95bea85d52b8a66b70e089edbf5b243ad771c0ed9cd5c760d67c62c790d5f3bc

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95bea85d52b8a66b70e089edbf5b243ad771c0ed9cd5c760d67c62c790d5f3bc.exe
Size

716KB
MD5

235758a26c67825cb2e564ddbf898b79
SHA1

8abfcca20138a1c40659fbc4d6ee705c36cb15d2
SHA256

95bea85d52b8a66b70e089edbf5b243ad771c0ed9cd5c760d67c62c790d5f3bc
SHA512

7070e7b7e4f6e25a1bafc19e134dd6d9d9f588f9b519c55269e6bb7e54feeb027ef924669405e33d2231531a178487add5ae224ffaf1423bff05c2eaa9be9b00
SSDEEP

12288:93P/aK2vB+op/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXRr:9/CKABx/i328ab4F+rM/aXq6bJfBUam6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3244	alg.exe
1820	elevation_service.exe
1228	elevation_service.exe
1760	maintenanceservice.exe
4428	OSE.EXE
2412	DiagnosticsHub.StandardCollector.Service.exe
4440	fxssvc.exe
3992	msdtc.exe
4300	PerceptionSimulationService.exe
3276	perfhost.exe
4064	locator.exe
4004	SensorDataService.exe
404	snmptrap.exe
3348	spectrum.exe
2836	ssh-agent.exe
2952	TieringEngineService.exe
1044	AgentService.exe
2564	vds.exe
4600	vssvc.exe
3428	wbengine.exe
4144	WmiApSrv.exe
1100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	95bea85d52b8a66b70e089edbf5b243ad771c0ed9cd5c760d67c62c790d5f3bc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e3463101c98e5a49.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7AF60853-3BF3-4621-8184-C96FC7FB7214}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f2d46026b4dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fe4f9016b4dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5a35b026b4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a6fe4016b4dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d95eb016b4dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7552e026b4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000159cf6026b4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1820	elevation_service.exe
1820	elevation_service.exe
1820	elevation_service.exe
1820	elevation_service.exe
1820	elevation_service.exe
1820	elevation_service.exe
1820	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1164	95bea85d52b8a66b70e089edbf5b243ad771c0ed9cd5c760d67c62c790d5f3bc.exe
Token: SeDebugPrivilege	3244	alg.exe
Token: SeDebugPrivilege	3244	alg.exe
Token: SeDebugPrivilege	3244	alg.exe
Token: SeTakeOwnershipPrivilege	1820	elevation_service.exe
Token: SeAuditPrivilege	4440	fxssvc.exe
Token: SeRestorePrivilege	2952	TieringEngineService.exe
Token: SeManageVolumePrivilege	2952	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1044	AgentService.exe
Token: SeBackupPrivilege	4600	vssvc.exe
Token: SeRestorePrivilege	4600	vssvc.exe
Token: SeAuditPrivilege	4600	vssvc.exe
Token: SeBackupPrivilege	3428	wbengine.exe
Token: SeRestorePrivilege	3428	wbengine.exe
Token: SeSecurityPrivilege	3428	wbengine.exe
Token: 33	1100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1100	SearchIndexer.exe
Token: SeDebugPrivilege	1820	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1192	1100	SearchIndexer.exe	119
PID 1100 wrote to memory of 1192	1100	SearchIndexer.exe	119
PID 1100 wrote to memory of 3252	1100	SearchIndexer.exe	120
PID 1100 wrote to memory of 3252	1100	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\95bea85d52b8a66b70e089edbf5b243ad771c0ed9cd5c760d67c62c790d5f3bc.exe
"C:\Users\Admin\AppData\Local\Temp\95bea85d52b8a66b70e089edbf5b243ad771c0ed9cd5c760d67c62c790d5f3bc.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1228

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1760

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4768

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3992

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3276

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3348

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2828

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1192
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
548e497cd59d85877e014578580458af

SHA1
3fc43e9914e8311c81bab3fbc85d20cf7ca8b699

SHA256
4b6dc12155f176825eedff3749a40e1e41ff90720a7b2c0bd98882d7e3aec6f4

SHA512
89961e12856efb3f6a06b20c5b80193bd6f1a85c35b4da7894d2c3acf7e715a31091f5b69623d8d21636afb852badce030f020192c4d7435c81fbe19be36af12

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
5887055998d8564bfc2744396ec2fd85

