5dfe2b867a6e9d01ee8043136299e55398bc268e495e1bdb7ca5521ce25d60cf

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dfe2b867a6e9d01ee8043136299e55398bc268e495e1bdb7ca5521ce25d60cf.exe
Size

1.3MB
MD5

7372a16af98c956703c93a3b75d62902
SHA1

714ab2e1005081123e2625c6d30a4d76c5d2f3d4
SHA256

5dfe2b867a6e9d01ee8043136299e55398bc268e495e1bdb7ca5521ce25d60cf
SHA512

eb27de109564fd0561fe9f1fd8cfc4d788584fabbef7ef5fc0787ee8d099894a22958966249fdf8915a98686654326c712973e95e54b0851b40bed16f6e1944b
SSDEEP

12288:x09B+VIiGqKXVlD0drus3oDLoYfo9loGmbI7iSrNozEI:x09BRibSVlIBFEMgo92BSrw5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4896	alg.exe
800	elevation_service.exe
3552	elevation_service.exe
4540	maintenanceservice.exe
4176	OSE.EXE
4216	DiagnosticsHub.StandardCollector.Service.exe
4028	fxssvc.exe
5084	msdtc.exe
3136	PerceptionSimulationService.exe
2872	perfhost.exe
236	locator.exe
1920	SensorDataService.exe
4740	snmptrap.exe
1836	spectrum.exe
640	ssh-agent.exe
3436	TieringEngineService.exe
940	AgentService.exe
2400	vds.exe
4328	vssvc.exe
5040	wbengine.exe
1112	WmiApSrv.exe
4028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	5dfe2b867a6e9d01ee8043136299e55398bc268e495e1bdb7ca5521ce25d60cf.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\72ec8092bd8e231.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_122187\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032e403faab8fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000303bdffaab8fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000412248fbab8fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005da0fdf8ab8fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db516bf9ab8fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000467291f9ab8fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008145e7f9ab8fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000053d1af9ab8fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
800	elevation_service.exe
800	elevation_service.exe
800	elevation_service.exe
800	elevation_service.exe
800	elevation_service.exe
800	elevation_service.exe
800	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	228	5dfe2b867a6e9d01ee8043136299e55398bc268e495e1bdb7ca5521ce25d60cf.exe
Token: SeDebugPrivilege	4896	alg.exe
Token: SeDebugPrivilege	4896	alg.exe
Token: SeDebugPrivilege	4896	alg.exe
Token: SeTakeOwnershipPrivilege	800	elevation_service.exe
Token: SeAuditPrivilege	4028	fxssvc.exe
Token: SeRestorePrivilege	3436	TieringEngineService.exe
Token: SeManageVolumePrivilege	3436	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	940	AgentService.exe
Token: SeBackupPrivilege	4328	vssvc.exe
Token: SeRestorePrivilege	4328	vssvc.exe
Token: SeAuditPrivilege	4328	vssvc.exe
Token: SeBackupPrivilege	5040	wbengine.exe
Token: SeRestorePrivilege	5040	wbengine.exe
Token: SeSecurityPrivilege	5040	wbengine.exe
Token: 33	4028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeDebugPrivilege	800	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2368	4028	SearchIndexer.exe	117
PID 4028 wrote to memory of 2368	4028	SearchIndexer.exe	117
PID 4028 wrote to memory of 3432	4028	SearchIndexer.exe	118
PID 4028 wrote to memory of 3432	4028	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5dfe2b867a6e9d01ee8043136299e55398bc268e495e1bdb7ca5521ce25d60cf.exe
"C:\Users\Admin\AppData\Local\Temp\5dfe2b867a6e9d01ee8043136299e55398bc268e495e1bdb7ca5521ce25d60cf.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2096

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:236

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1836

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2368
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2b206031a298eda3c06b88b8e563881f

SHA1
30719639ac7f421ffa6336faffd6cf31244a7c0b

SHA256
1fb373b6150692a61f6a9cb613e9c96d09e0f2bd32246d781cd8027c32aef28e

SHA512
700c668f634c82e2fa5c8f41f62bcc230bd149864d8d1fd30461049b7155349185fd3e55c8f480c015fff731c7ace1343a4fbc2a4fff6d80c3e4d8a031d9d923

