235affa198e8bf00b2462cfbcd4fcbfa3b4476c8aa2acc97bf562b0ec302f3ed

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_ea1e1cfd043c209af266971d73349039_cobalt-strike_ryuk.exe
Size

796KB
MD5

ea1e1cfd043c209af266971d73349039
SHA1

90cf60d715371f9a1482415f8d31bab4dc3922d8
SHA256

235affa198e8bf00b2462cfbcd4fcbfa3b4476c8aa2acc97bf562b0ec302f3ed
SHA512

6745e16531128e8746b67f2e066688519169b3ddfc91a6ac075701974be90b486621cd34c932fa05abab8a76f372c9941e82c75504b695b019be29c36bc3ce23
SSDEEP

12288:pXDCAZzP/w24lhGMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:IANw243zSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4024	alg.exe
4540	elevation_service.exe
4568	elevation_service.exe
1580	maintenanceservice.exe
4040	OSE.EXE
4016	DiagnosticsHub.StandardCollector.Service.exe
2112	fxssvc.exe
456	msdtc.exe
2356	PerceptionSimulationService.exe
4560	perfhost.exe
1000	locator.exe
2092	SensorDataService.exe
4296	snmptrap.exe
1052	spectrum.exe
4488	ssh-agent.exe
4640	TieringEngineService.exe
3224	AgentService.exe
1444	vds.exe
3316	vssvc.exe
1396	wbengine.exe
4656	WmiApSrv.exe
220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\91307cc146f975ab.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-06_ea1e1cfd043c209af266971d73349039_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f82fcd972988da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000825a96972988da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d91e9b972988da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ed08c972988da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8f10f982988da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000989591972988da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053e59f972988da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4540	elevation_service.exe
4540	elevation_service.exe
4540	elevation_service.exe
4540	elevation_service.exe
4540	elevation_service.exe
4540	elevation_service.exe
4540	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3780	2024-04-06_ea1e1cfd043c209af266971d73349039_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4024	alg.exe
Token: SeDebugPrivilege	4024	alg.exe
Token: SeDebugPrivilege	4024	alg.exe
Token: SeTakeOwnershipPrivilege	4540	elevation_service.exe
Token: SeAuditPrivilege	2112	fxssvc.exe
Token: SeRestorePrivilege	4640	TieringEngineService.exe
Token: SeManageVolumePrivilege	4640	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3224	AgentService.exe
Token: SeBackupPrivilege	3316	vssvc.exe
Token: SeRestorePrivilege	3316	vssvc.exe
Token: SeAuditPrivilege	3316	vssvc.exe
Token: SeBackupPrivilege	1396	wbengine.exe
Token: SeRestorePrivilege	1396	wbengine.exe
Token: SeSecurityPrivilege	1396	wbengine.exe
Token: 33	220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeDebugPrivilege	4540	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4556	220	SearchIndexer.exe	121
PID 220 wrote to memory of 4556	220	SearchIndexer.exe	121
PID 220 wrote to memory of 1936	220	SearchIndexer.exe	122
PID 220 wrote to memory of 1936	220	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-06_ea1e1cfd043c209af266971d73349039_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_ea1e1cfd043c209af266971d73349039_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4568

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1580

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2200

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1052

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1820

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4556
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0fedee533d8b78d116f2d0e300ab9499

SHA1
2d3c82014e26c484f6d914cdba98dc151752da2e

SHA256
417cb02b56444888061a324d20c1cf45f3b92bcc5287b33c3488ada5ba40dc15

SHA512
b5894b98863387f2bc011e828c82c19c26f52760b6f46583523eef1fa937f96620a07bfddf703d5dbb2949cf64bae5c8a5f6a3727a3304f2adb7c17743ef2608

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
8d5be2497c4efdab012795c53848121f

SHA1
bb9d0ddcdd3e9e88e485376b78f076b477d7ff7d

SHA256
4f8c3f2594b4705b55ad45674c98feff4018da7c9f693902d850502c144d9bfe

SHA512
49486e1d90595bafc15806506516c44514849ac8a5b90a341e893f68e967d8022f66eb7e35d7ca2e34e12a7338a8371572c2d4a3fe56ffb76503cd50df1be9d6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
50b0d4af051f20c3ecbe7f219115912e

