dec3d7ba50b1ec8fb9f36b9c52ff0348542308d46f24fdcb91f3a5698648785d

Analysis

max time kernel
173s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_82246258115a29b7cd5fa331a4910e9a_cobalt-strike_ryuk.exe
Size

655KB
MD5

82246258115a29b7cd5fa331a4910e9a
SHA1

c4f8f306e4b75c966c567942ff7b6c55a070d0f3
SHA256

dec3d7ba50b1ec8fb9f36b9c52ff0348542308d46f24fdcb91f3a5698648785d
SHA512

0aea85b206d6125dce7f9c9f88f40ed2c5452dc254e39c434aa00cb2b2740a160c27e53ee66f22128289bba90b97e3ea73b94ffebf3bccf71078eeeb869d3b2f
SSDEEP

12288:NjC6V2l2FCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:Q728NDFKYmKOF0zr31JwAlcR3QC0OXxx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2964	alg.exe
4804	elevation_service.exe
4636	elevation_service.exe
3008	maintenanceservice.exe
3196	OSE.EXE
4052	DiagnosticsHub.StandardCollector.Service.exe
3024	fxssvc.exe
2756	msdtc.exe
3792	PerceptionSimulationService.exe
3960	perfhost.exe
3768	locator.exe
2000	SensorDataService.exe
1748	snmptrap.exe
512	spectrum.exe
3136	ssh-agent.exe
1660	TieringEngineService.exe
3132	AgentService.exe
3212	vds.exe
2896	vssvc.exe
4860	wbengine.exe
4416	WmiApSrv.exe
4240	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\40c8dbbaf9ef887b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-18_82246258115a29b7cd5fa331a4910e9a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a9abad07a91da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ee217ce7a91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2fa8fcd7a91da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001933e8cd7a91da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5e5bacd7a91da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7a15ace7a91da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e354f2cf7a91da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4804	elevation_service.exe
4804	elevation_service.exe
4804	elevation_service.exe
4804	elevation_service.exe
4804	elevation_service.exe
4804	elevation_service.exe
4804	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2552	2024-04-18_82246258115a29b7cd5fa331a4910e9a_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2964	alg.exe
Token: SeDebugPrivilege	2964	alg.exe
Token: SeDebugPrivilege	2964	alg.exe
Token: SeTakeOwnershipPrivilege	4804	elevation_service.exe
Token: SeAuditPrivilege	3024	fxssvc.exe
Token: SeRestorePrivilege	1660	TieringEngineService.exe
Token: SeManageVolumePrivilege	1660	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3132	AgentService.exe
Token: SeBackupPrivilege	2896	vssvc.exe
Token: SeRestorePrivilege	2896	vssvc.exe
Token: SeAuditPrivilege	2896	vssvc.exe
Token: SeBackupPrivilege	4860	wbengine.exe
Token: SeRestorePrivilege	4860	wbengine.exe
Token: SeSecurityPrivilege	4860	wbengine.exe
Token: 33	4240	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4240	SearchIndexer.exe
Token: SeDebugPrivilege	4804	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1860	4240	SearchIndexer.exe	130
PID 4240 wrote to memory of 1860	4240	SearchIndexer.exe	130
PID 4240 wrote to memory of 4512	4240	SearchIndexer.exe	131
PID 4240 wrote to memory of 4512	4240	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-18_82246258115a29b7cd5fa331a4910e9a_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_82246258115a29b7cd5fa331a4910e9a_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\123.0.2420.81\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\123.0.2420.81\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2292

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2000

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:512

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1860
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\123.0.2420.81\elevation_service.exe

Filesize
2.3MB

MD5
aec5f6582af7ea5876639a61fe2a9584

SHA1
1f04e7f3110c576429aa7da05e2fbc150f83144a

SHA256
0350e994d32de021fd8ededa962edbdb4f8c8baf8d509a53280eec567b636dc6

SHA512
2c5d158caa15fdd3f3393d8c1b8080147d8a6b4d8771ded0e055a61c9cb7c606c6c048b1d3b0c9f6024c9085eb733e73ffe8447e1016d20fb492f152d76aee87

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0f0cccee2a278940adda197c50f0daf0

