2a8e9828746403c67fbf59004f80907ae9c76fa459f073567b1a8c4e780dbfae

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a8e9828746403c67fbf59004f80907ae9c76fa459f073567b1a8c4e780dbfae.exe
Size

1.3MB
MD5

4e0cb9ecc0f46dd5b54b8831e464190d
SHA1

e037c0959ce88b45f80a30dea3216e8746912e6d
SHA256

2a8e9828746403c67fbf59004f80907ae9c76fa459f073567b1a8c4e780dbfae
SHA512

d6ea8a060df0f2472119d06f0dcdfcbaab4d3d6570c6a1e843e6450d16db7c1f6fe623461578edd70ef4197f968f9eceb07c09bacbe696f606447bffb3d2c159
SSDEEP

12288:rWiB+tOxqTSgZG5GnWMBUKZGYaJ08vTZLfX+PdgdnW:rWiBTxVirnlBUKZ408vTZrX+lgdW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4944	alg.exe
1028	elevation_service.exe
2056	elevation_service.exe
4140	maintenanceservice.exe
3860	OSE.EXE
3472	DiagnosticsHub.StandardCollector.Service.exe
3624	fxssvc.exe
2984	msdtc.exe
1616	PerceptionSimulationService.exe
1040	perfhost.exe
5060	locator.exe
4972	SensorDataService.exe
1512	snmptrap.exe
1820	spectrum.exe
1736	ssh-agent.exe
4300	TieringEngineService.exe
1068	AgentService.exe
1840	vds.exe
4008	vssvc.exe
3844	wbengine.exe
3768	WmiApSrv.exe
3600	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2a8e9828746403c67fbf59004f80907ae9c76fa459f073567b1a8c4e780dbfae.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cc269ebcc4fd1e7a.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc473b39277ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031720439277ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f96e4239277ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b308539277ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085d04439277ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6a93d39277ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099d30639277ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085d04439277ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1028	elevation_service.exe
1028	elevation_service.exe
1028	elevation_service.exe
1028	elevation_service.exe
1028	elevation_service.exe
1028	elevation_service.exe
1028	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	976	2a8e9828746403c67fbf59004f80907ae9c76fa459f073567b1a8c4e780dbfae.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeTakeOwnershipPrivilege	1028	elevation_service.exe
Token: SeAuditPrivilege	3624	fxssvc.exe
Token: SeRestorePrivilege	4300	TieringEngineService.exe
Token: SeManageVolumePrivilege	4300	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1068	AgentService.exe
Token: SeBackupPrivilege	4008	vssvc.exe
Token: SeRestorePrivilege	4008	vssvc.exe
Token: SeAuditPrivilege	4008	vssvc.exe
Token: SeBackupPrivilege	3844	wbengine.exe
Token: SeRestorePrivilege	3844	wbengine.exe
Token: SeSecurityPrivilege	3844	wbengine.exe
Token: 33	3600	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3600	SearchIndexer.exe
Token: SeDebugPrivilege	1028	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 5432	3600	SearchIndexer.exe	127
PID 3600 wrote to memory of 5432	3600	SearchIndexer.exe	127
PID 3600 wrote to memory of 5460	3600	SearchIndexer.exe	128
PID 3600 wrote to memory of 5460	3600	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2a8e9828746403c67fbf59004f80907ae9c76fa459f073567b1a8c4e780dbfae.exe
"C:\Users\Admin\AppData\Local\Temp\2a8e9828746403c67fbf59004f80907ae9c76fa459f073567b1a8c4e780dbfae.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4140

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3860

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1288

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2984

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1820

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5432
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6812b0d20acadc956a4bd0a73e16f86e

SHA1
a322924ea5797758392449e219ab28dea55aa2c2

SHA256
0d0afa3d4692a84350b0e878d99989f0daab073b8a50af4aa658395f326d0519

SHA512
4e843f9fd4d84f0f76910462bbbf9e308aff6330e9e3c7cdc9b6bb06efd81d5165fa4c8306e177ec100d60eb48e69dc7206ac842f789894bba20052fdba3f122

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
99e2dc45dcf0d906952be59ad0c13215

SHA1
00eab66bda87bbefc0c1c308ca998c73ffadcf18

SHA256
c5d5ee383088abbaeaaf2692b1c0fffb3db02310300e531a59dc64d04e6d4257

SHA512
23a37456fe4c6f24c40afb945c8a40f022ae1a0968c0df670adb7163ab13d40cf159c9598ff0e242489340a7c8f305beb58ecc15cb123cb1aa4b2db99be3074d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.2MB

