86ce0258117f2c7d4fff745b23ebe8884e6c16a903b2123d205ca1872a3e39e5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86ce0258117f2c7d4fff745b23ebe8884e6c16a903b2123d205ca1872a3e39e5.exe
Size

706KB
MD5

4313af7822401a86b3b2ec0e01345b19
SHA1

8d15db5542ddebd4694a1c0957107eef855f214f
SHA256

86ce0258117f2c7d4fff745b23ebe8884e6c16a903b2123d205ca1872a3e39e5
SHA512

7b9268a3dc6091fd2c100859d36eeab07160409e07b4be1bd537cecc554b27a541456d16ffe676cde23d368802c782dc8b070b8d68975abf1c641a3583e0640f
SSDEEP

12288:QWiB+tCGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhr:QWiBkt/sBlDqgZQd6XKtiMJYiPUr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2128	alg.exe
2464	elevation_service.exe
4004	elevation_service.exe
3924	maintenanceservice.exe
3488	OSE.EXE
2900	DiagnosticsHub.StandardCollector.Service.exe
4472	fxssvc.exe
3268	msdtc.exe
2408	PerceptionSimulationService.exe
2728	perfhost.exe
3612	locator.exe
904	SensorDataService.exe
1648	snmptrap.exe
3640	spectrum.exe
652	ssh-agent.exe
4904	TieringEngineService.exe
2440	AgentService.exe
3424	vds.exe
1836	vssvc.exe
4884	wbengine.exe
4816	WmiApSrv.exe
3944	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4d9cd47b46f975ab.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	86ce0258117f2c7d4fff745b23ebe8884e6c16a903b2123d205ca1872a3e39e5.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad7a54a9ca8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8637fa9ca8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb42fca8ca8ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3550fa9ca8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0c4a0a9ca8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eaa4fea8ca8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018eca7a9ca8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2464	elevation_service.exe
2464	elevation_service.exe
2464	elevation_service.exe
2464	elevation_service.exe
2464	elevation_service.exe
2464	elevation_service.exe
2464	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4804	86ce0258117f2c7d4fff745b23ebe8884e6c16a903b2123d205ca1872a3e39e5.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeTakeOwnershipPrivilege	2464	elevation_service.exe
Token: SeAuditPrivilege	4472	fxssvc.exe
Token: SeRestorePrivilege	4904	TieringEngineService.exe
Token: SeManageVolumePrivilege	4904	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2440	AgentService.exe
Token: SeBackupPrivilege	1836	vssvc.exe
Token: SeRestorePrivilege	1836	vssvc.exe
Token: SeAuditPrivilege	1836	vssvc.exe
Token: SeBackupPrivilege	4884	wbengine.exe
Token: SeRestorePrivilege	4884	wbengine.exe
Token: SeSecurityPrivilege	4884	wbengine.exe
Token: 33	3944	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeDebugPrivilege	2464	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4688	3944	SearchIndexer.exe	121
PID 3944 wrote to memory of 4688	3944	SearchIndexer.exe	121
PID 3944 wrote to memory of 3388	3944	SearchIndexer.exe	122
PID 3944 wrote to memory of 3388	3944	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\86ce0258117f2c7d4fff745b23ebe8884e6c16a903b2123d205ca1872a3e39e5.exe
"C:\Users\Admin\AppData\Local\Temp\86ce0258117f2c7d4fff745b23ebe8884e6c16a903b2123d205ca1872a3e39e5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4004

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1144

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3268

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3640

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4688
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6f329639eacabfc6b53225be61a16a1f

SHA1
11653f6218ff31929ec411f767ac8d3e012e39f2

SHA256
159545d36e7b9c5781c52bb76cd28dc1bab0f5fdaf1638ad992c6c2dcd6b247e

SHA512
d5d0d87ac4c3097cb0e6194f62dea96aa29167bde5e204977827b8a288b2a6a8083fcaf48ad222505e478be3bc27417923957e6fbc2fc6fb5c4c85f0e9d8a569

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
7b187c229a39f6ef648ca19d2108224d

SHA1
991d00ba44da675711d0a6c75e334b3f275f0522

SHA256
c4f8aac21e1df5d71a0cec390a2effe4db7bd4e7fe8ad90cb6d78cb4e298a145

SHA512
54839faf058a46f3278ff5c0aee0a74188439c6488af241c5edd47692572ab4134af45ed962abf9ed504cef09ae66ba37aed0c19dd637b8134268b66b00999ed