SHA1
c4e3385b7ed644c617661dc476113c0f4d6a1c26

SHA256
cd07f95284da590482fa7176b1c85024e707f89642bfe6c53a02c52d3041e709

SHA512
e0dd6d21c406bed7db80837c47a90c9d62c7677a26d1d3c66853e9562dae4d38ef7378289f90858d3723f0d52a23514fecf38aef2320d75b3a95cd302f603429

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3d5a0d78c34b94b24bafe1fb169191c2

SHA1
2784a0602a504466d6118ce8a5d6a81d1f1ea60a

SHA256
2b58a562c56026b672d355d5ce934eab0c682445a12f93db13c46322f5e83bee

SHA512
16cab21a82cab21023dc78c348fcab83883a64ae5f3e3ab17285a917130512d92112c8fc350874865a8401f91a2c7a9353ab592511036ae6772cd43824876993

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
21d91c7df3704444616f8d2f7cae1f36

SHA1
a58b74f701267b3dcc3927933eebe04bffc9eb71

SHA256
d7627f7f7efa2e5ecf1d0debc1221d120e0a7de20d28dac0b6aa37bf23a640b8

SHA512
b55148b7fb3c29dc7102aea78e7473d068f9abd2eb3551d92486d9086ff67312d0b52906711d1159462ae6af08c926185b437d742d6a6f80f669382ca1230310

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e8dc7e0721072a50113cc8abeb7dde05

SHA1
30558004c127942f0583aeed7b81608853f3934f

SHA256
91aa77707e687f85192ee418c9e4e067a3db2e62bdfdf5aac06641bbab4dd091

SHA512
50dcf8000941a7aaa2089a4166b50e3b8c1891eefd1836537901a830f8f76e44578ef642c5d68a7d0083079dc4f439a5f9ba3a352bc066e961f1f1834a035972

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7c86da4d48209d6d079570dc50a70aec

SHA1
207c232d0b483fc5138d0af3389d99fbad3c4b28

SHA256
950ad7aa25b4b40b629da15218ec9634ab2088ab176c5d952549d0772962bf18

SHA512
614e47fb18dc2e07ef94b80deed2e8710db6f78c0f0503f03451eace9b55083c41f8ed3280e3fe02d1e25ae5e9ca1f51936293a09cc3f753db5403f24c922b50

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
707dc408024b90bb66674ecb0bb6e1e9

SHA1
b12722f0297e89bf78fa8d422b84959d663463d6

SHA256
27a8eb1b4b09ab954179b7bc5607e94a89d27660add254a7cf0606440f3ed357

SHA512
b1caabb88532820b89d012c786c1b1a121791141d609c703f2bc8766d6cc785ec9c77614ce0b00b4b962a0a9c4940f88c6d6a1dc3664a05562e6a3fa79b1ba49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
2dfddbe4f6874e868d97634f63b35058

SHA1
0d169d0ad29a511bb0bb6c71b2036b65baf2d32b

SHA256
3975929088846df9ecb691042f31bf977c72f50d386389be30252f446eda8290

SHA512
9dad49f1353eaba424a7ab36e7f76de5f42207773ed69cbad0036789c5ab8048745a17c710770bea256b3f1519e0d7cee248a96a0b39faaa96c827c6d40b8350

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5c2ef178841b29fb11549046accd5f95

SHA1
d62244f36aa78fbff9dfe7374d36ccd5c1e9676d

SHA256
c56301bdb4b3a99e307a3230fa829fd4059b45a898b6e5180b628d5888f2237f

SHA512
7149e98a277885c7b18613878729ac29cc6b4dfdfea966d1dfda42d4317c813b841835fa2234c7d121a9c24bc5218a549fc2909a08e0750ef8ad43ccec7915ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
be4b0a8915d4f38ef136043a1f3cad4d

SHA1
9e56855e3d26b9b4ced34c64ea069d4165a19560

SHA256
d3e930020716c73895bcc09008900b4ef94ca54b0cf904d3ae7585481ea372f3

SHA512
b38045fa66ce9b306a8792675b268a4a89e31686c1179fcebfa2976c2b2011030ac8b22ebfa7dc4c03f15aa48d8bb35e04cf76ee74a75332009b20f007e80a7d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9d52afe6d5a59c5fba82cc2780b52a28