MD5
c58c1db5f681cde3db46c2264ed869e7

SHA1
000673d12a0aa4dd887c4617fc42197ae2537a60

SHA256
fb91eae58215a014ae876d3f5ba5b30aaa1c3081cea640adcedfc7cd74cef819

SHA512
372830eb593fc252a3b6daf96dfa5912ec2773399619034f8a227c708422f7882098d55765eed0d177e097fd102b4e3caed205ada7b426f835051ec5e90127da

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
888KB

MD5
92c6617f7852cfdca2a02dfdc38eb4bd

SHA1
6d3bf1eb6b5b9b8dfb035f38dc7c07306802792b

SHA256
cd3a54049609bb09c11ca6dc59e70cb5b7ac31148409bbbab96020bdde90288d

SHA512
5134520ab6c675809159c16966b79c49e757ca7f33c8e39d088d9123549257ed2dba6f24e3d76dc508f36fa833ae38280774432ee1869414fb24b1c3d2cb0a50

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
897KB

MD5
e6304508606d95905e46dc7a82b56dde

SHA1
d448ede2e8bf8f1959a6ee1593b909a47cb40dbe

SHA256
eb8944e6abab7e7797065560ba30adc89bf3cab3fe21d0672e3691201f3b4390

SHA512
2523068ce199fe4e64b0a35ade59c0080a8172df74550912dbaa5fd57613d3c576e361c6945643288e53edd2e90fcd412c03a6f77e7b2f4ea0e00b39b21830e2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.0MB

MD5
b8fed8d60efe31fcba7cd9cfbb32f2e3

SHA1
fcddace3771f15576ada806f38cc1885ffb581de

SHA256
ea1ff10c003667b9a3c6fc1c08a80ef967b758ac535c47f3a9dde698df01056a

SHA512
d5eaad80b6ce3a0b182c23dd1920bf8b7e3cd54eb713bd51847740016f1ba267dc4beeb7652e8d37fe55edb54b80a37ee70993bcfe369f5c42af8805a3178dfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
02781e154a62598796ef2c4fb2ca5784

SHA1
cf0289b24cab30009f2f523eef16b78d94f4d457

SHA256
cb24bcab35889e4b2573a3c9e4c7446018214a697df91ad35622fe8bc4ef17db

SHA512
be148d188aa1187843f2a90e87bb658ee7d17d6efbb77366f8853673e39234052709f6ef24ea2fb507577897a5531161d2bf7b7ccfcc17e5a04936706aa3af3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.1MB

MD5
f9f2e597f9f994b75db8d2ea31e9acdc

SHA1
74ffac117ab468b158413be8fea9ee518230bd6b

SHA256
5da5fc527a49db64354060f2f36870f17d67cb461e29d3b6d15d4245c57a7da2

SHA512
ff199f636b26f52364c45f538d08a265c43252f4475c067ead265fa3c228ba62fb7a3e1c5a0f93d4787b5452b04aec1961b1fbfd13235713093fe980e34bec11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.2MB

MD5
900a833379f969ee72976b269c349493

SHA1
fad7b8748bf970c6719b877416b056d7571eb4bc

SHA256
9608366a877b632967968e336b32e9891407617191c7ded709b9e87c7ccab7aa

SHA512
b994580483b1bc5bcba10cd678562fd70bafb9c4f64222ece026aa44f8fb0b002e500cf46cddafbf29c5a55d9596fbd751855a154199538600714af9344eb1ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
283KB

MD5
aa56997fdc9ed0451639d2b088a8bcfb

SHA1
29d015811fe12ed18794a68dbebb7081fa608c13

SHA256
986b92aa41910034acf3656f7a633a707809af79b08a7e8595b1a741b206c34d

SHA512
4e74ddda2cd27029ae85eced0b00de768e13806dfe33da5ca39f17e20dd8879332ee02c8ae704c39e39e82114ad0946ec8ee7b6a4c40b2a5d7c2fcd5ca16e233

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.2MB

MD5
33812c7924410877abc57fd1f2d688de

SHA1
376e201914586e6010841c44379c5045823f6853

SHA256
96329a57b970439b9877cbf930577bdcc2a2d064337393416e55a84731ba17aa

SHA512
9b98538ff232992db9d3786154ff52fa7f77ec83819011c7fb4ae842207ba088c7eb0dfa93ef4d56d29f6bba9e58b7b2559aa82d186c209d3f6bc077b29cc7dc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
983KB

