cf9c0914f269287690cf51d0e1793c5bccad13d6ce2d7b0e7c14bd68a83b06e3

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_78a260fbd8f2df205f66750cc16810c3_cobalt-strike_ryuk.exe
Size

781KB
MD5

78a260fbd8f2df205f66750cc16810c3
SHA1

e255136abc7aafc20592e23c906d46538107c317
SHA256

cf9c0914f269287690cf51d0e1793c5bccad13d6ce2d7b0e7c14bd68a83b06e3
SHA512

1bfb460b9b0b7d915f728f1354cedc0f69bdceb0cfcddc51a49d1807e36f97a7890d23179d863075d1503555dc0295702e825c3fd1cd9a09fdd7be76a975e231
SSDEEP

24576:BPsJcuiL6LaRFdGJm0Q3WKVSwdr13Ek0VA:Bwcuy6KFdi2Ga9x3Ek0V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4580	alg.exe
5032	elevation_service.exe
3136	elevation_service.exe
3168	maintenanceservice.exe
3944	OSE.EXE
2628	DiagnosticsHub.StandardCollector.Service.exe
4148	fxssvc.exe
4676	msdtc.exe
1736	PerceptionSimulationService.exe
4136	perfhost.exe
3536	locator.exe
2084	SensorDataService.exe
1624	snmptrap.exe
3000	spectrum.exe
3900	ssh-agent.exe
1320	TieringEngineService.exe
1476	AgentService.exe
4896	vds.exe
4316	vssvc.exe
2252	wbengine.exe
2108	WmiApSrv.exe
408	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_78a260fbd8f2df205f66750cc16810c3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\849fb509102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005aac38f6d494da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d77e0f5d494da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5a3f2f6d494da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec2b1bf7d494da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bf200f7d494da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1c656f7d494da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e93280f6d494da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad232ff6d494da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5032	elevation_service.exe
5032	elevation_service.exe
5032	elevation_service.exe
5032	elevation_service.exe
5032	elevation_service.exe
5032	elevation_service.exe
5032	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1384	2024-04-22_78a260fbd8f2df205f66750cc16810c3_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4580	alg.exe
Token: SeDebugPrivilege	4580	alg.exe
Token: SeDebugPrivilege	4580	alg.exe
Token: SeTakeOwnershipPrivilege	5032	elevation_service.exe
Token: SeAuditPrivilege	4148	fxssvc.exe
Token: SeRestorePrivilege	1320	TieringEngineService.exe
Token: SeManageVolumePrivilege	1320	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1476	AgentService.exe
Token: SeBackupPrivilege	4316	vssvc.exe
Token: SeRestorePrivilege	4316	vssvc.exe
Token: SeAuditPrivilege	4316	vssvc.exe
Token: SeBackupPrivilege	2252	wbengine.exe
Token: SeRestorePrivilege	2252	wbengine.exe
Token: SeSecurityPrivilege	2252	wbengine.exe
Token: 33	408	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	408	SearchIndexer.exe
Token: SeDebugPrivilege	5032	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3968	408	SearchIndexer.exe	130
PID 408 wrote to memory of 3968	408	SearchIndexer.exe	130
PID 408 wrote to memory of 2572	408	SearchIndexer.exe	131
PID 408 wrote to memory of 2572	408	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_78a260fbd8f2df205f66750cc16810c3_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_78a260fbd8f2df205f66750cc16810c3_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3136

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3168

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4676

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2084

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3968
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
aa2ce5b63f26ce8788653ad9faf774ac

SHA1
88b72d9eb0ee2235543b0abe3823e0fe7ec2c8e2

SHA256
87484020095701153312de21b890fe502187b40ad26e4aeee065262768d5e58d

SHA512
f10adaa9a786c3926bbba577295ee6dc5991479389909044acc2b4e20db07b8156dbb2a80ca27ce80039e045659257b742a236dc346dfb58e4d71a592b36a43e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
44198f0c16bc6d0ab2801b9a37b2883c

SHA1
ea4b90e7657845e3576342fb42f6f2417371c9ff

SHA256
b32e9460ed2e276edccadc3dd5a379e49566e951b3bf95b9e37759652826639e

SHA512
1ece387e11bbca167b5b14cc1aaf60e9011719f560b1cea356f26d550f9d4fe30163751b90748e9d083b5c8598fe27eaa9dcf1b589401baf3856434e812219fc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
01a8597944ffcdcee16be0b968652b45

