ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a.exe
Size

1.2MB
MD5

0e6cd2cb45fe6867359a8ec81108f0a4
SHA1

45dd450171b34ca89ecdcd08d2d03d0f44f53813
SHA256

ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a
SHA512

fc609891e7cdea8dc03b8020bb3d7a5db691f17e8fc584eaf67a734ff5c2df6e60a1667929aac01156e3ddee08ca4394ca0d7b048a145f731d1609488cd79724
SSDEEP

24576:2RyezuoM0MJtdhWy6mv2WkTKzqVdqVm+z+VVZcIPSljjgylffnf:T1onW72WkT1VdZ+z+VLSBsyhH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4988	alg.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4624	elevation_service.exe
2936	elevation_service.exe
4088	maintenanceservice.exe
3320	OSE.EXE
4600	fxssvc.exe
1396	msdtc.exe
1324	PerceptionSimulationService.exe
4908	perfhost.exe
4444	locator.exe
968	SensorDataService.exe
4584	snmptrap.exe
4048	spectrum.exe
4512	ssh-agent.exe
3600	TieringEngineService.exe
4412	AgentService.exe
628	vds.exe
2280	vssvc.exe
2656	wbengine.exe
1972	WmiApSrv.exe
1004	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\82911fe166ec4f27.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76234\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047d0b12e4963da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9ca2d2f4963da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000757c1f2f4963da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe05292f4963da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000388f322f4963da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe
4624	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2444	ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a.exe
Token: SeDebugPrivilege	4356	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4624	elevation_service.exe
Token: SeAuditPrivilege	4600	fxssvc.exe
Token: SeRestorePrivilege	3600	TieringEngineService.exe
Token: SeManageVolumePrivilege	3600	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4412	AgentService.exe
Token: SeBackupPrivilege	2280	vssvc.exe
Token: SeRestorePrivilege	2280	vssvc.exe
Token: SeAuditPrivilege	2280	vssvc.exe
Token: SeBackupPrivilege	2656	wbengine.exe
Token: SeRestorePrivilege	2656	wbengine.exe
Token: SeSecurityPrivilege	2656	wbengine.exe
Token: 33	1004	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1004	SearchIndexer.exe
Token: SeDebugPrivilege	4624	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1604	1004	SearchIndexer.exe	117
PID 1004 wrote to memory of 1604	1004	SearchIndexer.exe	117
PID 1004 wrote to memory of 5104	1004	SearchIndexer.exe	118
PID 1004 wrote to memory of 5104	1004	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a.exe
"C:\Users\Admin\AppData\Local\Temp\ea9c9d2dde37c26f471ae87040ade0de220e9b57fce8bf0ab5b347af5b484c8a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4088

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3152

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1396

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:968

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1604
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
400KB

MD5
f04177d0e2dc8307c65c2688e25689be

SHA1
f74d7c24c028146bb8b63b561c7c74cb1227a326

SHA256
3e210f72a2183bcf97778222c4b8e9394fb0732e53a8a99becbe24a1131496d6

SHA512
564d032c8679e6d6d313b951864796e79bb5e8837415b1d99677babbf992f0a437c8ac3c6aace2ef0aafd1e3a503a341d4e0ffd506f25f240308259bc005306f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
e4d7eb56c4727e5c93105d8a4fa14b80

SHA1
859de7bb773222913967b5ab8bbed7268094b386

SHA256
ec5b9118e0cb1babc8d6a7cb00d60f5b5a831dcc27b6c7d783520a7bde11d411

SHA512
4c6e415362d0aad8b19e3fb37a43a5ebe68b8e73cc1f318f398da1f538531c34257dc4f10534ff7c8b8713cd34fd2437efb3c9a794c6067545d721b6f1d5c4c9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3ec4ebc1a81f7a62896994614578290c

SHA1
3e4b664b092980fe0c79d1097565e0c6927f7691

SHA256
e52e247399241c7838b977953ed9d429b35c0cbe6820381b9b8255f93816d851

SHA512
73d8638b9ce8014ddf44860a3f3c84ecc2c6adfe36193ef11cf6cbdd273bd58504e92032cd2a48657e381052614e8741ce342a67c76c9f0f5dff9bcc2dd81dfe

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9ac55a486776682be6263e9a1bd63edc