MD5
a593aa5f612d3200d51e46b31af737c0

SHA1
5e7aaacda00e3991d940dc87a1cfeed874e38d8c

SHA256
e6516d4a95896bbe15660eec59f91d7931ce8899ec891297d2150509c3ab2c97

SHA512
ab23e69bcda7a8adf16dc16c704b492b8d23db9fed5a894e58fcbc7b54e909974a554d472b9e41a0f05cee8d05c0fb9fd3abd9d8e5c8f9eba7d82261868f46ce

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ddf5753c1aab7947ae764c1aa617f739

SHA1
bb54db3b167566d09785e6411db2fbbc57ba0a2f

SHA256
bfa5f341de894a584ff5e78e6c6808fefd59a2c7f393ff14073955343c583596

SHA512
b55b82f5abf6a105c3595c2586bbda5161664ff3be086353725f60408b151965c242359ffab426678a33d9ee154bbbcabe162d465e06190c3715f30244434a69

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
998KB

MD5
7f1b49b81fee9c9e02b70071da68fa83

SHA1
e25cbf2fb1fe840c1a41351768460431aef3e006

SHA256
a6b895a322e56a45bed0a48f852c7b39874c22462320535932d275f77e92412b

SHA512
d7276d2e52cff1650cd5d5b8865d34022e9e481028b4f30f0e1195c3a7ea6e655ea1485c42eaf1b1a1e39655d06182c41a3ba7ca9ccf8d43a7a2985c753eea9f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
885KB

MD5
05ab8114239230cda18cff2f0d4fd588

SHA1
586a0a6f7a644328d30d41787eefd8d466c9a491

SHA256
68eb8b805c4f723bf4c823e478208bdaa8b0cbae2b48a3c061d836f0923a7589

SHA512
c6b6cd20697bf62137a34471934ac6f451e974c2304a3f5b14efe3880c97bbd54c0519a3fe6a019e1554f7a71db1e1725f9b5ace5a211495c7e40efc0038ff80

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.0MB

MD5
fca0691a49d444cddf9352235ffa5211

SHA1
4cf46207b9fddd47728f961fad4f358f3c81d65c

SHA256
2ad73666daa26d4c22dbdaa698e1ce6834ac8469b8ecedea4d2417cafcd32946

SHA512
939f4a277ba58c82e3f08b2bb8352f057a2eb06e068781b0c19ced9bbb958f1716d6529c7d3af548ee1cb7522259b4851175b260080f89423e737bdbeb2d943f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.1MB

MD5
4f0178b73ac38a276c7fb15a11027140

SHA1
c810f3bd13d80c416aeb2222f10100b2626e46f5

SHA256
ea207acb9b69462f31f6c42df7c601b48efe957eaefcb0cae03f103d3f61d5ff

SHA512
43b10c7bf1baf5be6bc4f9ac46c96ceacda5a8b8cc3fb786b6039116a44723849772f29ef55f4db7760ab11455f75241d2f06e4d398507c6219f16249d0a6703

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ecde2fa51a124c5bd1e66f405ab8cd80

SHA1
1129d293eda3f1eabbd3e85a699a5b572fbd55f7

SHA256
8f3c94f8f58ca97d4a1252375968f44a1811a8d96471fe927fc485134f56bc9e

SHA512
3df3ec0b914a9c24fa04b65be5dc0b1e327cff804834e72eec3b302e36a3bbc12235404a656afec2f7e6dbec6f85888d349043c8e5a913c28c1d813fd313753f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
858KB

MD5
abb6d08f428fd57bbf041c3c60f183fe

SHA1
d2a01618cd4d612764695a671dffa578f330ae43

SHA256
47384fbc6f9d81c7bd27b76b51dd122988670bc2181828659b6dcba9444cb26a

SHA512
19313fdbfadf090fe47e8850cc9ac685062f5d23b907b37086714cabeef3d782772738dbd5561c4d6f3ea7b8d121bf0e23af5a49c094e2e0802f8e35ac14c810

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.1MB

MD5
4e8c64384dd030a93dab8c52c31d64f7

SHA1
7cbdc16f11990f096fde9eea699e4efe7d756d3a

SHA256
628d8ba28c42f9be8202e79bec6a4d79749fd8e3a8b9f488e683f20bc1832eb0

SHA512
7bb39fd83dd610159f9e90124c2efc9d954b5f256c07845e779590930605369a79c1a2127c5b022c73915d5c5ca17232c6405abd6833100a9c44ec857d3aed85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
889KB

