7d35bcf2f9e6ea15a22a9907663d49d7ec764b93e3d4ad23225acf6b51717f82

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d35bcf2f9e6ea15a22a9907663d49d7ec764b93e3d4ad23225acf6b51717f82.exe
Size

2.3MB
MD5

729fddc414274624bdd7850955e9d4d3
SHA1

8f322fb7c3168b92a43828f944332e144e1967e4
SHA256

7d35bcf2f9e6ea15a22a9907663d49d7ec764b93e3d4ad23225acf6b51717f82
SHA512

1fddef904e7e1b4c5228aef655bbbb9fa4a890accbe41b941c9c0642348fe32814678ce29ebfcda769afd1e806ee5af09a611182a407c3ebf0c13d7996989f1e
SSDEEP

49152:U1z3TQm/KXAXtDWRMmWFZeAbfBVGvya0S9icoLrNYMqFg3FDAV3rdJE3jM2ce:MEmIAilWbeAbfBVGvya0S4dYMqFaFDAn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2240	alg.exe
3568	elevation_service.exe
1456	elevation_service.exe
4052	maintenanceservice.exe
824	OSE.EXE
4832	DiagnosticsHub.StandardCollector.Service.exe
1380	fxssvc.exe
1160	msdtc.exe
1428	PerceptionSimulationService.exe
3848	perfhost.exe
2108	locator.exe
3992	SensorDataService.exe
3088	snmptrap.exe
3524	spectrum.exe
832	ssh-agent.exe
2112	TieringEngineService.exe
1688	AgentService.exe
5016	vds.exe
2184	vssvc.exe
3068	wbengine.exe
1576	WmiApSrv.exe
448	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	7d35bcf2f9e6ea15a22a9907663d49d7ec764b93e3d4ad23225acf6b51717f82.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3b104e6d733efdd1.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_103906\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063496de0e914da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a28aecdfe914da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5a729e1e914da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef2e33e1e914da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000139721e2e914da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000634db6e1e914da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e66e5dfe914da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078f056e1e914da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000523700e2e914da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3568	elevation_service.exe
3568	elevation_service.exe
3568	elevation_service.exe
3568	elevation_service.exe
3568	elevation_service.exe
3568	elevation_service.exe
3568	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1680	7d35bcf2f9e6ea15a22a9907663d49d7ec764b93e3d4ad23225acf6b51717f82.exe
Token: SeDebugPrivilege	2240	alg.exe
Token: SeDebugPrivilege	2240	alg.exe
Token: SeDebugPrivilege	2240	alg.exe
Token: SeTakeOwnershipPrivilege	3568	elevation_service.exe
Token: SeAuditPrivilege	1380	fxssvc.exe
Token: SeRestorePrivilege	2112	TieringEngineService.exe
Token: SeManageVolumePrivilege	2112	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1688	AgentService.exe
Token: SeBackupPrivilege	2184	vssvc.exe
Token: SeRestorePrivilege	2184	vssvc.exe
Token: SeAuditPrivilege	2184	vssvc.exe
Token: SeBackupPrivilege	3068	wbengine.exe
Token: SeRestorePrivilege	3068	wbengine.exe
Token: SeSecurityPrivilege	3068	wbengine.exe
Token: 33	448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeDebugPrivilege	3568	elevation_service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1680	7d35bcf2f9e6ea15a22a9907663d49d7ec764b93e3d4ad23225acf6b51717f82.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 4392	448	SearchIndexer.exe	132
PID 448 wrote to memory of 4392	448	SearchIndexer.exe	132
PID 448 wrote to memory of 3816	448	SearchIndexer.exe	133
PID 448 wrote to memory of 3816	448	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7d35bcf2f9e6ea15a22a9907663d49d7ec764b93e3d4ad23225acf6b51717f82.exe
"C:\Users\Admin\AppData\Local\Temp\7d35bcf2f9e6ea15a22a9907663d49d7ec764b93e3d4ad23225acf6b51717f82.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4052

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:824

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4748

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1160

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3992

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3524

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3768

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
106ce4e44f8de976ff87fed814a2a1d2

SHA1
1d270d235d8c5be4298a6bfee71816e611e17f34

SHA256
8cccdf28f29a8a91383a5cfa7355dac45348fb260018b0a24043536efa4c860e

SHA512
5c1185484d6bd4c328003d70b14c11cbf993e9dbafcd182ef0ce8026653137b8f0e7f9f9f12be8fbcd36cfe2816fcdfcae535b1f24d6046744b88877954455d6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
f9f27c89066bfdf2c0a0d1ce7d3acb43

