c81291ec8133f01f85324945132ef3d6afb810f7ded4b549eb4c04704ab0b302

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_a62bc305bdc0068323b37c9e2474eaab_cobalt-strike_ryuk.exe
Size

781KB
MD5

a62bc305bdc0068323b37c9e2474eaab
SHA1

fc2cdf5896d849741c0f366c491d9434898549a1
SHA256

c81291ec8133f01f85324945132ef3d6afb810f7ded4b549eb4c04704ab0b302
SHA512

60a950c581dc213315f845966981dd194230f04a24b0275e477e6f95a5aa6ba4c600fa98ba1b468ce1dddc0d13428529003f11df354d4fb5d4506580ac733c9a
SSDEEP

24576:HPsJcuiE/i328ab4F+rM/aXq6bJfBUam6:Hwcu3/i3da1YS6ozB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4540	alg.exe
2848	elevation_service.exe
4932	elevation_service.exe
1420	maintenanceservice.exe
4724	OSE.EXE
4224	DiagnosticsHub.StandardCollector.Service.exe
3060	fxssvc.exe
2976	msdtc.exe
4760	PerceptionSimulationService.exe
3716	perfhost.exe
5060	locator.exe
4340	SensorDataService.exe
2092	snmptrap.exe
4064	spectrum.exe
2368	ssh-agent.exe
4076	TieringEngineService.exe
2412	AgentService.exe
4324	vds.exe
640	vssvc.exe
3688	wbengine.exe
1340	WmiApSrv.exe
4856	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bd879b1a2b574d51.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-23_a62bc305bdc0068323b37c9e2474eaab_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000554bbe27b195da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4e8bb27b195da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008722d627b195da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3584d28b195da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a484d827b195da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075001829b195da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3556	2024-04-23_a62bc305bdc0068323b37c9e2474eaab_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4540	alg.exe
Token: SeDebugPrivilege	4540	alg.exe
Token: SeDebugPrivilege	4540	alg.exe
Token: SeTakeOwnershipPrivilege	2848	elevation_service.exe
Token: SeAuditPrivilege	3060	fxssvc.exe
Token: SeRestorePrivilege	4076	TieringEngineService.exe
Token: SeManageVolumePrivilege	4076	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2412	AgentService.exe
Token: SeBackupPrivilege	640	vssvc.exe
Token: SeRestorePrivilege	640	vssvc.exe
Token: SeAuditPrivilege	640	vssvc.exe
Token: SeBackupPrivilege	3688	wbengine.exe
Token: SeRestorePrivilege	3688	wbengine.exe
Token: SeSecurityPrivilege	3688	wbengine.exe
Token: 33	4856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeDebugPrivilege	2848	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 5384	4856	SearchIndexer.exe	128
PID 4856 wrote to memory of 5384	4856	SearchIndexer.exe	128
PID 4856 wrote to memory of 5408	4856	SearchIndexer.exe	129
PID 4856 wrote to memory of 5408	4856	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-23_a62bc305bdc0068323b37c9e2474eaab_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_a62bc305bdc0068323b37c9e2474eaab_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1420

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1308

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4340

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4064

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3624

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5384
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3d9a8f28211c67e445dac558a499db91

SHA1
6d84080da0172d8ad851c18a1f3526ff6e6ed1c3

SHA256
e3988638222b0813de11ddcb2d35e748905afccdaa3385737a6d37d09f9a5408

SHA512
77e39e9ac35761c2c054940dec50e7ee0bfce0e726fe90de0d19791704660c6e81c13b4cbb5589b80a09edfe25dd8123238d85710df6c1223662dd89020e2d09

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2c8fdc49ba87edc234d3e5031a0636cf

SHA1
018fbc3386cda235e3afcedac9710f2acb0dc23d

SHA256
d5bdb47d0b9035e067c8337ddd02beef83f715adc72925fdc5d24f0f39fbae54

SHA512
48ff39979fde3d1b0f4074579771098884d327b29c21c8e5c002667da88e06a5c3314e5c4926207591789de5099c490b311dc5691b713aefa14438ae2a134961

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
81a045fb31e2c55ab3412bd4428b14ae