SHA1
bd6d87ce87efadfae55aede0692eb842f6838f37

SHA256
de25a2183a0836e097e8565ab5961e626e79e10d56a555eaddc366ae5c190b27

SHA512
51a8c1f38f94dae9cf83b5c33cfb73bd937cd4e079aacb2a6bc46d8e03be66aa196c51eab018bfa9130ec57ac4d712af50b4f57cec3046521d26dfe873d61360

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3ca51092135197c0b3633c7c49d1c0df

SHA1
b1a0feb70302d89728706e197f6d710fdf3d44b4

SHA256
d77fd21f6a0ac12f55b3f16f25df6f83acbd8ee3b5299959ea3e3d357b5dd0f9

SHA512
f8e78a5270d6398c7bebda28791786b403b8347fbc05f0935eb6639f08e24c936d96880fdfb596d5543247de6f415e1219c30ae6cf12e00c6b3fb8845a702dbf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
90d0121a606c36c2961b74d885741529

SHA1
a60f5bfd82e5f713b60bfbcc79d58e8531ac791f

SHA256
836a41028816135b52307aa5b5894bdcefce67e5e5cc1f31d6c6f51d80c33f1b

SHA512
96e562b41d1982a7075fe36d4a6a5f2d7aaac28a0d4a5fd5891e15c07f7c92de00ea13db92aab4ef60f80821f8596691241671f3044fae3251e7573e3e60d76b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7d6a1ccd8bd0356c5c74d3a064d90599

SHA1
e2dc29a8c4693aa044a15ec4367b327e0a4baaf7

SHA256
ed0c26386cdeaaf653fe22f3e71a8ee637a1f78e4d7734af5875aefe65c13d68

SHA512
ec0941ffd3def5a0e97174f10218260526e0fa5a70d4305ac4c580f000e6ae5613936bed39e1ef940cb259a236cd39fb678b35965d9d4918ec404e94fd6e4d11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9f8ea89013cde367af0a612d645556f7

SHA1
328f59eb83fc95169e699ea58eee90c5ca353839

SHA256
ac64f57264ad556828cbf321c01fc8bca3dd2986b36fb0ca791a84125241b869

SHA512
698f7b41c7bb11d360149c6e47a54a5d596d590cc229ca0967ca84c0e23027e438f5fc963f4ecb6804dffb27c43c90575169460ace69a1838d132701e37fb13e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
2bbf46511dc0490652f3bbf44469ba74

SHA1
50cd873c8d3c9149245ee043acde9bfe3feec1b4

SHA256
f72caa8daa5d656eca1e89c2e2cecaff68de1215c5b20e2e15c39a39b741e9f5

SHA512
ef3a346202d0bfca444207755d6070577b65c5dcd5f0580064042ce00b6de69418a320828721862f0ed7f0a826b927c499f69ec8cf66b87a59444b8ffb9cee0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
3.5MB

MD5
906d3c332271e8df966387a42c462979

SHA1
920da9c98c2ad92cc6efc5d5ff463eb2e80bd346

SHA256
4a864d614b6c691b7c3923bddf6fae5669074c0bd151bc466aa8d272ae02348b

SHA512
2f792cbc8f24701861675cd846c4cfe6608f46667eb300ebc5902b00ecfe40bd85ec5a89eb083d6c84c6cf79b992d0f4b6db609869df7fe1b902232a837b141a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6788c663859a9533c44fb2b7b367ef7a

SHA1
9c0df621637c3d06fd692510969a1ba04dc53de7

SHA256
c08fa85d85fd0b1ac93a643c42ce386720abf214b5ad7c71bde40fad375dc96d

SHA512
142e9150e84a8a8fc2eb972c94a91971a06c635700bdae75daf3d477b293fcad5180b7166db20c516097ddeeef4abe1a591dd2ea01190529f8e341d0fe263987

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
468296e5d3555d62ac455355055be689

SHA1
c70424e8ca9779d56d3bc87032acb4207b74c07d

SHA256
a77c919c9e2094f7b933e0a59d345c3431ca80b2ebc0f958b2d5de31edd24e66

SHA512
852359d6a5daf3d408a68da24247ca14e341df9f38cef9d1a48491781293a5c5f88475516fefa850c0f6d5f9d1d7dc27a443cfb6b4682226b54a53fbdf6b0340

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7fac6461a83fdc9d29d8aea57db18804

SHA1
de05cb534151c37c8fdb0ae247f3eae9c4e2667e

SHA256
26b3502c26c6736c080e8f3cac8f07e98a6b1cba36b01072785cfe292bc307c1

SHA512
4a8b4a5734fcd86f252006acdf0d5f680598ec53ca951f5425a1916984996d3e608d93b9945d3a7d6fd3100a6a4919d0e2bcb8de86aee9c315cb388f6398c79b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a4a6320f327b3d85cd3f72eb62d7b7dd

