1ce8d731bce1e7137c8e7d8c003cdc42767b77bf3db5730cabb0e78ec297c2b5

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce8d731bce1e7137c8e7d8c003cdc42767b77bf3db5730cabb0e78ec297c2b5.exe
Size

1.3MB
MD5

87be0d0b36d67cc20d4586fe840b7bbf
SHA1

a9bb0dcc26259f5b9429c91b6b5b0f426ae06027
SHA256

1ce8d731bce1e7137c8e7d8c003cdc42767b77bf3db5730cabb0e78ec297c2b5
SHA512

b50dbe6cc30a5a15fdc242a171ea34ea6a352b986f42c065e8e8f54ee9087ca850ca2452f9614feb3a049b470c87cb1fe01196a54491f711e0e14f4c29a2b6cc
SSDEEP

12288:5WiB+t3xqTSgZG5GnWMBUKZGYaJ08vTZLfX+PdgdnW:5WiBKxVirnlBUKZ408vTZrX+lgdW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3300	alg.exe
3044	elevation_service.exe
2096	elevation_service.exe
3596	maintenanceservice.exe
4964	OSE.EXE
944	DiagnosticsHub.StandardCollector.Service.exe
3472	fxssvc.exe
3156	msdtc.exe
4544	PerceptionSimulationService.exe
3664	perfhost.exe
264	locator.exe
1924	SensorDataService.exe
3836	snmptrap.exe
5080	spectrum.exe
680	ssh-agent.exe
4336	TieringEngineService.exe
1832	AgentService.exe
3112	vds.exe
4660	vssvc.exe
4932	wbengine.exe
4332	WmiApSrv.exe
3584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	1ce8d731bce1e7137c8e7d8c003cdc42767b77bf3db5730cabb0e78ec297c2b5.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a78ed909d8c8c63e.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112359\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f879fad6073da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045c035b66073da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ad6adad6073da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf2b21ad6073da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fb40bad6073da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	880	1ce8d731bce1e7137c8e7d8c003cdc42767b77bf3db5730cabb0e78ec297c2b5.exe
Token: SeDebugPrivilege	3300	alg.exe
Token: SeDebugPrivilege	3300	alg.exe
Token: SeDebugPrivilege	3300	alg.exe
Token: SeTakeOwnershipPrivilege	3044	elevation_service.exe
Token: SeAuditPrivilege	3472	fxssvc.exe
Token: SeRestorePrivilege	4336	TieringEngineService.exe
Token: SeManageVolumePrivilege	4336	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1832	AgentService.exe
Token: SeBackupPrivilege	4660	vssvc.exe
Token: SeRestorePrivilege	4660	vssvc.exe
Token: SeAuditPrivilege	4660	vssvc.exe
Token: SeBackupPrivilege	4932	wbengine.exe
Token: SeRestorePrivilege	4932	wbengine.exe
Token: SeSecurityPrivilege	4932	wbengine.exe
Token: 33	3584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeDebugPrivilege	3044	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 5652	3584	SearchIndexer.exe	134
PID 3584 wrote to memory of 5652	3584	SearchIndexer.exe	134
PID 3584 wrote to memory of 5676	3584	SearchIndexer.exe	135
PID 3584 wrote to memory of 5676	3584	SearchIndexer.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1ce8d731bce1e7137c8e7d8c003cdc42767b77bf3db5730cabb0e78ec297c2b5.exe
"C:\Users\Admin\AppData\Local\Temp\1ce8d731bce1e7137c8e7d8c003cdc42767b77bf3db5730cabb0e78ec297c2b5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3596

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3156

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:264

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1924

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1676

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1b49b81d8e7f51a414b3aa5498e13682

SHA1
54c4661d7920cc6987c46a2c64b05220dff8b4b4

SHA256
335351094be42ad67a3d314a566912b3e6bb400c7c318273cd2c828d59f57855

SHA512
e2843f9099e7f8de8b841b04c7f580aa1ac0fbc993f3524e3f1e8a321bf609ab6cc30c924ad4d2488d3382201c62745ca413fd30925f2f8c5757915aab6a2718

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a6b73207bb237a73c45a4b952b37da50

SHA1
cae02d4cb630f9951db1faa6c706edfd39940d07

SHA256
1f3e690351c1c1b7903e343aa8e628f71edc85ea2d68df41387a1960cd9b0d7c

SHA512
e7372893a6c1a0a9b09a189af272a689ed421b84dfe2e43de66119e1139e5c6feef9fb24ce89b95042b162bacaadbe4377eff713a65df65705d3400af60b788e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
256KB