SHA1
c546de20a3f808a0cecf07280e6e378274562163

SHA256
90caaf99dacc48081abb4a8ea7fe9ae6566047ad3e6dde093524cc40b52011b1

SHA512
4f10a9724d00aedc3557a8cceba2a53b690c5c9cf32c492965358640b32d4e7fd05a14156901c4d819f4bb041d4f919e5e9d946d75b240205038416305386107

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9dca5ed9fd779704d27bd7816bdd98b1

SHA1
1c2b786a18b617c77770d3a7e9a23782065a9087

SHA256
2f4bd9ab9d2059fa1b04f621de3fad23fa60d6a11dee4a7644b24a7b8bb2ba70

SHA512
fbadcdcc95cf864dee617cd335e8f32fda544f711dafc4c8eb1acfb2a343f8ea29b2c2bf16918c5287f0feff15690bd41eafe42320733e6a2f22b98c72f0870f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
92a899a7ff3e53b02a535e72925e2fda

SHA1
849daa3d3028af4836a4754f0b891d9ece176296

SHA256
a70bb1a9d1260b77fcf16a38b6f485cf97f366d75f3f6c1e4f93fb978efb45c1

SHA512
3ff8d27c4e9293d47e648040009fa2e57476f252f15cb30fa390603958bb9280b213838ae6c1b666cbb1b8c2dad979532764c000674cf6682c22e784605455ab

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
833c61579ddd6dfc35a9b215a59ed44e

SHA1
bcc6e60bacfaac1510955ce546c0ecfe2b439776

SHA256
0b0eed72c0e90e9bf56e7f7730dbe10944aef7843ad49f1608d2889caa3cad35

SHA512
e03a5449652d5324ecf08de58c83ebef0e61ec6fe0b7fd6b6a5da402eb5ccf621c147621fc631bac048c9b2488dea60b27730690c491e06da005c15ffb9d3861

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
51ba0bb0ab828d957b3248043bd5ae8c

SHA1
f68fc1ef3dc79fff578013735985bad898b01c28

SHA256
7dfbda7094fb17c441271b05c7257eff0ec768bc4a90b176d32a00d427dfb034

SHA512
bf566e5b8d2c8c3d48b289245af10117278d9700d806f3725731f8a7d8c0a0f469c51f6a93608df51c8a37210cacbc21e145fea559c2b4ad4b83d823c255ebcd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
823638416377c01faf39aeeedec5560b

SHA1
b0b7b243ba80a63e1e7447ad624c46f4810fc4db

SHA256
d3cb1e07219edf1150c170c39d3d8ab0b999d2d8a19dc9c17611d2c140613896

SHA512
771636c35fc9dac191d0076673876c220b056009d711e95369b38d99b0ced9aaad3d20650053f8b38d07e9d54763ed1dad783a46a73cbfaca25c74467a7ebc79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c5096b53c370d38886bea957a44925b5

SHA1
504e3228e6f2f54c6fde7d747e3685d9ec85582d

SHA256
5469f9b19cf7c46fa91854f0ac3ea397dc2bb4a4b597891ca22e8e2d039b6426

SHA512
1d10c9586999112d8f24462f4a5683f7807e6054bfadc542997ac66fde2c9af753d9aa00a1717022d9f14addc51d1c763887fb0eb413e7afda5c5c7fdd4d9faf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0f90d21dc3ab580c2885310d6e7bea19

SHA1
8f0973f513b3521ff4effdfb0fac75104d780365

SHA256
eb1d38737b5d9f6599d09f53735a9106196fae9439c70824a46125216eeae1fb

SHA512
1af9a17d8b83b65a25b373db9911078e86aa47ca347a781ab290ea508a9fdfbd1b9c3bb7943a3734b87d3ac2a1ae253be62f64d8d71bb8d7541aca52e63d5c99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d0d301dd5630f190374732be7a3a0a50

SHA1
26631f683eb373bc50eab823ac88670e7a27c7f0

SHA256
d1eb90a5ef53aed15e6dbb72a4c01c02228a20600f5d3cfe87397a27539bfefb

SHA512
7d8ff30864e0de9a0f184980b864b47ac44fd19c1ead16111704e5f94e1530b12cbc31795a406c9c8e9437a87c70189435b725b38d78b4404c670ac88e952ce5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1f832ea52f157d530f20859313b6ddfa