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b59863e3d789b16c7660af7b68dd2f24

SHA1
df8a4016a8e0b6c682f7abc1804bcd27830af203

SHA256
00f044f4cc20ead1de330d210c434ba7cae6c014cd80c2e7f1417582e8515cf0

SHA512
ad35977550abdcd86eb885ab5f4baf96111c3d7a608e91405d08aae14e586782cfc7b1d3e863cd9300d0b4f779db3cc9b811a3cf3f89b5f5e38aed69b63d058a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
9f7c123bd5d7c3f9cb0c632148dce9fd

SHA1
4ae0658ba8cfdb334a9311c4fe919cac5eea52e8

SHA256
a05a5f3a0e3ca56544eb9a24f5a257d0779665a6e5a537aaf019c9bab75ee9d7

SHA512
3ea8e46666da64dedeb5ea0afb1fcf7779703c5352c3af699c3a670c566ee86bf84f1cba553c8b2f0c4eee0980b9ef82e1efe86dea62b5316ef98b61a6f69e7e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c0b105e420e98d3b47dca69d229371c0

SHA1
24c95d66f7455c214e77017ffdbff7ced6307a07

SHA256
f327539ae25b055a067fd70a39f5208e4741e31ecac45351b1e4d0715cf4ba85

SHA512
1515236ff540b467f62f53f99fc3050e23648038ddf3e9433ef6659da39c9bf09bc442e4f075c383a2b45d93c337e648923670d34fcf6def9a8a95856d91a68b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cff0914c6e25ac3fb650e295e1fc3207

SHA1
dcfe8caabb706e21807a23704b9d8f477b1fe30b

SHA256
5ba3270900cbb9e451c6b407909be95b445d8e9612fc37ae6392cd93ad0956fe

SHA512
271b4ac358a39f3617841a4d86a02cfd8a2df7e78f67f57ce3477b0380809b6cf123e1ab8dd789a37015a53bdf2b2e3886c1fc5ad510155ac0f5e0a30b9cb7a1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
164f19d1835ec116fc1c262eebb9527f

SHA1
b48ef1b970369310aa32cd7695d7e652d8629ac6

SHA256
547b820478354ac45ba9d2cd85469c350e84828b8add737c3865ac2b73372467

SHA512
46af1ff92f973afbbddb15d2193f9f7624c13436e43d8555ef37457373df5ab0ca24e5f8d1e460b520146e3de2bd630050de821a4120fab10d04900fb6c95187

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
22b2a24cd1fbac1d2d4702c7b2bb76a6

SHA1
3ef8f796a0d6d2e034251d85f0231a6f92e0000a

SHA256
1ba3b99ca17f59976265fe9ef00d546f8f885e69068bcf45f84561acea91b007

SHA512
43da053b33e79859ceaf089dae6ee79292755fd9b1afbc34b9acc1f295b66d040662a4fa322d6c65ed43d9bd808226dbc0245116dced4fed856984f23bca1b49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bbbeb4b82500931b5d1618c638f7336a

SHA1
1809644d23b80a35324323df634869338920b377

SHA256
182e7b97864960905a0f3884d2da1b080940f5bc2e82bd5eafcf8f948ceb74ee

SHA512
d9ff577393e0db621d31344681c7abd44fca1480756abdde998c5f14fa73df54a9a0edcd73cfa9855595839680147216c26cd7f2a9d4a891e3eaa6df4d33d00b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
98d9e7e1b0a1c53c6167472ed171d993

SHA1
900f78855f32c2905c218d5c1dcbfcac1b7e48cb

SHA256
cb29f4dce4526ea9667bc971a8169fb36208d78574360f78731f0631477f84ff

SHA512
cf2253ea19d25ee3a65f57edd292b1ced7b68571f68f742e8c97283b0f46cbbceaff7a5714b444ea6f9675465461565d8b3e4a58c818437fb0908f501f06d177

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4345a38470d5cb67e7141d3f9afe938f