SHA1
23db7d8faac231910e0fe20b2f09d88919486be0

SHA256
c5cb11e5d767384fd85c742d5fe51433a74adb889bc072d3c1b20ff6b3eece72

SHA512
c1a9452e45a1c990c9a4c42ed485c26d365b32cf4d3f0a9d141f7a0fd9578a9c05afcf657875760b8f7ce2ac3b400728c962beefdbee916fd8c865502bb2ebac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c6f2db8680ec62fe7f4f7f6b4b77fa71

SHA1
8aea33d155a76134b55ab69eec7378c2d9be1e2d

SHA256
359d84d15cb4516b1ad85a05a859d326365092b4a82fa46a3808881854a0846c

SHA512
b5c3094633d33242ab4253e634b20997cecefc028ed2aa5c7f74ad586185956df62d207636c18c3a1e09f7b9f4319c7d3e8c491ad8c0c5051912b902f6bb1508

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
00a765dc34504465bd1bb4d870048702

SHA1
8c32ab981968d29befbabf487913320e3b3d2efb

SHA256
e25dfbacd0871640a0b9d5cad675e865ca08217860e8c666989bc1f9b82a6583

SHA512
8c9060fe914619b101804be169060c239957ef84b7ae9560759fd5cce222b0ecdb55162ff1d5e9d36244f987d01c0d5738e245bd88e0b5c46feb7c0968d8c4e2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d6e329167f89d0c2ac662cd0de41a0c5

SHA1
36d0b0b5241a8b2fac4d3dfcd8c8b28cb53e2bf8

SHA256
c52d9e0e3bd274bdaf7e57275d0ec02a9e07a9badfbc379bdebf3c3ef098efb4

SHA512
216760748e031dd7a04252c23347fe1dcde517f2e99c3ece872e5660078ad42a3ec3c1f606273bf2cd136e434a5ba6844f520e33a7937a35a6049d53123087cc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
45faada2eeba075a583a8b72d11d8dcd

SHA1
eb1aa8d65ffe4079d0a6c79c16a0983f012ace39

SHA256
39cdbf4519b9d1c5b04d92a82d6eb8c456a3fcefc3c8ad5ef63dcc9f31ac04cd

SHA512
1b2e8f3ec36e5770d29de4da39c7f510c3bc747fbda95d06d7968589e2a3c79413f22935a207ae324820bb905538f3ef3cbdc3c0f3191f10c0177b6dbf6879d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
042ff56c25c9aedd3a49f7cc81371703

SHA1
396c52d5f9e81c963ac906374092b9330e96f13b

SHA256
e37cdde060df4b64027770bf0f83854728a51002b526f848485aba33921b1298

SHA512
9377b9440809f0cd1af31b30d0eab5e0a032df6944668912d7ae9bc277193530892d91b73a219cafaccfcf7cbc9221c35686d160b7b63de75781e1d347d52bf4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
57d6b0c6a145c564bb8324246d326add

SHA1
4055f20b289d77b75697a45e0f6cd1bc4dfdfa54

SHA256
ad95bf08bd420c78422e6eca70502dd6f4bbe3b9cbc55f694070c8b186bd3fa3

SHA512
3b19d76fc4a2a49920c9db7360a0c19509f7622d8fbe592738329dcae183426a8507e5d2b45a7bf89e17da1f57854187f27db6048f1ae4079e7f968febeccb30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
42be3622e81561fc8fd500a06ed08ba9

SHA1
5e16d72ee240ac044921ebba157dae3f9e9b5832

SHA256
789466bbe4b26ca011f242d50b90956f840245263c1adb3958ebb4d768dba2be

SHA512
cefc3943e90240e676534319faeaab908b1915d80e816d5ea63494f6e78c62cb8b755800c9b42f8c804ea37c64b3e901ad237d5b72d3b61da6d206fe544095b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
41f419bc9e4e1f85c92b6e3a1e35a951

SHA1
22935711864f0a0ae3e49ae9d80a39aed67075ea

SHA256
bb54569235576d64c9bd7dbbf08a77b360b23467dd7a3d941758277ff470a71d

SHA512
c340fdd13dee9fbf170a50c7d7ef2c90495de648d5c5169d44e7b898ebaed557a5c9c3ef97d029c78072a499cc57309e240ceefa65d6e9ac60f4922c31a4a29e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6f8130b01bc8f68bc4c77f2f4c022638