SHA1
00b6e80c963093f7155e477748dbaa1a8ad8fb4f

SHA256
4251778209f125de3ca45f4b8b7fe65a0eed596eec70a62bdd0dbb91f136d8fb

SHA512
cad1a61dccf9d8918d425f45fc544bfcb09bbdc45d801f5c63f6a66249ed73d3107cb81ed3ab4fb1c6964dc19a449578b5c82ba5f8894920595ae6b2a2e92081

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9fd9be5753b5f9a77b2a68a51be14ab8

SHA1
d72a2461d32ac5827af27199d84bec0881babbc5

SHA256
e866c32816f34b7ced14366b79442358c761ebb00cbaeb0e2c7cd54796314ae7

SHA512
959bd88516b4de6c919692bce149705bb6c035884f98fac26f392091a4651b4a1e3c1964a405ace39c37fd47528e05971c7cb3139b846e10b06ac8e42d78c22b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e5aa5492f9938b5bdaf3d095ba6bc132

SHA1
b8b11c1e766b500c3351804fd53b00a4225e10f2

SHA256
4f8ccae6c4bf158292b616845aeb3a850b0957a607e92fc509045969020ba481

SHA512
0e49aa53826e6bb6d4880feb70004e2ea60f505a85c65df8275829f2aefefc36a85dc0d28628945c724b543250fccd17f4a0e3ef465b3259627670ff439ff7f3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
20cf150f4c424a239fb301a7a12e851f

SHA1
5d7a62a6f4255cb08f88eb5bcf22b1ef2c6bc811

SHA256
23965e0adda7b25d4771769a96bbfffc1ce014cd716cdbc80cbf19d712586fe5

SHA512
7a4a5f052a071ecc621a134e745e10a2a08cb8dcf5803ec57f4d2f647f6c7da7f584f0e1755a1e3ba9b23e2ca6c204a99f440f5314cbe63060a098fc7218991a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8d4a92516c52bfc6d8a7cdcc78fcf5e9

SHA1
0451747d6bc7f5108c3480d3c4364206de4f8554

SHA256
21f11f58d0cf92f2459f35ee9370c8df37375f479b908d26d1c7b066dfb94c25

SHA512
d21965a0b483669c7673c1f4738e7e1bc4d73f9419bd0c930038714346461d8743c21bff0e2b3234270058defc7c4a5bfe44a999b6cb2caf0ed3edb8a37cde0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
37fc37ac8fc5a4269cacdaf69529084c

SHA1
ea00129786506282fcfcbd39e6ce1d3ea75424b1

SHA256
e937908282706841764587c5dc8981ec2d13e65d5925ff1e3c6feed8cdfd81fd

SHA512
283defea1dd04358fea01707ae29d52d9bc641642bdc22cda0fbe98ed2c004cb9387e2be6333d5b331da298acca717025900d94e1f5b17e60332006e0db69f61

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e3015897c2f63ab664e8e07f4581225c

SHA1
3e34ddb15f3eb526653e67a9f5985a616f974100

SHA256
e52166ad4def5873bd954f7bc731216751828f94c204ecf9c9d0d281440b1020

SHA512
16e35131e61efaf9740cc7de6c636e604d88c4c86b2a8f7c00b7d204c161d4432a77e1c5be7432ee66aad015b7a34005641aa232138bf99614366de595e9911e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
896KB

MD5
0218e2cf2497ae72d5d36e5245dcb95f

SHA1
133e4e797fd24d183946863df8171d99cfb80a0b

SHA256
614254660a731a46582fba1105fc4b3bbe4a17a5abf3aac41cebd5ab06d6296c

SHA512
a8151f9c89cfba2e651fa6775010b6d236dfd5045e2fad821de205b363d39ea48d745858d9d54959d0b7ecc5224070e82e6a547938503cfaba1920a2dac4de83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
768KB

MD5
fee3212cd4edf399df6f9aa84f0a64b1

SHA1
8b90a8180c632a439ee2d3b8bf5d526a71a5f01f

SHA256
d152d1d593a838470a569fa7d13461766b75b0ea517b03a7634e8f29b1f99a37

SHA512
892dd44898697dfa6911e162395b31a795d7a6bd742d9170ba3c0520671a79f5f7e19e2b47a5353f7bae61c7a1025d76d5a6426f740dee0af1121d1e014e5c2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a903dd8b4d9adba39db84302fea10efd

