70d41d42745e348ee416707b540a47e8e4a3aa8b3f43ed13cfc14abcba16c74a

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 18:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70d41d42745e348ee416707b540a47e8e4a3aa8b3f43ed13cfc14abcba16c74a.exe
Size

705KB
MD5

2576632b7a7b6681741ddecd358768d4
SHA1

efbba301edb3ec59ce18dfdf8ba2df5b09d85f8f
SHA256

70d41d42745e348ee416707b540a47e8e4a3aa8b3f43ed13cfc14abcba16c74a
SHA512

7d113245c96c6cb21d7bbd94ac9c7b24386d8831e806f36fa708ec2349ff761ff1b55d8a8c76eadb1c851f489b8f819b48eeeb4459224617d147aa177ba8f482
SSDEEP

12288:fW9B+VJMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:fW9BpSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4400	alg.exe
3628	elevation_service.exe
564	elevation_service.exe
5044	maintenanceservice.exe
4824	OSE.EXE
4280	DiagnosticsHub.StandardCollector.Service.exe
980	fxssvc.exe
4680	msdtc.exe
4668	PerceptionSimulationService.exe
4452	perfhost.exe
3116	locator.exe
1920	SensorDataService.exe
4404	snmptrap.exe
4008	spectrum.exe
1160	ssh-agent.exe
5216	TieringEngineService.exe
5332	AgentService.exe
5432	vds.exe
5556	vssvc.exe
5656	wbengine.exe
5776	WmiApSrv.exe
5900	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	70d41d42745e348ee416707b540a47e8e4a3aa8b3f43ed13cfc14abcba16c74a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d6be8324ab059c5.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{E620FD1D-1243-4CA9-AB2B-6C02435E0E01}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{E620FD1D-1243-4CA9-AB2B-6C02435E0E01}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_135953\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_135953\javaw.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082b8de2faa8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bc5a82eaa8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bb27930aa8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002756bd2faa8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a004a30aa8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3628	elevation_service.exe
3628	elevation_service.exe
3628	elevation_service.exe
3628	elevation_service.exe
3628	elevation_service.exe
3628	elevation_service.exe
3628	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2264	70d41d42745e348ee416707b540a47e8e4a3aa8b3f43ed13cfc14abcba16c74a.exe
Token: SeDebugPrivilege	4400	alg.exe
Token: SeDebugPrivilege	4400	alg.exe
Token: SeDebugPrivilege	4400	alg.exe
Token: SeTakeOwnershipPrivilege	3628	elevation_service.exe
Token: SeAuditPrivilege	980	fxssvc.exe
Token: SeRestorePrivilege	5216	TieringEngineService.exe
Token: SeManageVolumePrivilege	5216	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5332	AgentService.exe
Token: SeBackupPrivilege	5556	vssvc.exe
Token: SeRestorePrivilege	5556	vssvc.exe
Token: SeAuditPrivilege	5556	vssvc.exe
Token: SeBackupPrivilege	5656	wbengine.exe
Token: SeRestorePrivilege	5656	wbengine.exe
Token: SeSecurityPrivilege	5656	wbengine.exe
Token: 33	5900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5900	SearchIndexer.exe
Token: SeDebugPrivilege	3628	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5900 wrote to memory of 5496	5900	SearchIndexer.exe	135
PID 5900 wrote to memory of 5496	5900	SearchIndexer.exe	135
PID 5900 wrote to memory of 916	5900	SearchIndexer.exe	136
PID 5900 wrote to memory of 916	5900	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\70d41d42745e348ee416707b540a47e8e4a3aa8b3f43ed13cfc14abcba16c74a.exe
"C:\Users\Admin\AppData\Local\Temp\70d41d42745e348ee416707b540a47e8e4a3aa8b3f43ed13cfc14abcba16c74a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3372 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:4380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2840

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4680

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4544

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5216

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5776

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5496
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe

Filesize
2.2MB

MD5
27081c5dafd73c46e992356ea5ba906d

SHA1
ee55dbea09e4c1cbe2979d8d9ac39e5805857df5

SHA256
15e740b123bae99004aa07220e9187d7bc051a3b891424a5cc5ca76b73788f24

SHA512
dbfc93e408dcb9a7c10c75418426a6e99d0912671e043843aaf7816945b4a842cfa35fb5b6ac9bb40bdd250b9e0032e02af3355ea111faeb43adafd41dfb33de

