9dad1dad9673954e1bd2ac97d509470f11557c0f0f12bc2589b29fcf8edb30e1

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_701e1640c81d84bbce7f5346692b57c4_cobalt-strike_ryuk.exe
Size

781KB
MD5

701e1640c81d84bbce7f5346692b57c4
SHA1

2a10eb0185b222fa6bb516d1cfea287b72d1359d
SHA256

9dad1dad9673954e1bd2ac97d509470f11557c0f0f12bc2589b29fcf8edb30e1
SHA512

33214247d0f53aa4c53f011a6f324dcd0d46cfc7e54b11c6be38fcc738f2596824749b4158888e1ff9fd6c9b9be9463fee773a7ee22f8b666904ddb9409e71db
SSDEEP

24576:hPsJcuiP/i328ab4F+rM/aXq6bJfBUam6:hwcuQ/i3da1YS6ozB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4200	alg.exe
4988	elevation_service.exe
1100	elevation_service.exe
4668	maintenanceservice.exe
1560	OSE.EXE
2768	DiagnosticsHub.StandardCollector.Service.exe
524	fxssvc.exe
2008	msdtc.exe
1952	PerceptionSimulationService.exe
1240	perfhost.exe
2076	locator.exe
4020	SensorDataService.exe
4812	snmptrap.exe
4488	spectrum.exe
976	ssh-agent.exe
4940	TieringEngineService.exe
3612	AgentService.exe
1608	vds.exe
1408	vssvc.exe
2732	wbengine.exe
212	WmiApSrv.exe
4308	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ab9b7ccdfc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_701e1640c81d84bbce7f5346692b57c4_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{96FEBE14-784F-4E29-A39D-9545447021D0}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092f32768c594da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6b1a868c594da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045a07668c594da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7788e68c594da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d027968c594da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1604	2024-04-22_701e1640c81d84bbce7f5346692b57c4_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4200	alg.exe
Token: SeDebugPrivilege	4200	alg.exe
Token: SeDebugPrivilege	4200	alg.exe
Token: SeTakeOwnershipPrivilege	4988	elevation_service.exe
Token: SeAuditPrivilege	524	fxssvc.exe
Token: SeRestorePrivilege	4940	TieringEngineService.exe
Token: SeManageVolumePrivilege	4940	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3612	AgentService.exe
Token: SeBackupPrivilege	1408	vssvc.exe
Token: SeRestorePrivilege	1408	vssvc.exe
Token: SeAuditPrivilege	1408	vssvc.exe
Token: SeBackupPrivilege	2732	wbengine.exe
Token: SeRestorePrivilege	2732	wbengine.exe
Token: SeSecurityPrivilege	2732	wbengine.exe
Token: 33	4308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeDebugPrivilege	4988	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3400	4308	SearchIndexer.exe	132
PID 4308 wrote to memory of 3400	4308	SearchIndexer.exe	132
PID 4308 wrote to memory of 4780	4308	SearchIndexer.exe	133
PID 4308 wrote to memory of 4780	4308	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_701e1640c81d84bbce7f5346692b57c4_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_701e1640c81d84bbce7f5346692b57c4_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4668

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2008

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4488

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2152

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
89fb2b9f3e0fe1999234891e2a11685a

SHA1
97437d0f83ac7c6ab5c7a4fb1f095f9c15e05352

SHA256
76f295832ea36ba30e53e2c41d59ddda1cb70d31b9a251f495e6f29b0ef4c247

SHA512
f59c549ca7b30e9ef7b3d5c7792a1432f4e3d6479e4f319434fe3bed7598ebb221a6584fd4e3f7c17478d5dd51c265a641806429aa659dbbf63d61bc8310fa0f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b9f653b22dd261e271321d0b676c6802

SHA1
5752c686373a3705eacc368ec25e8bf7276888ed

SHA256
32b969873438f08c6f03df884bc119693d104893e979b018f269f66bd18c9dd1

SHA512
3b9cfcfddcb0bbdd0cfbddad4509b2d5cb8296f5c304f4cbcabc9dc06dbad731cf1344623d3731c99fa4575306d1f8286730e06fa8a98aa0af90bd8f4da3d11c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3233bdf41c2d5d7381c74ea8ee83699f