SHA1
d0acfac7030504ad6f61e8a49e7e967f436b4d31

SHA256
31bec77d1c587f6888fa63245d98f36a4ffff0ec5ee8480e4b801dfb7d029cd4

SHA512
ea3c614fd5452b95782d6c8d2208c1d359d159caa17042454491da4eefd34ce556ac9c443b2e3480e852865de9070a05e82ea242ab277f28e6ad5f85a5c95112

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.3MB

MD5
2e41e97b77da1ac050e6f06477c02aa0

SHA1
0388ca4bd055d29187d522241e182149260f7130

SHA256
05f81292ccf889845935588798636b89c5898e6ed8ae452ca76d3cbaec31ac45

SHA512
81ee8b98f4a9c9f9374536cc014fa7c58d21fc31c178ac37761d85d9ed26a396a65228df14a113bda948bd0076b4cfe3addf61ee2344de95b7362b183c72b383

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2.9MB

MD5
1b387e6e18b4a35079e6f23ce6fc60b7

SHA1
143f138c5520f37f7b339a89a33edb57178cbe72

SHA256
5002286eb617b781905b90367580b058be6cfceada1d575b9e9d8980adcf5a96

SHA512
b5393a977b06cbeb15db1ed8d20840139e8ee5fc7e5d2a4d8c6b3a365d03dd9e8b083463376c67c014f5627961487e26bf93704c9bf8af623d784c3654817271

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
636397d56d3db949e97ab72813dae995

SHA1
d3fe65777c363a36094fb48949d4120f5c40b9a0

SHA256
d17c93241f4193e81955503de4a97ed499552c49e415f87337264491e8b935a9

SHA512
a52a103f49fe534ca344f77aec1659509fa68a2b00578b62507714e7aa8b624c6aab78ef38b3fc48f869f2e7babf33c8dfcb9c1ee9600c45401524f52af19d8d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.1MB

MD5
62b551412aa4eb19dca4a646a306efc4

SHA1
c2110ca7b8569cb93fc3e5eee0585d691d88779b

SHA256
1a4d3077194ae74501e04c83b722400349a7d23074392606aff5dc5c3acbeed6

SHA512
ab6a89094697e3794e4a0b0e651ce83286b9dfcc1f4e530661ec53bdcd0c61c59afb5035cb4a17f379c5ba8d2b4018ca34c2c4ad2695022035a395f1d46c3129

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
afa98284ebf24e8235666abfd696e945

SHA1
f5c4279edc8c66311da2d1c7ada4364557d7041c

SHA256
a5e2efcc0ad5cf010f00ccf0f0271e8f440df6dfe74c925cbf896676c7f87484

SHA512
1a84011d6b3380f748e5672b501686f96f040cb0606e5337adc8dbd6139f116dca34378a625a07c062c596ac9e7eed75672ea276dd5c452a771a54681c97535a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
a761d51324b672f0e473de4c990015be

SHA1
3e3c97795862dcc665aa39f98c8cb4419d469b4d

SHA256
b92e0f39e8f955aedaec695fdb2aad52fc00675cb27127a7f96baf72830f2331

SHA512
a25b0179fc5f640a34d2de5468d4ced98d3edfc9477add6ad1de1e91c95d163bfeb3cf31fe752808afaeac2e0ed930a3e9bdaf59ab062850596572b9624cf98b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
129e2ab109f3e391a41fd0d024052e80

SHA1
4fe338e04cda1a0525c23980b8d1aaa6f5ecad5f

SHA256
e6ab24fef4205810fcd4d61205b8791d7fe8ce2d8740c6ac3142f86289984f6b

SHA512
7ccb9a4478b06c98c04f9b4749cefd053ef8dc0df0e2e7d299fc5818db012baa1dd783d5473f5dba2c19d08fd32f497c16f9cae813c770cb18bb2e2fb10d1e81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6514d33e5befa9fd80b92ab6c1b800ab

SHA1
c4209267b1ab5473eb5ffdc08bdc83e15566eaed

SHA256
b9a822214e3f92c855fc75261379984016b85743b8b61436e50c08ecc4a3849c

SHA512
0afef01a659db8b9ab50ffc8240bdaac62631f7098041be72fec9172ee433662661897ee9de9645087bb8fe8c8a256eb0321cafc9e7f2f792ae504cb842a2d24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2d74ac4a2df83cf16482d02113925f48