SHA1
265aa50df54365163193113ddb2aaf0c7266f85a

SHA256
9ea3b1b0c7c3bac46c32187ba3b4349dd40f9999570694311767b35fb298baf5

SHA512
beddfd3879f87ffcd9d1edb71afd291aec6b9169661a859ad320f29473a2f838b0a3741a0df1f426616706371b7e7b327ef4e2c957ad76116a8a9374924f1e20

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fd82af8aab885a2a55f7d2d2518a91fd

SHA1
f3e760b90810930198960cf2c295d14d929fbd26

SHA256
6d5d6d15699b71a4fc71d213f4c05b33215c1cdbe3ac142ee5346b7291a1f80d

SHA512
108ea83a82dfa76caae11481df9bba0a7f85d5dba8e400838f91d61789173f3656809d559320ebe4a9155f236d5c3d9ff0868d41caa48629aae25df26f0eff54

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
06a6b87e6b56428838ef847d0c7af52c

SHA1
a57cd433e319052bf0a7cfd9838df7ed07a06155

SHA256
9565d0ba3207f1d91b32da9b67257f1c5d9041f932c9e0d85d148d5a5d15a2fc

SHA512
93dec7acedb41237c8ea647de3ea0d2a986432cce697c05e0f79842becc2acdb6e483a6a1d0f7ce203d5ad46af575902ef9167c8d5f403ca51f8a0cadbb37826

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9925d3e69e11e0769efc4a7cb808d53d

SHA1
807cebf791ebcfaf5e399371060273c1ef8f2e5c

SHA256
ccf27334f8c27b769d93aa993ac2b9eb57e3609eea309ec2c1ff122cdf784d16

SHA512
e4f6fd571cbfe5705bfacf8bf4ac2fd186ef9a54a6ea4a80ccc7cb2198695e2e976c0e7a51927d69c7917aebf7add224ad69e7171d4a4eab0255d51543213bca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
8e27b740d21aaba3e208d57c44cd8a6e

SHA1
930f8dbd98fd5512a1df5f6e31f77857f0f893b8

SHA256
edd25998cca49eda05ee4ca82b804b942141560a302a4d3062616a9ad3f2d8da

SHA512
d04dd04547657382b0aff93f6a5c9e75878b494431afb9e5849e032e54c7c57db91a2663c4ae96fd1bd0f0d568bffd8ae57490d2a8e1e8410b76513c49fe4920

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7c78dd1ea479e0c8971fdbf17a8c8a91

SHA1
ea10426cf3ed4bf2287123ec810a30cd8088cd5d

SHA256
1abca367c5d76ddd6425fd55379a69b7b5a531f871c26407b4207394e3b8de00

SHA512
d9aacc8b3c29615450e27efed0dd84ce26940e69dc5ebbc884105dffd17553e21f16ca650d2f59b1eb779ea5907bd8a9323c336b5697fa18de0129341d8dd32b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
3b1b9ce9a6559a5790623d8722dedb67

SHA1
6795763f9100bd96ff0ee4e2d7bf405d85cddbc7

SHA256
4197ef662d503e071341bf30583bfc29f248628b68a24bf471ecb7e5bf7c11cd

SHA512
c4298dd60a47435041d84f201935289a2a087bc4a9440c3089499528607f7b419a3a9fb20f09f0a6fe4fdf5fd153025be8f82f2d0693d42ebb0c24c5f4dbfd89

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b11b71285ae47213cf5ed67ea0f59ff5

SHA1
9a356e0ea376fedbe7159db5e406215869f12162

SHA256
c0439c7b894d0321fb11caea5a612fb6fea98fed1cbbe2feb3b1d92bb0bfec09

SHA512
48d5ea493118e19805ad79c67366dd5b7ce78a3f54f0297ec38cdc5fa6c5258b85ff7c3aa556b65e843914577dffe913033818f46dd05822d7fa36f64eb9ffe3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
c28158bbcb672faff2a959bc8a211a17

SHA1
209988863cf6c37197f11e8f93f9d97dc357e61d

SHA256
a2cd20b35c0f179c9355d6ccf44f4db863580e6293027b92424a44af305cad46

SHA512
31431c4d3c1b8a4c936254f483680ddcb3932332fe4b2a4278d45878b1f7652743a3b38ef4cdf08040459f75efe7e6596e07624c04a9d768307910c3e8130c56

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
c096f0c6a9f417f7960ae494882695a0