SHA1
f5d2f2ec4aed934d24d6f1c912244d58092e4c3b

SHA256
75e63dbdca387cc8ea13399be00d602bbe596179020e78e6c996b7c032488cb0

SHA512
a0385a887b2cce531a4ccec9e258137bf254596046a8c63a80b15cc7df07062be69baa1fbf3ae28e22b5212208dc19d195d31bc21c7c4ea4623ae324a9c11198

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ed1f1b3523271fe61df1e566087b68d4

SHA1
e56ca55f10d752096e3be8f087f5bf01d3eff060

SHA256
f1837bf34635c59e3f107cfeb5447a7da26a83cb1747e4f0d81badba2a1f4782

SHA512
79b6acdd0a7f2ed929c354ebb5b982841115f576dce2674c79936b2fa262cb70eee5ffcdd65b8f180b390a959adf5b5b372742b060a1eca49cafa569e5913b5c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6ac1bebf7e593e66ea71087ae5909aa9

SHA1
47288e1f7591fec3f722a53988091ddc1b5427b7

SHA256
5a98341217693187a1cfe650ab2bd51a1605da38e821d36fd8e59cc6e7b7317e

SHA512
fa18d2c588778e5a4b00c1009664e00aa87f9a8fed01818a192566151a3f11e4c96e09014229c642f5c71d7252726c08c08467522639041706b22e42dbba104e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
9623788842d2df57e1277cd5c8e153ee

SHA1
e2af2652633450ea76b71fc07b19d8aa6b338073

SHA256
4e0ced1eedfa310200cb111573a054c725bd98c02089e3a1c66e5589958a7abb

SHA512
42486c9642899ebf8e37aecfa495358b892bcd3d4c20b84edd65bae0a719bc9be10a13ed0affd2f90702a118ac64279417d0094bae9d495f7879d6bc67ab7404

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
b28e13ad4188b2d8addd0f7ac2bfe084

SHA1
f79cfbffe101830e6d607179f3c5d47e751eca78

SHA256
2fd902af8736ec14e39fa36b397c0fb59bd08c75a9789af3add91aee561e4b4e

SHA512
685b9c1960905b1ec9520416839b20624e7584c1e648cbe8fe6d468a8fa8ff439dfbcf5d91c36c0682cbe63674d136e1a01248149b1a359fe3a7832af42c33ba

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
db148a245d003074025ed17b1ff231b1

SHA1
5c2dc42a0812193d5f5d273e2a383d58f6cf2058

SHA256
2d680c2536d7fa59f65e1300406924785ff0f19d50fb33b3ca1bbf50d7a8d257

SHA512
8039124aecb041ed0a4ded7386bbe453d776b65159340a8ff5bda1d0cf1a90f438d0324f7b70e883f439e03612ca16af5271dd728f961087924e62725d6a902c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3325eb9658779f1aa3f417f174bfa21c

SHA1
a8aa04391de801958eda35b56db139964d9b5531

SHA256
6d04b0eef2e2eccd60cef759348c35580c090f9b2ad0219a272a04dad9a0d463

SHA512
1858883a3f49d148ff52a0a466b650b4285015f23766ad124b1897046589d8858ac02faf251194aa2f703d42abe31d1e6d7ffcc31fc6492f53d48d555f818380

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
918a1d8aaf05c5cc822f564911088694

SHA1
9f8a55573d0c95c91e981587418ed6ff843ba64b

SHA256
3317c2ecfdd19f64842ffba6857dc5a948c329b239f18580212e926b50900fa3

SHA512
bf41188e2b0f1f059c4f0553cd2b893589e9bd9c9d3f27f15d48521166aac334353fd24018a7d0e51e89d5f1fda3926aa179b35f99fe9b7472fc1102ce1b71de

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8c66f83303f9151503a2c532cb085533

SHA1
0081757dcbc68c57b0f1067524f1b10f55dd4f28

SHA256
b8bbaf55aa77142f55511cac8907ae79b957347023c220f98fc6a992e7725afe

SHA512
1dab649b804ad4d068708a807c60eef1a7552fc4174c48500cd483e18fb2487f1c2b08dfb74e6411e467455bc9b4f84701a0e91bc47c48f239937a2b07721057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8a33628501139c31adeaf200fb920b3d