SHA1
1786c3bf4421f4c10c00aa00ba01997bd9bc20e6

SHA256
96b123b3d7282bd2c9f15ac3f561d2b46a2b1929a6905c255ee2fd032e10a89e

SHA512
e778ca9285dcac31f11d16a9c77c80ba6e21adbde88745badc352f6fe943698477fc95161b54207419e57a0b49da839ff89a5885c9fb1529339ec805d0619476

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d833af6f1b3592074f1fdaf0b801b2ee

SHA1
0330ee64d9dd5655f56d2baf8039b4f90b5dfd52

SHA256
80360345a285052845a7ce42a761bd5172472728572435d8939660f38689f2bf

SHA512
9c8eab72e5008d5af3e162b995363847d192216d703446691d26d75036db146358deb7060ffb209cddeed6a859ef456b01dec5eea30db0b2d2873d80c0347768

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4c1f3491808d252cd996e7c28a0fbfa0

SHA1
b9f0d02447642f835d26282d450ffd733b0ca10f

SHA256
67c7975d51b2375822c98b2073ddd79f29ead0dcf3decedea234d5a66ae0da23

SHA512
3aed8cf66eed164866d13395413c1cf39bd683e2cce0628a5e291ba39bc3e0149356224adaeb0e67cb267d63051e809adac96ac5f87ac2e5d99378ef05f4f192

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
90b7ca7d001dbb8a235ee8928191b9ee

SHA1
bf531da24948d8e3b5cb1733f1769873e81940b2

SHA256
4510c4f847e5f16d3601a16f519d8da08552d88877aa8b4d878d121906be4d54

SHA512
800bb1793de094830367888a3e600b1486700a0c376b53a93f3ad563f58b95b374d38205a939b831452282b404623407697a8ec095070efd1b046d3cd342a00b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d17bf7f0e4c1b6bf7115f93a3a0d2ef4

SHA1
442de821c7990e1dc47243e76cfbd86297e5aa9c

SHA256
01146fe00e48aa1566552e0966ed4128e66edfb86f99eac510ee246b8c86494b

SHA512
8fb0522f60d2f5f488e0571906dde154bfd748c894cbd46e9ecf4137047879ca8ba641fd92b48c9dd6ccbb0892b3e0e26d2cbb25390dfc84ea48326c3aeb1360

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bc81904ed232dc3eefc47163f9cf63a8

SHA1
61e927ef7449590892a6551a2f6ce61264cca034

SHA256
985f01f27e66a821cdaa4c5a820b585182ee6f9ad784f700bfd74726e66d3555

SHA512
97859a5a90b2cf9675d09e1e4da9ead29baefffc3cadad338899cb005d99ea40f4a6c335e3759f676c4254146fe2998e02ece318658d589c0186c5351958d40f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
debd7a2559c6b67b9599f6f0eb71f787

SHA1
8c4275f875bddf76b74b025f362ac4b77fc8bf37

SHA256
61c5abcd656249255f2eef5cad23a162df9e719e3074b86618e641c6706dbfa9

SHA512
440eaf05db22048404af1d38fe2f309d0b84a3dddd4da40b8cb36a9582fd228d0d13f746c548421493f8eb49aeb11dfdff1ebbb538d5b9a9cee81688e5aea18a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
70a92e82809d319753e7c2f0c056d7c8

SHA1
3d26b90b2c73c3bc9193fa4add96d35ca98c5afa

SHA256
49c55251a3747e9e9745c801a4350d91b4668fea5e19173c4d533057be5889e9

SHA512
5ef64d160d05ce9fed09e642bc41b71f2238ebb8e276153df304a25b7ef80db04282c93f3792f177cba1268bc4ca387c8512139458f99b16e7eeb6c386898d8b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7dbbc9a9fea840cec1d8c6d6c6c7ba01

SHA1
5404544a68be5a7fe09d5986b3d8b229082375c7

SHA256
0c85abf5a08d60bdddcf8ccc3d46cd8adcb75ab820f322e7deff9667ddb88545

SHA512
cfd5c1409042420de5ada30e38789d60d5120b49bb7bda8fcbd4eacd07a0a56450da785fdc7d67d911677e1e71bb9f7058c97c688a21f30a2c907125e03bbe03

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c7887f5c0946eb4ba7693b9af709795e

