4c1015d370de063a0ccadc8a8677b2e7e5a30295e60354b17d484e730f9bf94d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_120300c38bcb64a9ccb759c08787e574_cobalt-strike_ryuk.exe
Size

789KB
MD5

120300c38bcb64a9ccb759c08787e574
SHA1

84de953922b046ab0e075680251f2ac6f3f64452
SHA256

4c1015d370de063a0ccadc8a8677b2e7e5a30295e60354b17d484e730f9bf94d
SHA512

eca80120d20fd249361983d2fce3eb960685fd33f9d5a2664da259a23cb538483845d37bef0f616703c178cc68a70bdd5b9fa879fbb7d60c98d156b267b09e27
SSDEEP

24576:+ZFwWuGZ8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:OFwWuUgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3520	alg.exe
2708	elevation_service.exe
1976	elevation_service.exe
2196	maintenanceservice.exe
2696	OSE.EXE
3264	DiagnosticsHub.StandardCollector.Service.exe
3940	fxssvc.exe
3100	msdtc.exe
3404	PerceptionSimulationService.exe
2380	perfhost.exe
2516	locator.exe
1164	SensorDataService.exe
1336	snmptrap.exe
3864	spectrum.exe
3044	ssh-agent.exe
2724	TieringEngineService.exe
2768	AgentService.exe
3884	vds.exe
640	vssvc.exe
4356	wbengine.exe
3980	WmiApSrv.exe
3568	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-08_120300c38bcb64a9ccb759c08787e574_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a5e0504e12d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000272246f6908ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6957af6908ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b484df6908ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084e0c6f6908ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003991d7f6908ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cf77cf6908ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2708	elevation_service.exe
2708	elevation_service.exe
2708	elevation_service.exe
2708	elevation_service.exe
2708	elevation_service.exe
2708	elevation_service.exe
2708	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2188	2024-04-08_120300c38bcb64a9ccb759c08787e574_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	3520	alg.exe
Token: SeDebugPrivilege	3520	alg.exe
Token: SeDebugPrivilege	3520	alg.exe
Token: SeTakeOwnershipPrivilege	2708	elevation_service.exe
Token: SeAuditPrivilege	3940	fxssvc.exe
Token: SeRestorePrivilege	2724	TieringEngineService.exe
Token: SeManageVolumePrivilege	2724	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2768	AgentService.exe
Token: SeBackupPrivilege	640	vssvc.exe
Token: SeRestorePrivilege	640	vssvc.exe
Token: SeAuditPrivilege	640	vssvc.exe
Token: SeBackupPrivilege	4356	wbengine.exe
Token: SeRestorePrivilege	4356	wbengine.exe
Token: SeSecurityPrivilege	4356	wbengine.exe
Token: 33	3568	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3568	SearchIndexer.exe
Token: SeDebugPrivilege	2708	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 2852	3568	SearchIndexer.exe	120
PID 3568 wrote to memory of 2852	3568	SearchIndexer.exe	120
PID 3568 wrote to memory of 3368	3568	SearchIndexer.exe	121
PID 3568 wrote to memory of 3368	3568	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-08_120300c38bcb64a9ccb759c08787e574_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_120300c38bcb64a9ccb759c08787e574_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3572

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3100

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3864

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1472

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2852
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6023f6090168a3d77d1ca48a25deaff0

SHA1
f78725511cec7471e24bfdb9f2b832e482904999

SHA256
c9c902346d76d278239afb0a09f39110401cecf9e9455d1146f90278dae98ebd

SHA512
9c5540c00e35e4b91e61272fde0c40655c927f7ed5983693357cd4f53f5563765652a68283b907e01f8c7773336f788b017df7675257122ed8a2a87b4250430e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
0bb6da2c5640894312f105c3256b27de

SHA1
584e820766cf168218335d376c612ca7641976f6

SHA256
0eff2dccdc2ae03b42409ae9aea8e9184af5ce2329a8f6d30d09197e2524a749

SHA512
92448e4400423670f0e5f55b01dd9050816556c5a9c7160ef47efe8bdd3b1452c3d81123787b35a18af02530ba43fdf97d5757435c0c84731a7cee5b74ee7456

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b4f99addbc39216391090af39b416650