SHA1
190fc191afa40c48ca2948b2ed194a340f5ecc84

SHA256
818291dfdbebf776916803036bc23973b13a193bb8cfe7220c75d85d7f8d54c4

SHA512
14a9939da127d65386ca13e2b969e9cebb3070b185a6a6bdb57b1408f9a6ec5d56ed0cbb6f66926f3f88661ae89b3317281d7658e6ea93b12bc544678a4af5ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
dd8f22c720fdbc5c86a1cc05be234097

SHA1
682cc155999a71f46bbd6e05bde840d9375f4905

SHA256
bbe73811a3db33d3e48cf1d8e9b71ebe19f8ba6a104893c61a77a208331ff2fe

SHA512
7a6c1a1fd10384fc31f3f59a4362e76282cd45bb35770fa16df740940f99f47cc63e36859d63d7ac8f35f1a91ac6c190d9e12206e0b93a2f14b44aa1cee12b91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c4a891c78da60d0f348ae7c66c7ea248

SHA1
2230edf51f952395f3a363c506b888e51b0f75f6

SHA256
ca825ff4042f41b9a43def4b2507a131092e0c0c98af1dba5f5cb7dd67e1e3ca

SHA512
6d32d6da89d367b0cc07e6a36f46d357aead2d0a50aecef12874a05cf68c346782694010a6f1cac568f777770738a4921578fd830026f308ac73ef75e6f6801f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
79110103c6d56924e5c513e0e8fcb222

SHA1
cd3eb74e2aba45f09789e125dd334b4eb3b18ea7

SHA256
ef4f565947ac1718c0444cc895ef40f1747245b6264c8723101aa06334e4ad6f

SHA512
22815243d3f95d1e5e0b1b071929cfbf08dce01349e10f98965f0830e192c795865a9078f250478ee7621597c902307ce9a573faefe00f78305f4fb48f81ec99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6d348afe2a39d7a44c0910cf7e806939

SHA1
a986331efea0e9be328b1337e34672a88ee2b8a8

SHA256
ce5ab80ed4418c21c6b8982c0680fb125012c653e4ad334c5969e9d683fc26c1

SHA512
a641b6232e2663ba4c017b4ccdd3408a9587f932fcc29822373969d05b523b57fbda8dc522442d8d782948d5a3aa1f99f6deff175b94ce7c1125b64edd48910c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b32ad7cd585dccd8968a7ae54e7853f3

SHA1
64266e36b611877115fb0e4244719abed26ad6d1

SHA256
3679a88a749439ee07511c1f6d0e59e685200dd44574399b2709c6406edf56fe

SHA512
c78c3a6555a0177e670852d1bfee5aeda406144f55abf71065391411f43bb9adbf0cbfacc2d4d65c9d7f198ed8325bf613f40057c62b448a7d542922da6224d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
be8dd0b4496a4af3233fd4fa77240a93

SHA1
d19fb0fefa0a432f8724c3751f1f65b2ffe09d43

SHA256
1262b750e7ee116d53aee02961fed2d49683fa4f1ede688a71682fed4739ce60

SHA512
cb803b90af2f12aa5d685d7c669763918c8e6b80bb0e587103de7e7e943f977d0eefb9a0891cd55c8b73700c2dac19dcc20123c87419722ce6b080532dbc0b51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
593f88353bb6e60520aec40585d9762d

SHA1
d5c5d898968a6435a75c9e5d968b6560336328cb

SHA256
fd737a2c21c2dfaa0e84b9f35ed9f1b6b2a5b0a5ce7f55724330a1e4bf74d13f

SHA512
e07e34e833f49bc0258274d741f60ed857fa420d223d23f53ec0cf2f80ad565c6000557629c5d5df48e02d91f36f09ff8fedc865a17d5249fd4a0651e2e78825

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b091aef683fd7f450f709f3f808ae6be

SHA1
3595efd164a49bbb36f0a49db01b4c2386184b67

SHA256
5b5d563095575dd1b7d3d6a5fbfe6c02a8b07a2ef55e7117cf94227723638c27

SHA512
79f6641b764afac879920bd8dd88c63d50f76a527172e3af425294085b22c0373b6b4b014ba883212f67350ff17f18b6477e5e80e8e0045d20fe4959ae071c4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
87420300d72ed0bde5f98d7e3ff8533e