SHA1
2b9b79aa83c6b47482aac6cdac5e3a654d9926e4

SHA256
95d3525eef20e6bda9b5638ff1cb486f89f030867240c43bd2d97fa09cd92bc7

SHA512
e341d2b9f57791e718ddb81eefcd3410790efb14155c208e501d0b1a59540e631994ceb28bfa9a6ee0a92d786f17f41cf8a3c47152c92cf2597ab1a23ec256d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ea7ece28421aee41d0d365be24d766e5

SHA1
139b4515f1a672fd939b382dfcbb8b027eccec4a

SHA256
6867ae0d8f407ebbf35b8c9d6af2ee4efa0c6a003f918a85c319b67b557cd112

SHA512
1a40fbe8422b38c9fcecc0ff829e83f9f66291848292bee66b2df8ca2264ddd2df21331eaaec5d14cf575b1b2219079c678c31c89aff6eb8eb9d6bec6861d7ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9948ece6cacac1484cd79dbce27d7210

SHA1
10cbf84edb6006cb7b7fa9aa4d1138c9b6b62999

SHA256
ae97ad1378f9319bb7b45e175d1783a8588dde4ff20caf6d6bd34eb5a8feab4e

SHA512
54641f0c928ae15bb1e2326f8d4920e2f4aff3d25fadbfccdee10051fbc054438a4e551e7f9b2ae7502bce503aa06854b60f191117eeda58826d375275604913

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e665eb7bddea5cb260afc8fbd7261a9a

SHA1
baaeb442759cc44a135cd3659fec0974bd6b13e3

SHA256
44d3ca955ad29dc512e8d47b7c3ccfa8cbf30275d7209402057db0cc2a6362f7

SHA512
fbbec8d24c00c9d4a954c3f487fdea0f0bab6824f025b41ff54f18b9df3eb5c015e580895df6ce92f0c2dd9bb66c23e4209440c214c87c0038ae897dc1726dea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
936ad4b3123187f549e9d346e6cac879

SHA1
a71fc2b56d5c3697d43821b3353033fabe4ffd34

SHA256
874c13f14808513d2d35ce12f16b3d96ef850eb077d48175e82eadfdd95bf11b

SHA512
bd51cb136db14d24077989b4a525713a223e36f9cafc762f0df600f85fa6dffb32afe31427fdbebf21709c340fec2d348c1ab18e955be5c63616aadae274f08d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c20af02a3134950f92421f7c782b5949

SHA1
b8481f87aa1803ba45b303edafff5c37cbde08e1

SHA256
c98e3b0b6fd29dff264c2eead6bb0316dd8bac8cc352ae5277df7a10af107d1c

SHA512
2d7a87c826e1ccd6eb60ca4957c034f1eaad73be631d4747b56e115d11f489efdf5e87072a4cef712c3d20004b51139d1bcbb87a7d6ba667c5f5407f72c92e51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
562851ff6ad2bd62aa713d12fb2fb0d5

SHA1
ad5dc550a4e29b16e20714a19bb989d623905060

SHA256
f412af61a8734bc5a358bb65f2c6e12509fd8956abe341ba3174cb9ce37e0c6d

SHA512
ba735fa666df05197641a3f32e4b583c00fb05c613560c0d44516296175d40f211d8e9b358664d2e287e212ef497f9b541bf221feeca4dc60b04dcb9f1c53576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3360e7b03f25739988e781d3fd709929

SHA1
bab8d337620c94464e8fa102007a470390a95cd5

SHA256
1d59cbf3d839652ba0307661ed99ab34b313c9ecee3417881f46691d70c3553a

SHA512
e474709a15ed8524a0a700502e15e1366696605edfd722f105db47d57e2cc3ec04e7ffa841a761b0d1badd3e3b843eb754d35c562d5fd8d5bf0987226de8b135

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9fef26cc45414df2d411717207358b2c

SHA1
bb53f8990e00a3af61112bf75c0842094e6d42b0

SHA256
90f601b55c1a1850733608ba74cc4bb11a23ccf85df6b1bbeaf644b4a66337b2

SHA512
ed0893e4bb5050b6f8be5450ac5f32714227aba0d7a92f566ebd353c69d6f4dd9d6ad8b6fa4441902142816d786f349cacd0a1bab85fc81dfff2d81fab4a0c4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
aaff59ba2323da980d676565ef00a2cd