SHA1
6dded01283a0d346ffa29bbf5fc2933c878df251

SHA256
b53a5ae055b2bd24ce3ba80fc3aa9afea0f9f4b356481d37322e695c08d7fc34

SHA512
06e87475e4bfe12fbfb0a73f0b377c3918ffc7f111ee026e3fad71a51e000e20f1aea5a3413fd408d16dda49ba8ccc0b3ba9210ee06f47c9fd1655aa63538c56

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
73ace0263998dc7371beceb2aa3e06cd

SHA1
f05fd9a11781c8e29b03095ba63a3cba782b1138

SHA256
a9e51b8df1bbfa74a77e2841ee9563d056d9c18050234d58a3467247e4fbbc80

SHA512
f6356d4b87866bc3c8ae805ca3aa4aa0e948abd15e585e498a3ab191c6a8431bc804d8a1ff7082c3cad9dc7d10aab0a5c6a27a64d8633bce35250ccd5847865c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b80c0b78abd50ffad0bb5982a5ab81bf

SHA1
78f916cfc8697e78000b84d402fa4164baa39112

SHA256
196e3150f931cdeb852f80874ebe649317a579edd7795b211a520f0943f518b5

SHA512
1e6b8d559ed75aba3cdcf39dc4ecc4dad1514af7b3c95b4ec976aff8d08af0233d33c5220afa2a5ba2d44f3252f3c598caf0cc6c23ea59b14eaa6c6e255d2c2b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dacdc5cc7418a6ff9f6c7ed162e128ac

SHA1
94b05ce24e47a87bb4f5fa6a1963f35f54065785

SHA256
fb968c90bf8b9a0878b49a699fa229d54e36d5db7c94ef07ded76e4b66cf8936

SHA512
c18a8e51a105e1b0f0c8db1441b635a25542a356b05dc913baf38a87c6c4de6b0c74ad88839c1ee0cec057ee9a3044e74a347990f5c63f2ab09f7f71d4361281

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
74c1aeab79e0439f793f6c9400946d9f

SHA1
440f14d8696ef7400ffc19f5834d84f8837c8142

SHA256
cb285ca6a9e2ab37bd8bed7161a0fff791bc96c704ba7720090295941f62ba6f

SHA512
7e97915137981c24b047144d437a7ada008b1c0d1a8a28b074c09ada2945d063f77f3099dd3ef2f015870d02754edc2479b6332185ea938d58b04c6e55ae8d44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4ce2c96a50e050543c86dbb797640c16

SHA1
60a2166360496c4bf50af26d9da2192183113ba9

SHA256
60aeb6edf33743e47c856381bc2c5d398c24e7fc4af8c05eaae19521295a26bc

SHA512
bff01582acf6a387f6f7fae32cb622836a9fd72a8a7f844d39d04c80844cbe97c25956d5ae771580712eb26809b2aa5bb7fd022ee73b8d8f137b93ca536000b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0f4e7548e6178a657d30f80610a2b452

SHA1
a0555e9df70f4b4c9ed12d11fad160230fe1ad3e

SHA256
699241b8f1f03dabeb2fce70c1ca79f9914922ad054e9dbf75bae8287272ebd0

SHA512
1c0921382de149c89fd5482b4a37967beb78c128cdb2f222e7bfb7705bd7d845d9afb1a4f821c9dcc961c934c58c28c616bcce8b32b80bec3261238c30fb0457

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a1a95f323b3473edc95759b672d23589

SHA1
01d5eb1bdf7ff00d96eb47a334804ab0db7e410d

SHA256
7cd46883f28a1d8d132b88c662955d7f91357b97b72585d05c641a44d2dd5c67

SHA512
7b3090bcd5f51e986b0b0c654a2d5964e524db07ac9fae559b30d67fe3785237a4e7411f77119e595cd7929d8e767117f9f6e445eedcf83dbf058289888a0508

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f7a4e29770639af68b6c58436e3d149b

SHA1
08b504391fc12148429b5264cc5a07ad3655300e

SHA256
98327f727533603f4043e3d4caf03f918368b323ce8056e413efa76934c7c6a9

SHA512
7386f8b73a75e56ec1bfea9de6f57541f208624a3722c147d83d9578b5325bd092ccfea05fa7a329e72b4c18c1480eb35cf41a4d73873b5c1400f013752cce98