MD5
aeef1d05b5809979f8c4de4cbfb56cf7

SHA1
312f99cfb9af2c7ebe5316e31b051345a3daad40

SHA256
10d330552e3f2e86beef0a9feae1d42c6a9f5552ea05054da2fd5cc27b58e02b

SHA512
7de5162004c84eeac570a5955dc14f8a301388ff1e21b45e4781f29a5d93edf98551ee66f3ee583a952cbcdc276b4a3fb596d4ccb0f4b14551fd8fa250d56524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
848KB

MD5
2e53a290da533ddb4ef9c9367ec06f6e

SHA1
23b737514ee831ad6cbaecd8afbf5cf79a3e0c0f

SHA256
2e56f0ee1ee9e39495a7182a7b4cfc3aee13f708bf14c38e39fb7ad8cfce6591

SHA512
7908de3b3d9fcb902db765564fb58a99faee8ddb465296fe6ce739d1a1284df11054306c8e6a7b7c849399df559e6b4d294404367dbf2f3bc73b473fee7e75dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
917KB

MD5
48da861db396ad7babc72d37a8403399

SHA1
1e3707c44e8c231e99206d83896d5ad0d9eb0dea

SHA256
82969f3a5f92abe66f4ff080f355076ad773b7367a9856a7dc2e5c78c75c0c50

SHA512
c8e245399f9be20d0bdd3229305a533d371ffea6d2591f936fd67ff3505bd9d79ae8c8f1a51b8b354128190d82f325b0a4cfef19c6048ac6f8be04be9eb8e7e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
892KB

MD5
7794d7e6cece11ed30d1c7793be802fa

SHA1
0f4807366e44a9d26d8e77f1a23cf6245888f556

SHA256
c47415fd51a4d0b54c888a02208bfa7c730f391b82a42d9a704e483bf766061e

SHA512
a20aa1434b5d3dfbc2ebb199f4e4ed1f7d54c7d25a520f58ec9028c0c0766022c80fcfd8cd4028f51f4307c7edfbab77051415e0c89d1519d62e8cb875ebba4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
693KB

MD5
993f3a17146515b6f3e37b3def24b0a3

SHA1
7a894e3d184be12929fbd641ddaeb54c05ecb80f

SHA256
660642d0706a02b09a41016d1fd9de2b191e1bdb5137af50d2e87cba702b736c

SHA512
0ec0fc55609c61fe392361c24d502bbe47a99eddc15be0befa64f624c28a5c239c03c1a45517a81a21184da2183b13e2bac74b6408427d42d1ae5dc1a23e7470

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
960KB

MD5
16f82f6993d66f2d4b663f7e3173b28f

SHA1
15e7dc94a64446d68a9d59bc48c8f565787b64ae

SHA256
3bade4c12dc95c3e77c4cef7b09b8a51429b51a575f24360191de2e13db3d0fe

SHA512
91afe3bafa96f36250d3e929d4c8116a13d85357512d6a53926351acdee2e590da4b821e93fadc09114149ae6a9ee6adb37507bcfd4fe38c5dceb18a962ffc7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
885KB

MD5
53dac0bcd56debae87176e1c05bfc97f

SHA1
1bddd6b2ae0b4a6507b91047081141261d61fc84

SHA256
02d66daba0c95f0926c0e2501b15a320d118d86f701fbce4805e0c56e470d1bc

SHA512
0946402fef4e0ea723db454322268fe5735dbbf7dfba677a82c69e5c30a9765b7b159974b0dbdd0a01343a3a1ee604d82ed52c5f952a6f406895d290398a5864

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.0MB

MD5
21bf3340679fedd3c900b5694eacbe60

SHA1
2c1e65b4500068d838ddf563ea311edd0721191d

SHA256
7b7ec6c72ef81ad8e1dbd8d50adf8f3e11c45f024f916958e10aacbcb8e648e2

SHA512
ec8d594ed7158383d553c5254a380713c9fbbe5cc352de7ed5d6aab7fa10fa2d19cdf62ff8cf6fd5e9b7329555fd86b9f1c7839a989c289a7ae9a991ca43193b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
843KB

MD5
41c0b8d2239e744951dd362462e851d0

SHA1
3a016b99cd7c1d3bc42501ea582815c1a1a10fd6

SHA256
1c40686c18891742177f4449d708c65f39f2385153966e5990c636eb19ec30db

SHA512
a5403f531a98b9a9790c5493c07aa0142053f272e1a9f5a783fb9bf0ac668a1ee4e1e833b11ef7c46190181d11514f09ca7372ea43e5533a92042a3f68388d20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
285KB