MD5
1309949a1e084100cfe1582f7c3055b5

SHA1
e9bf9d1439b8ba53e7efa5ee831825879cd1f224

SHA256
16fd82ead276ae087e7494bd64035378d2efe19bc2e24e3ea64e9b897f5b1896

SHA512
497d625304c32b7e768eb1f29cba14eb2b90c9c3f2942588a2725dc71b1afe36b751cf2d81652ed6934b93f157ac02992d8ad454033da4fe91e3a7c8bfbd0904

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
320KB

MD5
e9be2ac3d6c94154674db112e4a907ce

SHA1
5edf6786e8f4c919626a8a9fd2b656cd70d8dc3c

SHA256
5fc5df67c047d1dbbba6164221e03b1f2d8025f156a522155d47b1f792d3b616

SHA512
dcf776559fe1e51a1584120129942ba9fead6233143cbaa2446a05c6d9973567fdf9df230f4d105db740ee5d37edee46e6aef084b8cf8a8f46144541bb602cdd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
320KB

MD5
ae8df63f65b4f1d2dd4cd97d4935bdfb

SHA1
4bb0cd85a5c65802dcdac48a7b96f19b34c6d88e

SHA256
70de9255a1eb1d69b4b2136b8df398f54adcc93cd4b7b0e13d29fd981d86342e

SHA512
bacc7e8837ff24f95e91d855f4b898295e3fa2d75cf34ade7ccaf1f7e877dae8358f0d7716b7f9bbb6fb82dd634caf717032d05760a480377faa91b2c787ecc7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
320KB

MD5
cb1b9c847a3b411a619a80b37eeb3a94

SHA1
9e3991c9a327b1b07c8cd435692f5974195927bd

SHA256
cd94c3b2c759a90c59a2e7548b29d139ea9fbf36a8fb948b5cd3fe0942c85814

SHA512
685bda8887f1f9781cc82cd4176cc54da36cc303c70fc6eb15d5c58f4a9cc88df869235974916556c03395b82ed7464d28f02bcd907e41af966a210ae7fa41f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
256KB

MD5
907c23cce536c234d6737467f6ecc71e

SHA1
3ecec255834b0b6614717c276f27493493ef1a93

SHA256
2eedd4d1e9018c386d7fced29bd39310efc65ddc70b67a6478aabfe175b417a7

SHA512
7ea078a1df89d9b47631d97b7ed5f4e7689e7fa38b81a8f2c61d34c3d78d81f3f9f15d98c128d046df85d0f9f938eba044f467f90eb82f814f260c47839e4fcb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
192KB

MD5
0685e57de58acbdb1707584394265821

SHA1
e1e2aaabcd027c774df41843259d73daa08299a5

SHA256
467f44a2f68a866e80357c5419867380d034a03bf723682e540bc13f57a38056

SHA512
91f3e78bca69a59f991f55d54228ecf5a9de5de79c3d035ffef836e266b45f23e9b56ff221556f62b1e0b5607893468811547fb36497bed480203e5164b6a8e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
192KB

MD5
5f8dc2748f67adfc578ca91b2bae8422

SHA1
30cb6fcfa4b6f1e8d02cebadc19d7f6c46c688f2

SHA256
2b4277648aea6964799aa96f43eb2c989bfa397ac3d1d351dc0fb7e67ff668d7

SHA512
de63497b5d676efe3fa8b4c371f8fc191f72c6785f135de841a31801f4da5434a580884298127f78307a6ceacb519d99860b62c81cafe71d89847e2253d3b3fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
256KB

MD5
f8a711e17c957bfe4cc05159678c20c0

SHA1
ece602f30ef6f23c562873997f7dbf1d2409e6ba

SHA256
eca22619040a0ef5a928169cfff135126bec72cc266d6ba46ca1cc3a6798ea77

SHA512
0ea12ed5da89e60e6cb1d8b4af6d7f009af3c89b6b616797320d33f8afe636eff58c1b64c7d0569309e8dee02f36958b49c053c56acf6c32e8ce91c7da889721