SHA1
9910bc34d8257705793f183246aaf59ae6a8f36f

SHA256
9d4d15051f14ec1453ae18356a6a78f28d5654130c647fe072c693525cf85120

SHA512
b3e7636dc9276ea85a0565e37f37cbf2f0a0bd882e01919a75be0771561d519d12ec85aae89787d60303d5a521bce41b24aea99b08910a0cec4ed8c21379d746

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fa502ad89699d362555b1014069493da

SHA1
0ea57918384c6bbb1b1ecee67692f1f21b6891f7

SHA256
f6c0c3e26910d031d43231f1ffa1d0a2a7ff4ca7ed0d71b0217869f7e249ae0b

SHA512
fbe71d7ef584a376751194539bd8dbf9935428ce1c237a76fcd0f82fa42fda24b016c15129f26a378871b79aceb40e3e6efa0e06dad026ce923a0fdd22cb7368

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
64e18bfbd9c2f95419ab7570ed6c22f5

SHA1
674867d0c36a8ae01083f6ea261ed73d9d38f2fb

SHA256
37bdef0fa0bd1e2ed7863c3d6ba3d79d74f528d29e018f002d51fdc583bd95ca

SHA512
5ccdc2284acb2eb9a050ab18edd75c447525d96b123893143c39f94423f4eb2b79dc0c2ebf5633b7b8feb12dbcf987f6159c87e0ab6505fcc2e6a9fd810b205b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
32876ec1bcdc84ce1b8d784e1dd30cc0

SHA1
2cbd9fc16aadcd3e4a60746eb85e7b542e68c27d

SHA256
5c38dc75c797042e16c01e5747c39070a62af71540b9641bb63f2456c4b3a86d

SHA512
eaa0f148c17817e986ee55b3f5beee6c9288cb17293be1bdd4c40a1a4f42209e25a9abc10355884455592380f90336e01093a01bedbc9c9708bacc9f1d08e098

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
670ae66d5bfa17032e12dfc3d0a82a40

SHA1
58c79e06afeff1b5e550c5cce1a992b401192ad4

SHA256
b4b777ba1683ac8ff9dc9622acbfbb9cbc4bdb875a1e89d2e364b67d8d87e803

SHA512
04a8ed794e3b959c14f1e317204d2bfbdd57854675e15e00c91b83aa952bcc099bf3e5d9a605e9ca3c0a9040296924e8f855bc5c2700a55d355ae1e82c26123b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7e6e016d1305ed34b90a71cef7abcffd

SHA1
25af9829b2e7c845c07fdd88d4d0de36bcbdb244

SHA256
c3cba3ec3ed9a1dfdd8ce2f40e68db0a23131b569bd7e7383bb539a2c263db2e

SHA512
88fd822a73347d4b1ed98cca6107aeaf1d99c6dd09a4954e94ec08396dd000d86920448b1120c834512b63351912beee72a487e0578a02bbf0a91f42dcbd5ed7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
95529e5a816bad09a853b4d45fa06582

SHA1
5e9295c611ea269798d3d24cff585fe47ba7d91c

SHA256
cb72e052002c2ff6bb6b01f8f62fbc8d34678adb59bce21f63811ceb411539d9

SHA512
c6c3eda59f28efab2ede8d5b28d3056e3b60f626419dc36918dd904f6e79ea29071c95ad2ac1f64968783a6760076fa969eb1885a62a0fea95bce7e0b67cd2da

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
44d8b4388dc5350314991b95d7cc1e43

SHA1
3412dcfe98add3642bd6ef3004e6b030065e5582

SHA256
44cf92a9669f5236c55bff7ee8e9486a83ff467ce3b2cc05a0d6fccc1b857f65

SHA512
1eae7ca56d81872bac017fc16358204b3f9dd811f3e6997b8cca6c93da5f72a1d54b6e31f030a4eb83d003eabc00b0262cf441a5dde4e3259b3a7fa4e456dd86

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d214491b2a8d8df6d9f30a3d291bd5c6

SHA1
09d4720bb46c30768c3f4b2e2287a597babc1921

SHA256
f8ae7a50850916ba41b76f2b0760754e24fe93f1e50f779aec60c903ed7185aa

SHA512
0953b969f125f3ebdaa02953be1f3c84e7ad46f7230086e0f806163a8844bfe70eb563fdf4becb5ec09df5edf21acb2926c40c7cde0418de2df03bd3a67ab803

