621cba86a4ee14a238931d27d5c2b2b5a0b8bc87d0eb618b3ab72d115c60136f

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-27_2d3cd573f994c2d3faf9920a940df545_cobalt-strike_ryuk.exe
Size

2.1MB
MD5

2d3cd573f994c2d3faf9920a940df545
SHA1

b4e4294058d21814e68fd7dfef8fc61c4f493798
SHA256

621cba86a4ee14a238931d27d5c2b2b5a0b8bc87d0eb618b3ab72d115c60136f
SHA512

45ddda4b2533c42c37353417b3b2fda9fe4ef633f666ff3eb6b78f6faf814560247af2a1af94ec110f4dd1a803b778d26f2470b94d99c9d54e2c0a7d8d3845e2
SSDEEP

49152:5ikKqNuKuNgEBV/wtjUNqE76CHHwbShgDUYmvFur31yAipQCtXxc0H:5iekgEBVnfboU7dG1yfpVBlH

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4548	alg.exe
3268	elevation_service.exe
2260	elevation_service.exe
4924	maintenanceservice.exe
892	OSE.EXE
5028	DiagnosticsHub.StandardCollector.Service.exe
4592	fxssvc.exe
2528	msdtc.exe
2592	PerceptionSimulationService.exe
4676	perfhost.exe
1820	locator.exe
3544	SensorDataService.exe
4600	snmptrap.exe
1764	spectrum.exe
2900	ssh-agent.exe
2572	TieringEngineService.exe
4568	AgentService.exe
640	vds.exe
4000	vssvc.exe
4244	wbengine.exe
512	WmiApSrv.exe
2044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-27_2d3cd573f994c2d3faf9920a940df545_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d76bf73cc056941a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77531\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ae456567ce0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000021e90567ce0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9259b577ce0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d7022567ce0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dfa9f577ce0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051091d577ce0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055b309577ce0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1872	2024-07-27_2d3cd573f994c2d3faf9920a940df545_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4548	alg.exe
Token: SeDebugPrivilege	4548	alg.exe
Token: SeDebugPrivilege	4548	alg.exe
Token: SeTakeOwnershipPrivilege	3268	elevation_service.exe
Token: SeAuditPrivilege	4592	fxssvc.exe
Token: SeRestorePrivilege	2572	TieringEngineService.exe
Token: SeManageVolumePrivilege	2572	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4568	AgentService.exe
Token: SeBackupPrivilege	4000	vssvc.exe
Token: SeRestorePrivilege	4000	vssvc.exe
Token: SeAuditPrivilege	4000	vssvc.exe
Token: SeBackupPrivilege	4244	wbengine.exe
Token: SeRestorePrivilege	4244	wbengine.exe
Token: SeSecurityPrivilege	4244	wbengine.exe
Token: 33	2044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeDebugPrivilege	3268	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 4268	2044	SearchIndexer.exe	125
PID 2044 wrote to memory of 4268	2044	SearchIndexer.exe	125
PID 2044 wrote to memory of 312	2044	SearchIndexer.exe	126
PID 2044 wrote to memory of 312	2044	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-27_2d3cd573f994c2d3faf9920a940df545_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-27_2d3cd573f994c2d3faf9920a940df545_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:892

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1240

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4676

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1764

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3260

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c9ffc87a449639f45c96eb0848f01b29

SHA1
b91b4b13225692736fa740e398abe9df5c5f98d8

SHA256
3196fcbb8f02c87416a396d69337559ee3afd55eb47dc5173d1862d88f84c261

SHA512
fc4df5513c49ea1d7a4eb0ef990732f5813490311e0a61658b422f2e21fa40e55e1192d94b8406edd1f25c1499c7e11943d4ed7d30e7ca0d1c13c2794f0f6e61

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
2b708e0d1c18099801cf4994b4cc38fd

SHA1
63562ac1ded8dd44912ab12d1fe34f57f68a1c9c

SHA256
2a2cfb5d3b2314c064027d04e62697cc51efca451503de262fedd601e8282611

SHA512
a5ccf33bb80cdea2c68a9f481957fe6ec297cb617161f9b853fbb946bade2dc2b5f015aa0c46be6c9af12b8104ca1610144c619b59d394b50a3666a4426f4502