SHA1
e6a9c05213150c5bc67324fd9400e6f0ebd600d2

SHA256
8b9e93ed690982031b0346cd25a39a313d6b02625c9fbaf9548ee3549327c868

SHA512
09a421576eaf17be8bc718fd6b64659d9cdaa1e70db44230fce9de3b50a4fc4d39149d56990ac7c8f3904ec2b24dac754a07ae7f3a4623536db8c02feb4dad5d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0163d9e8f1351d231f2506002a28cc49

SHA1
49de5eda9aefe830c90e0008fb070b84f1b45bc4

SHA256
33692729d8fba42375c295b39ad544159bfe27e548489b0ea881f89c0c337cd3

SHA512
10d3a8b4545a8eba036d2635428e0238993909cdbfc57325b4b45a5f1dcad7581b32c821504fc0a15346929f5251aadba2cfb3a3c67c908648ef836abdcee9c8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
10599a090e43e008e6ac53b14ca5a747

SHA1
9db443e8099cf740276cbbf57820d7778fbc8f73

SHA256
e4fc2d7823526cefe091d27de2f9eeedd09b66a185cf012719118d92b2888be6

SHA512
f9b6e01ed9ed5d136c1b6633544d940194d058e5e184e6381fa65a5195318ec13d5a873f4b514ce4a6e3540811cee44469dd16bbd8a3658ee9b1d8f4c31aad9f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8054041a01da9d1b73ab6dfe2ec9bd5f

SHA1
dfd57468c139004e5509c74be35ee40e3c63a3eb

SHA256
4d837fb2b7ac8a6c6bdd913c3bfe24b82a27b9e93a762abbe1577e25db5d89d6

SHA512
7708143326370393eb033eb0a6926bf7d40bc216d957fe6b18d4e9814578937f273a964d348c7ff68436d5bce413c2212df90cb978bf588d8e9125815de05aae

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
bf57d07d420c456a7cba5c1ce8a61bc6

SHA1
d5f587413f06e1a621e000f163b355246e6f9162

SHA256
cdf523f11e22dbd520e227f6b1e2ef7af53eb1e81a0ff3956e05ec6c437f70dc

SHA512
c3ee96472672dbcb5afc7b74d6df7503dac3c244618952a80b5d7f6211400f9b256d2c2406fec986c4125aebe793796fcebaebaa59490568a6334af3e578102e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
36190d8272b8034488f7a9e81b9979eb

SHA1
28e49d16a0340b74152e6e5d873e647f4917775e

SHA256
73ae7e3e6c83de4238dc4845f70fe4d83afe7f8f5e814c381b0ea50b2283c4c1

SHA512
c7efecde3865a1991dc73ca8231bac7737aa1798e54f7d0060304d1d56fb358eeeb8f95526aae4a567a7c8aa37e7482b7234ee80302a973efe7ee80e668229d9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
480e858829dc79c355a7c9956428b40a

SHA1
8d206d2290fc435796463d1685d7347e37bddca0

SHA256
3f8a6c72aca054cc71d57440daf141ef6f3ebf85096ea278e32e5ddfbd9a987f

SHA512
2e1a5fb0fe68ac9f9c96eedbf20f5409749bda12221074b7e5d89a05a0f36d9d7c3151a1504b4f89789ab6d246c2b3690457bb88d0a25db06129cb3c520bfae4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ee53fe0cc4bc084557a8ef79e7664850

SHA1
3a17892ae8ca0a306d44774af61b5c7d5583b170

SHA256
5a24b5d110d006d064e944fd5bd08d8f97b10ea22ec304b49c206088cea7ebb0

SHA512
e101d91ff86ceb48cc2074daeaa720e560d4d5473c3d73411b0904fe9fdd80f314b20eec209fd4e20ee8577c602c3b6a77acba677f3f8c31f48a3759bb4e994c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
aac666039fe0592f0bf6cb5bab11a66e

SHA1
5d9db949e24c6e7efc00816b9c7d84d3650acf7a

SHA256
491e9698dab6da6a10fa35078086781c5ab0f58108aecee003333f0b40f57538

SHA512
6de9818482da70d08fc73a68fc2e4a8441937d95d0d4f4fe324e5d98f1cbe2247e557d30321329b5b8e4540a1fd679ea97c4046be3d58a7b6e74d451ca0dcc77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
58eff013bbe065abca37fc54c299c1cd