SHA1
d82a6781bf310de51b79bbc4030547466410c7a3

SHA256
dec397c10011efdbbacf1169731a2331e3491b94f1731bfb8c1af7a847d4b178

SHA512
b713f24292c419416a80558a1eade29368ec511e03e39007f08d0e6e431fb35af3b6a74b7b340d43786cee84c534f1569a4153a40d3944337c5cfa8dacb7bbf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
13479af19838a9cf8d367be7068237be

SHA1
2963b002e06e505a4a01991b0230bae3cd74ec75

SHA256
5645e47411a7b3e8ecbe0cfbd350ddfc42bb1c609ddfa496566f14437eff5300

SHA512
c26ff09bc60f06907d6d974c53c25ca25d450ed0639c019d57800d2469330c2c8643a1ac5de231b8a737e9b606b52a21069c5689cf3948bbbb7482b9b1a675bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fcc898f920c1734e638d669e61067fc3

SHA1
e03df58e88e4b756536ddc911e9c1b42cd321f91

SHA256
01117b285dc04c0dcc35dfaab625d57cf48d143aa570f425c80b4579a324663a

SHA512
cb5f4a174bcb1dd8ff8a2d64fa0d54c11349f2735fe7f9b1f311f3290a42dd69107d3a8a37db9ef841f56950697c03f5cd59f16395878c1973f29975605532a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e7188d63944244ef73a6d50bc78025e1

SHA1
cfb7cb2e37976588ecc6ad8cb593420a47f1a5c1

SHA256
4e7e6950d6de344a39a16452e05f8a44716b7662b1d1bb7ee417a47de29600b1

SHA512
cf8ebe91fc73a19d710a993f2a4cb8159e5973341fba0c46b2db88e3553530887c22cfc6b81d714421338947be5a3ab6c84739bc362f2d21b7d2f3bbf77337fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
215c643e2b094855ee20cb188cb880c7

SHA1
00688ac30be48ec5334db174fc44fcbacd60dbcb

SHA256
4b4b840a6a0f3da744f6d0b930afd95bedf2901f917939b7fc19023a756ae1a8

SHA512
1688012483803ca47927b25f9892c5b39a305a15ed95be83b797ef234ed505460639ca08d2379f4caf72ebb7010c442641d5f192e45657dcccde851fa6f6de82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a02c563cc82b070c8cefb4d7b03da9ba

SHA1
d03c86f0b19a24ebfef67479980796965c2e13cc

SHA256
b16444cd15d36eb025f387c7d574a973b66b479dd8e56d59e03d44e04d82d01f

SHA512
ee622bbcb0dfd37ef9cacdc46cd3f12aa7a828448666a9231669d8b922f3980c654f8ecc7ac4e3f934535cd911cf369a3f73c6b58c1afc9482cf1c8f0d387c09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
541c1ea7bd050291073d572343c4a10c

SHA1
9a75ed0e57555add563245c4abfdc67cb3854ed1

SHA256
067e7918ad14c9705d04a497ea267f24c5e51ef949f8e4474cb720224f1abdbc

SHA512
dcb9147f5ea1b9fe37fb2baa16adf283f5e29ec8b33b80fdf0aefb96121a9bf2a743fd2848354b2853c441f721f43c85765fd701433db3c31b9682b63c370fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c900455c652cc16a4756baf8d88d2423

SHA1
57b0b65668eb2432e14497142ef3c5cbaa83b814

SHA256
a5134229087ef0a33e72262991815f4f0f9d8a5305c3183a4bd7768b8463fe28

SHA512
e498a4001081c143143355a90fe17af42802cc0287fd212fa1c4002996fe8479cfab48693895408c181f7f9f5f1823a76333b7c709054d391f1a12245bf623ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bded1df18b12def6b072d1dc0bc17a0c

SHA1
befface1bcef93883912ca6767ea16fdf774ae78

SHA256
7d6ac227fd45bab0a4877c41ccada7a9ad4f015d4bba106d9caf1ad4ebd3a862

SHA512
f48ad5d8448e1a2387b7042cfd53ff60b2097e7532b0a928f997c8b4311b9cdd317a3ca8dbd68f54148f5b39588a9c1168a41d953db9b107746e449803aef121

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9bba3601b58e19744c8b2120fb206854