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
893cd4437225ef7c5a8953ebf0dccdec

SHA1
7703dc1e80754569ff75b908a845eed1c6ee67c9

SHA256
f0169e63159cdbba6587eb63d71a704248f3a5d93cb1d03a150df11d301a1322

SHA512
20ab8e6473e5d782ba1d7beb646fa5391d089db31070ea6efefcd042215ff995dd55203b81e899c248d6abf5ee4a6b074d8c1d363718cfbe8f15c0b551250358

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f9506706f9ed916b1d0266c267c8d52e

SHA1
f8713d27391512f0c8ff50b207d13e150f009a65

SHA256
7e958c55e2db8d34573499cc4bef775515cf71b61d2984119b4228777857602a

SHA512
83daec29b3c014906879a75cd2a50af06dd0364cda9654e8a3d036433d0966aa357560a174296cbb3426a24702af190a65443f6d848f854fded60ffaad665871

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
edba1b41b72fa4d1841228c4f5b3fe15

SHA1
b5e47c7e78f42778fdaf437826a637737799fee7

SHA256
97b74c32fcb7c54458a82985deb4b950d0e8daafc6d2b027484a3cde4a45f0da

SHA512
130f59157021be990f8f52dfbe760dc716315a86182fb9a2053c5daca30f1693af2712d62c820db8731597065826351737ceb6241595d09744d501ae25390534

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2cdf7d2ba18a00a7c5cfaeb2133b7cd2

SHA1
85a1f59bbc95384727e060bbd54b4792063ff4ef

SHA256
b8da6c19e68f8b3d8903f8520e69b28a3a1af0bf429667abd11b5a1304e31212

SHA512
ea2972b19d1f0d0fd160d05270567f71a200326aa3ad41c346161475d390b431e2feb1af931d1a7cfb841a6c0ab15d4b0499cf49cb0a0fe257ed279b15cfad4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fbb39ae0dc9e0b6d86fd2d81b59febb6

SHA1
0e2c77af6c0612921d050c10bede87bed45e7088

SHA256
025ce64f65f4f430226a706cccd8847acf16a3ea05e6cf3ccab7d35553013718

SHA512
942a97721eedeb255e4554515aa6c43e6b5428206d7b9e7e2d395a83a7ee56821db446c0f9411ff8cbd15c42004db8e45a98527d1e9107294f6c5de79272c87e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
775d8b9ff670fe76083e8228960ae39d

SHA1
97ae034acb783a34b22d39afe80cbd6059ef00bb

SHA256
d514b18e52e62db6e5030e33c6301d779ca689384c3d995553ac93893d7dcad6

SHA512
9a860162c9e6bc3d9c9a6727b271c81f9037bc9240ca0330a86f3e1b3b80a122a58750cb76a9af24c44fc4c0fc934cb8a424863a3be8bffe7c2fe8e2955daabd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
09551c0a4f018294ae7cc634bfabd438

SHA1
cbb4e0e5e211b463317a92e8725a6a93a8aaacc3

SHA256
38623623a7e50a297fcb70c1424e88d3d229cbe2af33eea345c90737755f8e5d

SHA512
9006b172bac7c85d9eae882e2eb1b5ffe48a59f1a12b52ad83bc3c104b399daeb43bf5f5168ec03a1fd8ddad00ac61fab4b17f4e772891ba1acfbd8f1e9cd3bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
62058bb49d9212975c2cc38f29e64c54

SHA1
70732cf5fe6465730e8d76ad1cc2088fc3fea159

SHA256
cf0bda1673b374d77ebab4e3a97990d643e11311aa8e5f8b96340bc921ee124e

SHA512
9fe8ad8b0b863a7e94119a35220c623559e9bf846e01528f52b8ec96757c9091c26f3c64c748cd33dd5fedc39eb2fce50aa0ad0e2469d1fec4f731437cad6c6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ebcc67319e7076063375d24171d2fd31