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
9165743ff789986330d6b43859324115

SHA1
1d82967d64d70006bb66375440a16c9b80295ea7

SHA256
e3568ee06a64bb5c95de973561bbfdbed57d1f72026ffe2fbda9160e3d2ae8e0

SHA512
ba1e437143042ad417bb637e14bcb39548b36123d603cda9729311adefc46333080b9dcead1f2afaa001c0072de585f4f08838e972018ebac48eb0de8a2f626c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ffc18fc6dbd3cee345de320b1228b299

SHA1
60b0d0f4949b33358dfef21adacbb9358c198cc6

SHA256
f6d350be535d3d32b921d26cf5bffdb2f478460770bc221dd5338768c91375be

SHA512
b2dbc0354de0146612610afeb7a7e509268290435e9ad187e193a5be5fe7f64bce129215edb94d036345232907ab91874c0aa03f968af1d459da3c83d4f18bf1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b5c5355f3b62eceb6bacb0431090d638

SHA1
a2fb21c989532d343f73bd630ff367d435942f10

SHA256
0d80a10625ca722bdb5731d6e80bb9d1bacb90b90f82a030204693e9482ddb1e

SHA512
594c058fe8033b1c3508388e4244bfcf6b8a8180d522d1218b33b47df2dfb8293fa9de8def684a997ab470340d7eb567f60fc0ad8737ec05088b94557f3b6f6a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
ae55660ab508d034cd8f68a3f0610006

SHA1
003e73faad1f9f5e6e19adb6dc3a30c9a99b5442

SHA256
02b4c0574f70f2b010ecde10af11089d1d7b44c31042eac2f73ac567b70208d9

SHA512
17811a607dc925619462a0e1da38866734e1b43235d5858f7ae8e59258f51764f862b7204389936677683712c369f43fb47053b281672cb2a39855099d582007

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
56923d729501f8f07198066ee922b322

SHA1
d5b677160ac65991d25c1cbafa88c55b9eaf707b

SHA256
9abe8c78e7e531206907f2ef251f42ade63aa115572411b69ba7e6a718294298

SHA512
b9e262a53f82d137a3b298d68652f721fa2c76abdfa303acf049495299c181883a5e45b7308da2716767fe5df80898e65cb1c039d8f7aaad50eabb53d812dc5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7a864910b8eb24d57c11b499d95cacb2

SHA1
523fe1492b1c3338f66d2c20e624438bd906d4b4

SHA256
4547bbc8f538548cdf5bc6249baa33962b387610e895df06a1842805c693b4fe

SHA512
3b94658b9b16b2f862d5925283049e936609974aebca372b39c2ef8cc7c593b4cc611f8fb2ce0b7936fc5cdb1a434b6f75f1b7c3e2282c0b28cf45cc3d6b3b0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
2fe561594982df014f7ed078a7bcbe68

SHA1
866a3c38b885ba629bb970e37b6c8babfa749a8d

SHA256
421975c53be37110b0a9b43c87c0742efc36649a2f8e2cf3b7744f3e46c7d760

SHA512
7254762b813c25fdad829e4f53be1abf49f0bdc49184eebaf69e845b8d781643ed48e86d331be947db96facd40678673786f84e0574620b125570fe293158fd1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cead9a406c9b966ea9402f627d18518b

SHA1
7c34564925ea9bd2cf4fe6ca7535e951f25ed697

SHA256
08c5ff5a1ebbc61dd00d081b7316332a1faa63b6652e4bd2d7f3df5bc9a74c33

SHA512
b2bea30c688c7712f86b00e860f26af540b5a9822000a602720f8a0e45ae1fa9d1acee79c9c1f014f3ebfd57220d6a6e034cd53e74f1e4a391ca183d745d1606

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7b999631b1b773ebdaea273cd4c4c96b

SHA1
9e7ecf75d452df0e4e307784ac7c0daaaa07b4c6

SHA256
492c8d4c92723baaaed38aaf77014a137a291271b1faadd4c4c018bcfad4414e

SHA512
b6142f7bfe35cd16aaa0ad4e87c2d95af6bc2ecd80ec7ab0c4295a9be4949164906308f3b35c47137b2666d07f6518fdb46c9c284f1ed76347761ed53a7bb1a0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
023877099ae4ac045b391576b87aa453