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
320KB

MD5
b54579316ba179280cbd678f63a5a8b6

SHA1
a209920e7affb65b116e3e0779181c2d760b1429

SHA256
1a90b76c82558f782b8b9568706da54436af2beb74f52a6d28bafce80f402315

SHA512
a4b03274a0ef99144ae22a0c0c1878d51417c23d7e1dde268e600a2a7805ca0f5a10b0e66e293916f00647513203df9c4cc4abe67b4345cf0ab8764d9b3a0544

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
192KB

MD5
954a79522e3595735d8a8442f35756f5

SHA1
3df1441fac3ca1be0ebd3da6d7c03617162229fc

SHA256
d18a0237dc9e5a0bec99fc8cc612af90578a8d540b646de0d9e04782019d86b7

SHA512
3f19777c8b70f9d6b445990bf6fa98220c5e35ba4b992d93419645d09c4c93af30ba449d44fc3c61a84694a6cab52e6ff0471cb85db1a8240577db64a8b622bc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
746c0a838c095fc27ab0a767fdfc86f2

SHA1
e9b3e4465d9d4b6796a7f2772199791685d9c85a

SHA256
5443dcd3fc20e8fdc748595f238b50ef15406f36fba917ed97fc84060eee2288

SHA512
88557f61deafcf1f5aafe4c937950ccebdb9717069a716e7f820a682ce1093a47ce0ee7c48e4df4c48c4803c432d14eefa32175fc09ca5f69f1d73373b3de93e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
115KB

MD5
09f3da831fba5b1a712b2f4803b1cb6d

SHA1
6c4ca128d5fa43f7996c01ca82de593e5c63875e

SHA256
c835dbc708eb18b4c33d0e0a7895adb09a5aa39c83b498f240315f9f7c1eea7b

SHA512
c23232554d9f297007ed926d614afcee06f4bda5dceb743c84ca09cf41951204c83f8841a56ba2d43441209ddb2c9e5c730f29c2deda95da4d724cabc1954fd3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.1MB

MD5
3227d854bacde54df0ddb83ea3867b6a

SHA1
50271090e8f83287352d6434b9bad1ddf0096212

SHA256
1b34b9b09c02abc6682201ca399c0806d9cfb2acbfe0b8a6e46e71dfed4ce1ea

SHA512
c2d97e17152b2bb94853dd997f1631a256e3a26fb194beb27a391f02ef0291f6bf726f1c89c31276453b04c79635aefee9021971a230c6fd68917dc22158e2f1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
3.9MB

MD5
b488d3ce1f2e20fe0770fd33f93ea382

SHA1
290dd77c42c8e07a16755055edbfd9cfdcdd2cb9

SHA256
c4fa6b4770bb58c03fdf3ba7569f14eaf54ff58e4300a882d2e4dcdfe3863409

SHA512
a5bf29df4107e12bec6e082dcd97c2eee3d313d4cc63ce96e7dc80550747a2c08f8dadca1423d5428c4db2e19c33de74f5b377d554be91a1f7e1cb5095083f2d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
b2b469dd5705840cb04a6f32215339ef

SHA1
96753c092211ec9182d8391deb19c143da43a5f3

SHA256
34166fba02c867b8c9d121a08f0cbc0b6940a2f85cee16be245eb47cdf8a5f64

SHA512
a5000e4d11eb2b1a32fe4ba5069c5f7ead5089f0550e172d3c8219c1575fa4e609db07a61bb77b0998b7d4703fefa3966eb3dad2fbeec5b7563f5514b5c6683a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c2d284388ed7e71426aa608b7aefe2d5

SHA1
eeb4848af66bbd0cca525a0c7f33fb264b841366

SHA256
d80f370ee06118fe68d6e8f173c70129d7871dd4294ae3776c6d176192ce7118

SHA512
f446d21a25d30cf47c025ae292c085cf6d7e7a7003739afa8925f97c88dab7351174f1c029e0dcbe3f709d333e02be0378076443e3f012173c253c2b1cc3ffba

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ee1282a7251f3901ded48fba11911070

SHA1
902c17d00a38cdd0465a761365fc32ae5d686f34

SHA256
4b6927cdb36c384768d9341bbb6b4251f55a48eed536be0ec06b90876ac4eaab

SHA512
1e2223190b31598d507864c9529d984dec342a72b855005174971ec93d39fd6fbc899d1b15ad9d50312225b2db7ae871c2f639dc1f83990724fbd4081800dd86

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
60260404e3261947cf75bf0f806215c8