SHA1
f4f4985d594d2a23fa7f2265ae1243f130aa63d0

SHA256
4942f368e781c8f5f101288c948e1b78e573d3231705cc27055ced334cefbbf8

SHA512
3a328ee93e7ef4b07013f97032c6c681ac5d74c00cbe8569ad622fb66443413b4748c82b9e3f9725329fdcef9a6e7064de2be64269dbf70776562436a266e13f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
40ae791b91f9cf239a25adec8bfdc1ca

SHA1
98f8f48b769bbe3cd973b65882262dd15d67a6d8

SHA256
f11735affd1c8120a44986d51dabd18402b87daf7df805ec4eb592f52bb188df

SHA512
ddd9fb35ef6b6603216f83275f72358ed5eb8bca320b7c5c38c134eca3f98116ab7f15ca72ccf49a3b3e1a8cb0f073ffc9dba3af9320908684019651a3a582cf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ee326c00896a822a439640247be70cd5

SHA1
bd1a5922f14fedb78e6c3184d8e877adfa9f7f47

SHA256
b035195326303671392661852f101208d5782ab78579c9f4631d4e213757e720

SHA512
da3c8ed5e599c1c712da7d4ed54ccfcc1b12c987dc8012dd960987e1dc875be9f5bed9a70b58d8c1b7df2ce4d65c2dccfd06c2d4a886b4ce57cbf5d6060f6233

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
162c8a5e2d009f815ab1fc6432ccec9e

SHA1
8dce4ffb900fbcbff65ac4b61f6453e7ea697675

SHA256
b912816e8539efd865150806ee09fd2e3e4458c57dd0aed46eebde4c93ecc8c9

SHA512
1393ae4e741ef6878fc3cf98f930265536a5a3fa9f9d1e304914459b890945eb52454dc8f05ac7ae4b2008391d01acd74a9f9b6c5f79be7b641a56d4d9527d24

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
fa147e46c1cb8fb25cfe867f94ba21fb

SHA1
badaac6a43c8c11f74d7bcb81682cf59404335e8

SHA256
6e7e49e1c7c12d22043f8fae0d7df9f81be474ca00094280c41784cd395d7a56

SHA512
135631fa85cfcf71d89afaa2af37f2fedc618e405aefafabea0de2e2cf3ff5bd26f8b0cbd853518d604093895608ce1508fcd7426607c1ff9186b5855cee25d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a615434827fd7be5a253958bab839a54

SHA1
01e5dd0504b3abbc014e13f3285b933502486b7d

SHA256
332e5642a9a80b5092d1af0cf07b85200bc6e32aa10e3d9e58763cbd99cdffb5

SHA512
ee41affe2db760f7a15e582a16151406653ecc5ed7fcc401164a3838399d6af3f5b9ddbbd73981aa41d1f3edc7e2f1f423e6e31d09cef08d2eb95748565a2242

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
fc1721e3aefe1c6ae8a35f8d8c1b6bf6

SHA1
03ac2aa955b323a029a6a7134105e4be635a4dc9

SHA256
54704a4cf55b277fd59389f20331e59f17c0995f1af3f81f82dc867492a05739

SHA512
4afa6af6231cff505c2020eb46998651cd445a158ec2d5ca2931f1232208184d3185e88e0ab2956fb30fe5698c21757108dd76da374f1d4960bdcb8d53e887f5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
87011bf697935aaf13531f245d789aa1

SHA1
6d32f3ca2a188807cbbb99b3c5d3a08b752ab2a3

SHA256
ab4e9e843877bf84698596024defad57e8df643e1a684a2f430701ba43248236

SHA512
2bce4a5da3fd9530e22bf5123b2be70db932f9c75dca4ad786e772073189a8c80bce9b4e9c87a032f641d598e13e2940f8f3311185cc7c76316672662cd56604

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
239bd5d2580e102ee10ff608b77ca6f3

SHA1
a8666c6d83083f66dfceff7e9ea60ecd464c2e25

SHA256
b49a42d7cd7651601d5d53c7e1c20732c5860469ec7d51ecf5221ef9e0fc5553

SHA512
9791141bdb3aef382f507f5c8f730dd342e79c7dc55d0dffa0ec291cd26b52c5cbf9894d027dfcd5f6e7520044caf6fd912c65e4c0e6b53c41b0d553168c1aa5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
d1e12ac008361c5efb428aaa40bf51ba