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bfe859be865f93b2051447a8f73eb9c5

SHA1
df08331bddc6ddcadf6a3cf290d44a3117f5bb65

SHA256
e7b22baba1ed3b26530dc62ce8c8a60adb1bb704439f2dc02d2c269beeadbe17

SHA512
0b88aec5965e146412336e123a5f2c965a23364836e6b054168b9f96bf2287c631aee52159371e42b882fe376922da5eb47567497bf982eee24e0f0fc5fc2e28

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b3528dbe6f9024f66e6deda4fd9c2e05

SHA1
57167da81d74a8d4d8b917d3eb7cce9ab82e1628

SHA256
6d86d2f189a333376e67b17c58bbfc8f86eb446af9b99cf48b2af46b73476543

SHA512
dfb1ba1a8f1cf1577444be7fd1601c036f3664324e25813db827321e8332b4f19d8954f639cdc2d6818ba32ec205594ae95d6a54f71b76c571dccd239391cabf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7848577204ba22c683881d230549f485

SHA1
7183a07410223ca7796e0ae56165a5e47cde5562

SHA256
292961c3f27a4d435e63cf0410493efdf318bce3c8a7e3b6c7da33f51dda8bf3

SHA512
5a61a220df9badb1b7c4234ee5abba67deb12056dff220d2340c959ab033665c276c1911b65b74e87703ecd479e2a71cb583d851098cbec1467512c9501d9dcc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6fd993bb57a56b5cf4dd23b884d67efa

SHA1
4fd63090de178113f2ee0f511918c7c8b9045784

SHA256
3267d69d59d12b4e0039ad1e9ecb98eb151097db9199a2a9499b621559f8106a

SHA512
2e55117e5c98b016910743abcd16fd0c8a51905e38c50c17240c907c7c7e4700073411fa9b69407cea5ed297eb7605f82a640d2e39d6b2a3fa091d7493a85905

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
52833776f8dbc47d16da3b3db2d604e9

SHA1
0f21c643cebff7a1446279896040dec57756a523

SHA256
2bb4f60f9739061d4a7c96e8ebee506a072acf8d2328839c64e5d59d38551ebc

SHA512
d922844bc1d12ed78ef768c996b4e3aefbd17a7d4af11e5790915be0559e816a579a0431552c290be68af1b320269bfacd384ffee25ae0848d4dc0a74154b8c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0b6e549e2233a8b8c7b305bfd49bb000

SHA1
cee60504278faac92cedbe81ddfcc49046e22f4f

SHA256
5e731a19f931630b098d1b7bcd0ca233e0fc45c29ba1e5feca933437543b64d5

SHA512
cb54b4eb0561a868993c02705286d3607e3d3d0c53fd2afb12e23c380b269da60a7b066eb131ed39073338a1294b7d03889d8c19872d47d8b21d1c9e6aafdb51

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1fd9bfc9fb0a9f340aa9c48197fbc8dc

SHA1
e550ce139f3dced1bbe9b615bd423e50fbfd0dad

SHA256
2ef7a422930ba7a3b4aa6dabad805b614910d39cc6fe9f7853d53da1fa6691f4

SHA512
4ddffb6e1a0e2abb721127f1a6ce1f3c8a283c10008cfc89889b390de2b78d95eed9a1fdaca03199da0d329708653d262c4e479d0cfe6a28ac13369927eaffdb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4ebecbf8cf5806c8064558380ba086ce

SHA1
473647b3af704b12c45f17323f5262944061220f

SHA256
92429542a20302f03bba1ca061799718590be64a823c396befe51339140459fe

SHA512
bea50cc38cd96562703ee907e0a0b6e3992fe8fca7cd16d57579dbd800ba5e34275f96ac6da540df60522f82d20ccb61fb2f6f0077563abeb27a6e7afb3afeef

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
577f811270fa7512dffc59ee0dba5a4a

SHA1
97aa45d89639b9a29b1e10858efdfa5142e25169

SHA256
567f794b7816b7c191e15bb86f8fb06c0e623b97c50b8c3bcb44d58ac5081df7

SHA512
759e3f10aadf7bef983e3b5eb2279580dcbd0b2c2d5a069799d14d9b799d9c098ddf7d2c7aef91ca7c44891b7fd59d42754809e530fe9e18bb5cc835cb1bbdc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8697f8e12175954731d38e9bc8c80616