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
0df8da5c69db141b1639c30debede6de

SHA1
55f2f4d9fd73af1e08b472665969bb08cbdfc30a

SHA256
2f56d2839bcf297605d2c443a1079f3b7d0298293bfc96041661d68bde75bd6f

SHA512
434faa8ba22b40ceb52f9716c9ae93148eb8e26e7897bd6bd43c8d4d46c9df0c2b96ffd6be1b06d7e03cee488fda165640a960d0554e4cd3cd9e2fc0db34e123

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1e73facf5800f69db3751b6f739bb09c

SHA1
364aaf3426ad8eae7ef9a3fe51aa1c44e23830d9

SHA256
182cdcf7bf7b4bc064787e634aa6bd239ff03bf3fa3e0eaef0ed04ecd36ccc25

SHA512
661bc7beeb7e93c04fced1a376a67820052fb4bcc58a95a6f816116f6fdbdd9b966d296a752969b125214bbf6ef5cf5c8ae0295698d0a55191286c36d43b6bce

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1140f0d361a3d4cf4f8fb8088d813fe9

SHA1
34f18d07682cbf5af4041a1e51f124fb029bd2ac

SHA256
2620906dd789ed1ebb93ccd10ab102c81fca97ff7c33df8e0f06305c3351c977

SHA512
a3130c5a63c3f347de1a5876fd0ea4471994fffd24e8e6c7012bf36eaff1b641f0f50159811214cb5e6d014866250caa9dda81eb6b847305d8c3789c0146dbd4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
57d9c6d05bd0a23a5095c309c47451c1

SHA1
bfbb8521307e9c5a231319bf437757a8e21fcb22

SHA256
85483721b3ea82a239c794359db847fc0bb6a013fc8b02d6163c34a7f4fdbc3e

SHA512
9db708141dd2b1cefface3c9126070527a0825c6a7f39cb1761081d757182f23238a2091b836ff9f2e400f043515948d59d94432e73996c6eeb2fdcc32f28b4f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
494a27aceb87042806b2966814d42312

SHA1
ec28519bcba4a14b389ceaa07d1cc6b6276a8d81

SHA256
82490c06ef090f9d2d411febc62217f2a20d6d0f4b82fe9f60168297703dc553

SHA512
01f8dd0adafe981350cefd8b9fd01cc9bcf316c62533d8f0e69350434bd2fca15043a525404e221e9c8f68714e8fdadb22c92d94a3407a3ea0ab3e9f299efaa9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2065290bf910cb3e47ae2f6761e74d25

SHA1
edb80707909a640e61aac254e5ece79db14ede45

SHA256
6db1a982a4eb5d42a62654a70d6539f76d6b0fc9912b11a5b0d5878b72b4dbc6

SHA512
7c3c48fc6de7f173b7414dd7db9fe7cae498c129829a92dd9d47bd7119c24c7f6c078569bd7753793eb6fe6555fd639174389f42259204c0bde061c540216761

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9cf51ebb1b26348793cbc7ca1fef8835

SHA1
a11f0c9fd5d5a8081dd168214c2c8fdb76750b7f

SHA256
bf226a00ebeb152cb0c3d16776d95cc93ed84c3a283fb8f6e91118fc12b4d072

SHA512
ca06754a083237be01e2712f5d224c2c0e5c4cf613d01a4d3be89be74f5c0f00d51a3e04e11233608484051eda5b9a544f2199b3361083720af26e4e4e9d960c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
467242e9515f988f811228989772d59c

SHA1
86dc784e1bfbcb8d634746af03d38c5ce9a5995f

SHA256
742c573fa0bc028a753d67c1f8bca2b60b48a320dad2d428e4bb17e6fe840865

SHA512
7ec828068a0b133e6f0b79d6a6d1711075e2a0f8f565d3823d802aa47ba676256d490f07b63089a959bd24cdfe550b1cc5ec56f5870a19d968789702013d9756

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b468d2890e74818687b1398eb08280c0

SHA1
16c7ad4e8123d8650a79a89bdd30384de4ad666f

SHA256
de10788c4b2b0bfee4b96b02de2d7cba45f3396eb7617b3389c9cda03bc5fad3

SHA512
3b541fc10413f7a21615461c06fa20b8315e21eb8d6b131fad8dbd0b2e8a994c1af2e723fcd8ba74d06d8d4ad9f5bfb0c36fab4418a022b3cff8a315c1000eec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d26e42f467ad98c614557804cf4d8191