SHA1
4493730c6a091788c586458ba59111c980c69137

SHA256
5e9cf7375abb5634bb196a8f559b8c82ee3649215f2b74b792170b2c7b26e248

SHA512
ead1b77df879bbbf3ed8f64ec6e1b3ea949a39b67ce19f10f493a29abe5f98a623c78b426dda47a36397d3331fa5a0958eae81f0704efbb772fa513ba50fd991

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
8877e1161896714f8b636f397cae9f65

SHA1
09fbcbf4bac4c2bb491e2c0fcad5c0e82cd86364

SHA256
dd28d9e3c4ea90f8c5a6c103add476c055e09f24997ffa057e2da35705bbc96e

SHA512
7c52735d9ee36bb0a28d602a084cbf607e95cfa4aea9cf69e5fa639bc47758bdad36683ab4fc007cd8ced6bbe3971fd811b32746043b3e1dd35f022c103e06dd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
79923f5f8ce951581995956e03c4ba3c

SHA1
28d6ac3cd8afa34b6ae84baf9ded6e7ede944249

SHA256
28f2fddc1cb2d7b440fe2be64a393e3fef387c875e213ddb7ff3bbdd8fad0b8e

SHA512
1c17ad7be8d57d1da9098e995913b1c0264739b85545cd09968f2f3ec3ca27fe4f886e0eb26f394fb076099b39b1833cbc279e4620f10c4768b52ae1d5b9dd2a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
6b4cb0e12e1b666d3081145706f13223

SHA1
01b74aa8ad99d98f165a03db1f591574b3fb7d6c

SHA256
d386ad11b9930eb51563b83d7c8c9d7dc2c5fe77c36d286c10e79d18d488c683

SHA512
f76649e456299c6c60745c4915812cf4cdd592a50e52b01df4560ffe6d9db3adaa15810e98f8acbf1b132ac6b01df6c974a5bd29ec485154562254ad574865fd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
9b93affaf18da83d5854eb7c1a8ef376

SHA1
487fe89ade5091f0b9509030c55ab7767729ae97

SHA256
22e095a15ede752c9b69f17fa95015ad6ab06f07c9af551e719ae383129ac3df

SHA512
d6077f9e83e4dd9972f82dcaa66a3f083f3b518547d9f459bcc2e7bcb588ded2bf1a5d013580d82e20870e700955017a3b5235f909bba2b8f7aa2cdbb26b1cdd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6789b43be5c4a1170cc13d9cf14819c6

SHA1
6aae31247de17de24ca69735d60031d771d685dd

SHA256
881540eca756bab5c124f933c9eb42f919d96f21aea62aa82e69b086214e9a9a

SHA512
56525379c9c573a69bb0d9b9137137244f9e9d1fe1e3c8037b0b6f1714466ed36fce0a79dec484391240d890e6c8df37b34ef0e9ebab47acb44971f3460c3fa6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
f2b3c950a2af30a005706e44b1b3e646

SHA1
d5151b1ed48f405288c957a2211b29585c8e895e

SHA256
01aff6108cda3426fc55cb54233107fbfeb34fefb2dcf97ffbfdab7a8807e8ea

SHA512
13581467a432e47cb69abe4a66deae9264ea1b4a4591588e86b5d528aaf8a17628713cc88ebba5a8fd23c175b57f7fac3ba33135fc6a89faf26d6d8ade4baf04

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
c97a86b4964bf38185b2d1c9ae3e0ce4

SHA1
c535d8fd0ed1e5d4bb8aba075f6a9eb3c74264d0

SHA256
ffcbcc78a0d13a44bcc4983af24ec0937d9c64ea2713bbc10f5f9eef8c0189cd

SHA512
6c83188c4c289aa23daff2d03f564d051c17e1e5115f406b12072e068e194592b0bccd04d7696ce14bebcd7c82fddbf02433fca0ce5287797984d64718d22121

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0be8d1ae131fae3f086b5e5958d56442

SHA1
f30919d8ab846b81672a8f448d948068c8193a1d

SHA256
27b69ad1ab41c2532d89f53eb74efba3576a70a0e53dcc440b0902cf72b26e39

SHA512
cf9245ea778dac9e02fba1a29f83afebb4b36904b40206e05a67b0f5ee903f35f045cbb2d69969b52af1b1b6e176a35d841f64fa0d24e77582754db77f3ee317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
e530e23ff409afe8ceb6eab5ebd3afd9