SHA1
2b2400b3cbbca56d37ba82a76d85d3415f0bab99

SHA256
7ce560761485f74397cdaa0739ae49d640dbb938b77ff9cf6fad6b92864ab45a

SHA512
e82ad41bbb7661fb94928570e8fb2f39ff93d5809c6c2fb4b2cee3e313e458af5bed53d824b7234672131a85aa02331ba2bb91e015d4040cefb3c6f28e6ab8a9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b5e88cc544a1de2ac20a09b5f9d68bba

SHA1
6f29b9bc547059be723af48de43dac2c0e0f7ff8

SHA256
09e62b30816fc804515c375c02edb2720e8d95708dbeddd6fe2108c19cd68264

SHA512
7228016d4cb97a5d5b753c451b9a27a17468a96a89d3a8d5e91972e34f9e5cc2fafed5640848b500267be8ff4da93a2a99cac4dc988b0a2e0dd11a99ccf2cdb4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
12bc0d1e7e55e5f8b4efc71e4ee6f363

SHA1
28999c8de24ff9a9d39f41bd7aa586960b4330a0

SHA256
bca189727d6c9614abb294cf5b8fd63592654db014af7710931b65d3dc2c5edc

SHA512
6383fe6977dc37fbd257d643e543e9ded665fd44f5a42b3a0d8acd01d5d4310e8b15578310d1a49dddc667b741ebc926a30cf13f4e178855cada38946bd7183b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fecfc79a93c790f32351289b91d73901

SHA1
dc7ca6920639553428ee38bda6af326592544d15

SHA256
26dd9aeab7ce09e265ff0f503096121dbc4dd1f21a59ed012be14473ab5b52c7

SHA512
92fce35ffe3549607629e1b22fa8f5829833c9d597a76d953686a0e6d97d49e6832c1032655f092ed0b0151edd6b1bb0807f0afabe67c8dc526498cb946a4d82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2666e5b06f3ce4da25b58cf6bf7470a8

SHA1
86822122fdd5ecc83ecbc80d8f3b26696c938736

SHA256
639d5178226114ad774b0101febaa9169b1cce199938e1e7c6ff2df1ab54ce2e

SHA512
1ac55889278cae7c3fa8d8edc5740253d000ad2def53327ff5f718e276f0e7b4f597abf46ffab79d489a267852d43745f0fa7052494ce6f265b0187cc5c98005

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e167e0db33e23f653af07f5682782b7d

SHA1
f3b391e5540c9d90379160c6bd3580f29f7df92a

SHA256
d1b22b9b86c1bce7a4239696475df1e5cef8f5e17d67293a7c1f8d60913f572e

SHA512
63fd6aeea51b695850d5adba2e3a3495aca7010c2da3e61b6b5766648ec973996519e20314a46c8068184597d18b46c4087673652876cf8598241bde99416987

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
42cc7971cd455881504ccb27f884f1d3

SHA1
62845431bd5257ff13714357ef402a41f21da12d

SHA256
3f209bb59449837903e067089a3b0cabe396724e003291450c2061e82170c019

SHA512
059b34484d6de6b93fe5e2823d7178a4076390370939c824a61ed16f511999a6a09cb46495faa4cea69ef80f803a7f0438f1983bf9f2eb36ee591e6d91d38e33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
898437370664daa87ac1bc33fb2a87f8

SHA1
b1cb0253558ce970b671171406db51993c5a41a3

SHA256
5eb1f6c9b75124c9b8c2d83e656d981f3f549d3f80060933619260a43cffbcd3

SHA512
731279d684f12dcf454a422e1fb8c8e0c4704cad587f2127d9648b55b264db29748d40e209def1d3e16e2ff4762fc5adc4294be2b753072ad99f391d46a07ff3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
67d383ac37af04dcf1626ce62d72cf35

SHA1
83e001fb8daa0fb3ae1ed9b98d9008a25536301c

SHA256
ef6812086f453d6a8d2173273657b102a38d7f84a0574c638d0b15a54fab37a9

SHA512
44630da141a0e5db0824d220a6f447665dc05c52c938af5e11dd5aac8253c8cfd41acdf7f9927b15a4491f4244d418f94be8c1b9f8e5b043b6da540eeb1c9bb1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5e21d35aa5aa3b07a506caed18102c7e