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
73563da7ede6602d285dbb468d67ad09

SHA1
e99abba225a3c293267611a4de4fa37d0d782873

SHA256
3ff947b798c399d52d30964759e56bc2f5f73e55edc337aee922ab9289ba6dd8

SHA512
f51b17b4d53537cc7c01c167da0592f5feb71003b6d56c4623c62af5d4f63605fb073338a55cd7d4612e14a98cffd4a000666270bcdf1b789822d3ba63e223e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
018318c087c7633428095b212eac058a

SHA1
18bb7675f024363db61e363fe2a4c62477444c83

SHA256
52bfb64229844b32530ae7688e3a506eba4a1b95c81e5fc609c72bed20071e05

SHA512
559704fba4bc8e255f5db87625f4da088e424b45372c6e1b8c9598bd1a052ed24c5cde3be2f95362206b92f48d32f1c588d7cb6a6d86e9c6596bef0cd9d4741f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c350dece9af0fc9479d6863fb2442b34

SHA1
ee8a8003d5df139e393e0a097691dd07cd0626cf

SHA256
6fc3a6e0b2bb9e4addc9485680607bf75210f7fa888d3f26b0e5805ee81f7339

SHA512
3abab030a884f68877c38b58e3fbfcbad9744995a37127d646b5bda1014214bd5439fd72ab7b8b46b7185ffecd4f2ed611bbcb48fe684fef383ccc9b43be5010

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
de03b025a4e02820524c15de2f6367f2

SHA1
ca3851362e5093c5c612ae81db900a2656852bfb

SHA256
5dbb20db28a2ca4f9e62c88b946b9d227a226efc21094eefafe89d2ecacb0842

SHA512
4407918bf3cd7ee05faaa53685fcfc6fc61eda48239c2cc974893a5231385f631c924da525541d7d7fb2938f9c3dfa817d13dfd1740bdcaf8007031726df8e84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c5dcf8ae22ded1c168b239f8884c063f

SHA1
3aa001a90d099e83c2da7aec954a0556fae5dd19

SHA256
cede94b06338362325b4dc7700a15d5583e17d7ee2e3fa45eef940d6b110f0da

SHA512
d9c30ed891ed0aaf3836983784795db76f8233046799658fc28eac1dc46290903ed66ea25a2456cd85e16c558ff2b7fbe50e799a9cb4b67d697a67e0d8761425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
af548f487da0531ca29141191a6229c5

SHA1
5a8962c09d079d37e35dafcad162f2df6cac1a9e

SHA256
0476a2c3a325f6c9439e50ac4abc03b13c5e950361bd07e1d20d89c0f7ea9281

SHA512
a30306baf6df130de66cfeb4c412ed72ec9a2a100365e13c4ee1242a453abfb1fddfdc00e220db781ed165a7edceb2a710e9ab13a14e971b835b5153a6303de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
492bd909e372e9d540331869cae17c05

SHA1
39ab8170a535e69e6b51eff504005a91365000ca

SHA256
7f9c438e68edd8b9b0d3f294ba108b75a8ec09cfb2995774df47dcd0327cdbc8

SHA512
058f947db4eae5f96e38f219aa2a28f554d4370241c1b50c7e64289d09f5367d39d48cc17c66b310e39b836f788d86c203cae996c42b742355268ab5ca750aa5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a95ddb3a96564ebe1bb0eafc1c2c1fa9

SHA1
6b819579d05bc4460e44fbfe40c3e8e2b122920d

SHA256
25acbef70881ad35fd55db8af21cd8959747bccb32ba33d43102ba90ddf5bd09

SHA512
677fde079d16c96a762dafbc3e071a2269e17799123d7ce29ad6ba653d516016790e753867e20777ec0ea387c5c54ca42bf2e1f95c50e56e60e4e9e7b95a5310

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0ac82f95b03d0240357024782852a110

SHA1
00d5b55a16ac8c44d7e210ef9cd1dce7e33f183d

SHA256
959ede10f21aa71ddd147eb6138e504b2b9d2591676de73821a9cb0e6b22b940

SHA512
3eb67548796243334e9907b5ed5c3c7092fdccd5547b34014481ef6d387cc934891c7cf94466a5efb038db7a7db6afdc45b468cab9d0231f967e705685ecb870

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6f12669747273e0c7d18a6346101d57f