MD5
b83f8237b5002a264f67d074fe0407d5

SHA1
0cb8cd3499b857f38e903b436c39a67596329643

SHA256
3c0d84db2dd99cb00d4028803d5bdc07008ca4ff7d647d4af9f60f8208f3343d

SHA512
ed52132f7b7b33518657f84177c9823867549949ccabc8d2463a5964eb08c33136304eff752deaa41ccac2c1de7f68ac7682bcefb1b89900dbfd3a780531a087

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
342KB

MD5
93cca4201438882568b0fb0da2f58bba

SHA1
8ec7fcbfdce8d223d287da020560d55174632528

SHA256
a7981636cf22565fffb37b238b0385165fb25ca69e4c3e5ef702e940e22d4222

SHA512
0c87b824a9cecbcdca581e34d082d2a2e5636b196a17662fdcb96e67009e8222e4548598a29a91ff473c5f9e85f732efb0526bbee0d3e373624c7e15dc640d78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
320KB

MD5
83964adb3869f5816d0a4f5e693ddca9

SHA1
1417990ce2d14d26fc92d671ba1199a9a97333b7

SHA256
115929c01a8828c6ddb4b39ae30ae5084daa6780ed1906b43d9edc05d33ffce9

SHA512
cf444c6dcfaae83fb9bdc26041ef45e2f16f43ea196a40353b193782b16b475a60451dd5c3cc3f39cbf61fc494b858fa911d133d3c0b7949fcea35565f56947d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
347KB

MD5
325b14add9f21fbc92e273dd73cb3ed6

SHA1
7af7424a63c29d9355d9339fef3337c0ee77bb8e

SHA256
8ff4dd330194d58f8eaf4994a044c5bb3cf8a1227d2acec2fcfb11c97efb497b

SHA512
09921fb8e4919f22e70b4ca3eb7b189f7dc2d685c28f1103ea810286b18d30d8efc79195a8710450e40add120c08a65d73101146a5778a078ea63e48a74c1f9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
248KB

MD5
38c4e824f486f3885877a8b0a8e50abe

SHA1
775ba09c2f9cddfb6c4633ef804962541993ac4f

SHA256
23cabbe3584dd4820acd221a6f2d34f6dd6eb5c5292cc8286e67de70b70b8368

SHA512
812e8b038974814e31363f9fb17e0e99eef40c48ce8b0f54ea12bbb62542367b7e3806e422e524d8f336c2017f10ea8270972ba8ae09a34d663360e3b6aeabfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
213KB

MD5
378aba17d08980ce70e1d6de04ac2ccf

SHA1
60a171c06beb37dd8f75f7c3350eb263cbb25354

SHA256
7440912c028f5f56741bd2e6e7a9abf35218dea25b00aeadb80289c04b3f22b0

SHA512
886b2cc1c8e9486ea998ead1c395e7db08ef8581b62feea12e6732c0e38aa92f29723abd33b751f4a3c7019a983d6a63ad496c08cc0b4feaf7a4a2b8147a73b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
242KB

MD5
c9944425cf0549a509b1763b75ce82c6

SHA1
67c60f6f26ee8d837cf153f898d803db5119dee1

SHA256
a936682a1b2f9fee1cdd8b8685cf5e292b8f5c6f8d3fc4ac0820e4945416b1ad

SHA512
5f0a6188bc5d7d419beb5d8a877b01f3d27e3948a8788d003923e0cb5c2c2ca58923e5479bfb164effb5939d8e143ff8d485bdc897ba3506db76e24befcf1d1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
224KB

MD5
9b9109d63215bb4dd65a5c0ac0eb3fef

SHA1
5c0e23ffffd446b5b1dc2e5ebc7659face03442c

SHA256
ccbc63ca5f5f59973995905941d046bfd9f2afcebcc1fd2be12d30d704193cc4

SHA512
d8f76c8d5926421728c5a04bbd0a64cd036f2e0a7b93b1afe87219e750cd8bb139e244922ccf74df7dc2a06cbe3eccb0d6a69e8edd8e114d9b40290c2042db5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
254KB

MD5
06b273eea88ecc519291831fa48d5499

SHA1
a3de688391ff6d80414482905673e63f6b97a6be

SHA256
8ceb6653a6ba73530f1653413839784c0e75d71326c76e3f647dc651f6ba5278

SHA512
9ccd9c297d4e552eb4e1723f647e9d7c95c83911e39cc564326d31c0572fe84da1e55cb339fd4c0387e2db0aafdd48cf452d19b07677888a03be6e2d2e58bb50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
288KB