SHA1
a60da7997953d584452e6e6057018a698629e153

SHA256
0c05b6cc9e1a2aea6112e29959c6e40b5c275af5a44af770055e480914f94725

SHA512
f57540bf0b173d0112fc32f30b48c69dff9e5c9079d44ca36aabf63f5e900b38a1b318766785992f92863abde4c040527c366488d3c32e34dc31d3082b23bac7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f005c32cde71a373b4bef71ce826b393

SHA1
f0d3f6bb13231969bb7ce77684b4903d0c0ad040

SHA256
b06ad3c4ccc57e5588ed6603a718a6c7fb3ea77d9298f4ba52bc28da05f37c47

SHA512
aa969a4d0303d7a7bc590763ab57cd30f8fce3ac81b939c9d18ab6b02788322929a94b92c74892cec35455e882281a54644506eda25381fae4c60a86ce7f06ea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7c7dedc978ddea08a9b65b4e2a5881b4

SHA1
09a7d12a2a115490b34c7331458089196651091f

SHA256
94f39eb4609d23bced679e941f645f9c0778178a61a4ace1597c112a70b8a1ac

SHA512
3e4a2d8b13d0b934ce80cf2888320f3acba67676d6217d1c79848b84752600c2fc65b791ece18fdf84c196e6db1ee817b34a3284d8d4e19ba873ce39240b2457

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b8848d62367f925acf213a5259d7a117

SHA1
9f71ad977429370cc9844af7beaa3239fc85aa79

SHA256
f39da06f2f80c34d4f66c6662f6de238f723c429f93d265b56ac7d2ab49c6d22

SHA512
37fd7873e5a8c9f20922c99281356d4d0e12bb4e62f1761ba9cf8e44d241c6dbf28b16a215ddd436158180ed511a9b99213d2de5c379a319dab14e7d2c887e06

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
869e8fc73fe6c5774964f0020ebf19f7

SHA1
581e6e92ee1f1498ba7ad9078051111d539e687d

SHA256
351cc137f3f14284e8a3f5df2605477245e42dfc608b7d126307ec28b1735e72

SHA512
1244a5939cb73994f1c02725fee06c19e42798c506927bbda8019a656c74c7db4c9449124422046789e67b61860edd6e5f5e9f1f18a09b03e74c2f3bd01f0e43

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
67c6d63e34a6832f951aa2f7dfcb2323

SHA1
8db82c7b3a2419b9ab3b6f9b63fe16e49030b8e3

SHA256
febec7651c55d8d96b22d7d85a1ac9ae88f4ac781c8f43a25a0ad72e444c1e3f

SHA512
a571eb4e6306f339804f4ac9c80764c6bd1f5aeb244b2f082a96142d39f50788595de7406ab39c34da7c65e7413ba2cf651388ace8592ba399ce55fb7735fdcb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
604c2f38d128288aa3da3b08caeb3b6b

SHA1
7c9660367206cac97078fac05e79cd65f08af942

SHA256
08f80821e25b03a4b361404a5512402b400ca705a24abea52bb14f95150fdac0

SHA512
02a7d90c0892f7e42145398a158fcf980465ad670dc7cb71d2ca0745ecbded24df7a38e4785bf3b24f2ad54293a054be85aa367632abfe248f886c9e00870a8c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
36b4f4df75ffe7aa20787a7900938525

SHA1
a6abfc44e1961ea8700efc72c15273cafb8656ec

SHA256
bfdc62d2141d593fff68d64365ee3e79e10999bb093863399a2394967cbf5a7b

SHA512
df365804b0cd46b7bce61a9e3f1cab91228319d1bcbfeae380e1d2a6e69514049c444aee544db4aef14e6b6b7f6cec6644e26bbe51ff61830c235c056cb269fa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
f9d365ab9230c13e6ab9bf60cf503f0b

SHA1
2396a2e59e8e04aa9433abdd2f8ce3e4d2dbbae5

SHA256
0f62c8adf91ff4bf0b9509eee59da709ff17940732495c5ccc66b3dbb964de3d

SHA512
236bdb72676b1d72a76fdf337dd10c6e945738a85a98d49a0be9bca6fac8713e0009a3c65f7f80179ba8420c7d86f835b4a5fd3f39d983cbafe8c23d5237b805