SHA1
7b55dabec91075c6bc0de60b3a89c681a2983ce5

SHA256
283ee367eaff430ef1ed3137d4802efc8b12d1773ac8f27aa5450cc290628e8a

SHA512
0ae15c054d90d01ab1029ee4d900ee412b03884f7e254a737609b45a3a195268bdc5d4ff4412c9b93f9b1653fd8429a690fb3a9344a5e4f08934351ef23b5813

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
f9f27c89066bfdf2c0a0d1ce7d3acb43

SHA1
7b55dabec91075c6bc0de60b3a89c681a2983ce5

SHA256
283ee367eaff430ef1ed3137d4802efc8b12d1773ac8f27aa5450cc290628e8a

SHA512
0ae15c054d90d01ab1029ee4d900ee412b03884f7e254a737609b45a3a195268bdc5d4ff4412c9b93f9b1653fd8429a690fb3a9344a5e4f08934351ef23b5813

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
44df3b6be1a25d6fe2ca1abdd392afd0

SHA1
c8cca85b6fc4df8edf901291479c7a5d9f05d2d6

SHA256
473bcae53078e1c0bca716a749317875aefae83de094befdac9384baca4cf387

SHA512
e7fe9c3aea9661b7735a15a1625600c33e38ab99df3a2135442f7a52b18641abdf4b92ba958c2fb147f3870e190ae6c95004a03dd866773aa2ef6b365156fec5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
642e7811a561c9ce6d5ad3ac896df785

SHA1
8c1f96e1010834a394cc835c2a6990b0f034894e

SHA256
1716e62d6ea4161e427c1b60bafefae6bd85234e63d05dbab06529b13064a17a

SHA512
7e32debe73bbf6641bba9874c1b427ed8a4975e0fe28291abd7b2d3a9ada76c30a37602d9aec69c977bfbd825234efc4a7f0c0c32425c5d06fbe320b97a4af1d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
ef9291e4498727a3f8d1fa8e318b6293

SHA1
a154d24602c3c8a79eecfbe869bf11a572fbd39f

SHA256
a25859bd4799d5c03c820a9551eba6be4d62da94fa0e91e5d65ea8fe5a0a3de8

SHA512
cbc142ef79827d386abe013d0684ba086d8394c02e1ab09cdbe18595abd9920883f8f8d205caf4efb878b22cfdfdd4a8dd9f931824b5d9a97dc3f737200b6f06

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a9d84f05b2cd0daae35be4efd589833c

SHA1
cd787eba99624445f5ad8a8590bb01168b156549

SHA256
78f738b59ab18b10cb02816f22a1403b1c40b702d3623b4cd27a545f2a47a529

SHA512
b7f1cbf8fb3141336c554eeda938fd54caccc48af227a457dc8568f73fa215137d868fc7a216ba66720d8e968329a18c62d87fcae19a9988a13c1802fc602345

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
bed332a0dce381d86710df8cc64d362d

SHA1
fc1d1a3aa217e8ecbf988ebfa6e41f63e5c3c411

SHA256
cf82cf326ff70a3472b06e129290f58106dba1408d08a59e622bb64a9d84c917

SHA512
e66e9b57b746de3388eaea65ad2cb07a552e043ffc9ef0298e0630e466eb860e01e769f58b07cddac053f945dcde6840454c17883aba2fcc7baf0725df47d873

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
90a76e54805a607bdf4ab390d2663701

SHA1
d431d3bb483bbc3d882e481e8680d195b75d0a7d

SHA256
0ae1333f9f9ab8f9c808e83318361459271142ad68286f8953591a6e07d51441

SHA512
e9146a50a0a2c805eca1d1829176ae34b0101965e08be741ebb7cc94f9d4e77fdf0178c783150248d470703ce151712760cea0085438b6391f4b9ad49619f0e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
d080342fb39baad0d88dada042011b26

SHA1
ced9b2a85a136cf0c8beb3b587e20d7e5a54c68c

SHA256
76a8ad9b7e7562e02fe8d3a82c3ae8e23285d183755887dd1b72e0c9e1d5758d

SHA512
ec66a659654a51de54f3522e990dc9c3e09bef140069cb5f5ff860c1f504b4738504e4eb93e43a8b714b3590a392c804f143d8e7d35c2c42124a164bb9adbd87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4f58964cd03d292a2a46ec844d77c04c