SHA1
169160b3a7347de0fd145c80f23c5c2659168bd3

SHA256
9ff94b81b170d98eb2bf337670733ab483bd55118afd8162ae3f4b95ec3d28f7

SHA512
e8f6f6769d2857c03d9e10aa1f8e8c76fe44a4f63fb2549edcc4c127ec3abf7db666db8cf43814857d660c2edf5d1a78a7f0e3dc007fd868e3fff2cda269b0b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d67be43f30e22185c6657fe5904edb3e

SHA1
1cdf5e6b1d025a8341d9477f1f46f947b95aa1ac

SHA256
72d338d8fd5a1a5725b483c0f9e5c962ecb58f4dec716c5b839d9f357f72af33

SHA512
187499b7e97a7604ae93adde8d8b7248df2b74710db28d2dd99190b49dd80f35624cc38ac3460b30dfa46f86bd829e0d4adbeeafa23f202348622da826d26ce0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
61411e64d8a471c20c5b30a07eee9a87

SHA1
f757511e110125781f779531a5b90cc0bf5db4d2

SHA256
0f30ee6203224492fabf64e158b07d0b285e150fe4d3f79aab2bba97dce8703f

SHA512
c8da3ac577d05dbcd023fbc4ec9a78707b008503bcce0bb166c9c6368011a298b89c557ac1357d3f3050d592456dd757ee588941a385a224858594eb3d974544

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
680d00525b90a48dbba4a375a8bfb3ae

SHA1
487dcd752280702e2ed372a62715ddb0ce84893e

SHA256
bf0908893604b5f6ebd648747c61957c5f32e096f1d2ae8206b639ba5b164e29

SHA512
07c9af5d4cc01af99671245d764ae3ed076c1c1207ed41fc6f04ce1314275d17e157ccc0b859d2110ff0436c4faf8793a325b631c500c56e8743aa2e338adf30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5947f13b423280dc16a9bb01a01cf217

SHA1
4d5abcaebc1a065395e775382753753e21750dae

SHA256
13131a854751d3f91ccdeaa0130e80319f16084b2749e0408d79d604c028686b

SHA512
dd5a995196a983078c8a8f4bdff92407ce2ae45628367458d2e7cce0aac443f9ae7cfa332a90d7a9d39f67c42ce1b9010729ba7dbc37a2836d85889f9432539c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a265bb954fef18abda638d9c849514a3

SHA1
c6a7ad786c965b4bf566e590da6a0bd224341119

SHA256
6efb41e4ff30360bcb628d0a947cfdc3eca991c089dc1fd6b897e8c3faff6b98

SHA512
df7759f6c04e80040c13c74098a197507802dbba9c4f8a419328a1805f1a070764f079fda1396a95c1f2afebf515f14d870d7368703c36dd907b99c40c79f089

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cc615198992ee4620a608c632d5336d3

SHA1
5e29c325b2f5ccc6f5a7461eb195a2b5c1cde6f2

SHA256
640b6d475106b8eeb2298a63fd33c2e5bdb7c2ad8bb86533d20c00772fdbddbc

SHA512
c532ef6708308a5a936b52f10566396c409227102c9ec8ed12fef6ce5cde8beacce3ac564f4be8d5f85c937090b1de98c0a6076cc7fb5ced1318b1927c01020a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0e03fdecc899e10fd4181accdcb65809

SHA1
cd96494d1225cf7be950d06e171d908cff7b6047

SHA256
ea90552ce8bc0907048a3b0f7cbc1a522b029b1612531259508b25f6edae1ed2

SHA512
d335ced44a2ec0f8a3ff3bf2164829d4e22c572d648af0549af46a34d9284330e04184adc6146e56ce619ec5f2630107ae9b39c1099b79eb077e436aa16f1956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
56fe9432da4098769df128ccfb554706

SHA1
2448c508744bc858773b86604a8ad50b2d1d0c12

SHA256
8685d744112008470ca6bec23aa530b8f187723459cd77051a450a3eda82caa3

SHA512
f5e191ec022d856b6e8af620f1362bdbfe7dcd6ccf8ef21c68626a9b4d9e52efdd669157df54455f233e5b046d616d4199ac3413110e80e9c201cffc3c7028ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
ce719456d7453303acfc0e077271a909