SHA1
fe9aa3e752c729fecd751e8519f23e14e18cbb86

SHA256
67ab2a24f733b57371742b1c524bc8b06b9ada48c65baf6a497a761c343669ed

SHA512
6faff0edf0c1e21f2517999786246235de0ca653e6d52ea4bb886dbcffd34610b6cbff59ead609e287302a85b701df3ee5bd5790eb02ef5e1bdc0b1b8f617c94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
35dc1c980ad5ead0106bbcc66cee8f76

SHA1
8ca9bab9c3030fb5d34bcdbee20f178b95a97894

SHA256
b577646668bb7f36fb4a4ed2b556f3cf7175c7fffd1ae80da8a255a7fbc1a99f

SHA512
e0beb6acc7b3f2e2aa9c4604a6da8e2d70a4112e320729caeb7e540c539520f1fe32367f85b2fdd74efff36c1db4ad0a5e567f5aed6b3724470e4a310cc0d0bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2cfef28023e04807ccc92adcbdcd35ed

SHA1
6338a60e9142853bf4668c7c433767212dda78a9

SHA256
6a2c6942b9a0c776926cf33d5ce532739eb96aa30c776fc83a7e540c2c13ff5d

SHA512
eb5290b3177bd0b84f7959806f424230e3450fa41835de2b4916eef78a3abb0e86ecf951ee61e00538d50364870a445269fc991678a0ec26ccfac9841b65793d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3e6fc5c3436cd54a0e7d88736b7dea8f

SHA1
f68b483e8843ebb4937915439c72300f5ba00ad1

SHA256
1441884baebb1a5555f36ad3ace6c47da71cde7999853fcca9197b6ea4a61c61

SHA512
7fc65389c046f36766ad8e547f4dccb64dcbeedd77f33437398b88e93c132477b7516117c813e6e341c53609f56b4825faaa51b166d014d08eea06c3e8e9d277

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a045b1d29175e309d093b71e7a858f60

SHA1
6ba030e23d9a4699776339ffbcaadbd3abe43a84

SHA256
1580c5ff64dc335359c5d238e4aae2a7e8ecedd6ca394c6b4bf6211ce66b72c8

SHA512
61ca915141f3e85b8f2d7beda0c2301a46d884ca140a0f5571c4da742644607322930867e1c3ce69bb4174e7a2cbcd86ed5d08572c89276facc3db968abaaf44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
bfa9f0ff8f08953060d4062bb56da011

SHA1
ca1d8e654385b226965e1b708d0bc115d6ed451d

SHA256
30fbd02b70347920bde4b226313ffd1d3516c5c8e8af4eae325cb3087540a653

SHA512
81d89c0be70b43c31b48ead30b4e133036130bcc0901821ccebbc43025381ec155273c4cb84c0e16fed470963f8025a9ca2f669ea3719ebd77e4ad25b62c8422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e29754e81ebc068ae2e0cdc550285d1e

SHA1
60fa6a5062e80a78a267c3129c73a2c5346d8b01

SHA256
533c58f05d7d05553a8467844da0ad62938f47a8b688d390562c929ff810f3a4

SHA512
eff86f55bf605cb99426236f098d40008ecd3cb7c398360ae10e2df44ce7a156b32678bd48d0c31854856db9ac8d33bd10242d4bbf5f4f8bc64bb5a5485bc6b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
33867b7f19794fb9ae50c6ebd50c52d7

SHA1
b753dd054093a98f144bd69f038e5f0b301c7af6

SHA256
90006a6756cf5c2a1ddbbc0aaaa2db70d82a38ab3fe2199795e95288d2956b9e

SHA512
7135c9763a91d0c35f4f84f6ffee53d71de12b321bb8b1ae3dfb5391729c2dc95113d43ecd76a4187d29d4bc3f49c62a0df718cd78bed2fe9a39a75144226603

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
12247d7d31d482565219c8bf66196d03

SHA1
b70e1930cf283fde4227195e53eb99ff4b99d48b

SHA256
6c9b0de7bd567922de0fa84fdbc95d0bae9f1a9b2f0ebb12a40d7952dc9858af

SHA512
6cff906986b0b2e9716e0fc1eb83445324e762c0e5398fa268e6a6da4b9e2ed8a4ab105af552f7422128fcce7eb0d52ce0bcbd1640a0086856c1f38b448ae438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0231f5245cf7d5951b2588dfe97e1be8