SHA1
fa19f63e4807fb61fb6705c0db3d1bb5acd80b87

SHA256
dea2d518f3d8f7dce0120ef1542031c5966de2b63ab4daf6a68775bac300d2a5

SHA512
5d8b9afeefe034f4f6a80ddd2c5aaa536503aaaef4578a55b4b2dd25363b84ebe7e2845005de7f9dca9c912dc395f13ef9d12f6116a6d19e87a6bc4198a28ea9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
002547864d4a9842476172ea7395da74

SHA1
a6b32caba42fb11cc5f8fa37464cd5919b841f3c

SHA256
0a7eb264df366df4607b51c8758879aac0654f2d2abf7a4016db94c51c605a17

SHA512
bea984065efa2b9621192bc7676a0275c501dcead324fd34348daf1327010715383c0541692183593a89b79e06a634a555c5951cd4cdc9c82e8378e59427e664

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f0e7067c04edeeef31c92d7178838f8b

SHA1
e0c69e6206b3a937e2e25127ec898e37e3b7e61a

SHA256
1d8524892e54f6cae043209ac2c6630ca18ecbfa9b75b9cb39b752ac57d4ada6

SHA512
659258a27353c1d3b12fca461f87d64b43e1c3337f8d5ee55d96c38cfdcbd5d6a9023ecf7a3c1917df89086470d150f4cddee9304cd0994087a28e26b3022c7a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
f8df88ebfcf7a324da6a7e46d12b39de

SHA1
07f37e669e7ea70b74966fe1e25c3b27ef8aeab2

SHA256
7367088e5de421c8f5964ed5f906f0e5c14076ca90b501f69f9e8b7b70fa15ba

SHA512
e818cc691dcaa9dd6f60e00b7d275779d656093bf3020b67fc66af9157bab87f27a6ecd93b99ec5eeb5dc38c4367cb3086bb5bb52e066672e96f62f13bcdb3e2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
bb8fbda2ec9defb7682aa7ae994e23d0

SHA1
81c7dc2b758e59e556db9fd625cf3677b243b85c

SHA256
37ee6364cefb999dcf8d4b1949f15e6ed0fb6545f93a3f827213c85248d69190

SHA512
279cf177899251a0bb6e80620dacd29f815cc1d2ddf18720b55336188a764aa2a69f622a398cb9b0d53d0d76139876a36dd89372c7dc442d86d593900a27ced1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
87abbca7d958fb0998091c4c402912e5

SHA1
cf5e3729110118e4d2f68b0a51e8433d7f4520ce

SHA256
7fad7326162b2d801869c10ca2588e42f0e933400295d489b249fc9c006add3d

SHA512
22f0f969e27902a7f865e871243f49d49b7e966be06e954b06c22a61217f2257d42ef6e6a8f6ea73a2e1274ca46d8ab187234f62622539c73dce16d3062f97c0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
30127aa49e1fd43814e34bb04d4e879d

SHA1
3e04f5710b2c6510d2cc456482fe2b5d355262e5

SHA256
e80a857f3fc30bf3988f660717abb6f9458bdd63a3a3f2ff7912bf675239c4ab

SHA512
f5ff29e07465b5c38a72d300108c201dc636fa57684baad4383df357176a345a5698593dd33dfebd2e7385d73e87847ba014922a8ceda89f6eb041aaefab5d48

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
92c4c42992b5695e6a1469e9f537c07a

SHA1
d4ed42fc10526ecc4027f86f5d606514bb4ad4fb

SHA256
df6a57de1d5be3bcdd4a8017299d8dcb15ee0080aa680bf2e383b0c4063b599e

SHA512
d17ffa0f5e2fe4963adfd95c6bc9d497e1a1073ec14c0cbe60d6183fc4bf74b6e2cfa1ee94fb869138713ce09c0c1b06e979628998b97e1e88af4d689a209b88

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2f4e7c864ccdc3dc6f4718e77311e99e

SHA1
45afb4aa91e2be1bf6b920cf88755fbcdc14fc15

SHA256
a4b49e6ccdcd8b9f67964ce6678a95b25c76e69420d797f040ee81b7c2561ed5

SHA512
d1204909ce3e341c2cadf850c4decb304163bbd03aa3335165f1bdbd63e7a638c21f4223bcacea7a7c56ef419b1d29cbdf472894e28e26c4474825b5440cffd6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
56c5daea07ec3b490220d84066303f70

SHA1
4ae007b1cb140d3813eefba2641e1d140c97b95d

SHA256
e993dffa1ac44b5700b1437d0352847fba207c69be661f060e9392459b9b61eb

SHA512
3500834227ce2bba9af47460d9c3d246e86692d5246959b5d822953b5731b2ac984fa465a03bfc3e73271f03cdfced36314169362dec2b9b6cbbc8764b6f35b8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
cd7f0e3293e6e0f2fee36c70e4595ebf