SHA1
f9dc96b8759e0e29f2c3397906c53918a9246e13

SHA256
941415715b32eb2ef6e9eba06b16d7292877dc6329e7806e6a0312615746f339

SHA512
6de7ec300c323ef189d48bd8267997b8d1733482fc3a29a541c52669fd8dd11f6e43c51e7f1957a3caa760d498ee9edd1b03af0009d2085fc6cd1d945313e8fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
332c6d374d90ffcef8740b66c9c8c757

SHA1
f76a855552d0d0fcc9a312c80e6804eb5d644f61

SHA256
903534fbac6fbd379c4b9752b55188a35ca6e3a9538832497476a26049757bec

SHA512
967de608155e4a3adab341ace7858f1cfdbcaba2b0e6c148f7d091a3fa2c9ceb7fc7fba94473cb0b952b8cabc8f89ca9fa558f3f9c044d184c6c01585e44ac92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4f2949cd1a441366cc276160e5e0bbef

SHA1
b19c3b689fed5056b0c7b7a0056a469357703737

SHA256
499386e221e0d9a583e1e48ea951f6b4b46814fb4696609e945b08716e276308

SHA512
ac48948eebbd8cc64d2c6d69a6a6964fcd632edbd5c24baa3fe4cacafbebe9e79f51133b269680effe1c5cbe46494d0d09e12d899bc2f3f303b9d79f7875a7b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
61cea165c1f18274455204211bd25b99

SHA1
3b4943c635e59573c6b90c6d69d89d5bacb1e663

SHA256
c8a21a9a5b097d90cfb2ce793555c37933ab48ffb55e2a54d8a5699d9f5f2517

SHA512
385a041e3cce34ef5f3843278ff70278387a91166e0e83875364af8fff9a14f58d0eefec9ca24db5ac81e94b007e4f3a69c4bbe3fe5df3532e577d6243073cf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
79aed3a32caa0ef060051cf15c34e4e2

SHA1
a2e0c94fa579545b9a9b3cad64b69284da7c9a97

SHA256
5d6f9823251e14881b00ed1d3ecf60a258b49e956ac17766b10f9f3d8189dd9f

SHA512
d82569c85fa6302f8c45135074527a97eec9aa5fb9a61184772278dfb3417d852c0f340c1a3fe50d287b1ab1edf71888d0d9253f772abc5ea471023c895ff287

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
10da115e1891c57dcda7fc41a31d1140

SHA1
d1f3e39ef7dbc656bf102134b2d9fc38af1063f4

SHA256
19c6eaee37746e9970ad5f84429369a5c913b02524b9469d353d9b0a28c90073

SHA512
7a538bf257fe6304c8614601a4cd79a5604a5ebd30d181ebcb7efd2362821f346ae341c9c08d4d3943f7f8eb5d6a87133397e5a6f2266c4cdddc1aa337fe7105

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
90cda93c51581883c842e4e692778d13

SHA1
cb6455ecb0eae4fe3c53c9636c455a79be81383f

SHA256
870d1e7f4c1de5ba9a8e9d04cc8c323ac5703856639bf162e6983e05dde2c5f7

SHA512
2cb6c081506111b6cd04a7feb65fc8689a1143df5e087275e2c7210856cecf69e0bc5098f1c39b63d1670d36756c18fe58e78a18a020d524ab9649a51e218348

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
adc698c190ba52c386ccb4adba59edcb

SHA1
700d75a4d0f60807aef8e848a550c83f778d91b9

SHA256
19b514c246dab038ca50c940241188426fe82f464342877ee9a3f86adb3f50be

SHA512
6989e5969ec82df49a79443dbeec5c7ec40d3593d4f7bf29cbe1d844d299d0d956246e16b1b0cf6b488db6fc863c89b45b7fa16e70ef792f6a1db9760e007041

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
96c7985efca7ed2c011b982465889cb1

SHA1
205de687b84f97c490257fd001e6cfdcdf0ae15f

SHA256
1b078b427841dc676ba7cd1f0eb7da97b60f0f0663de79939df0a8c5eb73c075

SHA512
5f6a4a75436544a7c617ff8dca96b3fdccdfa51629ee7ede9da24aa71417a59030a0175451f2c9faf3fff5c0ce085119f09001cd8e9760cd58d7dbf0753c07bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
44ae6c0f3c2ef9e308dee25234877ad0

SHA1
0c2403ad2c8f9fc2bb6f06fa2a72f197afab9b89

SHA256
3f93b8f04a7c543c1c26d980d194eebc16aa3cbe4f3f92425c08b4afb9f651b2

SHA512
b608e30b48c95ea3f6d755ea8ba1369ee736f6c81807dcf30cb64791a2e10c2b099ca661d90d26c1d782be84697f7cacc4512c4d86f17bdd50e12f6aefc818d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
fb2b990539165daf5e45e5af31e19f82