SHA1
af1b0eec0bbb2546469f6bfa08db8164a888d163

SHA256
6bb02b4e260bc24f63035d9113e8bdb18d11346cceef52125345143659484980

SHA512
4a645e777d3f105b093b54fbbb10120c249c2513b5a8f4d0615533395e5c9920435a845ea8f9c2e4a04fad4bcd487763ae589c1f3c6aed9849e923485c4a5cd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f3fac662cc5b680e15eabe27b5a8e360

SHA1
a8601ab2537d897f7ac7133b5cca8da3b7eacfd4

SHA256
0b3b27f4466a1cbb83dbd5e4abb0eeaa6bcaf9cd6201a017935f56966b4e70be

SHA512
755bca873a03db24457db05aa2aa1bbb7283cd497a7dfe4da1567d843d7050f98f76dc45e950205feb244b0f73de9a30aee958184401ed00b90259fd6ce03d03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9f2ea909afff7906ed55438aeabf9da4

SHA1
b77e972e0aed36b309cbdeeb46d50174dff4f382

SHA256
186814c386436af6c7614b69a4874ff4d70e583b65a9304b6324e9d8c5674d0b

SHA512
af8cbcb12b8b5b177c273a83f8e55be2b47543a87c287fce4e17c9c0248a595d328b7ad8ad26828f143a1bfbcd7389acf8de1a7b3d5dcb9f09ac41e29a0bd169

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
579f595798a18a17339eaaa83eab1e6c

SHA1
5cb252782d40fd8fe0483d831002bce2b067fa3e

SHA256
5585bd75b83a0c9ab8bcfce6cc9780855e4aec76ef0a6c6bed4e6ca49d37db84

SHA512
2df98c81473454a73848b71b39088aac73c066a6600b0b7899a9e863df2be2e83cbf4db6baa9e23d7d5fce6029c521b2200d25f5c330c432ad7638231099ae39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
fb0bc965dac66f60eafd4c26ab8940b8

SHA1
21b07f74eb8f424b6dde4913616d0bde71ee2e81

SHA256
b837780aec1b32ec7aabfa54b04af18f1266d707346438000dd9cc49a90f5ace

SHA512
e71a1509dc72949d3383bf1a357d6f1a668ea0843c3d8f26a4796858aa403b8562d40036df752761264c40cfa7305b3a99053514ac42e4e6a53541ee63e24592

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
32a56c5f982d24b01f18990383c8e2bf

SHA1
4047a9592f028eea9fee7ecdf5cf6468f924f186

SHA256
335a72c5bda2e80b5673a464e20c3ac92c267d63aa733196f7a0fe774f574753

SHA512
4a556996f918b556c7590691588b246f1092f3c5eedac025ed9a2a4cace19ff0d4103c255219539eba8478fa16d54e0a1a74d210793629afb8a60e435f3f4dc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9b6b4c811a7d00be966edc10d8a2ce8d

SHA1
0e79b902383b634c629a9d4343b1b2aa3ed93b51

SHA256
3727283ff2315fb6714a000510224c65db53b3d8ccdcf94022aabf449794c03f

SHA512
d29b4968609aa18396ca9876d8cab3089f3eb83d76e5a83f13c0447f9429b15c9cb1977566891fad90c4ac675f12c39be7984f15faaccba56464ef1c4a7ebc94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3151e81e5dcd5c2ab7d3f073123a725c

SHA1
9ee09b96d8a8b05eb42bb2dd2753cd0a47ca493d

SHA256
6b3f2694a13c3f99d870cb3ddad0483725bafb8ef1b09191d8b2c34108563399

SHA512
eee04697354f73889197aec6317e5a1cb914aadfd6b5f67b21a7a5797c8b24e8364351310602875303ebe880f73a44a8765cad0fa310f179849ed7df086ebcae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
544c9e20c2718d20eda5274a0ed3a366

SHA1
76cb9f9885b6d85f30904981101c09793c033aa2

SHA256
dc5df8032826bb3826aa3c898ff40a75ec32dabc54471994c0974738df596284

SHA512
ac39afc58eaa073e4e1e62c6d72c7728a1554f5122620f719d6fd61dbbbe031a9425613cd775847e66d49a5358da8c5ad142c94e974776ce5e7892b95050a0d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
23e19c60dadc863f8cbf0df718856c8b