SHA1
e3749b81d3844c35e7e469967a40da12c0268170

SHA256
7220117c758432ade01ab475f72fb474a312078227c6f67b775d88dc0923373f

SHA512
af498bc1e70d9cda141dcc48da2398adee8b55e4474c1123d680e2b0e60d5b6d47a61ee1d99f5f679b315c6681daeaeb44eb5a8a6c80100ada0abc622c562811

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4cbbd5d1c3e36b0e766b436624dabe8e

SHA1
b56cd9dbf420fb8c61b7989d7bf44560c53ecc34

SHA256
c158bcdb081e90a53026cf786afac8413b5bbb191341353fcbec3f48475d5c19

SHA512
6eccbbbc6ac6670e605f08a3ed3e7ca8d5c6a12901240f176bf4bcca7576241f8d27e7151c8be703bb2b7b28e852bc195e05f133cca4c7c8dcf8c6579894ef87

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
dae0a94c99cad025d706fdb166236027

SHA1
4699f002163c49a82f1c5dcfca5ec5c03f0738f6

SHA256
b5b9d8fc1d90293eeae2b87926b0d150fc09842cc58eb59a85cd47beec8691c2

SHA512
3dfd877e17c3e2decbc4cc102d4339d93de5955afd99884447238e82fa8d4b4d72cbe90cc402e6733417c54d1f77edd198ace95e7e0ed2bf43422586fd09bd99

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9cd8434bd93bcc9120c4fa94305b76f2

SHA1
db1848b2b7b73a8f22ec97e9aee4c40832e4caf7

SHA256
c2e53bc724f4ed0f02242fa1668f32fce2855652604bb8e6bd8c3a290e6fdce3

SHA512
c89f66a1d7fdb700fe08d18d15562398a687398360c89712fe4605d8085bc3681c1c0a4cced9b9d308f6a1c7e3ac3c53be55743e5446cac553bbc6910c7274f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
023bbaa85a8210726a81e732a8a85e02

SHA1
dc8152a7b3fbd2166a707bf3f32a7d6545316efd

SHA256
fc6fa8663b1bca1d8c165089cb2d5151552f71b18dd0a4d009da5fb5f19890c3

SHA512
1adcbc905b426269a418a5dd3045782887c640f261da2564f5af297aed5eff569265a9f8fdf4ec81a95a97318a21d7be65011764c5d38c17f7141e1bdc3954e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4f1e5a98427d61bc554c75f628b38ff5

SHA1
0df26cef00ca059960706d06fa0ea0cfdc337ebd

SHA256
036bbe0c88d3916e034fa4957be04ba894f1e3457be54c53b0ce92fc2bf02a83

SHA512
161edb1d4eddeedb0f8521bec283d8d268c901788bd48a775655461a4878084ef0150194417a5b219a5ae0ec4c91e4739efd3e5dcc62aea6c0a22dd563c431bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
54d37498d2c8ac276a5ae2d7123c8ead

SHA1
1be4488d7569a1016f51b989925d87ebcd9645ec

SHA256
e84ac81522f9b7760a5fb39b11421a6e2e9915ea8b8e48884e57bd378b4cd50d

SHA512
54a83d58c68fb71d91410954329f11d9151ab89536d1292cdae9c889c58033402e068d4720aa8b07830956aa8d687ce345ab6f8ec6d0180622f4f240c5b6f14d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
88a9391b3d19c0509776366a735bc146

SHA1
78939ea51b7441a01b7dd21d0564bfa1879adc0c

SHA256
4a519c169d52b0351a9f0ea13460f2b11482f7f1eab8c4ae4222c3f4e1548a08

SHA512
89b61ba0ad60e4a995c3f040db8692b4fee19b4ae7e977392bed64b0d9459af78ed165bc8eea7da2d53d1bf62a2e8f35b719e0fd6b9189028e2ba3c378eff67a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
41e044d3fc6d63a8d1cce0563b6b7321

SHA1
dab2f958b09c0d1690833c648b2927c2e2b4187c

SHA256
e4be5dbdb9ace8b157020eef9f1e0b02120061a7706736cacc55d301184b2295

SHA512
8a52c47d1c55b52798b3775d7933235b4e19d3147f67858ebf4072e8f80f06a67c0a09e5eec57b7fd4dca538eadc03f49a5a53e05b05093d2d5d78be0c38e62b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
66b8cc5c2a0e754df960a7fa48d8f4c4