SHA1
37d26fe5556c7200ab5676a740b51b902f31029e

SHA256
49d40150247bd95b61188ea3106f3e985162dcb914567308fb4dafa3dfd31efb

SHA512
318c46912836830ebf6f1b30f5ea30f5877d8cc205adc575a0b0d9cb2d7c794d05fe27ac78611670cd7151d1a830fe930200e7d20689fba9b9847b12711ba4db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
020a3d81ab923029e5e36e493d2a73ed

SHA1
6317eda0505158dcf802fb0b49a4a3666c0de514

SHA256
0f2fccaeb6d6a430923c739b72d43979a1283646bcac0f1ddab7ec35bd0289ce

SHA512
81d9fe32be17246b33945af9c2523049869e41e03d828fd28bd0ee1f50be31160ca877312d90d432653b22a7a95f36b04608d3e3b16d5f690ab696256c61b647

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
870ae7f146300862ca74032ebc74d39e

SHA1
e8c6b97fd0af06a15b96483a76b19dd5d493e0fc

SHA256
da397b3b064bbe141640c88342d7060c804e43539af3be3854f7d55f610f5a82

SHA512
d8f0ef910b8d67f324be5ff9a7abbe71adee15f753bd16c12fb16806d9e4151395c87aa3309417dceba28fc4abfab81f444b88c4908aea9dc744e8ee192f5c4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
4631b43843456616500a8387a55ffe7a

SHA1
babb93714d4fcee1c2328df9b4d3b061513f205b

SHA256
40af7cb637763bd32b6d7d598e9015654fabda55eeec8a303c76a9c7705848f5

SHA512
90341e271563d6ebd19a70e1b265978edecdfb7ea7029286e9525f4c5ffd2ba9060ed52427c967aff559569c774443d7abdbab732dbbea50f2985710177ed132

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
1ec8d331139ee943bf052f376bfe8e89

SHA1
d3bf461e4486946454e201e67784ca81f139dddc

SHA256
45e51e8ee142595c7cd9534ac0baca7e2ed0138a4302a3b85fa4f4a27fa68bba

SHA512
07abada4bd0b205f02d899dfa232a4e4eab18ca2803381bdf77af65480acd151441b4963a1a2af14096a9dc22b4f52fdfb31e44ae200bfb647c138b24ff1d56c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
945579ab2af40a2ef3da2c8be437dcc1

SHA1
6d45fa7e42a6a136bc21e703c74292d2f68f844d

SHA256
92313b82d6dc08f379d0093ded762272d2bd986e720459bf3681f55237d16a93

SHA512
cdcd69461136ad31a8d019d73cb08b11207fd8b28cae667500dfa74b3335cf8f9893a2aa986c867c0f458f92b543007259b10123d6895c65440d4119395c60ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
192dbc71c220692e38750fcd31ab4f83

SHA1
22de7dca041767e7e1c9ce142164e707b004b1cc

SHA256
05240c750ff8eab9491826eba84ef7f4cb7e34e020ffda1353b213252c127482

SHA512
aa75d808ecc4be699da0d77b07801de4f3ef23647dd4efab221e8272b283ac0723dfe7890e278bce09a6962081d45005f2329447396815f5b5fe4f9a979161b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
c233cd4cc057988e7eeb50c1c26b3033

SHA1
fe1d6b00d42a02f7360179be1c7d0786b0d91989

SHA256
03f7b9df7ea8f158907d083090d8fa305d1a16bf74ad80f785bd38189a836fb9

SHA512
1d4ab72be5e88fae0f80120927ac2c3658a4c1474803b57e89aeed23389d1408086d8f7be93f3472f75cc3a8d02e8168ca0c5fbda55f5b28efa190f0c47aea7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
968d0d6806fb5aea902b3498caf3f515

SHA1
d50c1faa2c23758794056ef6fc543cce87c9bb3f

SHA256
8c78e484b5ae5ea24833bd14ab3a9e89fbbefbd7a71adeca0a10e542f40007a8

SHA512
0445cbc60f2da4c331199e346481625a75212eefa9c2569e086fdd6535e599ec013bd344473e9ee07228f876821eaf397b84914e107b3cd9082abd2269e13421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
ec5d4de87233bb0f09ff7774ed7a2ac9