SHA1
b33a20afeadfbfbd79a52b3012ff152c959b08d1

SHA256
32ff9ef8ab4aeb76c2fe1a19c39c507f7b42d71016f12cb2ac1e8da1e8d0d532

SHA512
8fd711c3f44997c2cc5b7726264aec7de049f0d8b36006988a1d6ce7b2721ec2a99b92dc5a1747573f923034e6ff0d4500dd47979ebe4e3d5e13f3e3ebe7fa21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
19056c139a3296ff219ac8a036bab1b1

SHA1
7fd5f49fff79bab0b74bee8c94be9777fa3e2a1c

SHA256
99003b72995b3fdbd7cdcc5ec2e867abd2c3afbc4786feeff91708845ee2bbdb

SHA512
bd4ef670d984b3cdfed0a30efc978853b33653f6358b6dd76fba2ca2407fe1fd4b851482a6bf7ffa3e8fff11d3f982ab47d0f95d162f1a0fc9392dd37f87dbe1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b296eb6efa9709bde7b8e480a773192f

SHA1
439268737494f4e629e2d9928aecedaaac50eae2

SHA256
3728d51400885378e142e1f0627e6613a5a32c9d7b9c8a0589b89dc97193655c

SHA512
56ac809d8e8254ed82981493c7f07ce4377984a130d59fbe3755eae9b9fb965f36b5f2df67aa59b0f40502e0b81875de6e4db32430f4584e54ed03d0175e592d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
8ded598527440324291907b70a87fd38

SHA1
918fda114b547e18efeb968ecbcc43c530ee6741

SHA256
4757607d358df6bb624ef11b00958d7a4dccbd46be520692bbd91c45292f4b06

SHA512
5e4969d1d180099f30c3ca0d346c3e3110f720f156901a9ceb91cb0624c5c296c2f1528a8a911328678b0a1e0321d71b03be8b4a8530164dbfab5537c077583b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8dcfd1ddaf412dbddc0262cacca9d48a

SHA1
ff9bb13c06d3a5438a2cdacead14c658037e0ddd

SHA256
b2dcf85d4026d42aeaf79d8060a9830de8d612ae668e83c983c4fd7d1c76e358

SHA512
f204caa20a5511ea025a6bdcea86889a25af10e520c041ff43e18f023b2730f73334323c1553a42829b4c6017bb9d0eeda9ad1b07302abbb3f4c4b2ae7dbec4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
622d5eba3227249ad56f396ff93dbd31

SHA1
7bfe2481b76d6de6ca8eddf4fc2f75cbcec3f9d0

SHA256
4b3ec21faf707e2d2207793048a7a1a049f42fab72968b427aeaa9c2cc9ea8b4

SHA512
4f444d8b1c15ee23a386820c39d50d5df8649ef3c8e60124ee37b256b8c8e07b386fea68ba5075d3c37d4bde486d0a35b7290d0127bef65e1ae1154b65119c13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
be48690863b51b52abb2c1c922af8e4c

SHA1
6c7e4b7c0f8c345e1b093cb88fcd0bce0f37cfd2

SHA256
6933f729f65d63455d917c0bb2c5a1db4b56e962d86c9485152f836b87a6065f

SHA512
618b541379d790b49ea425ac0361bb141749b97b6398445daefae33252d064a9a00d538b99e3f3b7b0ecf9922837957a4b7fa00fd158742ac4d7d0b6335a3d8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
38bf7e393f5b305dbcee595515b879b5

SHA1
2f8d0ca7a2dc17ec3f3062f9a7c522f548517ef0

SHA256
64797bc41d9c460b70df612a16027fe0a4ee2c713743d127cf01e94dbc3779a2

SHA512
5e19fe95952008f08d38373b964a4a31878dc5c6186127de8f66c9fbf6bddabf9626bfa1943db835a89eec20f3cc76561c8d58c9148cbd797bd60787b2fc0915

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1171bce1466a621fb5d024fcf4ed51e4