SHA1
bf1b68186de36801f1e8d2050a76510c2dac0c8c

SHA256
777e287868d9648cf9f58286141fdf28a72822895cb8d0278f542f50947be2b9

SHA512
f0b963e9a8a6ad08aa9068c6a5cd5b50fc345cc0cf2aca1804aa8f1eaeb9b41418537372cb8d43ac03fd8a56405c6c5ceffa37ea59c884888535fd33bbc85897

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
36808dff9fd87b6dc6707cf34dfc89c4

SHA1
452a801bdfb12508773b75e493696d78d553a56f

SHA256
c5e339f2ca148d388d8c237bbd28eaaec52a1b91bd27582f89e3f3e86e4b235c

SHA512
5db370e309d5fc1b1da91abe7fad5a038d8fe79172490583932eade647624c2efbae49aab8888a976892d39a86757b33f26024078f35ea2f2efa566377733a3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
42165c23ec489f34c5fff0305a801155

SHA1
0bef2344ccf829157702b33f63ff18f27ec7c17c

SHA256
8a4e57156648d368957c3437c77ff915cc53259afdd93c005243dfbefc06e2b7

SHA512
79cd682ac9bd97d215fd67c23bef1804dcd7f44a3cf443238ce4e2956480660953b1717a3c91a5ab03e849bf14fd058af51db3cb8813fbfd4d0cc33eaefb5a07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
917fddf62eadaab00d6830113e434c90

SHA1
2d369cba688b865a43182aa4fdc1613d483fbac6

SHA256
2f231594e00786fb4cca4a9755d2f30c256209d80df2ff6c5c34ff078bc95048

SHA512
6fa76f4a897aded05d2343d3e54f18306b5415e0c90911462490c0c3c445f804581a2bc26e9b875400a6495890ef5e4d484e166b2e4070d19dae9d6881106aa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
f84ed33fd518fdf1cd30a1cd6d5d0e47

SHA1
f13cce9a615c04b6250ee065b43070321b54d973

SHA256
5dffd4f4fe6e2a9fda7566a704810c1ec6ece652e5e6a47d41f54be19c3591c2

SHA512
16654f8f195fbb0a353426aa8a9c5a4f7953755d583fb6b04636baeb4e2f82317170c6d314999daf94c4effba8d97ef820b8d526aa99e82aadd045864e02861e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f65ef7bf52a1b134e5a1d5e96d7764ec

SHA1
771da665c3de382d6de83569be1cc12772cb375e

SHA256
c641b1eb29468c48ad8db4e23d437edc4dabc7cba7a41f070bf888a351b06268

SHA512
e0f0caf06c6b73e2bb222a3cb1e6f6e98256a5a34422a28a61ea9560ec0ac0a8129a46b8e17f8ab331359b58c61c5dcb4a54e56fdd25eb6ba0a07f95044da2e1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4ef778ab03a5d38e39c91b80d2e9a018

SHA1
c4e71e308e3fe9213cecf33454d19ba4a1281a08

SHA256
f176c5153f9406e248521631904bb7d0bf8e29507a00bd29c30499be7185cc0d

SHA512
f8b51f2f917af2e07919bf34bbc148225e433f6046e9d120160928b8544add6555b14334f87d234e7178f84b396226538cb17999ff75c6b8c055d26d9048fc1e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4d733c40957f2bac84e5342d1c7577c6

SHA1
41bc065969382106b3685efe7d684213923f7ed1

SHA256
406a2eba01569c37361c625bb5d5282729c19ba87f44f10bcbe22a2a92c64a2d

SHA512
736e254787c3143b920a295c9dac291cf589ba3ca47759894293eee48eaa9558fbdc81d31819e7300ce9fcbc9ceea7894ba8d22f7f13f01da2ef58a385ae6b67

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d15a47bd6a15d757edd5f7eae42d93e0

SHA1
10fda6e33ff264ad49c699d58cc887848ecdc350

SHA256
526961786a14a65ed03df2e14b54bde595318db873a8089e616b85e20d541308

SHA512
be4de3aa1dbcd4ccfe37d09070f3d64ce483271738abd11616f664794377a78799fb04fa0d393701ced2754ae50458edbf0c8469f3a94e400f089c4af8efe06e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b8a01eba255fdeaf233e553070cefb31