SHA1
54a62b1bfeeec8a67760b5b2f0e00f020b709add

SHA256
a9b1e64d37c2eacbed0aa977be0b1379dac8642a02ba11c0105e0f17608579e3

SHA512
46313822027eb7048c9d59412e53e8b8a7b1700c376f5d661324744970d680ebddbfe66f3f38ce22ed81561b1c57218af8c8b16187a93d0122faabeea7df86f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
673908de571cfd9dea4928259e7b6ff1

SHA1
d2a7650713270b04c9cc53c5181c5bd205498f72

SHA256
b5b7dbbe0200abccde1e6964cba23bfed4adcf9dbe284b50d72f53e376ca75ad

SHA512
d6998e217ea4a5610ef734ba69d6ba510ac02fde761f40061db86ea267dc54a162b14c8f1a6198bf3fe3f320e4c1b32c03a17502c79acbe31f0714e4cf179741

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
cc85546ed29607332231a4e4a8efd377

SHA1
7a873d031d5cc953263ef310d462947f0a58494f

SHA256
2cf7c4fe87459003b2035e5980d3622a7b17b51a4d0712afab4ed7d9aa17b78d

SHA512
b0a659f3c81273a919f09d315f357fe25d8bcd459338e8dfe0bc1f0508399424f3a2132c621f2972321bc02a111b2abe073bc269a3eb86a91e27300cc47d2676

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
d5b281da8c56c1f2905d4b6ec32803b3

SHA1
a48913cf82fc6eb035cc5337f9081b4b426cc6fe

SHA256
20fea3f332fc78c4baeb4513bc520937fb5a2f268890dccc4f85fba407c521a7

SHA512
57549b3e75648702c888c65759e043b237d7bc2930227e715afdd5753ef68718e96760014e5420a1f696a9ea89916b3e16a5acee36dc6d57e806fdcc843c15d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
1f8202932160a971c0a4d7f06b5cc12c

SHA1
73ccd1fcf56587501dc4885894f9471712b43233

SHA256
1513529cd4a646e8b226cd011df9233e65435b5fbab652e1b805a464c1ca9ffc

SHA512
03648b362c1118219df1b971d0c805d98425589909fe9da8daaa3be9e8eea9e71a2b5f76b849caef0c23d598baf9ab9b7144ca5abd7e3daf04b84c8b4fe4d61f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
23dbdfa8bd1c9fa7b6bf8c1a7c09323b

SHA1
dff72f99f4a8f5dbe268bda45c57bf25f15ae8c6

SHA256
a66b6399de270b0be966c19a683f804cfef17f2625eaf94dbec41e5a80d21de0

SHA512
0abbb6e2ae3c51faa80f1d8f4f3b6d6a5a9abe756ac3e8889dcc5000815fb836ce2a3a024d2abef3b902aabc5e4792a1b07538d83082443ee3aaa9f7211c1ef0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
ce1b29dd98611cfd5fc1a2ecc674764f

SHA1
856d9dc75436d0b31f05b8958045203cdd06b17b

SHA256
854bc43c00ccfb650b54471567732c20e8c574657dc77abec7e5e335c8e433d9

SHA512
d28d5abbbaf46f2f4ab230715d2579aad7fd87dabc387490f6d4ca8f4c79eccc1a906ed6a5f9e9dc99469504db061e60a72e510832ec9554425f94514e3252d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
0854353ecb287fb5321d86e49fce5cf1

SHA1
3e27b2ed330e6a884bdf0065e6c4361d01b4c947

SHA256
799b98355dbbd75b576ad69f6892cd0e90c8fbbdbd3137f334c17db5f97009ca

SHA512
6c186ad14859d04b0dc5bb04a4a2e1b0ba5a0308a3e1e44564f3f9a9d8ccb55fb09ae387b36c8ac8e8b8ae88e6d6323611f0c5432762cf672bc361f2e4017253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
d00a3fe78d4dda4e8268414d9bf16aef

