48704ec0d3e9d193b9c1d5584a05377b32

SHA512
4c126184756edb605378cecc5187afda55dac14f5867c54df3ea06aee283af01ba0730f516de83b7b6d2f79d79e7717b2756b9c4630a7a3787033f92a723e119

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
79KB

MD5
8c727a591a5cd28f79bb816aa460c552

SHA1
7c724615ebe4d8a14fc75ce4ee4abeef4110485f

SHA256
4fb7ff346f7c8d3047eb03793f53b342ea88f1ffedc75c2156da7eeb291a7d7c

SHA512
f3c9eda5d3c946d0f470cafec84918f953dcc8822bfe0bc409533817911619a0ff76f0e30f60a02a94079f8d62d80e12fad0e33fc8a8ae196d8b53d7fca5eb8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
73KB

MD5
8845d9df323f414e4563b864e752b520

SHA1
7faf33a67822b520b5ca3ee6585ad5ff76402c48

SHA256
9ea57a83f5cc654213d75e78982b5bcf470b1142780918f25d011d83306569c6

SHA512
ec4a8651625ba64afeefc22be3ab192061344492476610061942e777390e7e9bd77e1a56660c9519e2deee7b61967a03c1ca1a4e3547d5747c436593ddf351af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
65KB

MD5
ad14698f07818301ffd71039a189ac4c

SHA1
6c53b0b794cb67ab08e92c1917a5bdca23f42845

SHA256
37466fccbbbee8b7645d646fedc231c4d7c34e84432f7014c5271e676c047c94

SHA512
8eae2fe14ca350b0c403b4d576e2b6c2ca32ae9dcfa869846914f2ff4392866fef442abe0820264f00d16779e7df59bd01ab1027e4dd72267a2ba3b7bc438f48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
128KB

MD5
883d46d0ce7df9fa4593f518233761bd

SHA1
f3fb98dfff059c4bd662313783a6ae195cbb8598

SHA256
722137937d2cc70ebeef4c8afde60f86ffd6c0ecfc51ffe80e37e5063dca6879

SHA512
fa0eeb90ee3da27fca9dcfec8b126cdc0f3e8260b20218e640451709ce433805f5069dc1809b91ff9c584b54c246b82199ce7ea9f72185436d7dca6e3194f9aa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
391KB

MD5
ccc41b9cd8a51628d48db6a9ad014de5

SHA1
bd0a0853e8a513f372f869536e0ab075341853d7

SHA256
b658cb258a007b91d4f1d2d9e1077d3ce223cf033a3f380be52e7689c76e957a

SHA512
75a5326d7d48f17d6fc2db72b4848dcd3843e20eb457f545d916acebf3100e73455cab18621e3a4963a899d83fc3ee0c54aa1c870a6d11ccf722d3037ae7fa6e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
88KB

MD5
ed75e7a39fd2d6b2b6d2d6962472e831

SHA1
70b0bbf32e6aecb639fe26ce839daa655c9df17d

SHA256
9047e59c1c0b8a8df565954215bdfe786d83b0361ac708eae9724c320b6483a8

SHA512
dab4a1c7986764bd3fee6f4dbb6ec80e0cd6de6a7a2b66e1109d7bfdec9c040a7b1f97aa41d6f77220df25ada5570d6007d4e8903ed9fd4d74df63db687e39c2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.3MB

MD5
1d7c358d57e7fb1258be9e863c146a14

SHA1
aee08edd0d5cee1ac413c750d9f9666f74d742ec

SHA256
3fca34248da55502fde3c7e16e37c0a99807f526e97bf3d86365b55d604e7a92

SHA512
f777bfa5bfc28c5c9b44095bcf2b05f72ec0f160223ce9633361d8b927bc639262b455083cde56bf5f02904a1f17c2141061cf7d196f5ccd696c5cdd160f792f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3c5f951ada149ee26be09edbd85971de

SHA1
077c41c8ae9206b85d2837f02000d97a4b62147d

SHA256
fb138aac5104ae3dd19448822bb504dddbacd0b4ab2db03bc91f690e1fe7de65

SHA512
030cd7e50836a1a61b874f37228ef40082bab740ed9101a521aeb282bc3011829e2dce0396af38c667e20a702c935036d8ed73586d9e8e518c568c219a2f4dd6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ef5b948daf0ca0fed8690d563a511a9e

SHA1
c6757ddf0b8177321dbe08a4dd84e0b96d699f7c

SHA256
89ad85b38ec1ccc1c0655b0600e47b247c76b667bce8eb20319e1dbe9ed5b13c

SHA512
7c251a9bb5db2d5fa0c98c505a854681ad66bb64716fa570734b2bb25a181a78e90c1a48ed40a39e44ee947c75d5130ab011a3d3b89ae019f12e17866b4a499c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4f165f4cf1afad193b8d4cba8fd90e71