SHA1
cf46504a960b6cbf24362879014f0a2ed5069a7a

SHA256
1c95803662e547f9420696030f04fd020a717f49ba59be6bad2b16160e983585

SHA512
0ac6062f4e5851551b0d663477baf6d7fe017ca7f35c0a91220a2cef48960659e6dc61362debf4738c8984e2e14486ac289b671d98a7c56e79f111fa9ae65996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
dc4198effe3a3da8b5d831883eddfe4e

SHA1
09bed98c6f38c3c47fc78288b441ef62b0557a9a

SHA256
76f1f0945e133937da27547dc54a357ce6632d0207583b7bbbdb3247cd3160c0

SHA512
5b4928f058686730d43cc1984a17f935d69ec5f22e3cfa386abb1b91aeba26bc1225af4fd2f52f0b0d5a63e891604792904f5ceaff90ffefd87b802aaa7bbeb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ad36648eac90259e7511408d916e45a3

SHA1
a868ddebcc4ee60916c850ce9981ba3f919b94f0

SHA256
cd95e1ae7bb6fd6386d6fde9e922cd0021256ba5744073fd2cc7f3b7b6233d1f

SHA512
1823ca14628b2974b4917e6fcb9bae2c3003467673dce1c1e61d21cb012762379fcdfce047922f40e3e8c390729f1e803adadbd04d56e733558c8442ddfefae8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
13cb1ccc8558276079e5c3304ff2487f

SHA1
973546e5342af95b52f27ffbd8d5c2e50c3bb552

SHA256
39afe2a21787994b1f20080555021ec9ca365825b0c8e0ff5bb44db8f4b313e0

SHA512
17b4a37ba4a75a7c394ce80279a898f2ab1ec4335ff64007f9e0d32fc24d03327c0ac5bb16888e6817bfef75551e082e31704a7c8e7ad488f2123086e8edc8b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
5cd332a0afbbf1de07f14c8a5bbe48ba

SHA1
0df60c441a3fa6de6a45fc246511f6e34a397737

SHA256
e16b08aadb5fc4a266474ea487a7c34f9b9be595c127a08773abbfd86d7ff45f

SHA512
d2d428de3da43e403f7cad007e320aa9c2104f58591cb078a6e95e8353b5c3034c61b528d617634afdb5e8ba762b013298497a35436197bad90bd758abc2d313

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4e40dc042067ce370dc44dd0879cfa9c

SHA1
c6e13ce861e90d022d25d15bbc45f6603fa58c12

SHA256
f0ccd9cf6b47e659c47c45af2f8aef65747095c2fe878e2421e4c4eda64ed6e4

SHA512
c8291ceca6f663385245e82d648b895b9d2f05a5db3c156639413ab034f8bdc1b1af2dd4f8594e939c93660c28834b47b054f75b12f2c437ce82b1e490043a8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
65b3ce079880b2e5233cb3a28611e752

SHA1
03e638122aa3fa4dc6fd5026ec020d0a0493885c

SHA256
445cbf208b120acd4244507089e9d5884a67d56672f16ea189fe98b7b7c01761

SHA512
ef3eafb9166b6d7ece42ac6e009018629d44ff5bc746d53eceb2d3f5da4683134d056d78bce5ae6e0a19c7f236afe5e2ddbde0f52752f4b1ea4236b0cb8c115a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
896KB

MD5
adac35fc3d8f0ada41d4fe6f4a4887b6

SHA1
887951f0504789bc3d8f4c0658cd3c752b93b090

SHA256
434b9b95f65e45051f6452e5ae5c036db96d2c9706f361bc8db9318f1735cd8a

SHA512
adab6e69e6542eb71ab027135a88b215cdd6f3baf5b25db19ba6ec84de54beff446ee6daf1f5e04af663ed5525b2f96925f028b704792d4683aae6d0766fe578

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
832KB

MD5
8928a1a3ae24604bb0df5c1162ce2d03

SHA1
aa85dd8c03535139791d690ee1c6296fa3192e95

SHA256
dd833ec859c731c87df52143c81d79d237e3c8368bbd4c6710125b2c68ca1838

SHA512
48f9fbdc908d233dcb8525834d2b3fc1b77dd0d27399d4e5070e2a2871dfd7c2f92832ac1c498d213aa4710797f19fec0b4d937a71864bdf0a30038a930e6d18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
832KB