SHA1
854d9ae2d6e21b1fcb499bdf9970b31cc42d0d05

SHA256
36b424ffe7b7c294d718eb9f01f86743547e68106861f27f3cc6f7d64af413f2

SHA512
c4fd16e9bc0c24102fffeda6dfe19c1deaeaaf955646740e2c8a9234db0c2af795c5e5314b76d33058056cab9671f12763900cbc56d2876643bf2c5b2265e8d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6237b0b99b9ff9765b497a4775824e2e

SHA1
6572db610d5a30168def3ce6cae69837928ad384

SHA256
1987da8deed72d3fabeaaec9675a664a376de06437eb7044a8ab6f34168a070f

SHA512
5ad1cee9fb8e422e2e06c559be88d361af1fe279882b7a615ae517cade025d4d36ee9cd9ad05b446b92bbdb9b8b721effb9027d1a5445384eecfe67e8dc34cd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
692d7890d1bab61349d95bea7eb5003f

SHA1
b953cd949f74428cc0a7387f407e1be444dfcad2

SHA256
a9212fce011e300a719e512a369d466f58e7c305aa5e7b9e0171d09ca4c2959f

SHA512
01f4cc3be5daad430c216200ae2fd28db81876cd18c033874a9a55a5629e348b21d2054c84e8b4bfd38f8d1d50e0bf1b2449f21973905ccaa7186d0e493ddbf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bfddf12afa7992a8a38781ec20c363b2

SHA1
0fdf1ab79ed5ad402f12e5be7f54a3670d71ee11

SHA256
e9cfaeafa5185059d361007ede5a7703354e1e43fb799093e4133e2900ef803d

SHA512
18690a3c56704ab2d35e55b0d3f63be1b254714b53c2c5706452d07450f352f3a91f6a06c182da93f9802b63400fca2e30b6a64000598f94305bffaabdd2824c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8e366f31928fe929355bc9b51fad92a5

SHA1
f072fabe54ae81cc373dc9ef056bd522e4eb3f04

SHA256
8a967b5d6398c0541b816593f1c2bf130e011796d9101b90df103f786819d96c

SHA512
04e5cf8fb391803af2227621efbe02cf7ef44eed12fb9446fde8ec1df9d9297b734a7f1409ae846f5f6fdde019c0092ce97eb9f5d503a1c17c15097d22407fba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
262325a44e5fd4e3915f01f5b12c4a6d

SHA1
efdbad7b735c59a470ba9f4783711b29edee7f62

SHA256
e84aab3d2c60ceb8f204a0639bfe3e137cac189861c0c851fea9984f3043a0df

SHA512
d78a823032302d46ffe06611876f1452ce530d2c0d5c7022a56e78f47cf9c64cacdd00d1dd3d5043e4f1a8948dfd7d4112f889ba38ed7fdc147c33950edf7810

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a27301e277a2b829fb118885fef3ef5e

SHA1
a5aeb0565a01df16da036621161cbe77f1d851f9

SHA256
dd5511f408a7890242f5c59e1545594d41a7f52d75022d6ccba81d43dd6beb94

SHA512
172290fb3fa7aa51f89bfdf63572cf3db2ffa0788939c7ccc40df806f26368fdf785c16124f49ab6e52ebcc74547fdce3788234a4579ef3f07395734db167dcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
db6e1d10a6da103d4372fade941e947d

SHA1
3ad5a803c72f4c00abfca3a398b8efa25fbe0fa2

SHA256
d764d57733e3f8ed5dd6b73f8f6cf2f7f9820d8d32dded6e06029c4e0c652272

SHA512
ccdb54af6b4d4dcd9453a7ebd466f264e0393e23d8d6ec3f8a8bd9e55b5ef2f81817286f80d60379fdd315a812cee1e16e763632c3667e84d1e2e41644d6ba9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b109bf0e17d7aa5592be854850cd36f2

SHA1
cea95b744cdf7a06a473ee57c15c320445908149

SHA256
a8a19283128807d082fb7f11239c36d2c0e0d4bdea6655d201c00397720f42bf

SHA512
30849870abccd7a1d37e22eff89480df3e8c909db76bf4855bd113448d2d294a24cb9244df055553ab3952efa91318611ec203375788a492fdc59f01001035bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
03ca1d07dee102d683ecc860cc485295