SHA1
49fe031179d0cca9ea95ab90e42660cc2d436b76

SHA256
c31fc3fa223fdf2a991adb37718927a84a60cd2d07c518de55e6a25347fed64b

SHA512
f061ab0899462006c86c57e02d173e5d6c5be94098f5b3c49f5e3a2029e903f6c54b6826a88c3e67146d3b4c691334f612f1a994a53233eba590d7c8533c4448

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
39d16f6de709e22f1eb3f070c21572ae

SHA1
026734c8be027fa3fbba9eaa3b65a5cf8f19cf54

SHA256
9f8eb2f2ad51f044b6175344948043a218d4c115056f6ec53c08e3ec75cbf4a6

SHA512
3d0acf7af2a8a73281f6f6bb2f363c5c592c70a248972f470f1b024830eae4559e0ea68cc0c192629e1f2e2f30e06bedb8cfc509ca6ea41ed1f5deeef83bf174

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
2d8994beb0d0c4ef262a003db39ed39d

SHA1
ca31584f83ede6eea242bd0a71893532b3d0e2c3

SHA256
b2d4578708ee137d15b6af6b44596323c8559177a878d80b2a5893683208bf6e

SHA512
75589763df9ccb20ce5b23cbfc69da2c95d22befc9d6a15be2b1ed85c3996b4aba9ab0c76490792de39187f01c2dfaab28e7cbad95ce763a13d89729f7338f64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
e0aebe158168c13e7d58b0ad313cd4e2

SHA1
9f19be58f95d6bd50deaeaae69acdb0ca4864e57

SHA256
a011031e0e7881627731e61a1f5f81c717ab2912484ca1591ad770189305bee7

SHA512
a2915eabe1b141c28cb8860b581ad5276975fdb856a01e0b1594b2af9084ca20d79c155d8af4ea8a7b5b0578771ddea2ed54b575e6d807d8e7b1ca7e004acb9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
3a973d06225a6065f214ce0bc8828da1

SHA1
78351ba748ae3461ac18c6a6e17648367744834c

SHA256
b59864a9c05df2fb25fbf1204575f65bfb5efb3001678d63032ce647ec6ce360

SHA512
78f702de1fe2d920ae1b74386cfda9e21f159d2020ce5c24d16c93f26724963f6637863749f2cdb025abef0ed0017e905d670a7dbeb3cf0ba0f2a46ef6e6b328

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
8cb65420600e098dd1888d7216895234

SHA1
ca9f2b7c91c2e1664751c8b572dc19acfcce07d2

SHA256
8b6da6d385a1ba4b49596d78bc0f5c828f1a5337263c9785dc65db8a4aac4453

SHA512
69a15f9a7f46103aad87accd6b9a1d0dbb78bc022d51ba1cd6cbda7ebecc2e3bc77f6e9fae48f158c9fbbdef57d5932a744088f3a410df3e925d25dbd2edc0de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
af607f7a40fdd7407160b7d750487544

SHA1
01e12e560b6e9d75a40e261efe3bded688d23b68

SHA256
2359600cf518adbd49c8df5d8eec34aeab35b44bb3d7af6dcdffe8fe24a3201a

SHA512
85730926916aa29a52cac56d065724d0d44cc954834f1d50107c08255cb3d08df78e61c27a08194061e95306743b609f813bf9f68c802557847001bbd5b6ff60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
5a6905190d55051e5a2df7b06b7afd4d

SHA1
284ba967b46b3739722533c4ce25d1c5d8af0925

SHA256
332a398a18c3ee5b3740a8c2bfdf547259b32d4377a06641adfd5379545ba94e

SHA512
33eff7940df0fe3d46ce3f99f9d3810716f16aa7f1f00a3adf02bf92c5811d09b4e9c8e3d480f9ad66edb72a13f61df79e6a69c474774ec21ba2e536fc756a66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
84184bb5b99bca46625b1636c7e435d1

SHA1
81dfcb97029f3fab49a6640feeea42f861af6f60

SHA256
47d4f1b461682866bbadf821b010ebd3c0d47379659f8c07a0a1bab2c5e1fdff

SHA512
a9c93a660cfb4b07828ad55d9cea514445cc79220e3844c4028d78ffd393e29ad5591bc0d876f67f9d04d2182be6427e1ecd3397b9ef700a4757473738dffc5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
a2ae60a8342079f874ed974b1ceff971