SHA1
6d2207b49ef494bdc66cfa6aeb04684f17a42089

SHA256
459ae26fe757cb30818b2809c8e5a70751594640b633b1e870c64190a043a6b8

SHA512
53a927babb1bd4f086f30e9b5df248a1cdf1e112d2b7b8f72f7deb173c8ceec7906eb928564721b242bfde820deed829a124a20f1f7f6d326c5ffcdd08a5e160

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
71944c23157d066589077865b7dc0c17

SHA1
c2478c1166caa2820b9e96507f3f57385c5f0d95

SHA256
3497ed2d70cef8b5fc13168c96df85f212b234503640d2f4f98c0f5720494420

SHA512
752885e7187e72983575d2cf3faa6cf9bf9cc7290b0c5c359c5a4639e87a89ee4f7ace02e9105b5dfd8fda733d2248e32e6eb8b4e75758ded0842e969a0e355a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
bd175a3fed5df7d5589c5f96d728e35b

SHA1
3e9617e97260b15b33ea776c9ec9994413da06fa

SHA256
2b8fef9ea932d9379e4697714c1071848a53b0767d52c25ce2e1bbab6c13f630

SHA512
56cd94fe0f23e0fdc471d5b3cae4cbfb3c9a25f593dbbb7f72eb6b290a3cbf7b5ecf9dcbaae73b4f2f7d9d9405222529fe253a9cee2cf8aea8485ef38f9a9536

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a952cc412ea6ba2bbfcd033a060d52c2

SHA1
e3d97528ba9dc708a272d19c5cb3ac679588bc57

SHA256
4fe8c34f38ac290cc31fda3e345542e2e089a39ff4064584632bd3877e297e7d

SHA512
6481508e672cb030ec2c012335eb78208a036662f3aa97df588eebcc797ca7895bf454e07f2af8d50c6cae4a2a6199c3f8d271545775bd6e42b2ad5bd8328d2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f71fc88e6848f675719872b480c4da3f

SHA1
26a870aa20d72102a8fc4f52cc181a8ef221e648

SHA256
b030e50a13784102d997f8bcd840b8a29c5502e5f5b2bd63e0b4ffa04d5fb3de

SHA512
42e11700f0508c0e491cd2694657394cad80d398d26ab5c883085d22c16bdf4691bd8160a4d462c279f0853b715530e13a603a37a5f0b836c99afcd45213fcd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3338a92a88cf6f0b9f81e0e3e3fb5596

SHA1
3dc7e40d8cdc0cbab4a65119abb36d145e74e6fd

SHA256
c57de1bc3d9ee4dc9f380d28af050536084c13ee21319c5fef3ae1f51cabf966

SHA512
674c8ac246fa33e6ba734ad9bd07bff583c5b5b08c849e309336afde4fb30b007482c3eae3cdba0a6f53a6b93b39eaad795ee5cb051658283176e1b2cc049f98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2fd72a3ad8d45e17165a91932de18887

SHA1
404e5f69963cd86e94714060e45fe27bdb55b9df

SHA256
332f0f1d625f636eed70d1475b764ec6fe9a5dedfdc2d71b8e7fb041a1fd23f4

SHA512
39a287a2708888b76e40aade84de13a2e5971168f26ee7c4b46cfae960dae3873a657694f11bef3268917896d761f407c4afd5332239a2585432119ceb09bd12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f86a1fcbdec90e779c3196d4e1799b91

SHA1
6f5e35e82f838512eac93aa019369a216d53ad11

SHA256
6a35a518867e3ed55972ddb847b8e6dc0e54ba42f573a89401f1b2ab66ea7474

SHA512
30cfe03512e437ce9c1a15f6ef33d44f0836c5833b25986e759215ed3caa8327b4fdf8806082f0635811b3f4ad257f372c7e121361f8c98465614e900f3fa963

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bde72c7c3d78c3900e8f6087a329fe39