SHA1
5a7a48d3cb7ce3bf14fa2ea5960e574a477ce877

SHA256
2467223875cae09488f70abba0b713cacc0b8601f99d1f529c4808dfb62c5943

SHA512
1670635f1b95ff2efc4a1d0aa13edcdc1b2eaf04bb52a9b0f91bb5c6effb9c72d29213de405c5ac2d301f5eeedafaa0b09752a8a4b59aaf37c896cda186511bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
646dac222416f5be726c68ee09f7e487

SHA1
db3a38d4423f245a44f21c653a1cf3f0f7b69d71

SHA256
d80f8b4ce0e928cb13076b7e7340758d578193533046853c6aaee1cc9a818fa3

SHA512
0f5134eb22a080de85c32d41a577cbc0ed40e259e0d53f12bc41ab3223ba384bbecf50803bdeb44128aa56a66aaaf0153d3b4641bd2e52bfcbc06e91f061b1ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0990159e969bc02107aae3d2d5f70599

SHA1
958e799002623daa806a1dd450b97dc3a60e9cc5

SHA256
48e4e8728e91538b4d86657a87c8947ab8f70f3152aec46182981a23dad51b12

SHA512
b6d87cc48ed271d507da6abd704e103e6237ef3696d245f929d611c6e8de1dc30333b9c2140420386be120ccf0b51107e29f212db89b41a7a85ecf760de2a4a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6a4c238418639e93826a5b90ad951efb

SHA1
b80f67443442caad5852ac5b1219c6a9f567bcb5

SHA256
f2ffa75bcbeb390c586a2550256f58cc869ef0513863a80cf2b4a44d81fa751b

SHA512
59d001f7c0107ca476eeeb09d3f56e51c9ec555fb7443b4f35b19c59860e5645331d0e10518d92f7d15d4c8b2dc55c7733122085c4405fa5729d555e92c56486

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ce78771a243c8539595ccfa295fc0b36

SHA1
b07c71c1b3c667649993dfd915030fd39bf950ec

SHA256
732de0a7bca61195b52cfb8414db7a4b75b502266b4c19b6aae5473a6827555a

SHA512
933540b705784bb0b84d89aa5fc9a315c297c2aae3c2754145f9d05b1caef31263c099f13905829d65b2729b213563e8f213a88bfda8e62819d739129e542f2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
15d8bc2c9ea9c3911203d73e2d81a4b4

SHA1
b2c7af943afbd696124575a7e91e3f265e1abbf8

SHA256
27eae842c5568936bdc2a0a01a162e41709d35ab25972f27dd705674c07f2a81

SHA512
289256110f787b460e441c78af3989b5ceb2aae5c4ba0412762b7642019e542dc60d5f41e4d8c2a95b0ca2f983dd9a6d44d04a22177af5b3ddff3123ee9a3172

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5d3a2427566824b936ffaedf2e663773

SHA1
27559ca17f967fd2f20c15bdd2fd83c8a7ab3b06

SHA256
aaf109fd4bdf6696477fec9109e1a0823ed72e91976d85603cb01801fad73a24

SHA512
3e6e5dab640e1bb2531591c4027eae302d1a5fe70d320e3bb1e16736bea00afea78c90d3bbe426cb46a05051b48aef0e327b054985b88ba85c5f53e55c4a156a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
489d5721a1a1d2189f8544b7164c628f

SHA1
7b7eea8aa8f625f24e68cbb06b1256fb774b9ca8

SHA256
c885faeb2ca6f34915a98fcad4c6f23eff49f8327418f87f8d3339bf3fe9f4f2

SHA512
c8d66e314d860a6d0fd66667f21b3654a5b48ecaa91b813f55d6559dfb15e9c084983e9b95e55e7890d833c1ac81091d7f9b4fc90e831c245ee503134394a51c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
c3a32a3d8a51f46786c844f2044bce0d

SHA1
f41f14a7329fcf347f28cfce45127c91d2a305be

SHA256
82275643e40b96e9be65b4b3c8b1e525da31c6c0b59cd93009c00e5f57d15001

SHA512
a8127db5a5bca918d4a37de2fd18b54a31d4ca85dc2a677e1b71441f313895750c27a7305ac4173086ee7c5a5e9f3278d72e0a6fb200a827887b14eec295b697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
dacbc8f4e0edbe18ca6a9b46179a15b9