SHA1
303c6e8a1160595e39a65d5f864803c40d275243

SHA256
2729c9880f1e7e72431916e5543359057a5c52a8bc5878f0dbd56c55530fb1c9

SHA512
d90b1d4521cf9579da8293dc3c878484cc3ef5523b61778b27dfa771d7a5bf481783421fd1f57a8852e0153ff97909be5bc26f2ca488943437e2e6bfb5dac32f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e986cfb854efd5585fc3fa515b1a0140

SHA1
d23ff38c506752e838814c08ac1f8670e9dc7767

SHA256
6dca3583a8fe7ba297c54011c3397fa43437b39a6463fb3472891bb233574c02

SHA512
32bba8bc8e1d6f33f9b39b3e92b06d342887506bf74b8fc3464a7b3561ab81677144e0fb69d76c9805b95b5372252d0cdcf040f1bdafb69ffb2c094107b6ee37

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5eb3b5d46535f2a896ac68383afa32a9

SHA1
491a4fca8ebf7527d24384eaaf15becd12c9e50c

SHA256
ccaaf923af578348732201c1792d0b5f387a74758878dfe23d1f8c89671eb054

SHA512
f39fa41a9a3f3de44c92d0e89d901099c625a8c651e6020f389b3c29d7004a5659971b4a729f5df2e59beb501686b78984fe7912cd3644b1acc9a5401001b5bc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3b821f97ac10e4ef1d10891a159bb8a3

SHA1
04da8ec73c69f592bbe8dd4f745a07061b151c44

SHA256
89ca3a04ef9acccb81c243e988c65566c05bd5f2aa0cd113a72fa9b1e706c292

SHA512
8efd4d62d42c489728411b81c44a16ca8c529d92e59e44fc259e7f01645fd12ff70fbc2ab278786ea4e20d5ee1511d0f951d1825ddfeb426814e1daa64988960

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8e2303fa8cb545dc83afc037329816bb

SHA1
10e31a5977d034135d503c374a762d3d8ad1f315

SHA256
362c8507bad91a70b5710ef709d4c154c4c1fa0458160099a311155e85f800c7

SHA512
b5f5e7c2cb1426d50b8daaf49a437d748b0af6eb0940aa64ef441620445152529a360a62586cedb13f04f98ddd45b6f78bc05471d66e5e2444b63980d181567a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
55adc88a699f84925b9fccc4ac862f60

SHA1
66ff7e9a68af5e7be269a659da2ed2207b21ea17

SHA256
b4e0b895a1d747306eedb5c75600297ee807ddb775b9e6fa7c68312a94b3cf6c

SHA512
ee051002c461ce48789647a7eec5c703309be239fb0218207eea4bf11f59e79ff82e27192358a11160ef92a48500e7fbde89c6ae09bbf2b2443a0f9533953b9b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
633764dc941b936d72a4bc9c83b17e54

SHA1
edd933cb59a78953d7fdd3b593ab5521562f3718

SHA256
f9d7ffe94bec22dab13253cb4d4c663ffe50ab9f468a032fa6263be1f9e85054

SHA512
ffd7e6a9064fb3871a6626c7fcd8a2e798746f5edd30328a78a575cf5c4e2f119efaa94add0be96064cd4c88e812da3b7dadf28c53b5ab10dd118f6e81250dcb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e017513b78e574d7036cf3e31907575e

SHA1
4c8c60af25d562c38d231cd35346d100f748a1cb

SHA256
b37a54bfbaec7941d5d5b4462eff88b2958496bc45e6918637e466ffcb32ab94

SHA512
22999c9075192c9962c63cd5cb471f45361efb0c4277a064b158b7b88cf05e870e4c523d44e7dfaa95201fca991762da3b1a7811c987b5e66102b2a8bb23c2a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4bb310eeeb8ee454074c054cfd651568

SHA1
12e3b27901dadf179f535f7be648a48c107a1bbd

SHA256
80743b199b954119920867ab1f264108f14302a41cd9b1bd9ed03d76df26da05

SHA512
ff2cf550ee4483f412d31f3aa000fb37bbbe2c919ab427faadb1e0a425d53f16e9e5d8bff37cc05fc72ea8c0a70119dd0842c5f312cff4c563c9c90e733cc444

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b2a2b657038d52b187b997d7643c117f