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
4a26d03857b37b15437b0dba53328f62

SHA1
49326378b58512092ad72c7307a8d9873c118fa2

SHA256
0298539cd8cd4a027e74c00190b1a4ae94bb914a717709efa6447270403e1df5

SHA512
42e334de2301d98699eae960f747bfb4770038c34945e39002139f08af812721893ada840224f70f595a553e68d64810c98d28bc47e6f128f0e29d731b1e2bfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9232701d6322acfe09d7ce88973b5901

SHA1
5c7d9a9d8a6dc171ec858420cfd83f900bdc911c

SHA256
21903f1b367025994acfe57d87570cd2548dec018b93382ec0b59e42c6ad7366

SHA512
84d1ccf03fdfaaefee48066cc3e7375a2fdac23740688f7c5db24967abb0787e7f53683b478856e366579a4c4ff2070912119cc2363a4fb24335d472f2c5c814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
faab21a123ac3ea5eea7dfd2b890f367

SHA1
7121672785c6450786bba230bbeca90b518cb8fc

SHA256
bf87730187405cbdc6e2b9279cfeea3065e0d9a403ddc17fbec22a860fd7a17d

SHA512
f935a602b1a0847a3f86a0dfac4320d4c70dc4acc55d1b335bdba916dcfc7d17e031266435ca79a1ec19c069bea0bffbc36f026abbe404e45d68a1e2572004c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fa3a1342b909571d7ffc5b597f968607

SHA1
8af2c7269bec526ba79cb44aa463135b30205706

SHA256
8315c069b1f789c5de484349a0e6a38b5136b39a0877a8664d6482dd14c3c270

SHA512
15354c4e103c8192c465c40091ea568896a1c65b33d2bfab18f1f3e7de3682dea391e4404673b06e5daab414b6e0e96f19dc3a28b378a08e56fc3772ecd7b5a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
694ad63e206d43803a1ebbd4c30f3c88

SHA1
829ddfd56ca4f2a6a2f0b03114f867abc13c2a99

SHA256
362ccc901aaf52c52bcd71156f63192e8f93f847f9870ea7b1cbe11b2da9f546

SHA512
ce03e067054c1f3ea75fcadf3e686490db0e26565906a71e54c89e56d21a44b7131aa23f6111122c0c9d73a8c87b5797706df2d41bff4401d7de700b94abca42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fbe60e234618451204df047f7931aa4e

SHA1
1c67c6aa92f6cf21d96947f2f824ea357b1415fe

SHA256
0bb0dbdef599334906556983e7a849b452fc08213208edc6fbfcd8fc9476ec0c

SHA512
4da6072b5934478d58e92b016e051b94d007f72b9bdc9c93d9c224e19292c6aa806e6e94c12f453134a857acb2324540502b399e444cd2818bbe4acbf8055c09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8eeb43a2808de16c976a673b9de11ae8

SHA1
79108433ba4a848a24877d22f71e2a743f95812f

SHA256
2f40cb45e43bf7ea527ebce36ed5763e3747c02fa5a97e6e8afd04cdac4f3f90

SHA512
af0a30cf580b8eb8e5736c9517624ba79b94c0cc76150ee8f932156016b098681dfff914c5e7ce367c45dc2e404b855e5adf8c9141e6c0419e230a9fbb535ce7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d98165060782a5b47248ad88e85090a0

SHA1
69e825652c032f88cd1e83718a244bc174de1982

SHA256
e9f99c0a5117eadaa1eb390b74b4b44f1f7f1ed8b2c32f36953a653fc1c2cc6d

SHA512
46180b0b68ae782e15b0c7eac2da7a6b946a6cc8956be9c92768dca3255b99bbc6517dd313b47997493b58548351a4cbccbbee2d3f24d11c8a9ecbad57c3575c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9a45abcc9cb2654d085f132d541c2873

SHA1
4e481b49728c0854212030a3ad1da6dca5fda0fb

SHA256
39a682a19aaaf4aa2221612d4c5aff05a0c65f8edab002d6ca8d9205acf72dbe

SHA512
c76e5fa811ffba05f2eb3254508f947328c8a11571141a6853069f8d1a5f4c07a32fd2885982911d150e446578fb25ec1170873b4f6e72132ce41a924fb9c52f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
efa809595de26135eaf5f77057e7f258