SHA1
d73cb671cd43e54ca73b3af21165554abd35e1b0

SHA256
46ea6b94758c602cc6106654c99950dbc87a03f702dade28fabd743c620a2616

SHA512
97f8f6e8787708f7971a3b99844e1c582c3939d99120090a67108d61ccadb2fc53f86c66232339e819f9776897974e9dd087be66124c9b3d7d650aca6c7abf92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6b539d3173fa11aee74e9294d1723ad1

SHA1
f1a77c64e1d4e6ed5e0a236d5562481a1db3cf18

SHA256
ce03b3143466120fd5895c5fc87f1106be21722448b7f3179a2f6d997dae3802

SHA512
21a73bf468002a8fc82ba6cf6506207c0414cb5d119d58ff1cde66b2090d97ee8d4e516a3d59637288292d842c52920862ec9bca42dd339c957cbd9cc0571042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
b66aa79ae0554954b2b47b751dd4a03a

SHA1
478fb9b5aa0ac9005e3563786aafe2187947f271

SHA256
1a14e5cfffe59fe227d7350818086bd0ddf6b3eaa437406eda4f883e204bed1a

SHA512
7c5f5c0c685dd15d5fe8d62099506fcecdd1c57392ff57ffdf5a3d2e70178ea0c5ce83313930c21713147e947ec91c8a471a6c22439dc81f1bc1f2aca8d4db4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
206a88789532fb7700456de5d9793a0f

SHA1
39e4da1807f0d832151a1d9c0f6e5236c41ef661

SHA256
00a750cdb3806aaa0293c4b9d1334d7f78f14b9e6cdded941e8b5783f44b2e12

SHA512
51889c1866c1f427ac6c89dbb891d5c16d973cf099d0dc06827da71f9b8ab71b6e910b743281e57a5d40ec02c440b4481b8b36773113f6891cbef4c2f238a7f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
456b8452f097ccdc10c3cfef6faf1ed2

SHA1
e0d517e5805b51c5e35757f4d28caa481d852ab2

SHA256
e81a953b82dd23707e1ba815aca5d47c739c8a211251351055accc899f423638

SHA512
968074de478d4bc7258198a0d100da36225df6f13b345bb5cf699a5916cde8670d9ac4856d2e4dc31cde17b23e28268d3278369247905677a263a29423440aa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
6da7a49079366f1b01e62d7603b5a9f8

SHA1
c92da31bed3131c00029e656b26394ad671f6dba

SHA256
c2382c4770bb64d1d6922e3b5bd97a0b8afc16ac3e4a95091e13fe73ef23782a

SHA512
e15118ef5e4f059a960b9d861cffaef4acda09e9e4f2921cfa3dee09ba4f2440ac28b5627e376066b5e6175ddc3b226f893f509fb5e79965b5cab8067866dbbf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
25c9e7f86ae4bf806cdeae1b18f71989

SHA1
ca639828ce1f66f79b759f8e524f65e420c320a4

SHA256
e3f8740783f92f4cf8bfee68da0db8fdf39af02d34e1b9061bbfec472b476537

SHA512
a8859f5361e3309ad9dc15b4950fe4e3e782df109997a800878c083d71b7d306442122330277efe7714c9ccba4806b9001f7f6ead90eba3e3b95223e67673638

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d1060e8b522c5157bf514c849fb53b87

SHA1
da964fb92ae192973d2f7e3df3fbe3ca7bf31a4d

SHA256
ca59544ce190b3d7bc658f72b5b2bfad02747c27088e1f6f3ebfa763a16e014b

SHA512
e0ebd0868546bd3adfc13a4820ef398d3dda91f5a633f52767465f32e77dcd05fc8e9596b06044444953643b95dacfae81a86c1b30c693b2090b837d796a055f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1f44f168a32b18ea9ec2094f80365ede

SHA1
2fd0f2eaa0a6e4598419812bcdd6218114a7a07e

SHA256
fd3a4c20407b0250c64d97253cee83481245b6d2152d00e7c9808a374f78687e

SHA512
bcbfbbb021f5596afd0544724d3908f1a16d5829e946dab51c1e509e549bd47e67c017a609f3f15cf6d7cbf46f07184b5c4b0a9b00c4208730af2c9652545a4a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3e8aa4324b4ac7acc79c44f2e45ca7e4