SHA1
dd8eb6a22cc8f97ff4c21dd08e3f6d565ee28d36

SHA256
56f0a5d0a084cb09574d47bb8131e542e9e617e6c0981767379f650cfa769a45

SHA512
81a83610de4d095ec15161ee3dfb0efa2cf58047cc040b930dd74740f76b877cfb4016ba5f4f321da8fa198fdeb53c0cfa0a23bcb48e4c8a7f0cedbe09599338

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e7129bfad04c95d2c0e5a7d6b4ff0f4a

SHA1
3f1d5b9b26d0ec475a767afd3bee4c6ab01b09a9

SHA256
ecb8cf7533dbbf49df4192e16fbe8ffec63953b5b9663e38c329c8e3fb283b61

SHA512
5bb6a68637d38fd35016dafeb0cc1152ded27082cc8870d8320ff495645b18771d790a81141cfc81170dbc4fc9f4b325ff081f6cb6b4beee300735d090c9733c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
89e324fc5b657c306de5f7e68cb9ce8e

SHA1
506ae46df149873c0ca41981218b353ad0d697a6

SHA256
d9815db25c6cc2907924a7757b8452ab91bc334f6624c5deb73023667f1b32cd

SHA512
fd831c97dead436d17458c1cd25419b77e0e530d66a5882383175fbe76dcabcb9511dd5e30be0e8ee410246da6761851e8edef09f79daaae298ab3b7847378e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
da2ec7619938b35bdfaa415d754b1ea2

SHA1
0d01c87ed1c7b8ea58058257415d263feba174ed

SHA256
547e867dea39272686a85946114f9b174b74e70f3e8025c30f1a5d41be437e65

SHA512
38c9d420eb6eb7a9c14f13197b32603d68d9eade4647c97cb5d5157fc7db9ece4a5e73696f250c0115bb80b3a2f2dd0ce9e110342232ac952488f6e23b543f2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7ee2cea03f624abcfb973089e6cc2eee

SHA1
4c1f239c3d6e938a223b9e28c132cd27b329e931

SHA256
d8de2aff36beba00e3421bcf11770c47f329781ad0d2fdd01eedc8835dbfc81a

SHA512
ade301872034c05ad24dcf607491996a0adf7f2f44d8010e1a06cc290cf3246efed2828448acc9ede2c73e4a8764ab6ba92216a000b797333327cf153641fea3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ba6386c56c2cfd44657cf9e540c486bb

SHA1
f2813f9eabe75935eac2fd69be35656473559f08

SHA256
6fd448ca05254577f1d691f93f81848cd2366d879ae700ed5402dc7b1950039d

SHA512
41c7a57b367d94972d79b146a0dd9db361a690cc99d83f9e76f3143f5126c195dd9a682cb66638e5954071eea3b3f1f9028be3b848407970017f5acbf339b226

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
562b6195d899d4169a32f718c240a80a

SHA1
f48d266306feeb86affbc6151f80e8f979b214fd

SHA256
53c4d23606eaa52afd995e7b41b93d5dc744bd2e0960a0f30ed675e9838f6b9f

SHA512
c9afcd160b12126e6c536edc57cf7549cde2e94332d6b62557e6aaa40a257edd0df3dd323f832b3b64ebd81d0493020fe71bdf18c58697835bc07596fbf23622

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
a626078f571271ed453106e6e9c26995

SHA1
cc2314d00fa272ee9e45e6b82c8ca5297337e074

SHA256
33ac730c8f153edfcdc9e9b417fe641743d1111ad8b9ba231fd1156d91adc546

SHA512
f29569b467e4db8d96113ba29952ae54c96aac455ee591bd9b814d39c4e45574de77e6b6c0d729d139212884b6eaa946712c13c303c351d312ead37edc9c59ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5f850b989c4a8bda118f68c3a10c0c45

SHA1
8aea09b555a07fb37f855c0692a5b00d98d57df4

SHA256
1ecdcaf828c432000bcc351c200b40d5137594419d29762c0d73a80d2127c5e6

SHA512
dff030623945ac4ed5d0e6df2e274cb9a6510862d9ef27789fce473e5abaf23680aad7f4c30e5868f54b27c5966854ad76e515a374f9d486f7e4b51e908a55b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a351e6bcddb49caffd03922a8c8dbd5b