SHA1
908f9196918d911ecae8f9e2490c9dc13fb1baef

SHA256
ced707cf3c3191b3683c969911597473e130ff4ae9fa5222c6794f9f94d2d5fa

SHA512
f07b666c9ff22f71008a6be35aba699b035061ab527bf6240d2cce4476e460e814b63d5ce96ab2a77fdfb026ad350c8ffeb9c04cac2ebc31ef42a7e782ee0d3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8af7267deacdd47745c6f561a5f64cca

SHA1
f9b82c9b3ff80d8b6c07f82324cc6ca1e112124a

SHA256
c227925257aecffef9c9f3578a746af0424d54bd0bdc0a6380591c0a0467234d

SHA512
e3c0d996f491a9d773f0c440340a2647872f052cd705e4a0a5dbc895aaf5cd19ba1b727e1f285ceb6c896d3904f0d736c0997275de3dc5964ce23172ba7da20b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7702844db10dc8e3d73291b3f49e467c

SHA1
17801825fa1289afd97e965c81a1150d94ad996e

SHA256
3a3e0b53c3ad217c2aa0eef24d76672c0416a313e38243e1184b7556bff3c363

SHA512
d80dba4330b40020106081570bd8562306f3fe33153712a0b14f4720aa6756da28cb968c45ba052e814694c8ade7b9180640b0f6b07cbd303900e01462852efc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
202a97956db00af52400344507e81abc

SHA1
23dfc0f419b54b71b118ed9ecaebe3633bab2e54

SHA256
a357a7d7c6d683efc26aaf12d2e04ea870a1720bdefee4985bb8836d97ef79f0

SHA512
5b3dcaa2c51d30c2758e75958906c12757c8280b2f1e7463c0f1a2ba15184e0d937ddc865aae21856d8099ec5a0e581a645859f82a2685f4b7ed057957dd9af3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
977e00840bf24acb575dfebcbc4fe5cf

SHA1
c12b8abec06b659fa59236f6e88773a46f8fd1ac

SHA256
82d44af3bf0fc78544e90675a373a9c91c4b7d2dcb9b27a0e4a8bf977c28d5e5

SHA512
c062d7607c87aa20df534b28be53105c7b88ff5e34430a82400bf8c7da627a1fe699e66e73363365b3730694dd14cfbda7fef0994686b145f43de1ebd488b2ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bfef088c95f0b1256018f543ce2f5db1

SHA1
c54bacbb8089099411ef8ca09b3cb08c13caa3d5

SHA256
79d38ba40a7188c292090d5abc436b5c4081da280ac2744f6434cbe6b124fd3f

SHA512
5b1130a3836bb996f8f8e51c8856417fecf174b7ac103d1017a21e0b9398fe1bae7c2c25bbc88c8e1a38bfc55c6f4ccbf784f847a6233846bc448e1efc36edf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0b0eca3e5e2f824f01d468174518cc4d

SHA1
910ff257fc6ef93bc7d7892f4bd07c4bc77ff177

SHA256
2d82c8726b60f3afca3b7810baf021b451b8ca44c0ffaa86892d8e97149e147b

SHA512
ea93e8cfa7115b620a666638649e88f9bfaccdea96203ed66e8aaf1eb711884c0cf05547de859a9171c3679d590f2894b9b50d79906b3c555c9816e07a33f2f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
1b4e3b7bb5c12a7f1d38f3b506d7fec4

SHA1
158ad74dd195a0f62bccd9677e59bcb54b9d65e8

SHA256
658353cc46b8a275d9620dce0d1f1d255ac511af618fea74ffa85029d353932c

SHA512
8e823e23e45089ff3ceed05a8d9672d49588ac69540fa88037e124ba34081f2e3d504c863deec4658684c25dd5e479621c4e1d6d7d71665c3c3e1a8a4f2d926e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
216d9ed0d9ef83d98e2e03230b970569

SHA1
e350e362aa31157e288869001c8f7aba3ac4df89

SHA256
8531d1f622d0b1f9f503c8a1ece86e026ea5683bc2294f3e6677416102a48c00

SHA512
7f367686e1b6b3acf5bc662b30a31b8d8ac5d349f6135bd60bec5ddd55f81c522236a80892655e1c7aeb5cc27e76d6a7634865e96877cb7d1067016b25a38dad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
8ca0468511353e458ea3bb8ee3532185