SHA1
fb779d89685eeff8c2a2fd7fe27c471dae5e6f20

SHA256
e2bad7f424bd57cb8be2a9a62f32ec006c837a089474326c07e6b569f580da5f

SHA512
1ed98e88e24f26e577030d897e81953b1e0e3f369a15866f69740879b8c896607fdafcbd4d3ed6c58fd7ad8e2aa3fa03d736a46b98893691cf4ac678431653a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
527KB

MD5
7bbbd20d9cfa2bcde3a70088aa03e878

SHA1
faba74ba8e7579932d6b6f419505a2422c668b74

SHA256
aea2b5319cbddd32f8363672b962cd0fd8e88aef470a51833df3e4ebc2ae2752

SHA512
841b25e61d8c4970d5d2b42dd33f4ab9fdcaa09ef3f60ceddfcc37b908523df32ba3e63a21ffdff27593a52ab4a576eb5633662eb23c00cb364dcc9b2191eead

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
606KB

MD5
04d3126f0ae1cd6182aa29cff79f4ad1

SHA1
6e44d185728770346cddcc024329f4036f310028

SHA256
6a8664f64b561b4b7f1bb32f32bd0ff6056a8763e2af7f7d0bdde8c259ec1f33

SHA512
d92fa46861a5c71b1d4b963bae5229deae4e7c07d56fe018352d0687f37beba1783b110053e617bb545b3bfefb52031460de77b8ea17fcc6dc6345b740a0ced3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
631KB

MD5
cc8e31a0034f40868634a1d3c002d6f1

SHA1
868f9c3395d8eae07d47aa3aac63cd00347ce3ce

SHA256
378e0aeb488fd093eb1a6f99959eead79d21c53ef5a3b60912eec454e1182107

SHA512
09db584cbc2d24b003fe926974061c1fe6c175f491b724365a84ceba3811a1ebc205d762d0b04fec93c1b18513507cb21111d174c511ab56a8cf7f0a432a0d0e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
563KB

MD5
296c84a67f876ecbc1b661b989be23df

SHA1
ba563c8cd9c3fe616d92f8c9412cc813c07acc81

SHA256
9a52f0193ced32bef23b68b6e7aac190b2a511555460a20607a41d5e701f78f9

SHA512
49ded27c8db0ba031cc45512a36e10b1e2a6d4fbbc5878d337e0812f6725f18c5fc59ecee1e167ea9b495df2b5feb597efcec9de9c230b725a552a9bdb1ede6e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
967582dfb2be8af53c2366ce3acb455c

SHA1
f8d93325dfddc6964cf8ff4c8910cdcd4c9dc36c

SHA256
81678d378c71f6d4d768d47b3a5b353012a2254e314ed7c455305702517aadd2

SHA512
504b89c64f1d541cc6dca6f2cee652419d23e3a1e935ed9e2831fe725159518754ac718f4f8674b4ed7c6e97f95d6b0ff87b4c80289032f726c5064512ee19fe

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
940KB

MD5
87115d8567b1df03f9537290007bd335

SHA1
b7a637d33cb2170acf1751fea7f0263a6e226c5d

SHA256
d579bf53a7a5d9780cf5bb9e4fb7462cbb405d504ecbcfb80ce0f647d40b8bc3

SHA512
785b30083ee14484c58388bfd310c56d4890979181b4705e38c99ae4c25b308d83565379ed118b5c687e8e8e26d6193737942404696035f4dd2953843f10f12e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
62KB

MD5
774c985274b133579d11932f26eceba5

SHA1
dae4aa5af8575799d11b443155bfa04787df8a4b

SHA256
51a03906fb21822d419f9e5b6d1844c4d692fbb7e8653f66245cb5793a9e5088

SHA512
8107109afa972b489d92582498323605ea3e368a48da7e0f06ab2eab067ff4ee95a9e9b30d3b5953d3a216cadc9f1a0e0a298caebfca087f78f3f94458ea7329

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
998KB

MD5
0108135d5641cdf7b3c04f53f75be34d

SHA1
c04c7cc8aa2a486bee093d97716c11326c85cf25

SHA256
dc2d8e65635e822ed4b27cc651739bd8785ff84fdd57e9c21b4282075dac3694

SHA512
1dc416f7e84845e4986e34197ad0549f676bdb22e36ac4c661f35f6eb455384c487ddbebc88c674d471889c1f74e4dae47c4bbefa1005c58896d4d78c2047875

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d85ec814c16a1603c1f98e602ff9ae66