SHA1
3ce9be57377839523a7b4c9adba2bc1dd6465c90

SHA256
8a9b398c7905c767f2e2fd730ee724da5a9d2a920a21bc3f9284572572bfc767

SHA512
f5e7877db34b275275dc3ec88384d17f0b58a8f584a9c338dcecd43094a900ff06d21de58d311af4fd519dab22a9143734ad359e03ef51558d0e67f7b49f430c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
2a9e49698ee6ed6db0770fa1229d06d4

SHA1
9727416ada85ef4e2d462605e06cc535f3274f85

SHA256
d7034b5ee1951205f0115f614952af94f64366409aef58265e4a807090ce1014

SHA512
04bf3b6035482c8c40718e36cc0516fd6b195dccf26ed89e074d9ca627ddb80824d7c7329c6590ec9f9cc6fde14a479087643d0d669439d7f3219a9044ed3c50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a2c4fe42cc5632fd939e06aa3556282b

SHA1
2b0a768c457d270ec61e8697c8bb333a099ad1a3

SHA256
d661a24c879a0125fe95736fe6158d4f3ae8afd98a9cff07a3b6ace158bc820b

SHA512
f26d0afe8a01ee12856a9a17c14a71413530388065fe28d1a6f982a59ff5ec82d90635a0111a826cc0b6325a0b395fa05cc5aaa0e7871858d92e2acb7daf19ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f99a2d3ddbde075dc1606ce66b3506e2

SHA1
01856ac73b6ac99f113ebfbac7a9bb33382ed8a3

SHA256
cf32f0adff7cd3452eb4bbc4e9d8ae35260b19cba7ff8a668433bff2226b903a

SHA512
2af10750afaaf42c46e029c70491e28fe4197c800bf9171f54dff47cf8275e54bf1c7dee557ad9fb7bd6a3023a860018131ae3096297af7430d754517eeec4bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
705a691c2efb208b623157488f5f220d

SHA1
3ac7d3072d72b6d30294d8fc1e83efcc4e621ef0

SHA256
0eb8f695390eb2ba9190b053a309669e52d57f2677441f25d4d22b880a8675db

SHA512
816b9314f7cfa14b930bc71d3a02871be34f5ff34fc57ea46f62a5ce339ad48c1bda76992e339a3e1aef805d613fbb577496fd561ad1f48d47301421e26c2868

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bb32734921550bef603bd6066edfd9fe

SHA1
b29a7cdc2325e57cb65e9ad2bb4a41292c9f91e1

SHA256
d2d7610b9e13ab2577ba02dcf6d927eb5d3ff189e2411202bf0cbe2a18e18212

SHA512
469fde45dce4e49c7870ed58e6377b42170de5509ed49883659e4320d79143e2b823f125e9a1f18031ffd945032943ef831220418f0e0043b22683218140f5c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
07f0c38e620c409e3a4969b99ed762a0

SHA1
0bb5f956cbb798b6f8ae78997edba9c18aa1817b

SHA256
d7b31a87c0df25a7035e691e9d347205c2136dc8a67f227b27290cd60789ed3a

SHA512
6e21fe4ac77ac1fd3adb3a1275fb41cbcf6e317a4009b4c6ab7523c9031fbd53b867db99e598d443b4f3d1bef32ae085bf25d2d5e76ec92e8df4af9b0cf3ba5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4819ca89eeeda4e5ba7f8649921fccd2

SHA1
69334480429989471b944df42b23c44f9d13aa4c

SHA256
e5923518d1d183e36986c33e96d1e3158802cbafd07b10f24ae23bc1ea586a11

SHA512
577c30e5398392ef9e67783f6d72cad4d1fb04118a6632a091f8d8eab22cc460180ebc9a6bb135df9cb7f5a558022e954e83db4b89590de00e9c5aecbb252d78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9520199f43e72a5e9eeb14a906c441b5

SHA1
451b60736511d46c919076cdf7a06c50c4f6e6f3

SHA256
ef4ce49614816fbb68e390d57c8cee42e757639f11635f82be869aa5db23dc9e

SHA512
74e4bec215f4be9b611285210513d4d4a8f73a9de2cdbaeff287c146dd9eb326cbf90a0585029a380d38fece3a7ad189af22a10c1e6387f1d2857071d95044cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
3d83060f99840ab5edc76d0fc3db9571