SHA1
6ab44606955de66beaedcd07fd426df80e77faa8

SHA256
b20fd52d53535dab25320dd4bc9af96f00cbd05d28cfa4090b223d02897f7704

SHA512
f68f6b612b5a726676745dde5107d3d07882cb373ba4689bb42fc7016a7f6f9395275e4421fe7f73d7148089f52d302ccdff6e2d44eb4790b6f045f59db2281a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
12f25e204ddb2ac67a60d0a9234cda08

SHA1
e164637e75fa7f99ede59335683a9f286973cfae

SHA256
14ab5cadaf02340bdb8ebe0546189fed06454bfc343468614b7a10d215c57da3

SHA512
943ca7e545c1528f96623220078f780cfd48874e757c4a28425cd2cb9ac9e6557d20f2325f591a04dada83efcb79d0010ce3a695dc7905844645f9e6aed90341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
e41b928ac5b6806c1e81d253717b7e91

SHA1
71c22acf3253820dad95dc2f9269d4239a4c635a

SHA256
31ce990b8d7222f1d8206582f2969bef893687ed4ef62a323fa285990c479fb8

SHA512
e31cdad37abe0abad6ed858ab7062c92ebb7e0d05138cccefecf47a758fe8b84a5224bef16a2358dde49196af40dcb023cbec76ed8a8d06c44cbdd0f92a1ff57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
c41ff0d7ad785170f5ca074293ce97e9

SHA1
c6adc8411866e75d58b0afca2d2a21c01654549a

SHA256
6d3a2bdca5c422cb8aaf0a80513e964f81a98d46404dcc11d0aed35caa53d0d9

SHA512
cc4761207b07b9ffbe7bfa623f1c73aea622a883c62f03587e752b83bedb2da191228e8ec173138b1c48f5ebc0a6c9cdcd0c67204992a4316ceb0b227990fea2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
f633920f7e231940cd61b1d81219a030

SHA1
847228bc25ebef030732bbf08423b3f319afa96d

SHA256
52d1f22b123f2d17e8f452fe4abf1af149fa5e54e4521e20be4a6d01b400afd5

SHA512
b712672f6289074df9d3c98a9301c3b5a0f4f982854ab06678d9faaf7d1bd60fb4c5b54094dae909912371876acebdbbfdb87d17bc270d19a7b67fbc4308b7bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
c2c7644b67b73de605e6fadd54c632f7

SHA1
47169e9daffd8ea91b00574cb5092c865f148dab

SHA256
f709498eaa2df955277764d554264f7f35dc586e84b156639511e428005b5288

SHA512
c73a8affaa20e1f31cd0c412b53e5eecfc9525133066b5834494e0cfba31f39104b0e9453b848ab0f3c70c1e9f4b81701ce6e3ea4e6805e3eb411b7452d4b1e1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
5f2ba263d5bddc29bb3dedb4da6a3bc7

SHA1
e4953d991f547656ff5c3b1d38e8f36741e5c11b

SHA256
452fc93df973680fef0d50a7c561115ac3add8f94dc4644586927b80e54e3f53

SHA512
1e3e475a1646e401c73200bac776121a6eaf7db0a53dd4616398af1654b4bdf619955f8032b4741582438cfb51cea2c4f830c5abba62f53ff44f7bdab6218068

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
6017a3ca654b3898d1b29adf213bf78e

SHA1
4fb39bbd6c8306587bf8b60d124c585278b49f66

SHA256
ca6bba7aa3440f912eda8a82fb718db6de82f08fcff58564b7a729271505d358

SHA512
079eda86137ebd3008e1c899e1d1b9ee023b6b01bc578cfd663392943577e7daf866f9d1c75c720b896a39de3e195803ea83b65f29b2193a07d4103debd69375

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
18cfec47ded0a309b6fac957c0c3fdd5

SHA1
31df6b192f224e35b32d30d3b99d9b36b4c576b4

SHA256
6f86a677aca10282f7ef5687d63798306f56f688328be4d381e99986772c88fb

SHA512
89910086927d8731fe509294440f61d6708c99376848ef57d03225628fbf8728b91d82f0c79848a80e0d49d4998c89cb640b4e7c51b97571e9598b5ad61ba0e9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b6088e3b074d14feabd83360f7572c97