SHA1
9f54e94bca3f97ec003f5ea8b359e2de7994a155

SHA256
1b849c0654b7710b548365ed8417fc439e8027d37da60d039da7b7bb06d6e08d

SHA512
33e32c5d092bfa2fcda44d45cb99fbc82fc27ebd5c43b429b8f8dc2317d54d540964289452afd722b315ddde37412a6c07555f0e82979209cea39673acd4aa5b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a110f8dc7d03ac505e6575c6a2a4cb29

SHA1
0e9eaeeed04aa375fe3cb3c214eee6d27ec8f652

SHA256
b064d55e3bc5e1abfb0d8c3b6a89983ab484b4339479252c13a2454fa6e8eb0a

SHA512
67f7168553e855bc0e10f3243146d921d56ef9a6c1e9af52c1aecbd7ab37af91e0fa4b883f0fc7dc6e5aac871eddf609386306552007ac3644683ddc1340fa2c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9f4ec49fab6fa3daa93b0022e73f1128

SHA1
0b686ff23d824ec627a563bafcd7ca97d414c1b7

SHA256
c5f295c14340d5ad7eaf72d2ed87026f569245bd23dc056bc568daa8bb18df9b

SHA512
0f81ac645ca6128b2b6f9079ba9569862ad382265b105c8330cd04643c7302c8e7eb6dd50ca80f3db17fd8d6f9321379f63542fe774fd67d5f309a0c4b9d6459

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
739a0874773107253747dee1c45dfec3

SHA1
25457cc3f357425e494d48439b560a8432628f76

SHA256
e09aecf463651293238ccbc259a8c8fbd28aa2c51756dcf97fc55a0865d6cce7

SHA512
e4dd6cf3521e39f06971874a93843c7a7801608f95acee1851b9951c316090bbb097c9e966fe1905f4c5dd5a541ef91ac905001172a4910b17f93193c1bcb60e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
03791befe225ea1525ca7b1d4b6ea943

SHA1
76d1e676e4f4ad7d1faeae4d567e605164b67454

SHA256
5545d207c1e5b7fa890f15c04df99a293ece29a43e135f892fcccb216ff0c408

SHA512
b068e52bcc9e854b4ff71c0c655beb82a73898aa6f8f9baf48d3b5331a657b8ed66e1fc8be62aae2d6519c6deaca0ea8131196ee49e24226219c79d28aa62d8b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
76457e817d476eb90d43474920dda671

SHA1
31f9131fdf206177cf2e960c67e3be325838b2c5

SHA256
8ce1587fb1c54a070210481dcf79691fb0a1c9c24c5ea01d083895ad6a5f9731

SHA512
9dceb627e73a8ac34551cadbae6f2ef3bf90d098af8c1d6a79f14622be62010ca022ee29995f4854288d5314c51c70d9fd16b824625c03ecc11d885f49ac7b43

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b7e652e3fa4026c42d1adf0adee051ce

SHA1
18fe63ca6a44eec78ae4f55975391b7b804a33f5

SHA256
69873b2754f5d403b481dc508c7ffdd6ac54aeff92791f67c89d77fb5f4acd7b

SHA512
d012f673c519afba0b96401f7ad8c76f4eb529e5ca9ca1347c2d32f91a8dedf2ce0a56dd3c35b8d5d7c4afc60d6bca74efff46698edb58c2fb8bd5c44499e046

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
c5da01772c4d55c929d67577e3ec05f0

SHA1
cdce2c63774c82491294da81afc9bf8f80161084

SHA256
a1a68a32f12ea6a2876431473e703ce78ae9d9292223732b89427eb17747f2d9

SHA512
619b96d188843e10faa23579abdbd1c9700628c2430a797f642a4e7b947191acf5ac7e716f7c59dc21cd95d208fc8faa424d9563c66fab36b53237d22895c034

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ba8580b6ad37c569b35357809bff98d0

SHA1
e1e3ceb85b9b829e8b84d3c40e45d1c84e285cce

SHA256
6037f6574d9573a928959e1c4e69d82f02c52e0893e66a9dc98ac2fb8c077be9

SHA512
efde7dc15537c1c5ec7b9e8accd38c20a89caf060af1d5d50364777ccf8676a64dc435c3cf4c0b9adb6ebfd44fa0173c731f113ff7306409db0e36624d45ed63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6a66c10cd96c470bbc83b202036fe399