SHA1
5a8c1622cf6ed5021b48aba25e35da19759fb05f

SHA256
122304371f0cc5dcb0a04a351530af0fac561586f4aab7cbdc9c5d5a9ffac1b1

SHA512
fe1c6d5dba3ced2ccc5a68d7326fdf0989069dafa5cd5a38681dbf7036a49879faeb536c371ff1b8b93904cf717cc232a14889fd04def5708e4a2d8dcace73d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
fcb2c5cc98434d3810017c397e30de3f

SHA1
5982a23eed37e55252aef2bd2dc3f23488ead11e

SHA256
7c0035656e62dbe6b9bb28d6e5450ee993e2cb04a32df89561ece4137b9d239e

SHA512
21354b084db67231296b1ca6586c42c48894fafa89b66578dd314757d96aaa0b63eaab009cab0b7c6c2ae280fe5fdfa997d7fd231ff9c2128fdc3db7a0811b3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
e7f4c7e4eae11178a339acadc834ecb3

SHA1
41bf43445e74c73960c804be8f0f619fb8031167

SHA256
ba398cc473526d8c3d69ae64c6e0d04cc2e7c9f3abfe893207d46b3f804aed7b

SHA512
e478db15ef2a7c7501897bbd8cce4ccad818b77ece9ba99a8fbaa049b767d986968965c8a5b40e9465ac27a1144e9c346e1e5b3c47493a5fd317f7ed21825e2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
9dab867a418fd8e60cb436c770b59c1a

SHA1
d561e3317e80a0181fa1935c42b30e1d2e2e441e

SHA256
feca767df27a1d51e4480c9aff60a5b43fe6d6aabe2932de656a13127773b3f8

SHA512
ee4689f47374943c09613a95cbfb5435841bbaf6a9de3f6df23633bec824fe73a4b2bb51d16db5ab99a3a51bae477e6ad1685ca97deeb52c208e0c3fca4426b7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
488c9b1928bac79d12365e6b299b0535

SHA1
4e49bccbbf9a8b2fc97697f05f46ab805d7d63aa

SHA256
7b2ee793be9beec199078b625d362dd3bcc081e6edddf091d8f82a4bd8617655

SHA512
6083006ff4a7464af8489082ecffcefa5f07a5276a84ba3d48328c74f2069c3b49b74a0fdfb7b1891d08bfd8183969d6d4e47c5106cf4b30a1e850c98cde5be0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
06ccd5aa02af1b1669ee12466b78b32f

SHA1
3ab660df32efe47747bc59d509ae76fd812535ef

SHA256
1184e5d6ad6b09e97e4b652a26f2f9ac1cac1dcbf8ca392f8f821c53ff90a1f6

SHA512
1ab801f19a4d880525c036acdab4f4414de1daa4def84c7964cf43006d53b04827f0179d2f2027a14604a7ef6806bc5835ce522b8e822e7fc26944c6b04c2771

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
70534a5c518398ef9d9276688a374925

SHA1
9bdecf9e57c3afbb7ba0a2a2b0d02773582e4b5a

SHA256
1cc5e33e04e0d8e2987163add2fc16771f4bbdb2e60a66b27378a54af03db98f

SHA512
cd9742cfa020956947870366d2f0aa3e70bb979215560e0806f71c8d683bce43bc8808a9bed0cedf230446ad792ed03ce1c2ede22817bc3a08df85d15eb968f2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2bb106e78942ea9ea68a703014fffc20

SHA1
7714386146a62a87c402b66a77f5efccae2f9cf7

SHA256
531172436a7361344e848ca9f8be5cb2bc150896b9267127408186990e4f0323

SHA512
9d151d67b13efe876e4712dd7d0034073a635332054fca59b26a6e23f2ed8a8807826ec8ae81176e709cde595bb833137eb5e5ad8a5fc9fcabedb981154fe9cb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
54a6996abb33a91dde3ee497b3e0f63e

SHA1
f102357f84592adce81f956b0d0cc10dd63d95e0

SHA256
9485f912606282cef251a0e01f3a909c044e3ed6e74d6f72cd39d57e9f81e6ff

SHA512
9cad2fc2caf33e86fccf177266d7b011c5d841406b4ae94173f1279aed755fb3a62f91ffb2610dad6db26052f39c0a3f87bf6e52ece3e260d102c04640450606