MD5
3cf704c0f6f009d0caeb344c5c02d172

SHA1
e86099844c13f2cd15d6af6148779f83815cce3e

SHA256
0caaeb2efc516891ce8f93e9d634052a7b5f0110e33e0c9ec7bc607ca7d7cedd

SHA512
e20fab5bd9cfbf357dba4888724f40077075da16e23dab3a2358afe5e10a634b3f51ac02fcfae120c843d7cc9b4adc3f2b9edabb083dd7cd03addf7a7f004fa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
832KB

MD5
7630bb32467790b3f543699e1c894b14

SHA1
00aa6c4087c54cf21bf75160525f0414aba024ba

SHA256
8b2a0dd878837d1809ab1823d8efc967e6145f469a477197942eed01d5313106

SHA512
04e82015c77a6ff6c5b7a60af3ef6d4aa4522741afc0b1e54ca9451965deeebd9c064c7c841088fb871a7d23c61c351491d338fcf7a9198cdaccae412cfd3121

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
896KB

MD5
25f33eefc6827389f2756cb3e22ef812

SHA1
e194a7d8eb5ad91effb441500552e1a9b9f56c65

SHA256
3fe1e46c6e5591f8c2ed394f01a259d1b13911eb3fa68a0c4318aefd0addce42

SHA512
dfdfcf5f455972d149ebedcd03a07480f46d8c88291c3ae351986a1e9ce07ef16bb55e2704097d656f8cd7e62cab294f214a550eec8dbca584a8e74a0e6582fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
896KB

MD5
392a57a9a294b4be3309adfea05ac631

SHA1
96008d2e82057ab0c3eac280c5eb6af1ebe0aa93

SHA256
27e083623d1453ca1b6113dc80880ba461c1a17f9b05c6dc265b78e00c9ebd92

SHA512
1d67fa27e74711c1837bb6debe95a93d07e08c8f37c7aa0d638bba53ba6804eeceb593748dc98832a354569311b5efc6434c73bda0b99d6e30652a2b256f04fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
832KB

MD5
75b437c68d03cebcff44e18397c5108b

SHA1
597d752830960255947b875c24a317a366f3ef7f

SHA256
1b00c3044964ce56f42d90c60bc5cfd12c3a7c6447b299c6eb3fe7f60ca04e2b

SHA512
9221f243a4b38db46498af2db4de52ce2d0ce2bf12c100a9e80a9f33ca63130e5023eade8a322cd0b086b4cecf87eab0ca8be6fabe2c4ffa96c3f8d65962c977

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
832KB

MD5
112c28049e3d300b4d54ae7bef63abde

SHA1
fcfafac192f18105c6140d4f05cb98ab085acc0a

SHA256
d9e04fd54aad497a3d9f69608decaf5df97bc5c315e7d326110c3d0b7207e1c6

SHA512
75ed9f33e210342280ecd8c11b4de82839a594b952f888cc07dff7572e3eefbbde62a9fde7972aa2631156e0dbf59c1fd0d9c8a2d46f198c68a92fe65ecf3882

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
832KB

MD5
95e5648ff9192335a646cdceb0cf9530

SHA1
265cf0183aa1953a0522fa540ef2892b51773e01

SHA256
66054d075f788e077ce41336621be7d2a8dfe993619b036c04cc4eca625f9dbf

SHA512
2662bc3e260e426cfba464c93e9a1efdcdac32844944eea182625d8f6b42f2ebe0f5f948edc3f0e6476772a2613b000bc029f11610f9514ec5477836b49d993a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
832KB

MD5
64d460918860146b5bd0454965330e9a

SHA1
4293421e119fb81354ae13d002ff064ed4d5be35

SHA256
308090c4554db09ed3d2258991e02d9e8d4a1ec94b5d3a41f44411b7c7c53a8f

SHA512
53d962b9cac284f877e2c2d2459ec1f65ca6da51192737bd793ad84668b66f6fdc48f96663daeac992ebcc21337b150b894e4e64f66afe486c5accec5c4c9c3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
832KB

MD5
824b9b24772c99cf1d4e12aa865ba317

SHA1
4eff7d4530d79d75125cf6e6a66f506d84a7ca1a

SHA256
9f82c2ff14c153cb0a4931571b55f67ff177b3472ba2c63319b5f755470ad8ca

SHA512
4d5d72d8bcfc9ab8bd075a3f5f4ace0f95940769e3b395796990a4f11276d8634ee9fdc6162982e3554df433c79e1ef81802ae2520751c1b5522bc20151a7862