SHA1
b974d7b641b919029a7659b1aa866834875ca897

SHA256
e46df780aecdb9d571bb4d454b63d14b62f56edbb7e20085cb9d80b1cca9c7b5

SHA512
d70e6096de679bf10317650938fb7a42cd25e704a0c624864b7743004fa6fc7ee6c455626ca54172cf7d6715146d897459ee0e22ddb6cbf9277a5b469fd0023a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
7065635627659008c12e8e2939781926

SHA1
96c44d3823a1ca9628467d1af856bb8cdbc30ed1

SHA256
f115dab26be290cd4c66ef87d18b39b2f26561696845b4594814ba636231f71c

SHA512
af1a7d63fdb2f1cc66a9ff17840515ee63d6582904f945143d2dae0bf4fd137555162e577030612997a838f2f7e977383c055e4b03be3a3fc6057fda36a6c06f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
092916932a0f0312fdd0d65efa474985

SHA1
0efbd35edb6ff89bb64787bb12abf320e947682a

SHA256
aa76f3924bcd4d1bb0e752c413c29e1ca1dfc53857225d3f3d9cc6882ab86c09

SHA512
d63920a3ae61e5b647c25b2bb17ff5f9685e126584d1c008eb00dd8e9f100f10cec7fbb57cde3e45b76d278c7428671703b3d30d950f9256b489a83076ef6526

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
9401f1cbcf60b4bb22efc224c53188cf

SHA1
3f623271b7395e15f320399fc9f952a3994ed072

SHA256
7265186416a03475b99499e01edffbfa159f0759dcd91537e24c4f68c0b9b2cf

SHA512
af932caac7bd327eeae23d459afd43f4af40a11270a51fca706e6e9aedaec0b68bb7663048d63d107fd3a2e92315d95dc72230ffcf345e4baeacd8863a494911

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
e05182e2311910a62c9fdb9343025a8d

SHA1
61d674c7215bc07dd8c1db7705c18b1e3623133c

SHA256
f1d88005f92019135a1e44870e8bc51bc12cee0bc9733901a6c297d1bb31c58b

SHA512
5716ba525450801b8f70f6646167b22799f119550577096785a3d2b66d74b7677c4aea969d7c8bcdb2696201266cba31f0765ebbd27be21e9a0c87c4ad710c73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
6e996184481586356b14abb65d03bc76

SHA1
80aedaf7436bb1c7f236dfbb034493c139538ada

SHA256
d165eff6dc4a2c4a04850a2d73a6567956e69a55d617c54d8357cdeac7429166

SHA512
660fb8be59e8b68254d6ffed83e24b76581939d784a2cacc43dff0eed2956a9d26089b5950ff925ef351516ac062b2f2e4322c4e8dd32db4603539c5dfa86b8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
f4ea41bc16d0cc5d53265fcf1381f649

SHA1
342402baa966b38e68593ba508e94d94f790800b

SHA256
bd2355545dcec3a84ef4cc9853ecf9f18eca72e76685e5537a779f1a5c789bf4

SHA512
f81bc5c9ca034f1adf8b0db9483f75f8f0f7b6b6fdaede9c2e1d28127cdb6422725ceb23f05efb85bc292b638fd19e6496da1092f3c9612e24fa9a72116815c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
ed31c667dc3fa391cc5c2b653071d452

SHA1
cdcf3b3810345cb63fe8961cb52e2cdc4ea455b0

SHA256
c0ce01253461c00d64388baa8882aeef72bbf8cba9455dbbfd40d4c106527a0d

SHA512
0f5332cc345119d18d063a421023adc0ee3409264d8f33784a82f2bc1871b65ac8b36008016be0ad95b504e5a75ffae1dd42fd5ad1095e3762099b235cad898f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
91ff8785e52f2936a59da17efd74ffae

SHA1
1b218a307cbe60046dfe15f3f0a0dede5e09a9ed

SHA256
9e742552903814598e8ff012edb794f779cb64bf7bc4ca6f6d9408faf4a3612a

SHA512
bd146b3d65767174af0d2660a40742b9adf6212349edd244c9475c1ee07d4e3f031ae3c16198dfa19f07af57cfae7363578a2b63c86c0393900ed062066fc220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
88eaa4ade2781c68a766c28b684f745f

SHA1
aa5bd632423ba687bb5310635e201f675ce4b662

SHA256
5c6e1a285cdc5451d85b633fc113b7c6c1d1a3760bbe6879cde29716c7562f5b

SHA512
50b6153985967fe7d55e70055222b9d7b2db2c969fe65a039591033245af8e8d5178ef980ff1101cce3604d59bf371dbbfe808356e3a4a420fde90190fc0c8d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
19b88075b9aff1d0841b2fca2858db00