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d7456832accc67bdde1c28a6df0b518c

SHA1
f9e229ecede9427ff4ab57ad4517aadf924e2bcf

SHA256
3c01dd262892e248eec6e385364a3b589ce8e024ae68021008a24c9c00bf7281

SHA512
6071e19a35ddb02b874dbf739568d7f60ce44e7e12fc45bec361fc44e9504871f6c847814852abf89ac879947cbb97e8bb51e0fe40099383d2b2d4df2a1dc93b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e0ab77059f310b241d516b248e794e4b

SHA1
9b1924fe031c3b30f3612bdcbbf982b9c71e494b

SHA256
f858dc927cf5e524aea9810d24b6f402f431fc6e7be5295e687d053adf6db831

SHA512
ef1cd5876cd03b6ea27d6733091834303d081be638a1c9b530dae455e2eb18a8b532291e142e77c633857277978535869f5ef22d102004cca65eb8e5537c672b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4e236d759cd1ce034026da0279f1a92f

SHA1
dcdbbad02c7a7d86b496d027fe379cefa26d6482

SHA256
e28a90d525bcf6add12d38a24e0a3e4d7be119f056717be3b77098fdd73d7eaa

SHA512
ba2409875e82c2f06be88cd8de13a4870bb0841e54c378ea9200f307e17786eeb6170ae68b9168cc585c292e841ddcb0e78d23088cb0325b0f66043834862f72

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
11671731f7032fccde25a7f12accf890

SHA1
e27ddacf56f239c90c8e4c6fab5f16dd6600bfaa

SHA256
85510a137f12c6de31f4b5680120f0f097a57e6d0b04ce6a672f1de26242e816

SHA512
d0af91e4fbc7b9dc1992fe3dd10a70678c084ea35a5bffdce379c9249d294462337424c284cabcc611cfd857fb396dd3d12db69965dc7124da15ecc1a3637e5f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
07d9391d4f6fe1383317fdb7c3926bea

SHA1
cf5af9b249317feee1ba3b64c78555264855d99b

SHA256
92bae68f9634b42cee0d7b493953e83b407a7360037dc044505ad1f25de7df71

SHA512
e401c239589d6c750f8e8dde6b38195dbfa58ca4eb8a9d7a83eb7d11c295b3dab93d697bf5117dec524236041fcaeba4c3b594851aa619be6d26405e235be293

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
24854065b00960d74e054918a568db2c

SHA1
fa5e4864a6d9f69721e8a6ecb5d835f1b54d8568

SHA256
a190e2e0e8bcb3e5d1db6edee9306ffc10c3633f9eb717888679a49b6b99aeba

SHA512
f93ab27d6ccc2c7c6b56f4f1608c2c9c724ba2544d864ba6e10e9268d3c07d95d35e68122d368e03457fa9e1b2d18140c7543a7e6c1d3e56ada6fd17dfb9e4e2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3523bcc3acc416b031d2a5367d2af30d

SHA1
273c59e1cc838869d88d012bbe5005071278ea6b

SHA256
36803c34991c6faffbd42156f62ab1aa2be05e3b368f36a358d73a16aa58ffbe

SHA512
5f2ff4374b7ab1193829c6b257bd7f5aa4f84671b42155c9d33d0d53efe8106c6cadbf595c87adede6836cc827fb78cd8eba068ab42ae17e538a6f98d5868ef7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
34415007e85c6bc342b8174c0ca297df

SHA1
6dbb34477fa2d2a3e64050d53a1f02bd79bdf3f8

SHA256
83b83fa04ff896c7228d40dba0e43fd2c04a9bc2c43c0da0925dc28742258ad2

SHA512
e87988bd6be5172bb8aa6250f51381c92a442debb085b80d95ca14ef057330942275d70f0ddd46344d221c059700eaa2ba0750e231fdba9ef24ae5cf61a684ee

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4bb491cf59ce329b6f0f3c0717de6d79

SHA1
b0abcffb77b791ddb1e53c78adceeaeafff5319e

SHA256
c4951c34cd43dabc2fbd86cd0d67ca067e83df872acb69f02acf3ed099cf3aaf

SHA512
17683981e8a8009230f04dfbd9b184e2eefa8db3d7b34cbde8f711e7e2edb2019cda5255de98dd795089f58b6c52d955040261308b14e1527ed90a6d575fca69