SHA1
297ce46b4d61d40cbdbea7e65fa5bd48da9bec3b

SHA256
559e68246a0b94b52469cf4d5a6ae254d39a29a7c9a0bc33f74f6ce3f9667815

SHA512
7511383eb183dab7cc72773bae9b1acd78fa2ce6e39b24f9262c6914af62db18ae9bd9cdeca2be783666d349071efef6272322b01e859d5e59ffd264bc8c4c35

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
304217ee5e3d71e1a9d274c8c054b2f8

SHA1
fb715f52563c66728562d183d20a69db0cb9dc7a

SHA256
6b1a5442f83e4065246b7300731a437ad72c58ac1222a8e2863e6d13f754ecb9

SHA512
4434b610501c9bae51e6f490c39ce153781336f777ce84078e61b85f6c71d75629d9ebabfbed99dfb9894c486616ed8e6239aba9f465d8c118231c92f381be91

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
006b3d5b9c6ff7bb4e558843b199ac00

SHA1
3b8b3934cfab3add6432426ecbcb6718d6f62693

SHA256
cf7c97d86fe93c9ef1b1ce00fcb7778381ef9066eff1b53e43d70e863c639085

SHA512
0c91200a19ee31646bb8ba0915ba2157897426607b59387add92876a468c2fe3c41ee9433cc22b7828a63bb1270c2234fd602210e2fc5e7c0d18eda83ba201ec

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
cef2531b24c861b4ea6b428535a98983

SHA1
014ad7d4ad5d6e8d09e0b35cc6525c5eb4df5e36

SHA256
6338cf2d3cbb626babf7165147cf8906b41fea6594fde9546df5ba92e379b6e2

SHA512
24c0627e6a209655531369f0b131c418fa3013ac480815242e99c24b6981f063bcabbc75c532f9bddb705fa6d4b06f186151078198501b160a4940c147903a13

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
1207999bf80a9f6cb560fbd915ef8918

SHA1
7e72cded53352b116d27d455412151bf90bd4783

SHA256
705d13ea8a258f1233c832844090b6d16f92a91eaca8981dd6f4f86fd5764c6e

SHA512
80deacbf539c65b99a55c3270b437ade54302c6e06ef0dc43914fc9c986782a0e200536a5a0959e1f8f8b9c5be2263af291e8abf4bbedb193f840285831f43d3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d78a869db074af7a909a53ee89ae6531

SHA1
3c9780fa1a2e839744de525f08c730e5932a49b8

SHA256
0cc9ddfd3d3df298112488a958656f71ff2c60a5278d5f50b1c18e45fa8b804f

SHA512
a3700f51ad9ae611850fb0475e4ae1cf3fdbb1c4980aa7c257692a5ebf943582f01753263895ae76ed7e68c707e3dc0b4588c111af3b0357df87b26c2115286a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
319406606d1ba8c74efb0d46394ccf30

SHA1
1440f811c8f67dc5cae92db9426a176db8da6c3e

SHA256
d1544f02dc0db298a750f48107af25aaed9ac1972285a231c7cc187780d819f5

SHA512
c9583917cbd92ef67b3a2236d7dc3395883841471417b6cce4f40aa2b9190a617cda37704c0a00173a7e05755a5379c75779f1f28b831fd92951d921b2ea91a4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6fb2871405d53bc6c8704452790b2027

SHA1
662495733e27db0a80d74b0af5e3709a381fe9a6

SHA256
61b9d2aea52e1fc040d0f70ed95154ed58747540a4941f0d4721699e414683c9

SHA512
6170afe74022b2c88aa509494410ce733b25dbe7416211c33d1d2278e7c5178b1e5b64f185b44730451aeb41eb2510e927097bd866220e93c04206a415764598

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
2164ddbd7e165f7db146aac0452a8563

SHA1
3b7460234a5afb4623a79ed229654877e3f970c0

SHA256
8518597adf851d83413514f9b4ae7ec1f7b7043c0c17ccd2dc82e18418ee1242

SHA512
55b00e553dd8ac3617fb9a2ff9c0634602b7f849a3a62ce3f67a823aae149e4377d312038c2f9e86b8c8bd701e642f9774de648491b3816a629336b155bba4ae

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7d1a2733a11e23e05b3639edc4f6eb1f