SHA1
9804d0be9b3174897992c27f8843a590db584924

SHA256
c7455dc7b5ae64de04612072c8326abd4123d8761d57df4631b340a9762e4bbf

SHA512
13060caa356c708081c985a8604ef11045528e8ff8d6c93057744d4d4ec3407a0cd1609359d6fe1809668b9ab900fe598cedf21200623ec30dd63e32d21cb125

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
390433429bd69fc328a3954185956133

SHA1
92fc52d4d10c4d5dc2b1996ca9aa04ed13479b16

SHA256
ee0364dc330d2901ebe2d529b99b69b237bdd7ea013e14f4ac61fe69fa12ac68

SHA512
cee6be68153b3f79626a8f8ccbe621f5aed934f98187c65f8a9a58646a7b2c85714991a8c47eeddbb8f7c634865c712b48c0b3fef36a7d21f6d12e141d556f5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
97afa75c3bad380be0e3c7075ea03f75

SHA1
523d2747f82400fbe4bfbdd38a03a4a16ac01e73

SHA256
167532fb82877034b395029e68bc0b357a9bda660846d764196a7c86e0094924

SHA512
9b5052622a71eff7e7c06b6721e75da80490dc8df7a6dc1b73d8a36a9b4f0385fda15e58b7d140e8efc671ccb0c510d81c878218c3a881843d99eb7dd98a66cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
613da25f861197a9c02abfb86e51d374

SHA1
046d83e104f29b5f3eb015f0728e86c44ca67784

SHA256
276ce0a2e5772b1e4a18362f56e3461b55e297b064d97abee8d8bf4e19b05de5

SHA512
d2dd68e8a60c0699557239e156aed0e35d2b1f3b6ebb39b53eef08f2845f7ccc78cc7a6baeec0ef6fbe983cbcbb452ecf9abb877b999c832103c3d4440e32b3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
f637cbc97930d7f669edd6b2548dc6c7

SHA1
452b9f0bb59e0cf3889058f3eec1fdb2e487b273

SHA256
cadbfb4a14be88bb8608f87a829abd4c6672e559ebb080ba52dab9c787daf2d2

SHA512
8254f768853bf73073dca8582d44a548952f1f065d1c6f2208054f130d2c487a1461f20c58b88b3efa30ad9ae5bb31fa46164a9ec53ca426e7ae5338f052d5a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
732401b1ca2944b103e9b7aef4bc4ff9

SHA1
af07cc5d945c2b99c94b679e4a87ca16dbaff2f7

SHA256
c5dd9cba416428bd06420fe300ceba10740a59ed98f0092f71a5e591d321f20e

SHA512
18b1cc15aa4910ef52f3c09ded0b7975d3232954142f49b0100d55f88efc8ab0952ba9855e9a4696d1111949b486cdc7e030538407a533db493f6c00ae7bb244

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6796cd1e52e26da0f84f1c97d3f39c18

SHA1
8cdf6fce980dc9a517cd294a254a5c6aedaf3efa

SHA256
5774a826f525d57be49798b552ca6144796c17bf0c40fd986e22db3996b17eac

SHA512
600f31672b1d73b1a96b44462056372268d6c36af121f34ec417b62e910904479aac1844beb01e4d22a370adc6b36bc18e8223fcd3c7653dcadeb1e5a3f79b76

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b979ec423d46a9398bb1f5582933f5b4

SHA1
1a7e6335255a6bb0e0c32c6045b9cd1d2931fe4d

SHA256
47fdead5d04a4818788ba4694213b23dc4b2f103de43835d3b49bd33379b87b4

SHA512
79b325d83d43e1350cc365e3894dbd52e170a1c24f6f6f2aba6e83b390249cbbb2be9b19c1a92ec98a49cffff11a816c8802db1a57e59264534333725d8c9da2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3dd2c8bc6ba281ff8ddd01d265474087

SHA1
219cde6e8e61dbe91e931c940bb91d0bbc2c66e3

SHA256
53307dc251397f89fbdd3de5bdb57b8cf17a09e2c22e52c3b943b345f775d700

SHA512
5ec619c8a6ec5e61c9feb29ac38d2ba31fe7864023a76258fc84a2e5f8d381c69927e474022a400d48420b7138e2a5b92ae826666fd8899e64110ca2a5bcaa61

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8fefa990a826ce5a9b4e81501f10658f