SHA1
4ab82d94e4b881eaf0b20ebcf3e1d7c5053a74b4

SHA256
73c175f5dbc4eca731f4812d8ad30c4c8ea0105f962944855cff62bbe9660eba

SHA512
4b9bb8584f281c366cee2c29f7cff4345f2d670841cf8e8782b67b9db0f9c4d47382f5acee51e43629f497d7c640394181fa47f725f9783bff49e06bb4f97b1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
a8dfbfba667812440c34416462926df8

SHA1
0f3e1855d4cecf47cf62f2cf0518bcf5b2c77dc5

SHA256
cc23ddb8309bf5a407654ba39803354fffc95d89e5574f7510b66676d16c4fb7

SHA512
aae8ce15f401f626a9a9a7f7e0c1ac618648b9e3f2c632a6b8ad305467bc84a989ec0a0094eac39dc40c9fd3c0c41ab13211982792666b71ab5cdbce3e3100e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
7e260eab5349b89a82860aa9e2a8f18b

SHA1
f0a07adfc2caa7fb69d4e570bc25105c080905a6

SHA256
59bce50986254a314e991231e0987fd1fd492235b866a1ed45343e64f0485014

SHA512
53c14225dff2ce5ec50c65f1a03427daad2f53c9b2e5fe4f41fd0a4247048ef622d23946cae1b476db03182b068463693c7636963a327b406c1b630d5c615053

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
8e2b3c427aefc76c160dfca93b3150d2

SHA1
f2d571eb45ee02b1d7583b61de0142c315da875d

SHA256
597b3c1f70741289111320bbc71bc5d97149e798304a81cfb9d34c583d7d7b98

SHA512
8acbfb7389ff8c56fe9da92aa0eec7719f34160e20657dfb32b8bca99a988ef8d3097d83e8cc6c27686b288f8d92282d8e61d7684f02d2d2db8c9c63261fe64a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
227b2c5860d25040549589c904beff3d

SHA1
4a20885aaae590627781a2683104708ae7218f2f

SHA256
36738b98ad1c1106606abec757af33ebd088b88d65c7e794aa08dbfc99dad10c

SHA512
3e332f7503b259cfab9cfa6f0e265e403e6a913fab53ce55a38738c15f7c97edd5854a702313e332f3a28070dea2bdd105e975cc11d3c125e3db56bba9121d1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
003bf2fa9ebe71629836002b15096ec8

SHA1
be2bff2250fcab3b27548ca608cefd05c4f36b52

SHA256
1c6de9d31479c7098accc76bbea01ea10e93aa35d83bb51ac7aebdcc18f0c47c

SHA512
381ad31dc4547bf938b3e133a8346aab06bde462b15ed2450e3a6f76c788c80db5bc78e34873b6e390703bc62f104c45a9dd11c47b1cfd9b2a29210045e5d8bc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7da88b80d43a9e613bfaf36f73a4dd29

SHA1
63730ed8fda222fd2a35db99fe2dd8be67914f1d

SHA256
cc70c886a60c7c3fb12e85d325dfdd1358365180605cacee665ca906afe8f4d1

SHA512
902a8511439dee00be6fc154985f404c116d0d6fd02ae3eadfa8d8cf6cb189d3e3034a6ae4c6eb8ae20862f74b0d8f7fbaabd0acc6f087ea43e939eba9c86295

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1f10cee035e1cc5c114897b3a192facc

SHA1
2b77adb1b254802dbc70fe543077b78a0462f5b0

SHA256
b38f95a0113bc7539ce31b29780cd63b6fdc25ce270ebbac8b0472e1c9d409ad

SHA512
abe5f9a1f62feada4474c8e72aa97132e8b3f56f294e299f411a4c6a8037191cf2188b43acdb3473d1b128187f25f35652fd557e7c3b028307fdf0741b6188fe

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6c6fbe9ad2d424ecd8a5a9342f3edacd

SHA1
471edee5db114e9d05a2859abe401f39e76f3055

SHA256
a0a7a6ab89914ad6c185f10ee1802525cdc74d10dc4f0abb81487b6f17308f17

SHA512
8b08ddbb55d4b79215a0f3facb1a1f3bc357845388ebda2386e77ec083d733a4ee47a018f479c9f8d36864aa5e25f14cf23731a400c1831610221f14ee322f2b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
aa1db8f47eac16b8f13e5904e6fd8266