SHA1
68e440b643808bc992ac5de19cae1200b5f5c6a4

SHA256
e5db54dcbad23d0b85713f0ad7a0869565d71c8153b89ddd81bae906f8080c28

SHA512
90fdae0c9ad671abaab1c92cb08ab364c88c79ef309432e2ecc800c02cbfc4b85cd4c19d18f26f63e6ffaaf8967134e2e3541bd99db8aa9fd7d878891d2633be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
952fed0f172f7cb92226ce837e5d4052

SHA1
b3b3d3236999a017e89a506235de60db47abe60e

SHA256
2e5b0db7946494d623f02cddb95b901c57772512ef88a6501882e71574f9b9dc

SHA512
694cc8a2bb3de31dbf521d3bb5eda7edce898b3ada1489158d787378dc5c9ccea6291229cfdadb4218c830576b969d6d3d5bb73136af885a9f7e61b1556c530e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
340ea6cc6eacc89af80265c12f980119

SHA1
bf3de126b9f5edbb90baf7c15ef6b5dbf6fd4b0a

SHA256
bf9d5cd4774f039c572002c5e221d33fac8d2c0e78242b5b5adb49997cf62a49

SHA512
3b954177fde9b732a8cf3bfe55932e264fe6516d62351ce5da42a6b5f5818f707583462309dea021e26737ee6901c5d51526e154f1a61c7ca99714b6280b5327

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
df16441f0cf0176effb400a76155ad18

SHA1
93094551d84a80c16d72819c78ca44148b2cf5b6

SHA256
4920b3411cda08c19fb181640a55ad0c5d0d0988f3fc9f1fa0e765edfa585d4a

SHA512
f79ee837206650d67e199353a8c9f6a56e350fb85078e67e1d8e417171db7ebc3db47e591772a6890c2ea0baf937b0b4a50534495b878d675250ac43bebe3f97

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4cf4c25c00e3216ca115fe48677706c0

SHA1
150847319b06108ece7948caa487b61ddfd33d77

SHA256
7a056f542da0a7bfa7aaa3bd118805f59a42fee512bf2387c071450e486f2c08

SHA512
3bd456013e24b3de29ba0b21ac4d368a16b125c5cbb68bde38ab54381a9ed0a3d14e168110bd1aaae60927f2a89f5c3fe47d9c90fccf2543ac746ab07931b902

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5ae99f71e28283744bcdc169c532b772

SHA1
ba8df8c2c807d04ffc12271718bb4018444e7b08

SHA256
5e3cef8bf9ec00115bac42882da5e4159e5dc1de1687eaf6cb950ae6f33f70f6

SHA512
37afbff1ce6ab4a9bf1ba8f7ade86fb275688461f6453e38bc589f01827e8f9b58c0a3a06a9efdafdc506fe678dd384c2aa228ad1118abd6c6840be4c978a6cb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1d8c3d4bcb1ad19c1094b390c7ab9dac

SHA1
2443f9b392ae432911e41bf8f85cdbf3d4ae2156

SHA256
c36e16c6c45536c744950b7e88268a497ec34f6d09db335bfb4ccb3efbc450cf

SHA512
1a38e649d5408828e3185a6e6b77e5683c0f19a902b45561afc7866bfa303400420f38f91c5742b795f7cb981d46dc65b843afbb2c1f85cd8d0f1367e3b082ec

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1d1c4f574e631460cc6231a9971d4e63

SHA1
44570d0cb4368af5ed11f5639559d93c02b15d7a

SHA256
b59e28af2e2b20b9db46f019ba049b74eb8aaa31d36d837c14bcc6b314a6cf8f

SHA512
1a01d4135876f13d58dd7f4813a1b8a493539a90d962e6b7d349e1939f7a526083348c440e0f6cada35428305aafdf0802d4cc4eeb3039b148e9ec963aca86d2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2bd13d2511a543985f728ed1113941e6