SHA1
999c841cb0e8cddb449f3936c783b595e44fb08d

SHA256
a254ac40ff336bceb1d8e555238b3782013dd14cf4b36bbeeb05135202079906

SHA512
63ef3dbe540df43b2ee2cd01807c47a4e234d9c23c66d6bf1e292d55a0dea1bd14ba5faf47328d82cc4cbe5a046b954797e27f93c0d1cf418192c0fe1bbeb376

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
30ddcffa04d303c24997479a7ad0e428

SHA1
fe06a4b24d73e3c2cdf941a56cbdc5b1db509554

SHA256
520e14e0c242d43496e337c196cae482d11e14ffffd0b6155f0e506abb13f0d1

SHA512
d2c40bb3b5bf5378543489cafa99c6fd11616f39f048162f33dbde2cce14f1eaf35724cd5753ab1ad967fc895921d502accf66d1ab7c453bdb60432457503ec4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2e3d21b059d66a1510606100dc2c6541

SHA1
a0ee268270d483596e77c20106ed44dd09c1ed56

SHA256
0b4d61ccf3ecb2f79e26a23141df700f9ae7cf667dca1df2000acc64564e150e

SHA512
26294c676fb527a21472a28a56ad4951693f75504ce4dfb8cf690987917ceb1d6f2fa792ac2f15fa0a5b12c055747072c912866d9742ba95b3294145ac143d26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
752e0874fadd6e7aa2ac82e72f5c6b7b

SHA1
6f18f6bc6c431bc5465b248e874314a7aaabafbf

SHA256
eef5b00ba07f6126404b55ac1ec3d8300f72947a4d66ddaa7adc86a52053c7e9

SHA512
1c394ec0ff32d83f26119f244538894ff690fa340550bffd057d6142912c217a228bb1bd41614dd7b5dbf083ce30be4f278e91682c423507444711d5d903229e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
276fd9cd48639495c87d4d1aa43304a2

SHA1
01925947a514fad76ad2e46ed9a34a0a7dce9ab8

SHA256
cbd1da2aacfdd6d6b413bce56e7cb493e4706ed1acb56873e67ee8d003c99ea7

SHA512
053e1bcb5bc19a85cce0349d6fb2153af0b869bc88ff3345cf798a2b2dfdc977b9398b70d81b99f7b3d99a26fc529d38f85fe97df3316e70ea05451f80cc9226

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d51f36f49a6a164cd26391f8ca2b073a

SHA1
c2672aff7b7e11be44b508af0087bcfbcd4f3851

SHA256
5918809ced923f0ba1d1395f3d1aa168c6f2289f67c4af52b57db6177b52a614

SHA512
f4d60678078508f38b8aa1d713659dadf29500a45ee4c492d1939099bf41f7993f0a28026413f897d11d9c223f74dd3b38ae85c9ffdf3e970bb9bfc17303b4f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5ca15f705dd3b63a10e6b04b446fba9b

SHA1
c8f79ae53507e2e7fd26e05e4482ae6a2ae6ce0c

SHA256
08c0b3d800cf68a405003f8341246dbf005a0321ea94c796ac2d2964e59ef694

SHA512
42c0abe890e7033adb0e3d243db9301a52cd0b6ef024b5af63299f602dc28501e78f8c7491e0c8f3208648329060256540fe5a915c4c766639563c1f02aeb958

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e1e84e879a444f09d42bfd7c71c94409

SHA1
db657539d61e4cd0c91340cacea7490faadd5b10

SHA256
6c19a6f015c6f00216c89d523c998f454fa1df26160ed2e4fa1a11874b57f13d

SHA512
498ddc5bad2077820f24d3075c3e7d896183517ca1fc5a6109f56127fd77502bd77cee95979f38a4bc2dd1b8769108ecb9aef8fd5b9ba4c1f099d93bff0b0cfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2d96261846cbee71f933b33b03149268

SHA1
11f485bcbb26b75086b15ae2be223ecdc9dc4d48

SHA256
9315329dab34b5958e560ac75deff469ffebc9d44b3a824166aa8112697af9b6

SHA512
d4559258626676833a9473417a05b5c7b9d95d5007329e3dcb59178ab16d8ce56203faec46372161eaea3ea23485cdfff4bc3246118c14eda89e3f7ae1f56fae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
211dac8c8f62aab93ed748d43128596d