SHA1
f5768bed410f3eac07891040ec983eba2c4fe596

SHA256
c84ae75d7288c457180037e9204f5ba4bac9c97c01671aec0c8f78e13de425c8

SHA512
84361d845bc3389f8f8c1629e7277acfe2b5e0b0e6c8f24b115f23b252d56e50fa05d42b931481e9a0fee2f271f8630b1214da67ed130a48b27209482357b7d8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
20ff3bb803e87707be15557e04640f5c

SHA1
a8220617ba25e8756c7d9ebde40b8b37b31bb2cc

SHA256
db0e43f41dc822fb2e40ea4affe53b3c281ed1cbb81e6a4cdd0b6dd519067c8e

SHA512
1f62ae6c198ceca9f4db9d3739e2b48dce69822d7f46f8ca68e63b95833f5f74bdd9ebd847e8e65f6cb7c6f3c0920b1f31a200792d878993b8c86afc5e870624

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
81e6e70f8622c3e8ef9125689d95240e

SHA1
ff22c69b653891c7d0a34bd14a9b9af83743be76

SHA256
002c2b5f129d0a830213544373e1c85dd8fd5595726983314bc21f929ba0b689

SHA512
bf4302c2efc0a365133e3601e475c289e94f8b107d30ebe149321666f5bdd83526adfaf9d05f83d3140906300fd5868c89fa2ae730914a094a449a2877479d6a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4679e49de74b68b9c9761d0d3e1b7c6b

SHA1
753e5e5f69aabbbc9a481928005e0e268c8c48fb

SHA256
8b4d9c68ac804cd3f64c319ebab609f1a20230ba71ca1ff72909985b154521e5

SHA512
350dac6f2aab078c4e836af91e9c29c82bada98d66b3c6fda4e7aea35abd848667859ef274ba7d805297919f4de3f4d9d0a309eca3edeee110a048b0297003d0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
46b4a357eba87f3cde3249cd3196648a

SHA1
5ff229639248099ea1d1353960e3808184bb4cf2

SHA256
3c6bbc419e4580c788ed1fa9b43df76129bc98180e352d9b335c59bb850246ad

SHA512
b442acbb3e189fc87230d2b247c62f3eabde8c27bc4ffe1414b73efd81161e68c3a9e3117019524f0c15f8bcad5b3b5974f2f4527e066fe632de0e3b63ca6933

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
71e2778a85ea28cf279ca57d3d20274e

SHA1
14aa33338c446dab083485cd371271c24fd9394c

SHA256
8f095bbd28516c85d94d7891402ab64409ba1017111aea5cea07695b79cd1037

SHA512
60dd5b855e640cf850818792a81a17774f36837325b848d0a928bd24c6b130cd9572722964e197b3830bb189e03bbb420cb6b3e4513c881d515e7d06a3ec8580

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32def4ac69f00a713eed557af3a5b9f3

SHA1
341d8bce43e84552663d1411134369ee653d056b

SHA256
46a0fc229f4a7c81731c9a0cea0644565e94e1aaf878bacfe05d0aec7de5479f

SHA512
5c3c2a3fec5677dd87e72826c5196845487f31356b1cce3806f612d414198605d5193849be6cab729b39e6387df85f2acbf1ce18ac22dc8118a16fb6043967a5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
76208a95949892317478e061b5379484

SHA1
8282777287ad77f875283739fb823e3bc4dbce07

SHA256
1e350f548341670a4d25b64147c31d28650c16f7798caf46d32dff1e82998161

SHA512
4ca56d2b85df735e5b3c7c500ef9f4c7359bb015c659c22abb96f52b7ace725894721746bfaa17d01a7828f2582870504b283f6457310921485df6020c72011e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0215dd9e146103ecbae873f8c73351f3

SHA1
2a62c40a77aa3d79b00a79caaa7074827ebe02d6

SHA256
5cd2f1c80c9ebb22139adc463ee1ffd4e79ef320c2cfeb1a23e6430954532cf9

SHA512
0d3b7a2de38f357c477d3659dfc3480b46fdb637d6744c4cac927efcd3b6927216dbf42aafe17dceb4e2bb75679d6f7b830217f920f3e18461b79bf7d98fa555

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7fe7289b883bfeb1ab5c09f161ada66b