SHA1
cfbb6ef585ac05b0c853b15d17c23f4d615c8e17

SHA256
a7c5b6aca5f65fe04a4e3397f639cf1d88e0f6bcc3e8215e592c0e5c57d1efe3

SHA512
64c3143c05625faa2fbda1bd7273b6e14f6f6e935a676962edc90ba15ae2a0056026e1b999e358264448d9f367ce99b89ef762bc6decc471ab921b6a78e82bb3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
060558b7165828eb2210b17314fd9f37

SHA1
5cff135651e68e25cdcaae048f4f82ca22a74710

SHA256
7e3d4278691f9cfc9ebf43e1dc451d448ee3282338dd4e519eb85585bc4b6af9

SHA512
3a916928c9e1c2ad449f2f727162bc8c4eccbfe4ad83632e55f4bdae63d0372247b3601a996a297a1398362b25d5bbe0a9312d46061f577bdbceb2f4b46f741c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
14d173d9d685ba224ceb9fedad3201a8

SHA1
653bf38315cb059ce166ab35eaab6572a76c7cef

SHA256
0750113c7c4841300b086faa2d1a6568f0cbee0b95e613730e4b439a6d663616

SHA512
8e69108fde4806700a1ed5e902d01e388642777211842f89d7d229abbd4dd406b5d376c7b402ad99ad75fabb5acb81b5497ca730e6299c2d174a2b97238a4b61

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3330889770fa258c60b34f4a44b0fdff

SHA1
0215894367f8954314104be22e163de0435c9791

SHA256
46e3ce6ac7627e42f68a89bfb6324a9c92056e63ca5da43f06f33dc9be596821

SHA512
f9717c1243b9a0ee086f04e063fe23df91c478c0902a3e18b5cfd371a0e68c687b304a81a00910270003909d5b45f8ee4d0f822cf1c4fa93deb443aa437f7aad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
87d8bf86be8b27c093b06b2b92b35968

SHA1
55d405f3a2b96a3ca73488f281c53788006a86cd

SHA256
c661c713ffbd71c852b99b05c5ae388c1b576c2aab9340c63ef3abbfcd2ee887

SHA512
91b1a50da7e88b864bfc684f874d9aa0c6ec5cea3c9e7321d85c48c161ccbf51c517133d48521a2b4f9c15be24fb791c8277a640cf01cbb70a449f09f3e3c449

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
02cebc7161dc68c7dcdd54407bc4c730

SHA1
a3e367dc3fbae69a702b402259696eba8a8251c1

SHA256
35b561759c5dc929f0394ce20c7cce98335fc421836bf6935806e5c9cfa63062

SHA512
29ed0f62c491ff33cfc7816eb46cd2da837ec37e85f33cfc7a4eddf7cfdf447629b0fee0a79a8a456d40498d9940acb825d1abe13682b919d298548cd4cd39ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2658d01bc47213d9a18996b46a2c7879

SHA1
3a8db47b57bd90549b6a28d2fa33ec2c093a71b5

SHA256
c3862caa04172f75812bd6c5b2a16dc094bd425dc7637442065ef94ad077a4f3

SHA512
53e378c1fd871eb92aff4ee6ad01298ec7a1c1147de6212518cd4ed1f382caed87cce805bd849d62b231fc6ef3d06e4fdcc3f7e6f06ba862aea3cc9a1d221263

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
63c6c6666c21ba924f88a24b941d8c70

SHA1
5599970b8806541c0d3f273a0f6a36a3fb6c146d

SHA256
134b59cd4ace4b5b7ab650e7becc21c5377c771ef33a67734a891817c0a8df5b

SHA512
4501b6d61d2820defda9e56358d14a8f59c59a2aba2fe55de1ca99ee27ec500a161dd718603419f531b0d1ce0a8b82f5425f855996bb07fdfe9fad8d35954f4c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f8260e09bbdee5a2bace8c14f4fa93e6

SHA1
5106ee6883da6edd756e0df5df621ca29bc5af8c

SHA256
6759527f816dd115223df23afffc223e89600f61137c67171a1e8b331cba1e6d

SHA512
a661f9961ff09ba7904f9bd2b9330f1d49b7b76a1dded6f4bac60bda8c8ceca5ed7fd332eb43c123014f31c5a25f66b4bfd3cb96f0cd6dad1ddce0a408391e45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6ba1b26a30e9f91d90d43dbde1b9e450