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
768KB

MD5
dce3d52ad689c16768047b86b622280c

SHA1
b5e9b5c4b4a42224b242dee10a432a84dc39556b

SHA256
337cbb9a1fa212911fcf9b7fcaee85f4599931df155952061cd1b3694e560fc0

SHA512
4549ea5bbec10b0439e919b9828cd2390e38fbc9f9a684d36d89871e68754e8d7716b61a428a7a50b9cc5f284be055132e6b887e7f3b62317808b3f77090ef4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
128KB

MD5
d83c395bbc75b625fad9a7f256533d5d

SHA1
6f8bafff534331d1d9e1149efc9382c39b7bc321

SHA256
2a6c2b9fb7767e1417e4ea996b3a8bd22cc048a71ecd22391f957b179918510c

SHA512
cf26e75e22bc41fb19b3ecb72e58aad78bbb3e35f102ace1943f64b118800f809d87a01449e04914c82a96e2a3f6212f9b2be9caa2667c296425b813438ac219

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
128KB

MD5
32616133a8040d1d882a3ea0b32a3ea6

SHA1
b32fda269c5771e18edcf0b2138622053d374553

SHA256
7922872fc2ff4e53e37a28c162c70e1e4ac3465a9a5a79c7813a21d655e194c0

SHA512
2ce9f8e085ac99a695a4acc94deb6bad22897ec1ff8f02a6a4a0eeca151c553a243ba59ff5379d152a256e17698d5e77cbaeee0c1036223b50c0306fba089184

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
128KB

MD5
403217ec25fd005ba19986fb5e92cd26

SHA1
32bcaf264b52eb610a374f08d94fd89ec6f43c25

SHA256
e767525c22b05f2d8be76a78f3b0b53d3c56c7848e16a5b2c115c24efcae5364

SHA512
2a07ac2dc6b6b325722e7f83990ff3a3e5a3dc0d9aa607a820b5b31eb6d0e35567138d28474e34ac1f81b06fe3cf54838a15656ea54d7774361cb488b45b7f89

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
93a7534f528444573b30ece50f2be4bc

SHA1
ff52cd8d38f0d3ad95b0f4d1f337a86196c12e9d

SHA256
37d69c0f8dabbd4f7fb9df347073339b6523421b26bfe105138f0d1eefaec675

SHA512
a564023571cf6538a1a465d59a83e4359236553e7a154486b5b912f01ac745abe90f1fef01f5b1a8a42b29e6e397f7978e9bd3a0d38cd1129c85bfabb2e596c6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a21e9b5dfd85a2131ae35178829d16f2

SHA1
4bd8e1fcca475ede763d0ec46e0e05502ef58f7a

SHA256
02192e1a6fc8f24799446e2bcc82ec6fa437a437397bb4eb10e180fb6ef20fa0

SHA512
fbcd98455eb575f025edea3482f47e64c2b74e48b249c61600aeec635d868e71ffe6b90d1ae1b5883d52847dd92d8eae80857f4351b46b45e58a2202fa0a49e4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.3MB

MD5
70cc4691c9c7c062d30908ea686c9bb2

SHA1
b642738d387fb6955cd5148b3d36ba56308be913

SHA256
ea1c1867a080a992b6f45dbc3ed4b1791fc79f00af9eee26627511610ef89efb

SHA512
b113f8b5109dd2521ebc4f836ffb821550023ad1edfa5e6cb0382b70724e8fd47549c3ab278146d3b033e3ddd9101a60dde3b5a9aaac117d3cf791b6d2eef57b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
78eb4768727bcd0148069064c5a7dac2

SHA1
610c982f462dcf8b38598b22b5eed8a022160cc7

SHA256
903117d374b28dabeca91b1b5c2ca300e571964b090fb6f21a3bd6484bd0074b

SHA512
d02085c8fee1e015d5b6604defaaef7aa12d579fc2f2370fd38f5574bc3f05e649cd93392de2f676820a2df8e2a7583a9b522ef7b2ace42017f3467b8bc9c8db

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2fc2e4e1b10e524e033d1a0654bef6c7