SHA1
78658cd5563ff52411a1dd522266a09e4c341ccb

SHA256
cef29451f165afd9027f727ab049d15ae5149a9bdcbeae6acf80525cc842b447

SHA512
efa4e523c5929acbf0cc25b1de045881b8ca25a5c93d5a56538356e20133b9208128cecab29a9195905547b366e4c09e01de772dea66c299ec766d4c785a7697

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cccb4c80d6985a5d85414d4f4d431eb6

SHA1
8e4a6e5ab0159f910e7cdd4c04f997139747b6d7

SHA256
9ba6eed9615b738a3b44e142ebae3807ed8baf9cbc6d94f068f04d151e593f7c

SHA512
a511a53fa77ff17669b360e56ccd420e8c9f905c652d09e2d7517409a0df9782d8889e0c217b2013680057f9f927e2c5b58f0638c9dc8cf62415843940aa37ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
22d876646b9e43a448f202dfc6eaefd8

SHA1
e7bc9c41ed2d1546353831776c04631dbde8bde7

SHA256
dbb5ebb38db49fc26067e284c1a5caacddbeab8b40929370fb834e3cecf13fc4

SHA512
999558f7a90575a0d861bddc40038e640e83f6cc6b8283dc776e84d4d17fe4cbafc3ae9ffdfb5ebe386c8597ddbfd1c83c3016db84b5057f59b3bab68df6573a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b43867a52c9e82d25d219c8a3b918e53

SHA1
e4e7c4183a7bdfe6f8a2dec35198b3ae6575229c

SHA256
141e980ca351f66cc7982ddbe22291241b1a94384b37620fe16d3acc6484fba5

SHA512
606d57d391f2f937a03781dc4964ce03474b48c4dd233a5843bcaf80e5b23377263141bc60f3ab2e8f3162c0b84c1a6809784da669598643597515caf93030d3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
84e7291901c03c484ed5ed811e35e1c6

SHA1
43dcdb1c9c986d92273f6ffe2acc44453bc6c16f

SHA256
f8493294d39b8f2da6c34a1b93e0df7724b05e8ec48243b3dc31834cd9d8cc6b

SHA512
496b4c5fa6d88b2b7f78615ca2c6499cb1fd02b908a03339b69c253054ab18d3cd70e124e0e478b9a0b9bc6eca85b1eb212114d557d574f3153565326161d511

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cc38fd1c0e0a68ad4ab89fb7554d6754

SHA1
0d3f692261e870d44287ffe6e4a8ae82c447b718

SHA256
0b9e533fef05ffc709213a71ab216c67cd95a0a81b3f2d873d74fb7d4c350c0a

SHA512
ed611cab13aaade23ac4560886803496b836116e3ddb2e9f0af84db605782fa8465289397691aee0c0ed6236dad008940477732d2a9b11d650b996e75871d7a6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d0b8c0bc7abc770e508ce38125c51c0

SHA1
ed12cba9eb492095b381486dcaf5fcf9fbe1b19d

SHA256
01cfb3a3771e69e57dc2578f8009e1ff5e7bfd199afe06337cf825cb5d2bd1e4

SHA512
c7e442b3f47bc81a1868ee29f37188626ebab8c89f5ed41bbe371a7373cbcc7f4aa8b3346304b1a580d3ceb37ba995f54b8fed33c60edf48d9544400e945cf60

Download Submit
memory/564-39-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/564-236-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/564-40-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/564-46-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/564-47-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/980-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/980-256-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/980-264-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/980-275-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/980-273-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1160-375-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1160-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1160-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1920-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1920-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1920-332-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2264-1-0x00000000023A0000-0x0000000002406000-memory.dmp

Filesize
408KB

Download
memory/2264-7-0x00000000023A0000-0x0000000002406000-memory.dmp

Filesize
408KB

Download
memory/2264-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2264-18-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3116-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3116-321-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3116-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3628-29-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3628-232-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3628-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3628-35-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4008-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4008-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4008-359-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4280-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4280-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4280-244-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4280-251-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4400-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4400-196-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4400-11-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4400-22-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4400-23-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4404-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4404-347-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4404-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4452-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4452-374-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/4452-306-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/4452-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4668-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4668-297-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4668-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4680-281-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4680-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4680-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4824-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4824-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5044-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5044-52-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5044-58-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5044-61-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5044-64-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5216-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5216-381-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5216-387-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5332-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5332-400-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5332-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5332-408-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5432-418-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5432-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5556-430-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5556-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5656-444-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/5656-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5776-456-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5776-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5900-469-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/5900-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download