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
29a3b929da6bdc5442045f6396372b74

SHA1
25bcdfc25b61615531adf7524a259e633d4a36f7

SHA256
19c70d6ec03af18d952d63f8f0800e7fece431810fa43d69b902badc54cdaba9

SHA512
f9fcd32df94eea4ce49895b01943b3b2d5502b9067b552b0ab6f2a941d0124e2d2a5ba3d209ef727c329aae4cac81fa0d1257e99402616e006a387a874d9863a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
800316dabdf164a4868f1ae2360edccc

SHA1
89a9448068de8a249618693086b24aa9be198010

SHA256
9d95a924701e6dd77ac5354f0ba4ab274e641f0d7d94bb8374ccc093bf466bba

SHA512
b41385bc2722593c6e14faea40457e2e17d4273192d6b4ec8c905523b8ce2f1526bb2015cf317781ab98b23fe65d54f81ec505b8b6e2dbae35cb2c067a33ea77

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5f7be01af3d98b3e84d2e2bae0fdaff5

SHA1
840da92a8275b96f5ee11f7ea438450847099b98

SHA256
8593b188db34ff1513328182d2c749423786452b89f685f406775ad08ac3a343

SHA512
9db07dc4307b9e728268c284b1ad841147f5fead7c9c424ef8d428feb932827b302cdc1175d8fa7472759d8e33e03d58e7a0efad75ac1214cc0eecedeb6bd869

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7f00ddfce27c15d515e97e50e90f6935

SHA1
f6f38bf04bd07cdffae624573af3568443d938a0

SHA256
834454cc703b23d743a029b8c7ca22bbd1b9bcd3ff42c079a2e6658f3c824dcb

SHA512
129964d1a499ac978836ff3d7f5ac4eda216a7904ca595e8dbedbe061d3e2ebc1fff7f8467ba4e8131bd05ca09b8e61f690de2caf4a5c9bab51a4dfc0b290ad3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
538681b7fb0f2d1d6606411e18248325

SHA1
0468657a93811d6082792793fc788f980bb4833f

SHA256
f63bf51fe5c9dddbb2900bc2c6cc83a18c7edbf6c924a95e8559a8bf0843c8a9

SHA512
26630315199a483387987ceef2cac930cc66e4f85cfcdeaf5e2e13f8f39a4df7a3ad84301bfb1e9251a575df56b3d888cc30280feaf066c985d49971243f6968

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
2e0fe83f3fdd621932498c77e6f9d533

SHA1
36b51c169ab2f3ea2d8c1a3da9c319bb1a0db9a5

SHA256
f54f8f4183e2204510384c9375c08113c406e0cdcfa4d9f6b6794dcde3f0da80

SHA512
8213d0a69bad35c7d541f789392b4f2a84ee4a55227331134567b3bd65f9b7eaf364090dcd88c92b7e94af942c18c04092608bc4b231616669e4cbfedec80ce5

Download Submit
memory/652-364-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/652-432-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/652-373-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/904-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/904-332-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/904-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1648-346-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1648-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1648-404-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1836-428-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1836-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2128-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2128-14-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2128-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2128-229-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2128-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2408-349-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2408-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2408-296-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2440-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2440-399-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2440-408-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2440-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2464-27-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2464-34-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2464-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2464-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2728-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2728-307-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/2728-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2900-250-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2900-243-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2900-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2900-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3268-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3268-281-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3268-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3388-553-0x0000027A5B8E0000-0x0000027A5B8F0000-memory.dmp

Filesize
64KB

Download
memory/3388-548-0x0000027A5B8E0000-0x0000027A5B8F0000-memory.dmp

Filesize
64KB

Download
memory/3424-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3424-415-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3424-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3488-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3488-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3488-72-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3488-65-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3612-376-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3612-320-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3612-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3640-358-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/3640-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3640-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3924-57-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3924-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3924-51-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3924-63-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3924-61-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3944-468-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3944-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4004-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4004-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4004-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4004-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4472-274-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4472-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4472-255-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4472-264-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4472-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4804-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4804-13-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4804-6-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/4804-1-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/4816-446-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4816-454-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4884-442-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4884-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4904-445-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4904-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4904-386-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download