SHA1
1fe5e224e242564566fc6abb4207d7d6b49c515d

SHA256
ff0fddd14873d1f5b6e2f8e2068662d777fc423fc7de50a86f848f7ad8d51308

SHA512
847e13431ae1be1c2ae8d697c7bff542d9b9366baad329b5705fdce068235e865a5ece533c722a7f58c5ab78adeb37d93c5a08db5b698372c22b4144947d1cee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ecdc9246327d2350a4e5c36b00a5966c

SHA1
cad802a01f5089a8cea118595341e97d0ffb92ec

SHA256
0869e01f50ee59730a7f11366bc7143d9a832e2d574a80aa0b7601cfdfc125fb

SHA512
ed47cf8505bb66cc46bfd69e7a299d181d8f1604169f7ec91c132514258e1738a250aa10d603182b23829a86137d491263f670b4be24863514d1bebc36ccd938

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e02d6ff14f7d972ed86a710d4d8c5db9

SHA1
e8e13a243517318b1eb1bf7dc55240c57f425680

SHA256
0fabdeb567f6fe216851972c436881a90587e30a2161ac7f271b1a09d7dc2c1b

SHA512
345b82e4929933007df86ee84865e1762e2d7faa782c7119e8334c3e6263ce2f9a3994e1fa2217e7ddeb6aa06946e764b9da2affb2ad1080f5dce124927b44a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7d8935eb65fb2e23a4f7235d9c5477a3

SHA1
0600a2094e5ed830178a0612dcaabc51e46d3146

SHA256
16a85c214fe5fe81166b293ff65ae5e235db92b69a6d2bf38754f5b6e8ec74b1

SHA512
0ed69c3c36612cb13d312dc12bcc063ad7dc5db7540e6fa78c963fef00459f3e94f5bd4aa116b7e0021b0412ad218191ad18ce34bc1e3da73bf08d2aaf5801ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e84d5be48dd3d8f07708ac3c102ae5f9

SHA1
1bc5d4663186d652b5d5931923136eaaaee25a5c

SHA256
678bce94dd8f080dc5c7ae1e8d31893116b7cdf75801e969c5cc6147c543bd9e

SHA512
5758ca12b7c15a4bf0c73e28329223b70e5a9e406a6586c89da42c992d9bf1d4d86fe7716a3df0110c7c238c2065b99ef85d654c01592518ff49c1216117cd3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2056d2a4e6707bb4e7da2f3b9a0fb928

SHA1
5514b410337ddcc8196458211c33f6d87bf8af3e

SHA256
d3e878a9d8f066aa19318c23f10bf7432dfbe18c09ea138459e12614a335b961

SHA512
07dadaa908619fe692f49bfc086d4dcb8e41acb59c4cee5c32e4d27e1a50e259cb143e481ca1b66c3bafb238fda56e88484704b2fabaef994549d6335be82fe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9bbc7bccebfb97b9b5fee55b0ae91bfd

SHA1
2c741e6c77270be39262b510a7192cb4cfdfcbae

SHA256
7284ec20027ff25ef609bd9ccf60a4f8a950ca513854967c922238cf3c2a6107

SHA512
6e4856915405fd715f7366ea8f42bcf878dd4d5d8ac7cd959d175b16218b7d7efc04da0a7735536d588bb746c78c3abd5e41c7a2b099cf84752e55c67af0bd58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
558bc49361c3967fcf22b10891ccb4db

SHA1
7730eb9661bb29a74c72a96819ac8510ccee52fe

SHA256
c12b543237a0236fe660734486a09ce767fad28f053fa52069bdaef59ee95f6e

SHA512
3112096d1c6ca85afce813ba5e51529c49d2a358f4775967b60082874880e5f0b4c06875714b58dcc3467138a9d7a24c408af9af4cb2cb832a7d8347f5a367d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
538e6c2f7f7ed0aabc2a20461e23f736

SHA1
0484d58fefe064f5b308f3e66d894aa80bf9bc3b

SHA256
7fa306d3f66e994fb51ced99787fbdf26367a57d857095943bc62f35684341cb

SHA512
e5271f56042359b911d93f01e0c492680724fce85b2497b6bc1fecd832b0eff60bfa81bf441b8cddcb4c0863059233ee8da6679acd8e3d3eb4d76bf90d0f86cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6d798c61a8459b99f91226a5f78ef1c0