SHA1
b90710d81df55dd48b25712484ea9c7fd886c234

SHA256
ac0528c29944031576bbb78587fb97f0e96b036300117f69838f9eb1f4f16f9f

SHA512
b62eb1ee8883236a7c581ab57f4ca9cef1a5ba9cdbfaeff08211f0ccd11b964b7f8bc163db31b5b9e3c4447ccac94e268303c46ac6b45690cef3b99ce86861e0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e4af1791f0b814501eb31e98cfde33f3

SHA1
6f3e30716baaaf83130ed187f8af96572e206ad7

SHA256
ce9405e8294338074265befda270d7881f396cd09f946013a5de6f61c63856bc

SHA512
b9906789004109b1233a084d97f3683cbf97221d0e19f566f5c69be9d684dfe0e95fc307527ed2552b998b800b03347886d80dd8452f815431b289706ed20f64

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
df3462c7775c7d331fdb0b959241233f

SHA1
1a0f489ef4c3651c7c8d2c3b7fb1435ecec1c8cc

SHA256
5f91aaf75330132b2195552a111d11ee222c6660939fe27135eeca4a9dedf54d

SHA512
8f7c623b7e20f8ddcb20151dfe215028551e26486089a0f0fb33fb78bb6be8e75c406dbb65cd8b70b4968f6ecc2772a28d97a2bd9dfccdec513d72687bde7974

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8c24dbdc6facd5c21bab88e254c45318

SHA1
8699c27e7b995a112567b0a551135750a2306848

SHA256
8e8e1e78d0a26b6aa5b5138732de0988baeb1e431919eea7f3342cb9c1aea4c1

SHA512
9da9db764a5ea32806fcd1506157f13719b86029df7f2a5ab4451e8a28e200dc476db4b72b5a5744b1c59752c148b47038bd7ac17d606bd369d24e2477074373

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e02a22091c534966e1338820afbe246e

SHA1
eb689242647a20464df687182b4f2d63e29bb7db

SHA256
e986d99b0b0ab42a3b5534d843b17ef8415e2d2061465786625d578d0357d30f

SHA512
46b1d7027130fbc0bde3d98b8f63dc6dd3caa23ee2a6e7f92a32c1a2219d5d85b223f8eeb941c53952657cc20ce0cb66dca29cc46d1f6eb07ca5397949e1652d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ac756c962c4fefe8c245e79e5c7ba580

SHA1
7fe6872734f3699c6a9473174309b7c81612af02

SHA256
1743cc8c681ccd054804ffee152ebdb98b46b945e13a62e947c74cb0a1919911

SHA512
6ba037ce0c61186e9bdd41a28b62ee1b9041cf7e45b4cea5dab6c9ba1d8adbb597f45ec7180d5a028a9fcef002aa362d9df2472ebb2396c5c94f01a78ccd546b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f1ea0302019d226d77cc8fc94924e20a

SHA1
160a25bdcd97e85ea63e551d451b8fc2f1b3806c

SHA256
9a961017121018ce0f13f153e7a4298c9de8c0ddd5c904bb4bddd771ca253d71

SHA512
bf4bc9ad926a4ddcb655e4caa54731083b7f8663c0f5310859360a8d4d97a48855372d17a4cc456daaa998c1c3c12acecf07d0c32a3962a8f4af6b811174f07d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5cd589f6ac010c54faf69837d6bca74f

SHA1
953a3e759d266178af4143f6e3dd7636498da644

SHA256
76e8a93097fe01c67a883490422b4505945d7badefdc6b4a0f1e223fb195e903

SHA512
8846be537d560aebb98ea125fe2612b07729822ff12c9327a456f3b0dfcedd8791d5641871d3090e4d03e71f78f77a8b108f9ce689ebefbf2d1f55ef9bb68cea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
22f92b107f519ef0b6b492ba3861509e

SHA1
b48b4f2ebea88a06997a632f9c2d808cf7e26c6e

SHA256
4e2486285af3067f474b28523028368c5d8b94c023c89d0028b1a8b7042ee8f8

SHA512
9cc176127d8b06c532857dfe4512339ca71ef0f1f3221836b1d3ae5c45f1aabbc8a7be6d69adb946ebd274bfddda75fbfb29a6e6362c2ba21191afda19fcb927

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
55c93ee1b99a36b2f114a3d59b0b6b68