SHA1
d4feda144548dd3063a3f3371c2ea7929962c1f9

SHA256
3e5132399ede8d5a4dcc797c517fd63eed7f113b7f3ac2df6a3acee405b55fe0

SHA512
cfff949fa13e3da23ed57683cc5d74823bbbdf1d587e6a17b984fe55e6b917256527fada71e2e0dcba66a67d8edce0093936407413055b7e09717a3c2472e496

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
388eac0792da41e21078ecd9a31dd368

SHA1
fdef0fe141ae51f7a5fbcf9defe53bb040fd0f36

SHA256
adaa5ca58fc17e82dfb2b4bead3f2216d3deff8e2b6b7b1332f966f39452d05e

SHA512
268e7f34063f9785a0f52612d34f3817878626a9213932d5f10e15eb9456b01b56ec5bfe40072a0cc041a4843084546ae14bbc1498db05a434643d0f4cccb651

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
999424560132b7072f569395d2b9f9f9

SHA1
931265de64ac2644e62c708d61fa23db58241067

SHA256
9302931932df8cdae6d0fa12347cfb50d25a461f061a239337338b3c1acccf55

SHA512
b540d5d42e31a761d50186ef30b28f63274f9ed4cc35df9bb84819aa9b70a71e7b9f3502614a0d524488e530310395fd2e12953c13fc05bf3af21df12d001eee

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4744f122bf406c88fcbd3590995ac500

SHA1
001e4b542408740cb37c5efe4b19a5612aae13f7

SHA256
5de9f06f770c09a344de9cc8dc4a8acc16b12b5295b93c72bb11248fb2fec59e

SHA512
75b156e78b197ba97ffa8bc49927409c64346545f5ba0e8b47923bf0cec18a332af888fb2fac9fd3b3814dcb2f4f36f40950c756c51d71b3b93e1e0ea0c07cdc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a3ad387deb7f76c1d64a83012765a4dd

SHA1
4f256d48761d1f2e90187a28c0bddb8ba38eeddf

SHA256
59780fcef018aaec3b35ef37ac320307175bc2980cacccbd1d2724687d43228b

SHA512
2ea54eb5760955405d0e25b554a90565f2734a81614b87e694adcb4e3208b0465171403025e569796ba8a95e9242094f0bb9320d9c29695991d783e07ea3c5ae

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c8f658c5db8524aab008ad44aedc11f5

SHA1
82c0893814db03764cabde5e20537167d7e769be

SHA256
ecfa125b293bc58b1ac25926b9635dac518ee84736a56844beb3daeaea7a1bcf

SHA512
47a8b4a138c44f830ca5af53e8b9b0a91f74f6a7533e02d75d00c7418ae47e14bb66d9e45d446556faa816d226bccfd5bb408b5fe8388ae27094d0dffb7f09e2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
884caf71c20a6a73b7950a78da164b50

SHA1
2aa2a914454d21d95715f996957936e9f5e9cf4e

SHA256
cd313894fb3789c85a160d41ea4efbaf65e7fc8a3e8de6ba4048b7f07b7c2a26

SHA512
f762966ae841c601fb9078fac05f7ae9a01c1f46d13638f4419e019dd58e222aa29e066019d291d9ebf7256cb2fce5a8caf147431751eba4fbff2346b959d848

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
46442e7a4b1ed7625e3289c755d26bb5

SHA1
5c57c2a9c7bdbb93d1d91d5bd22f45600a604de2

SHA256
1eb0775251a69e592b0f61f6ac5ca0d7a637cd238276aedf6514fc2f85d1c149

SHA512
f9b342ce0ace9bf721c52e6bbe9f639c318242e081d3128ffe915bfcce97ab2dd17e155a3983e7b97f572b45a231463aa3a1fca7a99292ef967d13cd5f5f2cbf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7f84d43e28eeb5635dadb6285c20c85b

SHA1
05a5f0b05628be59f5d074ba8218ff4f7d0cbb22

SHA256
e42b5e3d4df969da47e50c3315bd6feec75e5cc6b320909124a39d6828cfe27e

SHA512
424c6a7117c9ff0527f1e276463c78e65a85b86f9cab1cd24d9dfb0a9b87fca1ab235bf12ff6c5fb5dbfa2ed5bf1c0a51ef6b110ddfe1b6e28c96b8507eab97c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2b21571ea62bd2c11661876a2c956929