SHA1
fa0f21312454b2c2993189206be8bea220645e68

SHA256
204c5624b87bb59cc462701d50bf1d5e46267b37e1c9899eb06a1bcb9fdab957

SHA512
85bad074d70d12c09a6a63c5667cd2f148992c8c506ab305f6264234016971f9ab3578d5ba9d76f6f438954087cc2eb2c85341e64c3669c93ca637a7a8956cbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
5b66108c0395c5f41031a7252f513df5

SHA1
30523ace7324bbd8e138caa2bc7ad5c3afc5d607

SHA256
16da439278adf4e414c67f51b79525ce834872bb5092674e96c9933a82d9f309

SHA512
663cfb5327dec132cc31661239ed815883102006e0dcb16d2d7dd411760bdd3fbbc4587c97279532a4c646b12aed115cf56cedbed9f78e5229693010edd59d2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
f3f1f18294ce598b6acc414d80e0e256

SHA1
967106ae90ac32c6992c6fce60d99114aefc67b2

SHA256
03a43335a94472c32b7e2c6e21638b9b486b9b3be7f67350f8dda8be99b93d0c

SHA512
b3c5cc8eca649ec5298890eb93d14fb30cec7ed31c3e1e50b057adf68feb19d4dce6527b2b41d5331a0ed01be5613a79f32f593d2e5550493afa4f56f5e82258

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a407d6114a59d0372be00d6c747c0ddf

SHA1
1a86fba1c7a3e51808d1487e81b2402431543695

SHA256
21be596430eb69fc94204dd2078276fbf605e348d66138fb855e1a3e86d7dfc4

SHA512
df6ad8d2dcbda7117521251474877153eb2661787aac905cf3f9a1cd98debc3c9ff9dbf7dec20da54f96d8faf33fd6172c7402ac1d166f0c7e6d663725e16679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
06a10d97023297daaf1a3e09eddd0ca2

SHA1
1554153451fafaf3d83be8ecaaf05b086bb764f6

SHA256
2a1621607be77f69ee742e2794ead9b3d335d0de582553ec0034ba37c7b693ce

SHA512
2a1208e39db91c9d3569ab08442ef7137a16d8d8ed7f5f6130a4569a48f2763f0219ec53e4219f2220e84db7ef4047ef60a1de53a47bd6073a5a54dfad7d20fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
297bc53a9cc5d9fbc7c5895b039a616d

SHA1
ff45534c6bb6ae2b828e8283ea0438d875652beb

SHA256
86d7ba18ec9c50d06e465ae5ae0d56607a4af1e2cf08501b9448967a660033be

SHA512
1f2d9667dfd921325358ad10492a3dffaeef480888233e3f5f8b970e370670c574069d7c4aea434309edefe792c0f7add2abde3cbc6383303aee0fbb6b22e4ca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0296817fcc376865d679d2ada7d527e5

SHA1
792596adfcc72219c504c7268488a41b77f44795

SHA256
559183129f06de1a9479fd02d10318c3097d7c6445731defcbbaafda8a9f64b2

SHA512
e48c7f46f93823fe1e27462adc383c6a5bb6ffd4329bedd2f0c3c5f8eb3a3a865c685029696a91758c5496d96c704ad475cfa0bcfe001968aaebb76b156733dd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
68e985ade611ccfb32adac8ef5c0e861

SHA1
30443a1103cde2f746ed620d1ac73f6c5b67d721

SHA256
63e6ccaa18ca8d8651c3fbc794ada4e9d17cf3badbf328caf4037904d05e52da

SHA512
9d73a050566bb917ca7abc2e369a503ffa0a224dbddf95384ac885bd4fead4d5f898b0b146826f36536052ea3ba50f543926480b14c8885f57bfe5c623d4f159

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7939bc0fbd4e0fe9b0eca451ba512dee

SHA1
1642af8373fb079cf6fd10b1854b13db985034db

SHA256
d0cbb28d898aa1e6be8a424c2e0cf51d26e7cdf478993fe6e2351940d592d91a

SHA512
92e479b0d0164b5f4d9433951cdb862c6bcd3daac011048bde3705a20b1bc6f5e804c8a869c6a7887e1b854076de972122373680259abd991aad16e87247f7be

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f6e95a42ecd6087a097af6279a4cd9df

SHA1
4d5c64e3fe232dbf12cdef979e5f6db65a32f00c

SHA256
02cd677a734a71d9e1a9899b2472cbe8b8be44ace09a29cc3334fbf407ecc326

SHA512
9c8c1cf899cef5fcfa3e3520ad61ea820aa347bf29b02cb145bc782b8289118f87ca8ab23819eed34b26e87a0aea7c764e411f66b8a5e71003495c1179caf4cd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d8c79af554a666d7331f374915723352