SHA1
c9761fc34ee7fa5e1d63c790ae1a580f22e73a83

SHA256
57350f499e66bdc90723f43df2d07ee9f1d3f4ae88a3f2e331b87fc89c592d00

SHA512
2fbe31c8401246036e448df312f8d1155d7350d4521cf7867e04a5d96dd6be878029c161e913ad194c510721bdbcd0aceebc91341ed41b2ac26d1fc0de62ceb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1df0ed1d6062a2bd627af5ea3f815263

SHA1
9e0200693d52c8a11ddd0e525d2684583690b547

SHA256
5f6e1eacbb28faeb0af5c6748fe82b0aa456dbc5e98b771986e9fecf9d3bafba

SHA512
22dd9bbf6b67a18020fc14b1a304d7a8521cada80be5ce380052d198658a379c6106a7af8a58f1e6261ffdf0af6eae4969d0c5a97f63aca3eac2b127aa86386e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ab333b7fd644e398e80358c74fc4ed91

SHA1
374303c782acfd9d21c12a1613a491e946a86c83

SHA256
81163b573729921fa7bd9be83c59120d6b48d9400a93e24f8a58160fafc32177

SHA512
f4354fcfdbc249ae006c095ffe5656775a3b869e7aa239bc3cef1ef71d272f6ccff7dad9e8de143d8173fe2ef538965d7bc7d6652dc039617fcd94791e35ef97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
afa363ecf038c1655f922b158613af08

SHA1
ecb6bad1021193b1b46eb25920feea29698f6e1a

SHA256
c9bcd10739e04452216dd1ba7eeca637d26227ee5fce914020b8765b27e80569

SHA512
f5bf54abd391ecea75e33aadad4faec57654364bff85ad31527be6961865b803c9c32418674192c600f5d7d1a1ddab9d8c05b448887cbfe03c3d467d025b2a73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
5acea25eb64a1abeb1c2145dd480862e

SHA1
60cf9b62fb562240107933bf68f2b8468fb1e63b

SHA256
d5d9f58461e8488b701afa77b6bcbc5a822187f3a41ab6fbe3028fcea9b86f3c

SHA512
28f77fb4271db81705a9e0ba5773df37be250a9d1156350e1df74a3c77e04d6757877651ab98bbda9d6c75feec8fea3ffd70d39ecccf6aa00ca34f860ee536e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
dd647b806e453592d5cf4321531d564c

SHA1
9487ca8cf9e8c7a9347d767636481b1b269d320d

SHA256
e0d0d33f0904d6d284f6676c504de01160ed975aa17811a08614a0647e9f8735

SHA512
59616b1e167371dc3e9da30a113d6db27696038dab0917f42c1e8f96bc59a70fe7b7048d784c6fd02f5d69e9be1fcaee35ed2b03c2a73b2aa33f617a5d78555b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
377443567777337aae1514c9648c9a42

SHA1
7a33f5ac99b8f0a83244b147a8d8155b286392af

SHA256
60c74a74eccac71ebb4c91f9e07f05917a1a431f00d9c2ec1ec9e2b168b5e6e5

SHA512
cd31e1a771c9eba153bcae6a5d9d69b6dda98701a95247dd0eed0abe7a8bbd65754f8a0022b7750b2eaa0399af1703624e58aacdde1927e1cc61c9c7254ae5c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8aaaaa9703248303789207f71dbc1aef

SHA1
3017a58cc37059acbb1b3c64edd478a3378b3a1f

SHA256
d0c9032d37647be4bb3472bd048c0063900600fc4ed167d11aa3a2f045fc0f4b

SHA512
f39582cf126b923f79d33eafb978cd0d85db7672571a9e2fb0efcd7405f7acede49277af12155fdfed3dc56023cb27449d683721b3239e79dc2c33a029e48ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
07f38cb0a42e367c0b49430b24d21d66

SHA1
2170a4b4ed2e249d5131597b7ac62c25f8efa57f

SHA256
042165d57aa5d082c80e782b9cecfbcc26c9b0dfc6312fbd72d6343d1c18290e

SHA512
740f4c8177a365075dacf133e0a81c85933dd29fabef40281fb920ff1f566d59a8cdd9aa8b8cbda681e6b71ac50e02c7d5ecaa326888c7b3a870ea990b36e7ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7693e7d078ba221f5c28793486254bdb