SHA1
e3e35293e78ea9b2673f61be47c834a18f13c403

SHA256
0fe0e4604ac36ee73af0190a4fd2d217f0eb15f85af6b7b266ea5acdcb1538fc

SHA512
179a27a8f7f8b98cffb8975d8d1049c5e3b0b9a8039040e66798ec16034034df417e288244936d34c67adda6b17bde5e8256567bc3999ce74c111d9d2a30339e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
821ee5bb4937d5836989cbd7cefad55c

SHA1
6e5f3cff132d27765d4e20375d1033b30b70ef0a

SHA256
b57388dc4a9dcdc1d7b1af310522cdbf9e553875ff184ea4d4c00fc4cc34605e

SHA512
cb4e4b10aa41e917009cbc7bf3493e27416a321df976b25a9f5e434b7f7f545003ddd5b43d17a5fff47f4caef3865f5857ef907e191842d811369c01c96f23f7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
32d16314993c8fa1adc8682170fe8d74

SHA1
ee383695cfe568f72a347bd858e09ad9a3157294

SHA256
42a1826ea1f06a865b86276abdd0404d05962da4730857b12e647af25bade02c

SHA512
6d8eda1d5a8a3b272dfb315f8ba3cfd210aeb254d54474bec8c065e71f95148e08c972fd913bafe12a62c9fe678cf23880a8ecc7ddccc751833e0cd27bccdb5e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9c63328900a1f6c5c602447ae8e6ccd8

SHA1
c896a9b0c1c532bd1774b5e20c6adf9e7a509dbc

SHA256
61ecaf86985f1b8f68b55bd8b8bc3a745c73b36f3147f54b5e6f2acb74752762

SHA512
6029a1277bf1c3d350ce5d4c2fba256d2b87ee050f6a3fc107b6f6a899745e66d0b50d2ba4642744d12d7bd652686630bce44160205c1edd0de18cc70f8dbd4a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
efb812ac3efc1fd780d6b2996c2e497b

SHA1
5d6d3e0d89741874b1bab3aa37713177aefc486a

SHA256
d3b05d7ce50a9b61e8c79d891e26a18409f238ace89f760d520190ee1cb5bfb4

SHA512
34ab340dd15403988e0e6b8ffc915d63310b6f17e0949db6ff943a07687d940efd0a86d0b7972b70c215304cc02cd3076be065d8d9c9571b674ad37f44bdd64a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
78344127708647038a62a23e80592dec

SHA1
0bdea012a6114c6b7ffce34844e70989ad506a87

SHA256
520ce43687ee749c23795ca2535d3e776e73cb47fa61c71192a5f300c7371ac0

SHA512
6043f9766f47babaae570e9035fd53e7757bff95b1cc0b88afbac43fb422386c7002317b95a74a356b58117b75a0f5755318736c05f24eb3dbac70ce468274a7

Download Submit
memory/640-545-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/640-411-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/640-420-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1340-446-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1340-438-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1420-50-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1420-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1420-49-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1420-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1420-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2092-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2092-338-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2092-397-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2368-355-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2368-365-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2368-423-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2412-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2412-391-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2412-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2848-26-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2848-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2848-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2848-33-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2976-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2976-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2976-280-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3060-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3060-255-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3060-270-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3060-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3060-264-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3556-7-0x00000000035C0000-0x0000000003620000-memory.dmp

Filesize
384KB

Download
memory/3556-12-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3556-0-0x00000000035C0000-0x0000000003620000-memory.dmp

Filesize
384KB

Download
memory/3556-10-0x00000000035C0000-0x0000000003620000-memory.dmp

Filesize
384KB

Download
memory/3556-5-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3688-433-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3688-425-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3716-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3716-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4064-351-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4064-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4064-410-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4076-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4076-436-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4076-378-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4224-244-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4224-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4224-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4224-250-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4324-406-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4324-398-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4324-538-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4340-381-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-324-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4540-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4540-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4540-14-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4540-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4724-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4724-73-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4724-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4724-65-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4760-296-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4760-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4760-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4856-458-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4856-451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4932-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4932-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4932-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4932-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5060-368-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5060-302-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5060-312-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5408-539-0x000001AFBA810000-0x000001AFBA820000-memory.dmp

Filesize
64KB

Download
memory/5408-540-0x000001AFBA820000-0x000001AFBA830000-memory.dmp

Filesize
64KB

Download