SHA1
18c842ed5f14c4b511b7647cfe08bcefe3183195

SHA256
a56a6b5b76ed0961e5e02ce1a39594f6f75944bb681fe94d4bfa21b5d2dbf4a3

SHA512
083822153cb198eb779f9c8a55b3f49e1bb5d7bc1ece8d60706a78494bc65c93f976c89c46ad7de38b37b87f7f7fea76294c467688dbc636c3773ec4920a4652

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
38ce48636b7504c978a38bb9cd20b130

SHA1
846608ec54cdd4223f1806538764c3d00a866f05

SHA256
024a6f4c14f46aabd58f11fe4e6d3aacb4d8b5b5707f84c6e477146f2dc18c3e

SHA512
742961f1c571dc58687d108e5b42dc3af544e2b66dfec4582f70a92cf953587ea5c566e846ca2edccd098597bf8bb34190d38da5fdab35a65d4e2bceee735780

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cdc89ef63c4c67312098086f10d63dd8

SHA1
f9e51f132b7a7927a46a7a4686d3bf5b8357157f

SHA256
b59e7ae3e5b3a1bdb56d0f9b38b592d83272f02411702960f6ee1eebaa851a67

SHA512
5b542ce86e6a1c33a0694c5f174692fba2682df14fa4e2cd47be88510ebacfc27578e5477700bab1a5630d5d986e61db2b85405a62543a67005abd1bbaeb0db6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0781dfbaf613ad10787170e763675e9c

SHA1
adf7fb8fad994b893886f18874c9ab044267af32

SHA256
72a1f0177438efca11012d266d89e72ac4559a465da0393b346008bfa84c4a15

SHA512
3cd11a79c64b79cc75547760de652e7d9a140da6f7645f06373d8a5431cc2b8abfaa2e9b6c901bcc96b6973e7312daed16833a89301f982f01609faa3a5ce83f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a757f69374e7e84ff91aa9cc7ca97c6d

SHA1
1406cb4df69f586c7c1afea118b175013a7e1d8c

SHA256
0b24eca016d950869f7d985b5a1a4d338e53bdb03c896c20eea7302c3ad6c988

SHA512
a74bbd29cc704548f51ba101930bf7578bb35da7cab8d2606d28c8e3657418ee2cee7866782f63f5ecb2bdf050302982d0b9c938c5f1ad7907238ffe6e51db6f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
960KB

MD5
99ae33ddaa8edc5494b4e3c301143d8d

SHA1
26603e395da68923da3134d591623580600d3ae9

SHA256
6f954cdabe2196e8df1f1634782152e14879f0204a4dcad51ee5c2ca10645955

SHA512
0024f6fdb585b7bae1c0547be391bdd2fbb24cd3ae7825d5b78f7f9d64bc600eeb1f7d25a5155bd940ba005c03972ba22eb4a22e83b4cefd7f30268db8e85fd2

Download Submit
C:\odt\office2016setup.exe

Filesize
384KB

MD5
c10c59e1010ac901c32d8c72074f0943

SHA1
f0091e3297bbd3972fcb828f5612f77d6685b07d

SHA256
f6b43bc11424b7e77720bab49effd16c30dacbaeb100f9540d7ad987391111e4

SHA512
923939bdb8d6c1ff98ceeaf788cacc62e38872ecc28daee9d15a833c308ef68df517ace4b408bef694349fae7c79205583dd28076014ee673d7fcfd1535f19aa

Download Submit
memory/264-315-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/264-371-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/264-306-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/680-368-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/680-358-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/680-427-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/880-14-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/880-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/880-1-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/880-6-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/880-7-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/944-245-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/944-252-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/944-246-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/944-314-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/944-253-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1832-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1832-394-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/1832-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1832-399-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/1924-326-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1924-539-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1924-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1924-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2096-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2096-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2096-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2096-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3044-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3044-35-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3044-29-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3044-230-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3112-410-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/3112-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3156-339-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3156-283-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3156-273-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3300-183-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3300-15-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3300-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3300-23-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3472-274-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3472-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3472-265-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3472-258-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3472-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3584-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3584-463-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3596-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3596-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3596-52-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3596-63-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3596-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3664-367-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3664-302-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3836-341-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3836-401-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3836-332-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4332-450-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4332-441-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4336-440-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4336-380-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4336-372-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4544-299-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4544-287-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4544-352-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4660-424-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4660-415-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4932-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4932-437-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/4964-66-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4964-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4964-238-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4964-67-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5080-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5080-354-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5080-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download