SHA1
a4afbec8545f16dfc288608494bc42a3b97763e0

SHA256
895f6f0a03607bf51bd888ccb69dfc572732ef37eead61ef83fa7fb2a4f11f52

SHA512
7df7ead59750e783460ad207793c906bccdd537093d9524a195c08070d7befa5be8e443ba24c0b0700e685b27f728de3ff31b70c1707bcaab2a902011061cf37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
afd13e58b0990dc2448ba129ca11ec01

SHA1
9ff418bc9aa66f303bf5cd57dd1a9234b116c0e4

SHA256
28da719d7dcc69bd1b5ee3d2651a08846e6ab93e05e2d5f8c174b3a7aaee6267

SHA512
c5a6129664bcec484df5a50e47a3d169de89a9568d030a2305cb27a426a79a9e657f4baa79f5ebd0b42f2395b1625f6ca5080d0c48328cb8bfe9d1a8792e25c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6639a8ff1e758b822efb809578c093a8

SHA1
94066c8b82d42f3d5f7887538613b12f10201052

SHA256
ec8e2b1a0f059b70688c8c17f5b56ef2e3c30ed15981ea18957bf07783ccd168

SHA512
a1d82b12fbb11c66059e4facd5b615239b24d6375dd2cddea5f2816758a54e004531efe288bfd4dc50eb519b973b3ff20fab49704ed74ea1d3e554656b90f5b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
37898892ea335458a52e8853a255ac0a

SHA1
94ce414cdf64a2dd2c48bd83d86df08d0a47a047

SHA256
f09a23e698ff7955470f5c8be36e711e8c5a4690f6962627ca0f561750df4fa3

SHA512
f5ec11a9a6458ed9a14ba4429c911ecc40c955b2273ef0665d632eda746b880ff43c831b0c4b71a2ebab9a6f9fbd3142576c487e34961af29f5133141cdc7e98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6122717cac68dbce9943db281300a648

SHA1
be2f82e85619c3fe90e7a67baa88020173274431

SHA256
a4ee044df0ea2b9e7c4baea834d7ee8a2cea255343b7732ee3928a98d9ef09b0

SHA512
fc173293c7610546b8667bd5eee0b71d501f219ac0c1d5af2e85751b4201fffd30cef3b6aa934af30058f26da2074d77a63ca516853e429ef9f0dbad7877fec1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4cd7ec98fa17464d9132521341c83520

SHA1
bdf1a614133ad9ec1cacf621b3ddc8a1b45edea5

SHA256
7c5d3c7e12f499a6c9ff87cb4138b4c709a289c8aadf9751ad25622d0f331f89

SHA512
b722799d1669de11f02c1aaddd34180e86a7d7ea45452ca1699d3fbcac4694af6b3a1b1fafce1ea2bf09221b88b2c8480571806d5d0e9e4c07b2b16bedb562ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
398095bb3262857dfe9fb47106727100

SHA1
5a0d1262a8669649561f319573c521bfdd26c6b1

SHA256
60463bfb838820b9a0b8b044452896b2af0fbfa7e2f8ab6ddec9efbaea057d61

SHA512
7048d7b6c11fe50d80204161ee0b47f0417eaaebf4ad5fd2e6529114ef45b86b091e73145b3f12d837cf4114d60a4ff67d9d3b5444f433e9e86643c40687f157

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
481ca68a5dac949c81b299c7f2b0abb2

SHA1
f308c49e036dd56afd8441808b753bd588ef7325

SHA256
5a0e36db890f80c884fa9f72640a071e34c7f01bad70b069d8f0b1928ed30aed

SHA512
da0362c08d1fe805e4b64e4004e74395c708421e31a4bdc70b0fa3d638a7ef15534443c3fe0e09c771ffacbe82ed554bb018f6b7540d670e3355e1e246a5489e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
cde3bfdfce02ba906302af7a364e8c38

SHA1
09054e0761f2afb8371423d318879cf195b0a59d

SHA256
bea2d883559dd1c31a369377ac701854f65853fa7ea1f2dc25fbe72f805b3d05

SHA512
9a60ca1d3251e6421e99a78ec91e58edbc93b22307f14d2a7577a3661cf1b49667d4f1a8a490755d28428355684fa8f1fd340aebb7b02cba58e0f93d3de76ade