SHA1
05f1a4dbf7cbd81383986f99d916b7d4f596931b

SHA256
87ae7821962938bf1b8360d593854c317b50c27024c5f77d47693cc376e0a64f

SHA512
49b7944c92b13f1583f1e21740657c1b31ca13469e05f6892b4c5c58ea2485c37f00226e0a25ffd01ea40c55bab185d2e66ed16cff04de6829986ddbba6bef02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7d6f7d1797af309ce5c39978ac14befe

SHA1
76d18704a97e50b37acf6afc449507b24e31d100

SHA256
408f3a81e400eb2834188222dcc34e590fcd5f56276cbbdef93b61060c53149b

SHA512
d0da8aa7a1b4700de9aa13e98bc622d3fbe898344a3aabe68abae869f914e2ba91507e5f86fa7adcb18248643d5548a9a405bfe4f620afc38dfd212c2971e813

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6d7dafb8cb6e8d9f37418fb1c61336e7

SHA1
ae505732988e80ebbf4f4006bd81494be3a9aa0c

SHA256
79975a990f3577c8dcdb928767eb87c5624b917659cbcf10a12da8466382b786

SHA512
67adfdd4f6862799ddb0f3057d1acc45b22ffbee55f6a7f4deb8326574e064023ac97f9a7e6821cfdee8eab37be55df2af0a226b56634c47df59181ab517d8df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
d50b421d5978c950f237cc5b15f4fffc

SHA1
7b105bf5033afc40818628abc437eb56e1ec8ba2

SHA256
2bc8320ef468e09d1ab39ab6eec7673cd91513bb28794d2bb99399977583c502

SHA512
eccafdee8a36028d1345e7a68e668cb9af6e3112775f0a29a7113a450b804b471c44f456a7efae3201998c48a97974cb03a66840d0430f6e7519d5fc8e772955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
45836c46b1727a52034a30f0ed3aa8a2

SHA1
12c18e8c9179ac718c1780e902e6dedce85d3914

SHA256
355d93a7a21b9bf6deb2044bb647230463a718f9a3ab12ff2a74e22ea46f05fe

SHA512
ae7aabf03e4fdd7b43725d0ae41274b060852516482f0e0777b0414b49d41e3cd7f4c4ed451758699ffb9905cad54f2c185fe1f962e94622792d8a9deb531913

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
502b7092801805898ca9c40ad386ae70

SHA1
4265b7a15bedccd1adbeb527fb98609cb530768f

SHA256
df4e1542c3ddbf077cbc97e03752763a9db9b85a585cc89bfd18300fd5307b4a

SHA512
3e271709f8bb36d174f8d1f3096c6fb93763dfaea031dbde5971ab946e6cbf9aac523abfe9bf598c77d049bff273ab5d660c4fd4b76dd96c300d4ccf97410c1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
eff76fde8cae856c7d6a2b1e8cfb3516

SHA1
74090295f91606ba441bf6ba677abd957f8521da

SHA256
d54e37ecd1196522a808ea35dc523bc7f59222802b4978738942f610cb1c5a50

SHA512
5b1cea2712e35a24e4234ea1cfbdbe715f86ce7ee0bf46643e2ce31f00339b9b747c460730cc525578fa488697b80f9813e0d394bbb31ef2563241dadae60acc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5f110f2e59e0729c8fce76a2a7fb1628

SHA1
b7ecc62519492d0756a76660555397aba1f3a00f

SHA256
e937081c294fee78032b112f0438813bdb669c4a76fda43c3f6c072221fa799a

SHA512
e201e3d54f40a75f3d6bcea17bf8dd678035c94415d851758851912119e77e80681f6276d88ceab35729e5a4c75e68afc5b5e0a1be1a3a231920bfc2271ba93d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
1b6d6150c1b3fa707559d83cde7c201c

SHA1
eb8da8ef77323346db394d74cb339f8eaa1b8702

SHA256
8d2fa6f08580031917de3f5fb6d1a8314bd0896a71b581752d1559f2e3d6d0f5

SHA512
ec90de4898f01dd16174d26101995b4147a4678223801e4617d35df140f9c90271c36efa60409efb87c6e29b0aaf27c3bfa3484cc49efe1c5e263b8ca8181902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
5e8d024b65804adcbfd09d16f6bcf2ef