SHA1
8eeccf3662de1b2458c359e76e0941887c6f7715

SHA256
ed6f724723ffc34047dac226d3d0ab392e3b226d5b110be1dd28de038d9bb610

SHA512
ee5fc11b8fef294de1721da6daa3cf8c379625e0aea32e441036870531e53ebffb67d71b28f7cf692371195c887b6a03077672a41b9e6dbf913fece2a816e507

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
ab52d97f8a1b29fbfc69268762e1b551

SHA1
e0fcc3825cffbec9232633e1986d83fee3082941

SHA256
c6f57e23f4e8b9698d57d5e53913a30f37f5824afe169cc83b194700ac9e55c6

SHA512
318bd6713350b6558469cf86b84808969c098f18e5e01f318d0141863f0d2a1417a2201c2d61e2814a3f6beca67afafe67fba31659d5ab7550229a5c6b461cf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
cee1c597bf6fb70de93df6029b3d7a84

SHA1
e74928b18104ccc0717041f26e7b98c8ecd73912

SHA256
ed069ec12b7071b54dc91c6f36836a1cfa9d43b2319e789a185696386c96f483

SHA512
94debb10aa6936daa9f1c6c0c8d7810db99cadf48fbe4b0e6952d1aba226385049406f575dd8df3bbf59eb2ecafa32ff988b2d65ffe6ee8f4943af0f33ccdc76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
5afb64a1c911e4d4540f6aeeca680c9c

SHA1
efc1c0590e1f13697f41acaae34fcaddb6238767

SHA256
ea1e39dafe9010069283c9b3b94f0f3a10895f6c595e104ef5f4c26295bf7b54

SHA512
e0c163c65e8af999c5d212e336f6b8a18090c84dd87f858ae59fa89a4b8ea6ef18f692bc8ab91e7ce1d792f989d7240009e7e683bc9b8ea9e4ea890ff02d1919

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
1159efc9f0e0e52cabde428955245599

SHA1
bf1756df2b441af723a0ae7a430e7ce16eb867db

SHA256
ef43ee9f3998140ecccd703f48a4be8bbd5020a076df8f15f5f56412f11b0435

SHA512
a348d0968ebb8ad0534375ba29e3de1492c9c212cbaa807c793b938639ff95b109fadf448c9873936890d37c74bc909aa17c37e1497d222e7affefe42d0938c2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c0c1c91b76a02d295aab8f31040c761c

SHA1
d5c148b06ff9acf1c95e936870f3ca75cfe5ebde

SHA256
4e65240db8f07a96cb4752e629ad93e6388edaf358e7bfa4f471106552965290

SHA512
0c055fa55eb0e6d5635d1ee1b7face85af9b4ff2b62bd57ad25a9e64790844d33edf26888b60e33696595a68c1a9d583a021f273296841654b2863a5036c9d76

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c9422ba1535ab7d5379b0270f208e29d

SHA1
b5412fe32bd3d6fc71061cedbc0ab3f71abaf8a8

SHA256
3c17ecee7bdf4ba3756f48801039fd659868ee265a9f3679efe24d74597d7491

SHA512
39ab0740632d5a0e47d36eb9a8da767dab4501d14ccfab3c7c57a221046c3a7500045693f8f938b3294e3e5ee79d06e67a62474df0cbba5ea91496c49419968b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d1ef8e98ba74312196cb22b3c572a950

SHA1
d633c714737960f6c7e892d92152544d3714de1f

SHA256
98898daf3138e031a3066f6a3adfc331301ece27c7f63cf7226f15bb59c646bb

SHA512
885ad4ef1e35153cb7dd6143f47a7dc8436e9a407f1dfe8fe553cc6d2ab33970951b138ea66dbfeb70f816653b572f496a51d32958ea2fc48ad24efe7967b9ea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d259353b742c99388ddca4a13fce8884

SHA1
149fda033b263df4fb94d1907f6e2fa5c07bbb17

SHA256
098d6148e493af04183fe75236c8062be142955ea87827c7a61715077794c6cd

SHA512
c9f73ab1b86f47892b185f9328936e243b8c178fb8f86ebc7b8eb03dbfdad7dca7bc1eae1210cfeab4106912cd6fcd9f4fbce11f4f024da15af67050c76a24cf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ac51a93f1818c6c6d61c8e09fe93b2e3