SHA1
50c9faa4cb35a8f165c4420b16c090e31c5d923d

SHA256
9e04f20fd2c05c2dc48d0b602cbfeaaeadbf1ff3b47b962dbc9ac80932a9c308

SHA512
179847c63ec5cf7f7ca5a7ef3596ee0f402ced00489d8307b5856e7dec12e061d603153efb36dc5cddd6d9048ead5376a40d8668026fef759505b74b9a1d6c3b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bdfe105db56c3ceab47d7d31c2fbda0a

SHA1
a2531c561769cd2b241397111a8292b8a23a733b

SHA256
0d513d5ce217ac9c8180044ccbe8aa3e193f16309dcda26192fdef936656ca28

SHA512
bb98dcb17ccdac8eab33493d47e1714ddc4112e6de8c1c97a2f3c846ffea5816e8a1af131c2ff099306aedfa97e1a0c9d72fd2cc6e0e67a3dfd01b6a9f8b76c4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fa58312d39f22daafe5aa003b134f946

SHA1
bc6f12d7f6986cb06efdb20176db4a8b80dc8890

SHA256
d79dad7152a43c371fce4c43dbebbac6186bf6d78edf821b2dd22e5066bb361f

SHA512
e617920807ac4b2d35fbdb559bae67ea345e6371a7beb676a31a160545d9dec073d495295fec8dd3c37e973ce9e87be5cde4e50b9dd2b85d510333b0c8e9c59d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a13cddf2f4abba687a39c377058075da

SHA1
299cce9a0e71b918fd1a8045cf8701bd64b0b691

SHA256
f59775e6dd07321e460e7891f00465c6512b3c00b92977237e647d5548a1a0a6

SHA512
26f088c7259a2a83a19da0665a4ca08ff4555cd0c17aed5d1b815598597e48c5fe2de086dda929befdbdf02337c17905860f03d10da9a5b80584f364c6c648cd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
21576c2fae0140080a42e95576610f55

SHA1
dab316df73c551ebcffcb53c25753ce770ddbd7f

SHA256
69761a6c4e5b6dda0791a31d89b904ea17c7831b2625a89c7f109c7a2ba01c16

SHA512
459a726cf1305ff7389db9f2ce047a577a05884183536990601c35451539a04ceb8d0cda96934acf64d10f70f9ff1fc3f8071869637957359d38b327f278bb2b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1226e42a2372659d5b0711c3c40ebd98

SHA1
4c698e87caf9aa5f8aca454f1acc95b9072e0591

SHA256
c6e915353c1cc7d24adcc0962f5410432fcd5a799c4527a2a127c5cddbe96ca4

SHA512
3c70ce5d2f584540edc509477552ff422eb0aa7d6d22c93c6ba2b7b5d22a660688eef4cb75a0cca508642fe32f7d9b5b9684666efe370fec9d368a9e6c8edfdb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e4fb05f2d5709a9395333132eae7427d

SHA1
7d6bf3b8f5cb80c7cfe5b3f4be43a51775c57a12

SHA256
39a15cec737a1d57a2db489c1dad7ef963d4180098a698358de70cdabba32cee

SHA512
78a868c2ac31189de1cb82ebfa1a294eb7d736b5c262b6b3d7ee1cd8e9fc527fe0bf50fe91220a2a78688db3e666d7a812602696166633e714b43bec6989cec5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
64a4e7bc3b323f3184e478b9a2b0afaa

SHA1
c2bd4d17f6b24b99622df07411fe0b11393f5a76

SHA256
b168e35ca75cf9bf0cdcea9c2febdb451433c91acbdbb4f40822d4762d962340

SHA512
58484e220f32ee448eff3664c8a98fb75f8936ca58d318338d935960008377d9490f92bb6f2db40889e68079e6f5ad97da18da4fd7a91f924d7d802d30c89a8c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4e17e7f0cee443f96dcc2559dd1b174f

SHA1
7d52113f610757cbf23c5665dd13384b621f0e19

SHA256
9b1eebc95d12991e1f44c0dd375e32eb8eca5381ed67a81b16077e0a91a204f9

SHA512
b18ce13f6d67a7927d096fd410ef1474dd6ec3cb3de7d6989b41add0deb63f83c0a471c60d9c3b14e15546a37068ad89698f4a8f5bb37cb3e69935aae8b8ad8c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b0032cfb9fa4a41610ac88d724746889