SHA1
9cbc201ad851ac0915272c926a7cd782991bd8e6

SHA256
8c4d3174f6da8c5f3feb728276c6bb7e63819424370a6d7d9808789161d9dff3

SHA512
19cccbec555bdd01c695220d13ad1b169f43a05ae12668e97ab95c442244a453df45877a8205eeba8bc7a0fde86a19d3418448d9ef9c0498aaddff62208faa7a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
3c1cee4f465a1cac43bb204087a6d0da

SHA1
2b01d0b67d3a9680268fae63a0eb26977aa97305

SHA256
38cd2ba9a2f5c940bcd99e61d01854f47ebbd313942014a057df092b6b7be05c

SHA512
e951b4aec7294b7df7f4d90352a333249613a0bae7e1445d0662a81894cb3a0bdf13349ff21a55257db21b81df524a2afe833d3f51ef12e3a9474bf8a8967d87

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
3c1cee4f465a1cac43bb204087a6d0da

SHA1
2b01d0b67d3a9680268fae63a0eb26977aa97305

SHA256
38cd2ba9a2f5c940bcd99e61d01854f47ebbd313942014a057df092b6b7be05c

SHA512
e951b4aec7294b7df7f4d90352a333249613a0bae7e1445d0662a81894cb3a0bdf13349ff21a55257db21b81df524a2afe833d3f51ef12e3a9474bf8a8967d87

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
c44f20c8c95684f2cdeea34fb24be5d6

SHA1
85db52878e62064b4e15d5bd3cfc9a41f1fb9dad

SHA256
2a39829c9abda7df1fa2ec52ec7402e8938797a22a546788e6d1f1119b0d1010

SHA512
606f70ff99b492f5fa6f29afb21636d52d7e8df5c13b335433e118aac4794243fbedb75a2235a39a57d28d80759ad6b01afc66574e2b661ab2067ac94d73781f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
774aed821553f732a1283aac3f0304b9

SHA1
8d55e93b40049341d5421cdfa2f882ba86b84ee2

SHA256
18bc7314c38a71989c6437f222a04fb80083a11774affe8f1b94d41596ba0680

SHA512
85f74d5036bb5c6f81cb634d4b722804725c371a0443c2f3392cb0ee84821fdfc0a320ba2e9f7be099e9f5fc585e9deb40c6c9275b43cbce1c060ca2a7ee1b9d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
42bcfb537ccc071e4417a104fda04e45

SHA1
060cea855914ad94d85498fc151e47d8005e3501

SHA256
4a8813d88839309e48aaff68c38d2f52e1b34ca7d88580b7e9cfd4390ecb532f

SHA512
7f6e07a53612b4eb2703bb048276774bbaa62947eb23dd34a4a7264b43a3a6c0f58ac0c8f0843e7d2cee55d1160af5641f09821baa8581371cca5be92129521d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e5e242a9a3890b324487eeeeb93e735b

SHA1
6a838187a824831ca0918e73ba4fc2badc93c8ed

SHA256
c4341bd0f8c09fde8921010e9ffa974eba2dfbec099ff85510baa9fa67addf78

SHA512
f39e085a74fac131cea7f2a02b3573d2e22ae30c3d7a8b08f11ea42ea447c98ecfbd64cc5ab1a3e8d3dad61119af74dad1e40caffec72bb60e9380500df3bcc6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
958e8fc6d75b2403e593764544ff832a

SHA1
eab64b527e4058c009e6f76fd85827b350a07d77

SHA256
89bdc22e5745c928926ceac1b433ff545dd4c34d53ad2c9384535ff17009209a

SHA512
04a3a8f964157855342e62130c1ac887fdeeb592b75e365dd03474f5b8a7449a31330a33b776806ff8c63b588292f8745475cf03950d786b9f8dbe87cab71b4c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fcf88090411274c3d71dd6ed7ef83aa2

SHA1
027b8f26b797b60df03db16052436b6d5a167726

SHA256
08c77d20ae28c07ea6bf46c9568095b42866408646db8662960b91059e691848

SHA512
04c0837284b5f28880ef507203dcde2187349aeb154467fa34e68bfbd92a3cd0d782a070a2e36c6ddd2500f5e3ecfe031d626ec110ab01265431340e6cf8786d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
33d912c4a214cbfd36ddcec3170e8318

SHA1
9a569655742bea2914bbc503b466fd05080e7dbd

SHA256
49268150a46d68295ccee9f1fe759f5b669e7744534e6a2f2646ad452bce8483

SHA512
85647a3da0ad0edea2ca18dda28ee0d22eda7d97af4598603780466dd137649aec28e0bd5d7624e906f0d91029526b932c1dd415a2826bbfc3429005e99ead12