MD5
5fa9949827a250023644fd3823e0703b

SHA1
1cff7cd827d6bdacd28c8431302643768353df23

SHA256
36cacd12ea0739ae508795919cfd56498bea4b31fe34bee58b3ffcf4f0860808

SHA512
18081e6f0dddd8d25c9b2f071481321014b755a7589669d8d17d426fdc9dd8d28b64a2a9d06df34a89a3d65a685cec27f9b46a049e9808739dc3efea302f455d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
233KB

MD5
b2204658fce66b1f325e0e714214434e

SHA1
3dd6c254ea9d2d54c2b504188cc877e667bf592d

SHA256
d73565e4013653e5e195844a26793aef25b2ccc9952467f783fe6aa74d97ce41

SHA512
577e06996244c21f5db336e47f98b4ad55ed093555ec43aba889b9db26dfacd505708b42890077f53861a476ed48a8455be1cafde486368823b84364b0005807

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
186KB

MD5
58b212e6f9b778cbb0d81d97fa7a56ef

SHA1
64e0a88ddb32dee69e5f247aee8b56e1366d69b7

SHA256
5f380bbd29cf3b9ada2281e4f36598adc6008bcc127af91898c25aea64a67c24

SHA512
627b341c0977557b4234da63aa187bb6624cd4b91e78e73156b8b3b0bc5adeec261ecee1fbdae0a69ef4d8726940d12b3bd0aa51f22a8e29614b207ae5d7734c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
370KB

MD5
938438d89612ebed266670d6a3d32ee4

SHA1
e8e42e018aa8fb28fce611b40c553d53b2e2c45e

SHA256
18cb77162881a9dbf7ab5a4f29a1baaca766b155d2fca4e0e3cdc6ab9aed013c

SHA512
306f94306dfae654dbcc794cc4e00fec4b6eff71167921387d16cf3fbeeb376dc2d4c5795b57bcd1554724bea624864e88dd638ad98de6ec8bc3f71b0f6b6067

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
365KB

MD5
e423859d8cba799f4a5fa261aa81d325

SHA1
b53cb32dabdc6fea5b8660b44b1e7a13696f1087

SHA256
d645550325654cd8f5b230f1ac9247f4bd78df47658ad76c42d44b05f8334059

SHA512
fc0a5434a8ba27e51d1cefd056a3168d96694438bf2e7a7c735c3b858ef25355cf2e6ffbc9f3acfce127481287e0ac3a6eae9584242869961148dd2b9926516e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
746KB

MD5
ec58989f574e7146bde515cefd50549e

SHA1
64113eb65dcb7a123bd8781f01b6a9d098116542

SHA256
7d945fc127759af6bb22e137c8cff7ad8909e11edf0c11eed5207f95f9671a79

SHA512
0808adaf399da3f34110fbf7ae56f8195b2bc4cf49288ef507bcf99fded7f96ccb11afea8c5ee501d1a0db976689369564b9fc956cd5bb1e41ee204c0f4160e1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
446KB

MD5
fdbcc4cb67d2e382e320d6e8c95b080e

SHA1
4e3287edecadc1c45407c84be635b7c3f230369f

SHA256
6216786088e2a1db899468ec9eeb1cbdd97de11f7ea4e267bec2368afda70e71

SHA512
1aed3567579fb2aeb2b6b846b7c0578aee482f20068df1aa2c7aec821634e795a65c3de1d6922309b0f57b387a18991f20079ef49c3ef3a0ba4283a1e4d7a3ac

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3c3331e340a20d0a106a5da242ff2fa5

SHA1
e86696ce558c14ea4b7c9eb8ac7a61cd84eb70db

SHA256
689b4a6cddd0bdf4899df973a01558ce56b7a135a98affbd4332e49d15a0335e

SHA512
4dfb5e37aa48a8f3af8a63761da388230e741dcf0bdd2af2a87cbd65bdffe7f5ee7754f9e68db83aa67e7f52996417fcdac7049ddc04d906ff1bef7dfe8c38e2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aacb1d192bc4d84a4405ca5eb7e12c16

SHA1
610ff3404116fe9a2f4a4dd1d77f54748553d02b

SHA256
6bdfe7f395497738f8db865886fcd6da92a475aa8a4fd8c9ad9f6f20dbd76de6

SHA512
b4bda59b64977a714acfbf6861b1403d35479fc58975df4715a505fd116f17583e6cde9ec8775acd22690f584e7e571f93384db710024448783abacb8122287e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
772KB