SHA1
4a970af03a3e63e93e0bc60ffa6c66b535d94b6f

SHA256
ea15ed4c8d60914531013bac5ae8c2e8b96e0e48f571c177471ef1e5820f6cc2

SHA512
d6fab2dfd728c711da74e04ded8e094ef28e79bb4237696b283760df34f28da1cb42b24431809b6823f53cf676d43925883ded894d391ab2d55c84c25690cb86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
75e857738fc9e849db2be4df24a16ed2

SHA1
ed3bfe9ff68ae4c3401529f2749b83657f484f01

SHA256
ab8c1c57757d47d412f4f99c6ff5142be195c0539bef938b97e3c5356613cda2

SHA512
e920aec37380b083518fa578e3dba0424f47a1e6f60d37bbe863f59886cdeae3d0da9dca165020da3b059433454ae5c4544a5166401fd4121d50b27f8956e0f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
750c398c1b54f24418352168c81b9803

SHA1
6190428ac2bfa96f8fc8cab29ce8fb802e180915

SHA256
2b5c4adae751f8572ba006733a05c3e27507db8553070a55d5facb2bc85e8493

SHA512
b80a81a544c7bcf0e68d93a0701eaacd06446e212130bb7a6439782a19c1190a18ed9460cad9e068bfcf7c62d221f43e2ed1081e74c322403c92ee41715b508d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
2a9fb230a965e3bbdc6439fabf0d1f67

SHA1
fe5eba7a93178300e83b020a2e32f31d5ea48a5d

SHA256
8c7e19c5919a47a7ef2c9eb0fe23f2ae41a97c0d39a9aee4265ba1ab2160b03a

SHA512
451c7d52b0328e9d7c39306de4623f45211fc4b0a74fa17efa3bd7d65e4e4132d4c1f9763dc9d550bb051f18c8d78c497ba401714dbe4946fa29e5262065f21d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
77ab1a0a4a02ca4cefe013024d07f809

SHA1
b3718a10da82f896b56b264c2c7d92305e59c3e3

SHA256
86d0d600a5260f494e494bad196cd3a910054018fab836609365716d44b23455

SHA512
6aae800e32ec02379c018479e0786e1d61541a6038289d6751e947ac85efb9182bdf00d1ad63d58f8201f013da1800f979f40ca62cd34b49a74abd073b45cc05

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fb792f063e255e853238c026bbbab683

SHA1
394cbfc1fd4a950ba38520645a0ff1780f3f95e4

SHA256
c1d217e3a35bf2f2f5ea9c409cfe50b899cf46c147d58f043cbfd857308048bc

SHA512
7e080c6a7b04f07baf3428a15d3c4a165bfb32acef6f15890f828eb29affbffb633666eb49fc794566010a6710d0f941679111575e765de17c06bb55df2ba2d6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
cc457d93c0617fd8b6e5d557ab30b817

SHA1
e4dd942d7617046b8ed95d3825668aba925a5a21

SHA256
caa1b3337204abf5777f57398538b36ef19cf484e0456bfcfe1128c80f19a72e

SHA512
82a72cfcfc2ef05451b0cd2620803f855588acec78a49c5e83b587c0cd62d8b2723a6569d5670d3bb080579bd10cad4f0040efe8fc9da3227f67aa172efdb262

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
71a261c8e02505b2fe69d15494c6b505

SHA1
e7503a69250e0791bd19b68c2b059b6aec37acf1

SHA256
cd022779db68b89ccb44e609ca5ce350fa64823ea4ea8eacf3fbce2c57cc8c38

SHA512
19ab1f9bd50d2bda2793d8a8071c23edb1f3220f5afd93cecac5c73ca0d12beeebac979e2b8fc52602e8c76eacc43de217d7b24aa1954baafd35310ac34f330a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fb2b1f00fff13286a34d68420de70d43

SHA1
74483757a190b14dc3828860cfed33ef3644544a

SHA256
cd41b68071fedbbfe9e8341e8a81c360632ba66552b4f109b69dbb86707b55be

SHA512
fec2b2d3aa2efe0c4d9629756cffda54a5c2b40a857f80a01cd6fd44c8717bc406b2383ecbde089660876fb4fdbf1f5d3796fc9696eba5b42758a2fcbb59dc16