SHA1
6dacfb3ad5f461271ac16a7c12971bde8792723d

SHA256
4fe33b6db2431839a0029016bd1dbead74949da4a717392659621ebd86b882a9

SHA512
422bfb286c17536718061513b0ef5d92ee2542c7ddadbdadd07741ed04b5aa4cfd265e96326baa065171a85a01bb1b7b83932508b95c4b81f8a612da1d17241b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c60fff4b36e52ba42b6977cd35871548

SHA1
17f3dbf65fc08f718c842cd09a1c36110bb4ddea

SHA256
15072d11b012af315033c15568af0788eb3d4418400f40340cb2341b466ba800

SHA512
8d24ea536d9ca07bbd055ce84fb407e038011523161c69f485ba5d287d1d5ec40eb9d8bf5b58c653c3a3e9836056e20204ce402433095d668397c8c037049b1e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
990b56fc9fa9746a8c4ff43d1b9426bd

SHA1
2e5dc4ef4ff656fcf159c91a0d7ec88b15a3fd45

SHA256
27ff734992b1380adb3de638846faa25f018f032f6462116a9be3962ad903f3d

SHA512
e7358262e8bb920d825337265e374cf6572b56e303acdde329d23e275a5087c2459cbe1af7846aea91821b573b240184e105eee7735f4b09191e4bfb07adb2c0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
be507a867d5063354eb02f7ec45f4ac3

SHA1
fe0d6c3dc5765e61f101e575804fd11693d10097

SHA256
e45dac2da913f4c59458a5559892fbab2496f79fbf6a37a1da58d134302005f5

SHA512
a76f0e84bc0db9653c0726d65b81b6f523bf2a1f11715da9884e6bf8b1986c9d55a1038a3e36dfffd5fd6b10619df5aedd8447b57eb32202a1a15938b521e5da

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5380f299631b3a272b025bebe37e7a40

SHA1
6753bf0931ed1a6135e7cc722cf064158d51ccb3

SHA256
451c05edaa43bec0d3624f5f0fe10386ca4c8a4780dcda5b1889e0b3f2c8c05c

SHA512
c295a65ff3326dcd24d271402f3ec624cc0d2e0c5d8f19a43e2ccdc75cd5f60a85c9654ac573b79c3e7225182f2efe3915166f449802dbdfe62fe75a4f7ff5bc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a71b2f267ecda56247f6c4b0f3598cba

SHA1
37155a3a2a71bcaf7e4522d3c80ff66201c6a416

SHA256
420f4e05fa80333ccd39dfdb961e0d7050ed6497a01bdb1a5a1d4d272b05fff5

SHA512
428b2a14485891a12e1a1b37939fb5113483adcea09fd3988c305e4c4414712c80e4846a56030a8572dff5778cb2040f6f5be684382147c1201ea14c74f1e210

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bb1c68494f3fadb00ecdd637ecfa9ab0

SHA1
39528395c616f41491a048b7f67f48f0a5c9bfa8

SHA256
d8060abedd5a634baa92b999ec6d7cd746b56da0dfecbab6da9c63ca726e0bc4

SHA512
8ef5cd3041cc988e2bc23b6904fff05f1104a04819e60932894ddd2bd4735036e43457ad4d2a3583f9db09a6651c9516a07f072d42c111e0b27bb1f5ae9a72f8

Download Submit
memory/408-452-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/408-461-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1320-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1320-438-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1320-378-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1384-10-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1384-0-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1384-12-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1384-7-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1384-1-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1476-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1476-396-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1476-397-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/1476-392-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/1624-337-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1624-399-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1624-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1736-354-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1736-295-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1736-349-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1736-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2084-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2084-324-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2084-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2108-447-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2108-439-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2252-426-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2252-434-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2572-540-0x0000024057200000-0x0000024057210000-memory.dmp

Filesize
64KB

Download
memory/2628-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2628-244-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2628-250-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2628-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3000-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3000-412-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3000-351-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3136-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3136-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3136-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3136-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3136-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3168-57-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3168-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3168-61-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3168-50-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3168-49-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3536-302-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3536-312-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3536-369-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3900-356-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3900-425-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3900-366-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3944-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3944-65-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3944-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3944-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3944-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4136-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4148-264-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4148-273-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4148-255-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4148-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4148-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4316-422-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4316-413-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4580-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4580-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4580-227-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4580-15-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4676-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4676-280-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4676-335-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4896-408-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/4896-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4896-538-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5032-26-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5032-27-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/5032-33-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/5032-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download