SHA1
29b6f6d4158692aef0fdba07e0ce38c031d29e72

SHA256
be0d14efb5155b8225cc826a292a81b4c7b6eadda7bbd3794a46288c02144ac6

SHA512
c2df3309210c07855e0fd4c95ffea09011d6142fda1f3db9212f5abac2980bdb2ecf644015762efd002ea588ad09e21974f199e705b5b1d4bfb4745b3346930a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
902a7547bc4cf393db30987364dfb531

SHA1
ea2b9ddde5b800f72fc05256313dbd2f86dac631

SHA256
02c3a29aa941c014f732af7673eea6805ca555f4fb19dac2d3760dff87dc4ead

SHA512
51151f43569100c31712b84db566508b0d6f26dfba28273dc745c06b59149d046624617d37ec303b0366faea7622c97a0969fc1a95458786f507f674165bddcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
cacaeb01b7a87412eac7be012dd811a6

SHA1
76fa9af69db169a6ffe08da53ccb4b2116907ff1

SHA256
f48fc97a6329f4fad9e1da93aba5e1d2003a6c2b04396ed8e7c0bc072f50115b

SHA512
926bcfd16191ec6287bade154ff036499bca895dc37a032663956fa60ce3972f8ae6d7e781eca9d678007ed60a46e39b6d9b4828b3c2a6801c076b431d8de71a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0dcfce67f156d2dc1f441f0829363847

SHA1
53c8421ba5c77a9aede74e8dd9702dd6b17a5fe0

SHA256
3dacc0784a32ca00e0dfe26fdc4aba49ebd54ac832070f50fa3a4b4c140069e3

SHA512
7b8f3f9682263e450c8a1508b6a74fcadebe399d1c8836ad0e5b8f605b1415f3f3b6975b338f7f48ac953d08d457c623e302cc11d58c8c97147887860c9e920a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
62c8386e913b62249b6365f8d5d4799e

SHA1
d99971b106df860cac524bc14a2632c2ab4c844c

SHA256
0f3dec11536decb21ce313ee70e3d11b7463e6f42619bf3a5135a09d24ed0c17

SHA512
8dee6285236f2f5aa2dc85c0c8f76a677e250d847d68939a6e9f3edc8c31c94d306d6cbbbdc8468fbcc1d80fffd77200761be04193cc2506a2c7461b16bfad0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
7ef15ab38a218be02fd642c706d2fc7a

SHA1
f11081c50bb4ba3a7d67840cf241686063c0cd2a

SHA256
1d28a1fee9c409ce6d57c5dd736e00d03fc72b2705ce179d7b5df117a2171177

SHA512
7e9405c1ed609aec6547bccf7a39d0c9f20ec41dbc557e8dade1a9ae3bd0c69d520a18068e5f9a5416b7390d152cecd2d5e6f8a1aa75424054c02bfb4e65722e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
1c9b73f5b74fe9dfc2ce9e37168fc2ef

SHA1
bbf8f49678da6edc2491732286cc78b0c99f4b97

SHA256
aa93906a5c703d041990651640904108d1f292b6e7c128e6c8ba7b421c86b584

SHA512
0966f5918552665130dcdb10858abeb4e6991fd60d615724b54b5ef5d1dff712760d3d5c45aa14d34b8e33543c0c5ca3bd27f2421ebb61ce3d6ed93ca4b44464

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
4d2c089057932a4a66a5a036ca9dbb9e

SHA1
d8641a7cdd3e471b3cd6044a38e9c26220ce7560

SHA256
933ecbeb609078032c10e6b9a419dd7345386218fac7375b28b8346b64ad8317

SHA512
32cd32febcf2aeed1690434a2e7acc48668ea79907bc2d75efba7772af562a7f1375430c9265274676bfd716754a36aa40742afb520311bda09c5e6bd51208c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
97311eba4b0d1efd671e9174d9c6a027

SHA1
875a573d92c7944708847c03cc7be30560a2e260

SHA256
8e6cd2b44430e5cb39a782b0b75da8d6e01efb50f6fcaf9afa3e606939aebe3d

SHA512
0b23872ee73b6afbd0d58314a1146a053b58ee483faa5f20e630e7fc03a519a4e93b8b550175c0218b8ffbf6dce4e0e3e28b3a22a7806861682f2cec88ecc0d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a027317d4a801e6f05722c9b94593456