SHA1
caae0d6d81e9a4d280af15e8e55a2cef34435483

SHA256
0160a9aa4a6d23bcf1a15e7700b7ed055da016c03c7b97a9c0fe37c56e454ff2

SHA512
29c11113eba35690b0af9fa464b9c619a5b5a18dbc0d91817dde50879e524900248658ed9c2d9f4ded67cfcf42be53e945dc81322d5132e535577300abd060ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bc756f10e439f0306c14d8f0bdd3ab6a

SHA1
ab12e7c5843c9ce0ffbdc4a18f3c8cb8d5283a65

SHA256
d4db653233478992ddb7fe6079445c0362344ea4d40c13a125486cfc73e1a1f7

SHA512
fd5ca5d75839f0e7334745b8f39ebe9372b5874739e46a78ee0220e2db310493e980acf8deb37e382d9a7b142b1fba834e1b851b50856727e2e244b19afcc620

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
dc42182b0cc2dd67a7e89cc2df4270ee

SHA1
bab606222cf91255012ceb6cede6c23ed5a4215d

SHA256
5549802b4ee12711e11fa619afcb07ebe07d6d6b060a77635dda426ef0a8748d

SHA512
7da3ee597745cba0ac93f59e418be854dc1b89a7ad11c541fbd1b1fa206280f4a94ee0a2652bc4b7a8719d52d836d27e763657b9067a6cab67569506d9f6d675

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
94e84e4d3f45f0dacadae4d7e07d0a9a

SHA1
7289a3d2d7c299f077230c4f9467421448023766

SHA256
81ff2aaf541947fbabc95a40bf632a06f9c339f0ed041976a675be9334419ef3

SHA512
85851f5b79fcff7272b272242f7a15c668c33db56a95fbcb0a0239ab44403d5067cdc99d3c0549d86dca0bb3d7ff8240a7d8e5c1eb407bc0f721113807a4d449

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fe2a382f19643ed1c45a67bc8ad69309

SHA1
db6d1ef9d71a866322d0d53d8201f3d292082d88

SHA256
a393a639098304ca8c2362876facc3e0f9944b7baed178f7ae987f98759fc90c

SHA512
4bc649a7f77196ddc837568779cc4de4a6adcb35fb15e0b51465297695d14fa2c9fc6daf5a4db4241ad09010f59ab596a84b0330211c5ee202cd51f7e5d0c54b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
70d145ac2b77c551e14e9152c847fd53

SHA1
641865806c2dd2831c3dfacead07ba594c0b7031

SHA256
e0a6172d92fff00467d62602f6062961a1c35b5fb0de8f1bbe8ba4e0c0c4f22e

SHA512
f6ce1bfc1920a79445f54f6b2c767ffde66bc877f59634db8dca367882313f55c45d5491c139af09d591e6056f899af2efc5145d2872c348c4eb362ddf6c931f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
93d4b65b201029476315c5d02cb08f46

SHA1
09aae3e324100fe310a511d0b987e1d4722b0476

SHA256
b44c71bc1df2b1084b6f520a5c27398004044fccd8daed5e549718912d3206bc

SHA512
4beebb657ff1645dbe081035247754e74c9bcaa1f9e672852a8354fa362a229eeba7da694c7be5fd7884212078f6df7f9a031f2c89d89157d7dcd81d1a069acc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b43f51b7217494110294e559498ef228

SHA1
4de4101f049bb6f862b2fc7500aeca86436f94fa

SHA256
b886dc3f0b0b4c426f6a64a17cab20e7091c469c6a6d6e380a55d3eb29a4e135

SHA512
a52d4c893b88c90bf031fd72990b6fc2761d3157bc54246293694c32144b97eeeb29dcaba3c81bc8a5fe7c6869377552495343591876119cb29a21ae0fe1933a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3fe29c7b7dc931c2838145d2ccf679f5

SHA1
02168a19d0b8ed9fc9ff4f5f2f77dff2c8ee76c5

SHA256
78cfc072d532e12812fb0c9817caf6da239a115f0217217f8928bf7468fe5956

SHA512
de9d8ec9cfe146cce06172d524e916bde9682c670e254e9061fb57c1f7e3b41a756e0813f5a20f9108e361cc6cb2e0d940417a3f33cf46ae08d260a7f28bf71a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f743d9213a58bff589980064c75f33c3