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
1a5cce27d1919a0a5b6a741a31fa6847

SHA1
534d4ea3c0619f4035284fe3e4b737a743930e6f

SHA256
0e773be5e46cc275f396901dd20b24933e3feb2053398eb058a2015e05689eed

SHA512
073589d26deff2faa066178d3174a301ce4b5ce75e097f1860aeb1fba0a977c0f991e300697dd815d51e13c8110bde2195069554dfd89798bcdfb206c74b3bf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
d024309ad151508acaa6c537abbdcc93

SHA1
11e62d1e7d51ef5ac399522bdfe317770f5ea39f

SHA256
9f4326aed5ff1a5d91ed699fb4a767a3becababe164de904de80dcdac9ef2d50

SHA512
986dbc5f9acc520aeeece0aa8014c02de005b2708dff424ccbc236c31d04adda46f92441393a816c241ee5cc35470c18ee05e4623efa1d539355ef31fb3386d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
5442f9b4eeede4d5e6bdd411b778677a

SHA1
dad1c618f5729bd01f5aec9cd67ba9d260575cd2

SHA256
5546cadc57523196062813968c5937bc1aab23fe4d6793e9ad729e971fcbfca7

SHA512
9deaad1bc2eb74f7e4ed41de717729ed69695e71e74a09f131c46c474710a51847530ba95b4b829345cb8ecf2f96b6ea6e08f72e8f90e43f724d94d3ee2c601c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
1d623f215fa1cf34919db49116604434

SHA1
adda803118e410804f8f980071d75d65bc2c715c

SHA256
3129990a85d193c7ca6532c05ecac6dd7610765feb81641ea57f7e959f6435a7

SHA512
7f818f6cbc89084ccdabf49a2ef68c5c4b910f13db546e252aec2d0ceff218e895082b17de57ea440314cb0dc786b0143644b6f69fb31cbe9125525703626e27

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
09fe9084727cd4aab883d8c4cf788718

SHA1
e2257d77a831e67b618ae4cd505905fb912c56b3

SHA256
1f0b900eb7c3215d2a23fc982cb5f09a706e4c7608b5a4efa97f296b372f8779

SHA512
845bde09ac21cc69837157d4bcb098c381b7056a834e41fe9c451d858affcaa7fac4d521c901e96e8971cca0f5fb17daa443af280ca1b7e667fe540af6a9317f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c6efbe75ba83a53f765c6a8602060d8d

SHA1
a6934465c5cb54e0a17a54c6b15cd825f40ba315

SHA256
969c78c6f043b304cd269b9ed0291738d77caf49e0c82cfd4baeb794a6ec73f4

SHA512
43f1b5d4d72146d3477a273d965ac98d1d01333b06d058a3c2c5c8f1db8abff2a3ccfaf3b13941a98bc0fd1819178b1f01ecd667f316d8f0a6bcb87c5fa6f7d3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
518bf97d9aa8155528168ee9f8f010f2

SHA1
a341b44516148396af03483009088abea1e11ead

SHA256
a6730b6937f8f5c846ec50de04d9fcf9bc3f0824a6466781b62aa5fb66b91d4f

SHA512
0a866bfaaaccb59c535e34c061bcee3e1187ac7e44d5490e93ce362855ac6656e5f2a8b96699a136c9e2a5c807bb606fc896de2bd6001ed5262676e3cd286046

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0dc55fdf920234af733c73382561a66d

SHA1
c622aec7d1b1241d83b18a733b4be8b58e68015f

SHA256
3933f0c9b53a793bd43459465f411d9d23d355b1de61980227a3fb67183b5ea8

SHA512
16d7c8f7817f91b481268b2f941204801d5b380c2935472a572e167a71ee0332416398bee08a029919a82b10b7afae2f7cbbb29af41cac1dd93bd2b3dd82e86b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
39a6be3861144094485d12d911d8ff30

SHA1
aa656da1ad3c85ca79d9b1136373adb874bccb3c

SHA256
1e4ab46c7d2acd8918ad4f21e2518700f7463606cd8c560ae69c2a9855db51f8

SHA512
e2f93d9fc6fac18001adf23992c8ecbfc5980dcf6ab6cc4c5e28cf5e09bcf7c4a547a387792436a8f41aaf7850cb57377da71ec5ce2454a79b77349bbe9f58ff