SHA1
ec3187c385595270413c234fb428ebdf967e6a0a

SHA256
4d2b5dc2d32bf8dad9682acfeb07e2690cee07ada61db79a2ed737d1c24b1c5e

SHA512
7651bca5546e142084c044dcb242b585d121af55561a10953d0a54dbfd9417458e6bdd047f925df700a7e79963671bdb70f2e552ecfdc27bb7a6850ce24ddf19

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
1b4821890d4b6f2a97f634b412e46532

SHA1
02ca14307db6aa2f94f21dac41429674175bf3e5

SHA256
a979c922e2c71393f0bea7d518d7be08560233efd915e6a6628af89af86e67b6

SHA512
0205c5f209164b4497b013a8e1e588edb0d7d7a1c3cacca3110c8ba7f4f04210ae9759dadfa42611bfcd11346246ba36bf88258561f4b5fd6ea1e7b20f590eca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3a1a89b463dba999b1eda351bcdc6ee4

SHA1
8d87f7bafaaaa634c576d904f96446a502cb2caf

SHA256
490499997fece7d3f1e3c67f69a3f4ab3604a68ac364672a781807c48317fc7c

SHA512
74f75cbcfc5ebd809f28192d9e19b28f917f1939eb3b0c48b4b2fbb39c204572c1e571a7578f18fd3cc1cd5b0f98771822ec722433d48d3f1c7a2b8999cc8571

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
66088ad6174fc659d1aa92bfe56fdd1a

SHA1
cbe50f8de1327143ea8474512c57be6fb10c0052

SHA256
aaaa6743dfd1534d1934c980cb2f8e38b079aaba1f72732834704eb30ca7081c

SHA512
2f535b7895f89b57b5f0f81fb1dbe949c3608bd3ddaaf8fde1c8644cc021fc2a4317416baa951ecff2c7dd4a461409d5d122683f04da1ca66a27704f6cdf8aee

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a3913b65340f9888bcc40e70bfb5896c

SHA1
aed580390af6b22873814686da0d3c802fb3e046

SHA256
477385d5c870c7a72fa738576eb06c038dd1ea8fc274198e21082172f563d3c6

SHA512
4b73335f1813c16730bf5f5598c3fb0cf0cbdb268a971b10c76a89013ec351b890545d50e696312b054998b8ab4cc74bfd023d67ce5715470dd6b4d2ddceace9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8cae2ab4f3f45436a71f5ccfd153345f

SHA1
bf399a7834d0a38506ca762d4cd7bb21e65a8122

SHA256
11616f98e3b7f19332f2ea9de018649af2f54ce09042b50d8362ba78b5ad9eae

SHA512
6ed24bb7a76ccf1079913500f85863560a987334f003576812076ba60c6a94403b53a74ffcb99dbb8daa97442d1fd17bc7c16d240d954d1e998d536aa5bf3a50

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
23baee5d28d0af1b02bc77598df529f1

SHA1
5a230c4f6156e7b49980dad55f21f63dbfe56951

SHA256
d1227a5df341d9a5038b10ce10a0d486d5f9e5831a60e3d2e480cc04dab3f326

SHA512
05d14c94f5ca5299d326bebe4a7a6fb938387db4b4de6d73143cf2bd492746dda6be9dd281d32f3d61a676f35d161ff2e8b5d9143381a352515038ea6c7f71ba

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0c1457f449bba35cf11847628c9c494c

SHA1
981cfa722db3506632f653479caafb0f5f53570b

SHA256
299208bcaee02c74d846d17f973cc7b2f9cd66f3e69d2517c5f1945735c5f971

SHA512
e61f5a2a796b0a6bdca4e4ff677a625571e11be37e466239eb407f947d1fd48f8d68707dbe40ec6ace0b4cc58c4d77f333cdf59bf5a492b21c40a044caf5f50f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
09bacd3623e8fb0cd2f868312b246c3a

SHA1
60ff4742e50d1c9b15d838f16a005b0307041ee6

SHA256
eb9b22354bd97c9b8a43116c0ed5d6a1fadf43c36b71b88d5711900b1c166b10

SHA512
d309b18f3f614a7b6a81d6eadd6e54d9465ec5690f4b450020a5b7d74f27a3ac77300d855f39d00e31d57cf1f47810c884a61623032915826ceb892c938356b6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c6e995d55076906cdca39aeef0d77e56