SHA1
3bd663375ba78682bc820702a4071a4da7e78017

SHA256
4e8d1afe34905ec7f306ec72666f9e40d52384a46e2abc551764025ff1617f6a

SHA512
f4a2ac31b22f7aafdb4cd4e4d35e10d90851fce81d3e08e84db555b941b232c9ce00d577542ff74b93d618d9327893bf17c2f38f0984e1183aad9b7e4de0412a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6cff6b6864f858c4321cb6000d83fc01

SHA1
06360b7b0c060d43490ed561afac172072fc7c8d

SHA256
671d800785a0a2b1f3a70109b21dd45aaed21f64916ed7448797647f5d9e43ad

SHA512
97c6873a02b68cde3a6e2a53ac500b25aa76eac91a4c49cf6762aaa7ec086998aa730193a8494b15374bcaed8a8629345773c9e2483532fc07dbeb58d5f88448

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
576KB

MD5
eb777232c37ee15a8cce97c498ca13d2

SHA1
932dec6ef693ba8c27710de797ec98cf2ef6256b

SHA256
25510d6f04c2f916a3684ff0e2c7bfb04384e0ef7623ae36784de7ddb98e6832

SHA512
f469be855f3b0c1d8fa6b8e4c30219e282863ce20f49678a4f487cca6c61c08b428035067e02441be8f3719e84156453b5ac78e8d26a5588a56576c5acc13ba6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b429e064fa71c3f2d1dd77a6773f751b

SHA1
46a456a105164a5c95482103cfb0aa59c2acf1e8

SHA256
91a6c4e3d232cd87ce2b2950f7732180c1687b599e35069dccc859a12df580f0

SHA512
da8ec8c432ac509dbcef3f21472da93afb47851f5887f6dcf140ec6dc7ea4e220e6400464438a276cae1cf9710a80aee0caee97e95957df2cf17713f54d82173

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
283e54246f29443e001c43423ee2cc75

SHA1
ed9a927e83fbbcf344ef03f1093f7fc33a62d552

SHA256
47df4fc1d7d1ab80fd1b0df7448f1f6c9a7e4e683786bbf9c29c292fa4f16610

SHA512
168ddc90705a3129e7ecf66980e51263cd4a2487af09c62d5ec6c1cc06ed0b74dc0e9f3e94f8905b5474a7ddd9ce7f4754cd1cc94c5de5dff25cbae2d8390955

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
626bc1c57c69f0dfbdc8724a36085808

SHA1
6eb7e8ca2976c0ff4cc6d2a6cccd6e1f78662d8d

SHA256
c163b4fc7ccd50abd20fa8c0904a0093d2ea71efbd17bf3033fca893b553a896

SHA512
66b7954247da808453659c8308f941362c21abf46f341efd4df60e75cec2a86a86ba8e4ad73066ac2ad5be0882c249ac994cb86d23fdfb2f5880c210b2e3d48b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4489be4ab59bc4e2322fd112ecc44da3

SHA1
a437837a63830d7c68e3b94a703b027ef570d4ba

SHA256
1a345ab12a5b458ef424b9f015980b7dfcad247cd2beebe1a9249e610d3a8c87

SHA512
d79f88f24a0a2fca07949280bae31ad5ea88c22fb88cafe09c7c6c942bfd72646bbf4f9a8f9e52a2d3a125a1d3c3537c01593934965e7ec297dc902afa6b6940

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
af4f5fa7570f283b3b8dcc04cbaa9005

SHA1
dd542e0c17504262e45c6a4131e12d77fedecc26

SHA256
7edadf3497326a9516052e2a553b2b778da6a2e7684820616de325119b894fd2

SHA512
55c6bd081096d06fea82761462ae7c717884741e85440899a2777a1ab8c855bdee64fcdb80e4a61dca8f6791ad38bfece82ede078370bfa11408d276c239ec86

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
94fae6f212272db30b0e6aafd014d785

SHA1
d8829b32019c25c08cfdc35c9048310dc2f3290d

SHA256
0a89ca98dbd61d4407ee972e373a0dfd49030179070ecc7918a81a1dd0260040

SHA512
e3e4a1bc91042fdde139c0d7e21932bb8e3c259e2e071387cfd69b10d6d9efb6c68c3dbe336e26f52f9fb2e8c18540b6550735ec7331b271563ce3815d4f8fa7

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4d5d18b25142b8a6fe3ccf1e69268c53