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
17750f629b9e5d169867986678327b30

SHA1
1837e131c896eb9d5069aea673f8a98292090915

SHA256
3be60cb64dfc2abe6896288706c06fb0b6630c723e67bf3aa436708aa9e8a077

SHA512
47f9469e72d3355f065966bafe723f4ea28efb81b3f89635201d7795ccb6c9fe198b3385f7369cb3b895db64d4d4d9c561aff78ad23330f87816145a0edb745b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8443288004c323950b66422f1e033953

SHA1
bf93b70ebaf1f983e27a15c041369c04d8b5a605

SHA256
9e42ad3fd015d52e138f661e2c4e9d3c7889cf8cc3e63d25f7d4175da1bb0420

SHA512
7344ef86038754832c82c1fe0586884e6198329d496fe69a279f27369ae1c96daf3a20e59041ca9b37ecf63a4e722d8dcda7e49e2fb1ee374c6717df5639c9a9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
020d304e6af37eb00026485968f7a121

SHA1
acc0aad9568beddcd092d3ac9787a815ac284b2b

SHA256
35d813a52d62b68996c709b73c5a293a29f503ae6363c482d24aa955c03bcc4a

SHA512
8563972c17a83cf3e59104e53c8957f323705d0c6b68fdfc9058b8508704cf59fb8435b51b684dfbd03ca59fb246cc4dad4eb97fcab93baec96d8be91ce94c36

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
205c59b46d38e5209700dba84390b080

SHA1
b62b52cd751a6235fbd2b40c0648b2d1859fa25c

SHA256
2a5da6202cd739609e394f933a0821e7a6b804e26a87e1f8f43e1ba501406363

SHA512
ae130e00fc0a2ec2ad9b3062e3eb0ed8f0eff05d6e1ee04f7ae3f0286c02de675dcf8baea75bddb436b182bfd2153ec0bd52cdfaf6718bcf0ab31874e3abd7c8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d7641a47310d87605cd2bec4dfe29376

SHA1
20dd247701dd74fa0f9efe388a465b7c3c1f216a

SHA256
a0479880e654fb41b679326d05a366638c10c211185e9064c55bbb46a8c09436

SHA512
b5dcd5c140c82cd33b7d600d518d5ae0785581e59ce0554644d4b4c62c871ee03a0f16b747ae262e0fd543917fa861f2e971acbe81aa82b94cf5e160977440b5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
57c67d144dd31f65bb92a71e789f63db

SHA1
720f16f679a1ddd07f98e3d38941746930ef7170

SHA256
10743c1aa0eeed320bb29471dc2e4e30adf3e2eea13ea0afa9e67366151e6dda

SHA512
ff3b2170e7cd64c98e4d9db15d4923d34ea95dcf74f24a52cb579d9cb1424e9e9c51a6c0cb13ad36609571f67871b0e5f81ea47cad4590745b4454fd87d83bad

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1373cbcc92e13f0b41cbee8d98ec016b

SHA1
7c18b0e3deacf5f10703fc6e41dd559af4b9ed31

SHA256
15947ffcf614c75b6bfa3e2168790b97495fcdf64a4e6d249f6f4daeda65f489

SHA512
11587e34806591d49c6d1b1fc31d91257ebcb298fab98bf04e64f2b4752899704766dae7677ac90066a8a245515dc3ff0d962b2154a322c85547341bf160b706

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
96ddb3133eac1b62a06bc0e7bc19f36c

SHA1
bac4af107fc994150bb2250cc20bf708a2250015

SHA256
535ffd8bf35988c789ffc09c001f656beb2e0c28b8ae5876dae965ac093e32e6

SHA512
175eb2242864c7d88a62bc93c4794d4291bd0872fdaa0508eb6a97a29a2fd65bd112260f39d62c6de6192828b0a422684ba869986be5634ec8182cb126fd6a87

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
40401e6628c4c81354b062e71327fd09