SHA1
146b6ca4a4db54fab37e2905dccf9c3e16665eab

SHA256
5e04d05ffbb8ffae7566edc31b2f8636b8c536d4817d86e65f2c801c7530e637

SHA512
4ac0a1c0a39c4b7be3467d0391a77cedaabe50e0385e7f75955de1eacff65f99eb78259016667ed2049ea72903d03ed26976ada598a9c1c5f16b33dbf6cedb37

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
070a988aa84b2e36ee2f9ce50af412a9

SHA1
da924413b4420bb43d345bc5b2ac695d75d6976b

SHA256
44a725c7020ced3fe0b861f51aa2fb6da2823ed7de10b0d7a27220ffa488eb99

SHA512
a22dcc9fe6fb849f5e9b7015aa80a2d0a3ad583952ce050eb729ed251c974178af858bba6c25dacb465946d649ad57ae85b758e4f7e5405bcd360ff9142475be

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
453fe47e224a915b9558d224e0df7207

SHA1
a2e1f0229632f5c2e56e5e4c486116a0f3c1f375

SHA256
559b99c8182dcddc9c0e50160e90cf5d58f384442f4eb64964c5c4a67175c01d

SHA512
5f087070805b6863c04b44802931dc6d01f4e06b7d3cd981171fe12b549699b4c9182f3be8f591785315292fcf431e25ca9bd06a69bc2e6327444de90d0df4d8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6f2677fce97c214705c9da6a3d655adc

SHA1
6d51e0e550fe2f7543731821755fc13d37e8afca

SHA256
eaab1a74a3ef2a44473607ae097d6de27ae303fb628ed07a6eb004004ac8b858

SHA512
08a7e97ab6181a65ca2fc21aef5ab59288ab2f9718323a7d228b3e0b22636c44cebcd2462359331a3588b050542b5f370f3a3b9ea0d0ca309bc7db384469b3d7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
97af2fdfb734d146d53c0ef3af2461fc

SHA1
8e7d6c620d5ae919b0d7742a427c95ce7e93b61e

SHA256
4b9d1214a407a4019450c3faf2a89c306b7d4641d21ae4fdafc3e0b214c29ebb

SHA512
acee2ea6304c48866037cb6afc9f66d716fdf2e4e84c974e5075dbb2a60aec67c253f490a4f62ea1433a4b1ede0c3e84135a50b42f20c4a8e5accc775059fedc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
2480d9ed124990a3fb20a8f3b678bf6a

SHA1
ae189fecace36e47e6c8f36ca302fbcf645f1e2a

SHA256
178d4f47481746eb8d990050d11e53d314aab3fb68b4b9336f0e2bdb79b7544e

SHA512
15c6a7e48faa844868ee7f9481ec4f78076afc144e920bfb745a0b6d12672055b5b8520308436edffe593a416a2b4d388991784ef02380a87cd8037698870043

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fe65c7b20577abdcfe8e08a106337113

SHA1
c20bdcf78207b15ef0ec5d4b0c1031bf67e72f16

SHA256
5602086f1dfb6304417ec6515490e54bc607cf591e5f4faf842a16fa12c5bef3

SHA512
0999c8b0f55ff70c6ac90da3c7ee5f70918eae1a2c34e54b155fb498de6cbbb507d6bc4230b1c0542f5a9c89d592602feb3e7ab153bcc0865e32dbccf66cd4e0

Download Submit
memory/512-581-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/512-418-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/640-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/640-578-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/892-79-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/892-62-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/892-68-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1764-573-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1764-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1820-417-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1820-298-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1872-13-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1872-9-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1872-11-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1872-0-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1872-8-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2044-582-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2044-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2260-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2260-229-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2260-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2260-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2528-381-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2528-262-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2572-575-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2572-356-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2592-285-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2592-393-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2900-344-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2900-574-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3268-228-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3268-27-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3268-33-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3268-35-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3544-572-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3544-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3544-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4000-579-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4000-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4244-580-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4244-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4548-224-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4548-16-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4548-22-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4548-15-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4568-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4568-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4592-247-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4592-248-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/4592-260-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-521-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4600-327-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4676-288-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4676-405-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4924-59-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4924-55-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4924-49-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4924-78-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5028-355-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5028-243-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5028-237-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5028-236-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download