MD5
61d2ffbe4140707f3e82007dbbe388f2

SHA1
769cfa6f23bcc03127092b346a898c2dd423ff12

SHA256
c564c1294f83e17e6bf464d75e95b2cc40265e388a518f98ee30be012ba46d6e

SHA512
f904bb8413da836d46d3d30f81f3c775c136f9bd94cc7434e01972d4bbf1c5c9cd8c5e9bb35102e424eeeb12736412d3144f7d8deedccfeb2034eafef8313603

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
803KB

MD5
03bd5a70831b31acb3dadd963b242f9d

SHA1
f6aa8fcbf9c93d6adf3d5ca72b24b467812630be

SHA256
e1b89ddbba153501f870a6618472063b9cf1be448a29152eec03b70040629fb6

SHA512
359b0dcbe1e1c777fc710c48188753d77a1c203843573aaebf8c8f8a86d9da0d5a47492605e311e6f6090c2aac1c2479ea95c11edb3c55c13eb3c42e4bae488c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.1MB

MD5
a38bba7abe078cb213985d9ad004a59b

SHA1
16077f1ac3021d0eec5f00edb64b874ead18ca15

SHA256
16295fc0acaa66e19e123ba8873fb1c9ca96857e1e5ff1124b209ee2a908aa80

SHA512
b0e48c5c22c5219aefed4033705ebe17f9eb13c1588431df8b095ed17264328b097966f84ee6a6755462a427fe864235c7bbb4737da86dacb696d4bd3b4c0e86

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
78ad779e319a0fe77350cbd4142f9698

SHA1
7cc234cd956e6dac9d4499cd997202629ffffedf

SHA256
cfca0704b4d19bca73a53421566b77cd718e4505b27125607a5e73101c70102f

SHA512
2da5dc238f83b56ee762d9f44ae43e6398322470e9dd1207a584152853c42fb90698aa9284439a162a8dbb994ee4836e0cf6f6507d1b8e2ee6d5c8f01d671581

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
403KB

MD5
2befe39f2e9b1db32541399840a3b09b

SHA1
5bec5b4a90ebccccea428ab12df5ef9f09561f4c

SHA256
389d8f7dedbb5091c2eb7ad7609e780ad7d842edf9c6c267aaf4679b8e65fadf

SHA512
9670cd2b599860b07f1022862fdeca947a799c5c2ec1d3f07ec1c4c281c1f5714c42cb9e045dc7d2653a3f647806367c79f13ebab8aca1bc7b472c07a1a5b28b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
199KB

MD5
6e68b73afbb3468f532a6be3d65c23e3

SHA1
c1acbe71434038991483577b5bc08b0b0a88008a

SHA256
a7004f0b46b2df9bc14ed06a86dc82a2398148980c97aefe1d27e21a7e2f2c5d

SHA512
6af12a03c2a9d0e33a05d4bf1952cc7530631d1290bf639a20f34b86cf3ac93b3ddc24c33cc9f21847e646c86e818b316c6a415ac935284c83bc538cfe155aff

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9f035a4e7f09929afe63b4cdb68b4b29

SHA1
2bd98691dc1b8fd6a8afba74d8da1f44f2823e54

SHA256
990d6537347a4e9a34c823a02e118263b7e075e127b97104d9ac8ae48cd19042

SHA512
80f34bc608031582fb66c8a9aca9d9bee6892bea16875bbce5a54f12dbe74d6c6059eca4af401472f83b67d5cedc97283db87eeb9b95c920267fe9e5767cd7b0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
517KB

MD5
1a6ac01e930b7bef2643dc68714dddc0

SHA1
eda6ca842f54776a51a088132061a4f7c8d931ca

SHA256
b51d920f03aeb19d326b74943d61829a3bd2aba156b62b7b7c1c3bcf20fe5c0d

SHA512
54a7b4782e39e494b2cc25c0e78eb8a70b5beb01c9f9220c9a81a00f209e04d4a8ef042e6fa167fb919b70cecb04cbd739d393be6b7d7f0cadba33f52a64a682

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
181KB

MD5
b41d0afaa25551335c6009b06a459f41

SHA1
5358f2e28645f5b703920f1b249238312215bfc5

SHA256
550316e35206667461b3845e5221cffae5d11d4a5dd569ba000d5e74ac96bd85

SHA512
a0e326de5acc929d8ecfc3b1441ba41da04f4a0de2ec8fad50e8891ddc08a8698768c89a382065ed1059aa96878071fe9e2042cc060699d950e1f6003d3264dc