SHA1
a89a7ca8cea0ceacb136b84dc566295607acf60f

SHA256
24c77807a3472c49d8f533df136f4847eeea5e0e9b948a688d0e3a0b37438122

SHA512
8b45d26f5e7505e19eb7cd500ef385eddd37e3b579945862a8e8e79416252c75c18ec06dae6c6279bd339be23345f0b2a0eb0c755a42f6049f7f93af2d28220d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
76770124113cb612149b76091f3ff933

SHA1
cb026734f3b38cd91669067ad774bef6bea93887

SHA256
9b91c1fe3a5698cb2b52828933d12abb83959b7147db32e47e126c6308fe097c

SHA512
8e437845700fc41b2354a477fd318069d6fcdbe34c7ef44d42810e0ace41fb77a59b698d799a83387737a4aa8e038a6f1c7cfd260d9ceb3c76b587eca2b87847

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
559e983ecd61eab3cc45a5d5ce26c6ee

SHA1
83fffd41e4b1b0f6889023c59cec68bcff9cd432

SHA256
9478c438cb08d392fc7873da6bbb805a7994f064ad86c6b7322d42361d2fb1ba

SHA512
a90b0e82ff4707cc744b6991df1ffba186cb9a10c04d8488f083929a960b6abfb5eb752d34c517e8d50710ca61bcf64e8ec803e35a298f44032e1973f64ddc10

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5575ed08d0cf590e2204ed51c660dbd4

SHA1
a845db97bb32b8b8b39894442a5206b13d3afb8e

SHA256
a469fed7f2b4618dd816bf96a8d78b81d1994a948f8f5e2c2879f0f4b9a021e0

SHA512
53bc3b0bccd1c0257c66c7191281c8888e5b4f6a5dc308bb34320635b9830e2dd0a24887fcc087eb7c87af79c1c3e61ec28b5a5b9ee539cf9175b4bb7776fbe5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4eb7e302c50b87234d11dadd79e5adfd

SHA1
3f4d40f91087eec987fd7d9075502b57d36394e0

SHA256
d5906372ac19f95b852c16d065f095340f367c60766f0bf2161046bae03351fe

SHA512
de3e7695ac3707c38c2fea426a1da85110f083a4d4bb46341ef53bf07ef6cd137a922e913806b576299e318db64cf5f33ba9d06c978d8963219fa04b897dba44

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ae52591f56efc5eed102933b80a00ae3

SHA1
76dba4e09a9e308cce4782dc3b756a698c20a236

SHA256
96c422de807e4513b633a2da70b5c68f368802595a918ed1493b68796456dd9f

SHA512
1d22ed183b31fd49bbfff61a82c6bf6cc92f284575a8655d2175469815aee430615c65ab5a790c819dc876ae4c79c5f4c36a8858d313d1d4ab444ecb5f92039a

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
049a639c2a761a2bcd6022b69524b7af

SHA1
c01567b6a1ec88b38b3d269fb53bc74025f48080

SHA256
e359710b95422737483ac5978950154be9dbe54bdb713655a94e80d0abf73e92

SHA512
902c22b746ca0789af7720b8e2f4c5ca7ea25f54235bd0c91025ec14608c32b4d4cdffffd48b318c02ecca344bc1bdd31bf13e6b441c9088be54ac676439cabc

Download Submit
memory/640-429-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/640-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1164-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1164-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1164-333-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1336-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1336-346-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1336-340-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1976-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1976-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1976-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1976-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2188-7-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2188-0-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2188-13-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2188-1-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2188-8-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2188-11-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2196-51-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2196-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2196-57-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2196-60-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2196-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2380-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2380-308-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/2380-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2516-377-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2516-321-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2516-314-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2696-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2696-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2696-64-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2696-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2696-72-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2708-35-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2708-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2708-34-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2708-27-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2708-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2724-387-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2724-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2724-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2768-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2768-398-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2768-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2768-405-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3044-367-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3044-433-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3044-373-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3100-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3100-281-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3100-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3264-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3264-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3264-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3264-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3368-553-0x000001E729A90000-0x000001E729AA0000-memory.dmp

Filesize
64KB

Download
memory/3404-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3404-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3404-296-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3520-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3520-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3520-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3520-228-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3568-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3568-469-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3864-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3864-359-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3864-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3884-415-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3884-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3884-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3940-256-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3940-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3940-264-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3940-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3940-270-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3980-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3980-456-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4356-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4356-442-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download