SHA1
5fcd81a0afbfbac22e0aeed8b75748d75388e52b

SHA256
d67222f38c72ca7952c96f80e1a0fe750ff66b52181ec607e55c3cebeda21384

SHA512
588057b1cac8ee8d8474c3c5cc52c0950c83c25c74fac207821b783b067c2ad3509239a98a1eb2f4ab0acea6eb0c02eef4ac04a499f6d64a6d98b92c80e7bf55

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
cdff5a97c6f8f61db7173a89352b69be

SHA1
876f0f906740e52a1daaec094853c5c2f1a04751

SHA256
59402e6e77678b70011d26ad43c85b4ddbcf965a4bbe8b04f3ebc0b88770a5e5

SHA512
0c228c2d66a7e817ea532e78e798abd538e211b5dfd1f86925a7e60ff41d37d8cb3274fae8623b14251daea3d4cb774696ab659786dd25a8ce17bbee8a6a487c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6044a5d753da4615980bdd848c1412aa

SHA1
a6a67cd84256b2f812fdbb7b93cac19070b35f20

SHA256
3f3e9486bdca6055f110201f956532b5bfe1a760cd6723047defb318740f2b77

SHA512
2fb140b2e2e9e14bad3d3c6fd11c1e3104e7d10e608dd1dab4a7816bbf8785124814a1d5067e8286e3dee2fc890977e18fd1768608af4ff5b5128de2fc4a3320

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
819f97abad8c65083f0849ad196e13fc

SHA1
2afa3a87bf376632de1a93a816a4f19c78349509

SHA256
e2616aaba63a71eb66f31d2e4810d36f9830befc0c9024767f042263bd42f85e

SHA512
987297dc91f4186035cef3ff1ec87e9e8fd786882572482a9b1b5cef2c572dee882120abd08459e57e5eb4f9d7155569c9d40e00a0f77ad86a1252fca86df570

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8477c81896a5dea6e61edd5176714917

SHA1
ffe9551ef20931400ea96b01d58974d802d0ac64

SHA256
3676ec16010538abe01c23a08ff3c4a66cac464643fd88c0e023755b1b7e9522

SHA512
31a3cf0ec20e5fb3ed3dccfe0f72500ac1cc2e00df6e6c111904089404125af37a74ce97f253402cfccbeb261116bb972cf86318c45013c8301c19a768d36e40

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
cb0bd7a68aa0061a3295adda0739e007

SHA1
eb32b7f7e7076d3cd7235d89b59abcc44b606a3a

SHA256
f937d165d560b9e54499cd27ccce230a33b0e8e2275e8e8cc31bbf038c7374f6

SHA512
29415abc2efe54b8a09917df4dbe4e7756b016d07c159c81271ffad83f503309a9d012ca32d7425b1a5cb4390ced84a1dbd96754322504cf691de941f2c4df7a

Download Submit
memory/220-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/456-273-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/456-282-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/456-340-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1000-379-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1000-322-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1000-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1052-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1052-360-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1052-423-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1396-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1396-445-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1444-413-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1444-420-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/1580-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1580-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1580-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1580-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1580-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2092-333-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2092-401-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2092-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2092-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2112-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2112-272-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2112-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2112-265-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2112-257-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2356-295-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2356-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2356-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3224-403-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3224-408-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3224-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3224-411-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3316-433-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3316-424-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3780-12-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3780-1-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3780-10-0x0000000002DF0000-0x0000000002E50000-memory.dmp

Filesize
384KB

Download
memory/3780-7-0x0000000002DF0000-0x0000000002E50000-memory.dmp

Filesize
384KB

Download
memory/3780-0-0x0000000002DF0000-0x0000000002E50000-memory.dmp

Filesize
384KB

Download
memory/4016-246-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4016-312-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4016-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4016-252-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4024-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4024-15-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4024-22-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4024-232-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4040-66-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4040-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4040-74-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4040-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4296-348-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4296-342-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4296-410-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4488-368-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4488-436-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4488-376-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4540-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4540-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4540-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4540-236-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4540-27-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4560-308-0x00000000004A0000-0x0000000000506000-memory.dmp

Filesize
408KB

Download
memory/4560-301-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4560-375-0x00000000004A0000-0x0000000000506000-memory.dmp

Filesize
408KB

Download
memory/4560-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4568-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4568-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4568-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4568-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4640-388-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4640-382-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4640-449-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4656-459-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4656-451-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download