SHA1
7306c9c6fc385aae45f169430edc10eeff60fb93

SHA256
167e088a43eae5e7aa6cb7a334a8c45b2739484c0edf4b0170029d228780153e

SHA512
0ddf5e04d8bd41c47312434be4de39db99592c19161b8b6b12e631f5e28b74f76d9c9a03a634bfe667b9b41c0b8610f6a35659480a2c6e0e95a9e3a14336ce05

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
792354f7954f8f40a3a654c2bd585bec

SHA1
762d05e6ede57fda863fb1619e937c0b5165ace8

SHA256
e9e8a27fd7e0ebe19a4ca2f60903fa582c731f27fa2fdf8fb0650d45b1a8cc03

SHA512
a15d6766ce37da812ca95f8ab98db1be5a826f6ce3a6d31a9604eef9387adf8252d04e5ffce19edaf2656c7729be92d551917a1178f7d8346ae6cb1821152652

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8076cc97a32cbe0a574e274b427b9cc6

SHA1
c181c37d8e633b0577ffe7a9e11f5c873169a080

SHA256
6b3ac6fe9d6340e4b7a6d8400e95be21aa29270aa8915b411d8bbaaeb284de8c

SHA512
db43159bb16dae5be9b65362da46ae8b6fcb42e66e2256a82c5c6aaf2bb4f207711eebd624c1d21d0161bbb22f6040f08cf0e5e11c04c3e931dfb7146822fdac

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
acd77954bbdf7f2cd5a601358fea6374

SHA1
555173fbff97afebe9c8aa991f25681eab0f4467

SHA256
cc673d657c4178e5951ea5e1e8737a47e6133564049ca3962703ff24af92290d

SHA512
3a7ccae2127835e2ec3ad0f928fa2e4820d36d679f2e80e3693332a554bfd5252a9b53e4e26daac39cf91479885aa8d3df4029beabfb10663f89ac48cbfc52b2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
709KB

MD5
b5de740200363ad4acfd6583d4517b0a

SHA1
25cadfc646510a1f641287ecd9750b10b968c6e0

SHA256
d60caaacf71ffb454521f348781bf0c6a67385e32a18d63549e74abd78f8174d

SHA512
0b45bbfcbabaca95866703eb2ac14153f67bbc8db52576dccf0f5c5630fa2e9e49bef333492edfdd2f517d7a2366cd7a0342753bb57d44720824da9ad0fa0bf7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
188KB

MD5
810b8e0fe01aa23e2683e9ddca658497

SHA1
978dbc6b4a748f176107b9c12faeef89df8ebc17

SHA256
d88c61e79ec1f683a4f8725d9536bd281260ed5120e0d69eac45d3f2c4fd76b9

SHA512
ecd9f2288acd517127cfc2b99d0d96800f723d2e6305c8ff0b2679ee0e66bb40e37a479236d0558c9f7ad28b9aea3efb1e27f6f5d5b11561e7bb62b97d6cb296

Download Submit
C:\odt\office2016setup.exe

Filesize
839KB

MD5
27526a4a67a4bfe64beab281c185ad2a

SHA1
f0adc3474a8808cf8be617faa70ea2c843ebd5d4

SHA256
50f7f6b8466eaa9bdd6d2e6bb6a464c0affe175ef0dee40861d9586a3d1b0157

SHA512
c72a1d19b5f52e0b359f4065f43e42e69b48d05e815d55bd53320328b13a07706f1eab6efe1d11f3032518dd07cdf14c78a776229cd25c2f61b5d2d9d2a567d5

Download Submit
memory/216-313-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/216-304-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/216-370-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/372-367-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/372-427-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/372-357-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/608-380-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/608-440-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/608-372-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/664-436-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/664-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1036-35-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1036-28-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1036-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1036-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1508-340-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1508-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1508-402-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2300-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2300-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2300-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2300-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2428-7-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2428-12-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2428-0-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/2428-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2428-8-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2428-14-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/2540-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2540-51-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/2540-63-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2540-60-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/2540-57-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/2892-352-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2892-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2892-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3452-312-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3452-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3452-244-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3452-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3452-250-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3884-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3884-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3884-194-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3884-16-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3964-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3964-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3964-280-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4244-424-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4244-417-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4620-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4620-462-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4772-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4772-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4824-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-65-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4824-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4872-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4872-383-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4872-393-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4872-323-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4884-449-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4884-442-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4888-410-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4888-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4888-546-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4948-401-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4948-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4948-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4948-395-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4956-547-0x000002CFCD5D0000-0x000002CFCD5E0000-memory.dmp

Filesize
64KB

Download
memory/5060-355-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5060-293-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5060-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5060-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5076-271-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5076-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5076-264-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5076-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5076-256-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download