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
46d7b67a1d2cf55655354d648696cbd8

SHA1
64103b0c3e3822d2b7adfd3379fdd42a772e4a9e

SHA256
e7adbe8bb4b76016ea26e058db5aac25ba8e0ec9bdc79eb2480a169cfc5493ce

SHA512
fdee57db56c0303e83d3df02fc5f88d97f049ce0e96588eea94f3e2201f01181d06e1e2bfeaffa34eddb753074e0ee2765de1715fc637bd1722b9dcf6fe94175

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
ebedfd1ea02c1b32624c06deffaf971b

SHA1
3843c09dcb011094e0451e70ef16094172fee76e

SHA256
1bb1d461a0d9bcc258637f5e670b9c4b7f59c448a9a6b709e3bb4f94e754240b

SHA512
fa6d6b896b0c5c3bede0697f9aad0e861a54f4b480adc4eddb9e302f808fd2293d47013a88f963d7c775394e3af74614a915fc16e5b8d52fb87ac68abfc8e3e5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e80a6fe3ac8af6fd7f5275b1a28ce882

SHA1
99f8e85b3bc21f7cbc9663f7bad6df22b3a14272

SHA256
aecf5b27424064cebd478c3fbeb2159d0329d707d5d45d758149a9f1dadeaa8e

SHA512
5e6ebe161ce5f8f1f3c9fbf2be6fa2b5e585def88c9e73b0b18a4c70e29b1f90b0c89caad8abf012b3ae5db68a6b0ac5e79c4203d403b509888eaf9d3668ab85

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
75db4c18b01ebb0ebb8f6a43cc1f7a98

SHA1
18bfb97917af69c72ea962dcfbc8482a6479ad8d

SHA256
1db3b6287806fef688fc909c3a6a6881b1031f7424422ee8780f04e0611d3c70

SHA512
4b30c34bd70803cb035f60577b44e7fda216f0c41f277c4e8ab8576bb8ce16de4615bcd7f118568f2c5de8ce82731b3281220b2b44ccfd05b08f5a420db73d64

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cf88e1692680f31e1b9d2a138dd717b2

SHA1
32b6995d6ad31456262a18714be5ec97d3e6e552

SHA256
673714867f88ec474d612bc83f161f755a9db58dbf150b292a2338204f67315c

SHA512
b9eb083f09fe2197f55db100bbedb4b9f5de44062e7cabb0bf687f3e520eb513d4ba33c1bab719704149d3c3491a0f55521da843dcf84f645af71a88ac3742d1

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
1fd3d7d740329f6c94b84a79a3a323c8

SHA1
5464bf444151292ba95c413d0c546cdfecbe1539

SHA256
94a9ed64473d9c0a6c6a0948f965c9c46fe9e96ed47d5384fea2dce3abcdb4d8

SHA512
c59cca071296ccd7b6f3a574232052f384fa435199d0c22a1d07f1f002a35391ae1daf3eccf4a09e5550af2bf22c6974f44568a0dcd0f61483a9d9db1613febd

Download Submit
memory/448-455-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/824-68-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/824-74-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/824-75-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/824-67-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/824-238-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/832-358-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/832-368-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/832-427-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1160-274-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1160-339-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1160-282-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1380-266-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1380-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1380-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1380-258-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1380-273-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1428-299-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1428-288-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1428-352-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1456-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1456-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1456-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1456-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1456-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1576-443-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/1576-451-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1680-6-0x00000000024F0000-0x0000000002557000-memory.dmp

Filesize
412KB

Download
memory/1680-7-0x00000000024F0000-0x0000000002557000-memory.dmp

Filesize
412KB

Download
memory/1680-1-0x00000000024F0000-0x0000000002557000-memory.dmp

Filesize
412KB

Download
memory/1680-13-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1680-0-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1688-399-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1688-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1688-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1688-393-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2108-315-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2108-371-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2108-306-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2112-441-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/2112-373-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/2112-379-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2112-450-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2184-415-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2184-422-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2240-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2240-120-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2240-16-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2240-15-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3068-436-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3068-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3088-401-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3088-332-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3088-341-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3524-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3524-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3524-354-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3568-227-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3568-35-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3568-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3568-28-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3848-366-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3848-302-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3992-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3992-327-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3992-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4052-66-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4052-51-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4052-52-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4052-59-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4052-62-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4832-253-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4832-314-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4832-246-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4832-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4832-245-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/5016-411-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5016-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download