SHA1
583b869b4cadf606a5b000fbed31fc8afc0f03f3

SHA256
7363449f9c882a1b56345766a0404ba496a61cf7a9549f760e6709c31d607089

SHA512
6891931545134a715c82551156a7f5231e506dd7cb872721934012b125379a063e95c97980019596c7466c357664a1fc31c390ea48fe87d96a9a3ddd69e08761

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
714e386b62e335b936428d13db456e25

SHA1
370abd42a1199863088f4ca3b714a46e13160aa5

SHA256
c20f49045592396cf05021d6665c77ac2d393b3392f65e21f307cb01241a8f8c

SHA512
096f29743c37e091047877583e5009913f1c7ed7310574ffe1bf47ea2625515319cf1bcda5dd06387acfc47e6a495d17619c0229aa5a354e1a28344989ea11af

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4c1a970128dec4d53e829c697222b370

SHA1
9b5d29fba2126b5e1634753e8020bbbbc8cd563a

SHA256
d39867a17616d86ddee431c81e716c5347f662f5aa91015c6468f3d60045f5eb

SHA512
080c4aa80cf05874e7b4bad21789e10e931c6e2267f4ead2a85c9a362cb11832dac1bd9a27df73beba5b810069ff8305668221b4342e02d4f07f1dfa1d066804

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0a3155783fbd2df68f0d3efc15492a92

SHA1
bdeca52f323c1fa41ce4df69b40c3b26e1867c83

SHA256
9505638c9e64ac2f40ae07f41ac5c9f39e517f348971dd0d9b178affe998a300

SHA512
90fa013dbe4d58f72c7179c3850d7215632865c7aa406610ecdd697059d11a15cde0767dba4cbd3de05e9889695729b46ac2d09c19bce19ab1b457d8fb0be76c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
428d64c14120052454764c961b854429

SHA1
69b0f7a86457f34bc5b9da6a9c5376c4b73f7ef9

SHA256
b53c24f5a17ff1a96ebb202c1581245a5243ac08cc7372a565e1d6645b0d0a11

SHA512
d49fcd9404eaedef838bebaa618cc44557ec14610bf71afb2760e0295d57a6c9c1aad4441e2db9181b99933125fed6b74001907f9ca1ba3e02f969b7fe226647

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d0d3a0f2ac05ca4ea85ee9ecb5742a1d

SHA1
f5b3c5a1f84ec160a90a1801d188df35aa9d7bfc

SHA256
f789eae58e0a5068a7065d947198b91856596cba08dc39e9e1b770d5c48a2140

SHA512
85925aed94b840d9e2b9b402dd5e68c80d616ba592f886e93bd0bbd44d8d98c765b652a158858be8d9a70317ebfb7630067998ee855e1927d38975b727879816

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
13b9f1c1905d5622a39a4213cd268cde

SHA1
b4efdffed002c16be797a71fc11b4bdfd7fb2cf1

SHA256
91a8fb437f26f448c503ffc090b02122d859fee6ed546e555b75cda33200d4e3

SHA512
aa50f9cfd6062fba5062775644c98eeeba882750864e63af8604b061d0e3f5bf37d1d645b28045a0895996b5caeb71370cb6cdf9f21014044d6eef2a104543c6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
848088fdfb249e52adebef5ecc6ac80c

SHA1
2b89d3f363915864977f61d0d6fb2b26a9e56bd6

SHA256
f46706218f2c86bffdf702d07e2feff7f386b5ade32ce744d486d6984d625351

SHA512
63c32ebaca7146d7b2f472609307e1ad600450bd1e055fe3426d944b596e649972d2ec67adbd8278777aec66761af49a6709b114605f86bd26fa1df1d569d027

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0268da1cfe5bf72c704f844a90728254

SHA1
6ed2913a0e244af844b5c8740e5359dab7438175

SHA256
3d82a25fa3f438f6e6f91326588fa1b2c7acba4a0b93e1496b7c044b25021546

SHA512
d83d0fa31700bdf72b754ad3f583d7eb7ed9cd6a94ec711d01138f408e903f40356b6e6890466d7e196cad6c9d024fcb0ca930080f32ef08f0cc5ecdf9727516

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b1db157660fe0a07506d01e7f3e64d66

SHA1
a637e0e9f3847e4b1412a879824943db8b36ce84

SHA256
94d681926c1c4a5c1d53dba6cc0c9007908a4863f470cc91009c45bd1b2b057e

SHA512
4e6eae7de9013c305ccc8535fad4f98da6d76fd191688f79706a65ac4f1361ff6dba1baef281c5dfe6857b9bf17c3d62427d406217fa8c9cc98c7a2dad06ae15