SHA1
62533518cf5e6913b7e8a16286eede1f15bb25f3

SHA256
b7a7bb20c3802839d62a6bf5d96fad632b69b6f886768d596f9ad532058cac38

SHA512
40d430c432dce3a29a07e6e43835cae2a0de10d93102aa7acf7eb9b5d7b31a76ffdbf405f091605450640e067423fd44d9e639a556cb2fb427c5c425b7ac9d45

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d96d8ef301fc0c36e466165f1f8abe5d

SHA1
8eea3b2937046d45b200d763400d7e00dfcf4e98

SHA256
d5cbe11e466e4cead3c7872314bdfa193d5cdcc0cc0e4822fdd3787556aea6cb

SHA512
503648030fa3a087b8dc2b7b07b39185880b70acc755188499cf3d314576c3568f7ca7249ca3a368d1149520a3d825756f02cdb4abbce0df586a5f78f315220f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9bae18e95b9f81085252a75dcd59cd1a

SHA1
4ea84fe9f772f9d304eaefe8b712a8649017d9b5

SHA256
c46efb4df859f3bbb201f37197af935566580f7506e2279d04bfa8f25b645cc3

SHA512
036edc83632e824fa51dc29a9207c397ecfb7c874d6b283f8782318b11f1e9eb813efde57d8f5863b91845c1004b96951986b049cc718d6c08f63e9e357cdd28

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ff2216e5157ee5dd5daae410bc4f1036

SHA1
3ffcdbf3e20ca60be742968c1b8436f12d38247b

SHA256
10eec1e920bb531a361cdd218c67d0715ec8b2d7112e01c106abba19217bd6be

SHA512
32bf35a6b968f5d84d6b60ad90df3d38d1642a8df2713c790a661bc9358dd45be3e023c75315e65e2ba12b9ca88b184f7e1352e4b763047fadcac501ec928046

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d06ca4d03dc0ff937d409eecca5068a1

SHA1
9d2d9b9c9fd38d19a4161c2bcf4b40ce5cc39663

SHA256
36ce55e2e8e0d526a498d4bd57787c383bab9f1d8460b72f5d0ab190ff890bda

SHA512
f874ff22bbdb20dad46791ed26a3a96e4b2a40a5bf106cc3bf03c20c4c59189a16b48f570f7f5ce0e31e3a9f84701bdc4892a5aeeb3faf8ed25a4aa1afff1f56

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4d9ad929288f84f0bb9e8bfbef693e07

SHA1
d0b12fecfed9b00519f5a5d238fdc6f6eea686ce

SHA256
93463668900f12d55057672a4bf67b29e8392b33d192e9379d38b250f64cf682

SHA512
f7c04fdedc6461e1acb77edab8c02129cc80d5e588a838c0377e205d641dace690be533dbe2015eaed619ade6fdba88f908e463880b93595cdbf17f36915c137

Download Submit
memory/512-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/512-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/512-360-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1660-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1660-387-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1660-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1748-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1748-347-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1748-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2000-333-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2000-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2000-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2000-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2552-0-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2552-1-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2552-8-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2552-11-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2552-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2756-279-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2756-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2756-331-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2756-337-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2896-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2896-429-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2964-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2964-65-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2964-16-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2964-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3008-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3008-60-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3008-57-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3008-50-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3008-51-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3024-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3024-255-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3024-261-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3024-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3024-269-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3132-405-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3132-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3132-399-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3132-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3136-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3136-433-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3136-373-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3196-66-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3196-235-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3196-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3196-73-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3212-416-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3212-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3768-377-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3768-319-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3768-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3792-296-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3792-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3792-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3960-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3960-308-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3960-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4052-250-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4052-305-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4052-243-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4052-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4240-469-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4240-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4416-447-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4416-456-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4636-39-0x0000000140000000-0x000000014025D000-memory.dmp

Filesize
2.4MB

Download
memory/4636-45-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4636-46-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4636-38-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4636-211-0x0000000140000000-0x000000014025D000-memory.dmp

Filesize
2.4MB

Download
memory/4804-130-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4804-34-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4804-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4804-27-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4860-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4860-443-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download