SHA1
2c42bab19807ef954d4c698b11a32dd212218087

SHA256
af6e9bc5b8b1f2838077bd3d1ee7ae907b8fea92d0a8423df89b681829724d65

SHA512
105710df686890dfd8aa5615efd0d6857889c0c2ffb24a8a8ef46407b7c88d768599ba4979e6a776b08e10c0c60a5fe8787192c52e03456202c63a2e38b8ca11

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
333fb55a4c299da6d7ae94c56ab25702

SHA1
168e9e338d9ebb8c52ef44bfb9452e185eef2310

SHA256
88d62ecc78930adbf897e9c96e359808cce3a10e0c70602db245b285f950fb67

SHA512
2b50485df300e4a949cdbf9a7dfba35bc940bd2d94ba95fec2f8124699cb0af1a5c37300633ec72d45a69afbfd6f3cfeb93bd4388ad48d06c7afae67fca6834f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
bea7f60581c0d2e2aa863537be306912

SHA1
c9bb86a8040463439e2ed49bc1374ffe100f1f4a

SHA256
8424a7be48ed0c203693509ab08d03811a0048aa2ffc47943435d56e02b1f921

SHA512
18bd58c1f8db9faff41c89d1e5fc5b3490c35478a6e0e084cf9095f3650bdd3e3f90a8b845bc0e1bf5a432596d37c08337b4030918ef5c2c69a33c952cc197e8

Download Submit
C:\Windows\System32\vds.exe

Filesize
64KB

MD5
4e4c1ce5bf34eda3d3352d5c22c58d1a

SHA1
43bfcd4740686c688783cb0255a745a9a4a41e7d

SHA256
b6969e064ec0c326d3c2856bc436c94af3afcb90a3c18f846dab0a7ab51533e4

SHA512
67f6c900d7c2e95903c22f82f9d8da6111d427feb2b91869f7ce730005a63c0d2ebf7a014eb794ded37e6c3e0688266a67ef677a1cad7dcebbdf2c335bbfb28a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
bea41371348608c9a64879836e04af60

SHA1
ee815f8e28443c638f232192a06fc281959a2456

SHA256
7395c22c0571b2970e434b2fe68d57595b295b90a05eccd7818d6e54c45e4585

SHA512
dd944c2407de5e724cc7ee80aab0a2f130bc6100a035adabb0bf5e266085ca73b3923a737e26a0df71cdabd2875c09c4db6a5b9912f3ae548b26c804b1737335

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ac26bbb6911e961d0dfd8f52d56f15e2

SHA1
6a5e6f6749316bc7fae2e6233ad0b955687092bc

SHA256
c87635d526919d73731408c86368d760fb05757f64852cb8e8c4eadb6d773cb6

SHA512
98196c2428a83b0005a1eee1a8675fdb758f5489a84c5e5bbaf8ad2e901a46122411214198268299e7fc781d6a22e4f0b7e0b0f5ea1058e50af5eecaa692f10c

Download Submit
C:\odt\office2016setup.exe

Filesize
3.2MB

MD5
d05d056fbeda6c68c8a2fa9903b2c075

SHA1
3792573d1f6995f7fb23954f0a9416cfa297acad

SHA256
d5c389cb27dc1b053ba26fca8b7e4ee6882dbb5726d9606d5802571d12f91e57

SHA512
101ddbd63354187d99594d14610747fa99583487ea53344150c5f35e2dd1d7ec9ce3326092ad3c716bac3acad511d8cca83f2778cfac87efb5349c0ba56f819e

Download Submit
memory/404-339-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/404-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/404-400-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1044-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1044-398-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1044-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1044-392-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1100-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1100-461-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1164-18-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1164-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1164-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1164-7-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1164-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1228-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1228-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1228-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1228-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1760-57-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1760-50-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1760-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1760-60-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1760-63-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1820-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1820-27-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1820-35-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1820-231-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2412-251-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2412-250-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2412-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2412-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2412-244-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2564-410-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2564-539-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2564-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2836-357-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2836-366-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2836-426-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2952-439-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2952-372-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2952-380-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3244-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3244-194-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3244-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3244-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3276-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3276-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3348-353-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3348-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3348-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3428-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3428-436-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3992-342-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3992-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3992-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3992-279-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4004-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-324-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4004-542-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-383-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4064-303-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4064-313-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4064-371-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4144-442-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4144-449-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4300-352-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4300-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4300-297-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4428-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4428-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4428-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4428-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4440-264-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4440-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4440-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4440-276-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4440-256-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4600-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4600-422-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download