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
57eaecfd0635a0cc8431144b1a09bda1

SHA1
75b818dbff7a1e3933f74a9d76f2933a5304d483

SHA256
51b8ca439b7fb09f9c8b0c981a9e790387813410adfeb92e324664ab532687d0

SHA512
5844a1b42ac03cfe059a5f9162b9da6207c3427c642ca87fe5c642a995271f7619a8acddfd91a6a3fd5949350c9c99fe709e89b747ab51359f6cc2aea913d23e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.1MB

MD5
1fbc8f953884f97e9fc9e89004febcd9

SHA1
603b6f52ff500a44c242b3a1d288c9cbdc4b06ed

SHA256
3e2b0e07fc7e328e20705995739e97b3124ef01d134765bba53d924024946274

SHA512
dd738950073b7e353c17a8b6ab0b083fdf026649f1c18a7db636d48658be0606cf3e1fdccaa3e487ecff6cefa561ddab19a98bd84e098f01e759666747f16558

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
9c9fd4e9371210934f95c97501b832e8

SHA1
80f22529ca0e56776e7d45774d310ff7b9d0038a

SHA256
1fc89634ab5d642ee8334666b4c3d7ab38cb41d287357ba8c364c65afdda7e11

SHA512
dff7fa993fcddc2240da45c56ed81632a3dc7f6d1e1ae03b3d0ddf9cb6366d184cc4d0d1ca622922dd54f39f78a1b2247ea35af317f7a3abb5357abf6c2c2d3a

Download Submit
memory/628-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/628-451-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/968-288-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/968-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1004-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1324-260-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1324-267-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1324-261-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1324-318-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1396-256-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1396-308-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1972-341-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2280-334-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2280-459-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2444-0-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2444-18-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2444-15-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2444-6-0x0000000002290000-0x00000000022F6000-memory.dmp

Filesize
408KB

Download
memory/2444-1-0x0000000002290000-0x00000000022F6000-memory.dmp

Filesize
408KB

Download
memory/2656-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2656-472-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2936-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2936-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2936-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2936-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2936-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3320-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3320-72-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3320-79-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3320-246-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3600-433-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3600-322-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4048-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4048-303-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4048-295-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4088-70-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4088-68-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4088-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4088-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4088-57-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4356-26-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4356-235-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4356-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4356-20-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4412-326-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4412-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4444-285-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4444-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4512-309-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4512-319-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4512-425-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4584-293-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4600-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4624-39-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4624-242-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4624-33-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4624-32-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4624-40-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4908-274-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/4908-282-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/4908-275-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4908-325-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4988-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4988-81-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5104-431-0x0000015B68AB0000-0x0000015B68AC0000-memory.dmp

Filesize
64KB

Download
memory/5104-423-0x0000015B68AB0000-0x0000015B68AC0000-memory.dmp

Filesize
64KB

Download
memory/5104-445-0x0000015B68AB0000-0x0000015B68AC0000-memory.dmp

Filesize
64KB

Download
memory/5104-446-0x0000015B68D00000-0x0000015B68D10000-memory.dmp

Filesize
64KB

Download
memory/5104-447-0x0000015B68D00000-0x0000015B68D10000-memory.dmp

Filesize
64KB

Download
memory/5104-452-0x0000015B68AB0000-0x0000015B68AC0000-memory.dmp

Filesize
64KB

Download
memory/5104-453-0x0000015B690E0000-0x0000015B690F0000-memory.dmp

Filesize
64KB

Download
memory/5104-434-0x0000015B68AB0000-0x0000015B68AC0000-memory.dmp

Filesize
64KB

Download
memory/5104-461-0x0000015B690E0000-0x0000015B690F0000-memory.dmp

Filesize
64KB

Download
memory/5104-460-0x0000015B68AB0000-0x0000015B68AC0000-memory.dmp

Filesize
64KB

Download
memory/5104-427-0x0000015B68AB0000-0x0000015B68AC0000-memory.dmp

Filesize
64KB

Download
memory/5104-426-0x0000015B68CD0000-0x0000015B68CE0000-memory.dmp

Filesize
64KB

Download
memory/5104-473-0x0000015B68AB0000-0x0000015B68AC0000-memory.dmp

Filesize
64KB

Download
memory/5104-474-0x0000015B690E0000-0x0000015B690F0000-memory.dmp

Filesize
64KB

Download