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5a6ba29cf8a7df84e1fde88c376bddc6

SHA1
00940ab53626f20c44df866acbf1bcd87d3c83b8

SHA256
e7505c07d2e4bc0b2be264f1ae10b95ed1d028711e9894125f7829e71243aae1

SHA512
f048b47b5c7fcdaa64e739047f19c5c9c940c2b26d4eb3271fdd770ff967691f59fe40a93514e93c954cb789a462dfb27c9d10ea91cc91bfccc10a3cc99575e7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b615980ea14752daa7a7800b7bc08d1f

SHA1
2a17b4c0d54f91ae648700413502ae3223550e53

SHA256
90328d628c72f6bbac3a87da64f86d898a5d40f19176aaabdaf8d7d399838a4f

SHA512
48561b3a0a48fd69a173dffb121004cf51cc2d328d38e871e8ec498303215ce79530e52b5c5fa77ee7284f19cba986031b8bac1aba20857bfcc8a0ebf232e277

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
49d7981b787f443d31cc0f0ba62ad5b8

SHA1
c24df5a2d2c6fe8004d3c351a273e517ce8ff6bd

SHA256
d3b5919ef5cefcce3d066c504c81da5a9b11456689edd7677a912f7cd4bb3299

SHA512
59fc7891430302066d69dcd19002bfe4fffde2aaf56502514ada7e6c5693e8beb4b7547375a0b9b904ba8230959a40b7c9708d44f3bdc9ac0b920e0709b9aea7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5cde7397ddb13a2803d6bdeb58b5ba8a

SHA1
4c0f2043850ddeb0a5a0e1ca82bb0534230ea053

SHA256
ca52f5e76d179b811fd181e8e8782bdea0b01c7780ea0790a7cdaa0278b18176

SHA512
ff59311716990c674a4c1c57877ce12c390842dd628bcd7688352009e97d515278c8bd6ed382718d23b20a8a098ed2a81cb034376a403658e126fd58925a776f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
65efe9456579ff72365376c3ac4f6d0e

SHA1
9e0d6203f2267ba996027590a48852bcd1fda19f

SHA256
f2ca8dbf7562ad60ceaa936bb126e843551c5b66f70e70d1c55185fd1252c7fb

SHA512
5c39be2a5975dcdfeead9dd033aa4b67da5cf529aa8074d2b6ea9cee9f6091ab5538c87b80596c1da0e3b5b4ee4d1cd545e79818ade65a697ce582f00b4c0c6d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5931b8820203cd5cc7281e0d00821bb7

SHA1
27f54faf1634fa56cc7cf8f6118ec301a72607ff

SHA256
a17654bedc8b3842d67fcd36ccd56ff275fc141cfe7e6b74bd7b185fbdc6c4f2

SHA512
20780a1037daaaed6627cb9db3541761aa36b6ba6446a5a7a95cded682a6a68991738154a21b1bf8f947f1ac247ebabb432dacbf91c60189e8c1a637f73d2eb4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4ca91502d072f25c712c20bb4a3295f1

SHA1
8050c43be7eb3d407356d927387f773c2334a3fb

SHA256
1ff414c96816c0c18c09867482873687037b676e207add283c969f56b86d5b73

SHA512
673e8a7aee560c5d97fd87f9dc8abf297ba9d3fbfc9327b4fbb7b0c75ff33cb3f47de16d83fef5b1e04ddbfab054b56772de5ac63ae193274f65e8923f1c2234

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2ce1fbd1404f9b32708fbb98c98c0b3c

SHA1
91e727a9c6d113903cabd5483cd3d29e110fceda

SHA256
5b388caa4291eaff6802977015483b9118125f39eaeb5261aecd7644bf45a8e9

SHA512
a47bb354009c48a00e2ada1ff2e1b6a77a0e120ce955ed6e2cb16d9061a11ec87253870db254c343d2b90e05ea9dc98e1555ddbb247225f98a40dab64e1a3ea6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
06d9c95199c666819a97b22b180a082d