Download Submit
C:\Windows\System32\alg.exe

Filesize
896KB

MD5
d651e592f0fb3c8e1abca5404cbcbfc5

SHA1
d3c1c176fa66979faf7c9b21f44686684748d734

SHA256
842e4f74298a2cb515a10655475fa6a730c30fd2d648f0923a420c59f969ece8

SHA512
77087ee93f468f48bfa148dace56fade9c20b49880145fd03a6c8d0f1ecaddee0e0b422cbab3e2ab37df945367e680bedc06ebea468ce32afdebaba6bea28583

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b85f369e7e820671bf4272eaf09cf16e

SHA1
e613dae47dad517205df6643cfa52e35f05a5370

SHA256
5334db07ddea0e55f7dfaf97743f73208d4cdc4b852da31c445930368e7c22c7

SHA512
4f84249707228c5fe2696c38147f1b295ddd1cd08b96bf8d4fd243c1eb3210744195014964158b2e99daa7090fe985386f7d71faea68ee2d8a1c791b67a801f9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6721d6c4ec9874759c5465cd995ecdbe

SHA1
0e3573c17e9fe9b623eac9d939c645c3f24cfec2

SHA256
bb07e34e6e7122a05b041c7879751e1285492569fd24cde124af148948436d75

SHA512
0e3196c16e9ad605a9abe7c4661f1534d61722314bae5f01c227bbdd165532e0a8b44d520fd3ae3061edf0027fe012c23874552b537786c73e29c782486f86a2

Download Submit
C:\Windows\System32\vds.exe

Filesize
304KB

MD5
51d11948f9cac686d5cbb76307651fe1

SHA1
57f2b5cea2aa7b25d6bc1e29bc4d3892af805b8a

SHA256
3d0718423844b0e30129530235a5aa80c72c916d6acaa16043b115dda435c2b0

SHA512
6ac161b571feb27e6c264b489c7acdc69af53bbdb2114ef03bdb037ccaab79b960713a459402860fcf8db46c395bb4bd68d8dfa14d4b7f4ab2976dd7d201644b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
640KB

MD5
50059f92ca053af3cf5bcf7e3b31bb8a

SHA1
8ef068308e210081f28a5bf5d1cc2a0fc2b684bd

SHA256
88934beb7b9609895e7cf43d3d590ca045f9fccc1e8d5c52f76d1a54bd90a552

SHA512
75ed4495038fbb399dfba8b7a80672723c15ceef09ec9c5af27167301b30e7e3b484c3790edd391b36006ad0e774829e3f99c97d7c966617ba6a4f7330b47d9d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
757KB

MD5
49c5f474f22dbc2d44e2e91c665a5752

SHA1
64d5ec26845093c98d5f91cec93d8c5d87340739

SHA256
1537beb3a214a3a5282767a033537337031797235dd1a36290e41d395a6a4a22

SHA512
7a58496d39203d136401cda1f45116fa771f3c670ca6c76ed1c6678ebc117cac7a9500661c9c8e8de37dd9e56fb673a2690ab94c7c6c9e83f43b74ef401aa035

Download Submit
C:\odt\office2016setup.exe

Filesize
429KB

MD5
661f5b6e60b5c02ab397c627307cb55a

SHA1
3b58a267ad482dafb87fa306edd37c635fbf5777

SHA256
96ca9c42d31d96b03e1689da5ba44e4ce3e555a45a220da6b516eadd3de84076

SHA512
b7800330d8ee4f6f4575423985f24387a6722c3510785c7f5046c1fb4400e6b6756e800db7eb268f548101d92a3bafbe1c63572b2c2ede35d9697bf826159853

Download Submit
memory/976-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/976-1-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/976-6-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/976-12-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/1028-237-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1028-27-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1028-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1028-34-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1040-303-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1040-367-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1068-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1068-394-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1068-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1068-399-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1512-341-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1512-402-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1512-332-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1616-353-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1616-288-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1616-298-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1736-369-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1736-427-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1736-358-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1820-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1820-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1820-354-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1840-411-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1840-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1840-405-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2056-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2056-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2056-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2056-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2984-273-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2984-282-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2984-339-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3472-246-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3472-247-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3472-313-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3472-253-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3600-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3600-463-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3624-267-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3624-258-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3624-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3624-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3624-274-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3768-450-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3768-442-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3844-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3844-437-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3860-69-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3860-67-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3860-241-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3860-75-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4008-423-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4008-415-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4140-52-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4140-51-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4140-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4140-62-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4140-65-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4300-374-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4300-441-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4300-381-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4944-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4944-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4944-230-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4944-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4972-327-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4972-385-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4972-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5060-372-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5060-307-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5060-314-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5460-549-0x00000248CE700000-0x00000248CE710000-memory.dmp

Filesize
64KB

Download