SHA1
90249d7ccd0bfe971f9b541c3ef14605dd67d810

SHA256
908d8bd7c6bd1d5626d5a83e67cea3d6d68f91e237e945b022bf4992a892fb82

SHA512
22eb9fe698ca6ef994da8264bc3e4a7c80ec8806e14969d8a00113a049569aefa2cc3568c1a75e39018a4a5d7c443042dac1ded77762a34db37b4ca8b85b058f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8ec8ad72fe1735ccac64aaa56182a108

SHA1
2b275c0555a0d7704fc264016cb8e83ca0e022ab

SHA256
aad1dabcd2ee3564a2c4ce56f8d95d6bb24c33a746bbce8a6cef112004ab7722

SHA512
0c6202abb0393faf6b73207d75f5231146b8ace13393f031bbb71097225b60f94761f3a871129cce6bc6f5696748ec6227de7a7fa7edb8af5e013f757a1e5d71

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9ae738313663647586cc1812d6ae6bfa

SHA1
b71c2daff55a8eb205b3c7420a6a17f43c0e780e

SHA256
915c6f47fdf026cacfb645d753bdc3eabae2b0ada7c2578171c5966694cc4aaf

SHA512
39404c8c8232b3947c307c4a8e34a53e998b53077a4c45debf64890eb7d746f49725e52f1093fe8f720e1cb854e1367d953f8e298d5fa4d26d4b53831f27a034

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0540f39b82d7cba536f2c2940e69f6f7

SHA1
4ae4363249485b952a909a40ceffd199142c1a2c

SHA256
8744d1607417c783b52afe322a052acabda8a96202dfd89d55aa578ec83fd316

SHA512
a589d914be09da131c021291e50d0af09dc0add201b96d881304ed6bb365f9fe40b4b6fb7b146c72e12ab28ad4be6429adb473dff3942bc248e66aef7af33c1e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
64ea73ccac331e9faa6af5c35a4041c6

SHA1
966f78bbaf082dacfa13b2b0166449cd7dd94625

SHA256
4f2827ac8996754bbe6f205585e7be5d3ee26e6de33ecb2b21905a592493ea60

SHA512
66f37024b791cb4754acfe6856ad05b0a17973b78781d7aa367cb5e1c89332722f420263c9a01047ff0bbbc0c0af4dbf96ae55ff3c2fe8d333af2a313daadb1a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4755d44a01e98a5c24682f31208aa877

SHA1
9b237e63cecdc359abbc84b3b182f8e7a4875611

SHA256
4b4b715fc3361984d59a7b4bc7b17cd6651b1cbd1ba36010aa0eca6f6a7052ab

SHA512
f7cdef221ea9d2bf0a79fd2e894886af5486a23bd41131790a667eb7bb84434947c7534b1b78fe838f0cf2548e4da58d978c31567223fba649e69534dc6c1649

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a9712f20ff32701641ced4b481118ded

SHA1
82e6eac9406b812aaa4326116fbdd545af961fa2

SHA256
249a42ec9576c918954fc00e4b515ae9afe223eabf6a1f7cf4b4b8d454b9ce9d

SHA512
33f39844a6572094d4c5593514b44752a43bc93cb1a4cc43dbefeb3d6f012ae8c2556cda6be42a5f809f99197372794367616d88595b547d4ba1a5cf4e7c276d

Download Submit
memory/212-451-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/212-440-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/524-274-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/524-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/524-264-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/524-256-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/524-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/976-367-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/976-356-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/976-426-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1100-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1100-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1100-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1100-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1100-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1240-366-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1240-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1408-423-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1408-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1560-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1560-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1560-67-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1560-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1604-12-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1604-13-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1604-7-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1604-8-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1604-0-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1604-1-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1608-410-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1608-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1952-297-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1952-352-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1952-287-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2008-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2008-342-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2008-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2008-279-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2076-303-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2076-370-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2076-313-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2732-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2732-436-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2768-312-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2768-251-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2768-245-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2768-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3612-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3612-391-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3612-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3612-398-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4020-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4020-325-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4020-383-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4200-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4200-228-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4200-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4200-23-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4200-15-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4308-463-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/4308-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4488-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4488-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4488-353-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4668-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4668-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4668-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4668-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4668-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4812-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4812-340-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4812-400-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4940-449-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4940-378-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4940-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4940-439-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4988-29-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4988-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4988-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4988-36-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download