SHA1
ef3a78123d358e8fd75766eb06d389d9fe8600cd

SHA256
bf0fc97d1b1b6d437ae62680ce9403a8b7de2246ed1736e52854985b759631db

SHA512
f35b70b58e95e532052d00f283befe9e9423638ee14d600b16ce1c7a212fee34c7420e3642b28e7b06fc4a652f660f966125133038c960ce8decdb42e7126461

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
2122be2012c5f149e39b729ef07b69bb

SHA1
fb80652bde0c199f2faa0c950fe17bb1561cce0f

SHA256
00757db0aafd82a3704db5f0515d6a6bb6b91b46dff2620b08e5327cf3f3b76f

SHA512
9e603ee3b6986644f0737c8ddaa1f22c35ba8c619d3af4b0d47011fd5141610e277247ddf99badb747432d1246af37de955aa0f81324dcb7910120b8c1201863

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
d492336d0b2c950785b68307e98b8429

SHA1
5c64f8f9cf4d4ebcef0c1d7c9e8b6c131d148aca

SHA256
f749ab519118d7981d975c7b32c5a4a07b19bc4c1a1fce6870c324140368c7b6

SHA512
c20e0253bb47cbacf83f243e83b408a2bf244bc47cd14a81895daab40795dd58fc47274688b10dcf70deca82dd73df9d7fe00da90c308589976afafb7276d56e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
ebfef44d30e0470825995b34321f7310

SHA1
db7701a94fd16474eb050805b3a4bad1d3b3728c

SHA256
9c6cc4e420813dc207026ac244d4525df1028d0a134eb4b790adab1a35f69b7a

SHA512
cb00f9d64dac23393433da7dbfb4b72795779292b148f77ea65f4be92265131a4b3d4984602a8727507093728c546437fc292eef35a3869c958e20a917393659

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
37f2c5384c8f2b073b83e263661e352d

SHA1
5b3b57c348a0590d6b4409fe9f98bbdfda832929

SHA256
075b13b636d2e39ca18a127dba3486c9bf8115856413690441f4750ed7f18fa3

SHA512
2478aee384075007b39ef8a51a07f0bcbf0e3a4eb3fd27e6652ab66d6463860502d03b00edba9336c98cdde6c749b5cfa67568c568b942e2c7ddb78c72cdc6ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
a978cc3befc88473f643ede0421a6225

SHA1
9dcd57c3ab9659c10cd393adc12cc0c3e37c15c1

SHA256
feb2ffff8922b9511c432b856bf511b948df4f32c9e423c461832ba581c5a52d

SHA512
ff38d72473a9bcb9d112656aeacaea865a518e6aa683af36cf89bb2eb5390132044f6cd3815c81a2be15653510fb7354d97a9816c1c72e86eed2007aad371b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
b1941917f7c73a16c312a339b7b9b5ec

SHA1
e0ff38cad19784ed62f3b12b46867fdb5cd16471

SHA256
d817c05e380083ac0962215c096f858534f722dd7d06fdea5d3f160947edf0c5

SHA512
083209194c16e4c5cdef1798de1da697b118a640087b6e1fcdf162abda6130ea224dd4e21e432d95f87081ee88cb202999e8cb6a6ee835008e9c856ea51fad51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
6aab5435d835dcc4a11bcc99e40a7846

SHA1
7c34329dcc21e23c19a8d6d11ebf474d34586138

SHA256
b7bc282c232d56ad744099961d6adbb7256c73de51ca4dc3d2bdda29fff0125a

SHA512
05ca4dd6c93a328f83beecf67d990aeb983853c854ccf0f8936e5f41bfbf9867f451714bc99d876a03c142bcbf97a2592f289ea052fd2d982d10792dcf154055

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
72e5d0bea17734ed36691b8689f42b0e

SHA1
174e99cc4ecc4f1550f166c4710dc8e7649f90b3

SHA256
7ce20104af8236822cc818dde70d2c940299a8548374b6be7cda48122fef8bb5

SHA512
fc560c54a9e0ee98f57822a3dd938ed5e58693097e6d5be48ca94fa348098b8e19a476080f846dc8692432dd30cdeac7fa2317f7d1c86157702df42e25024f9d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8feff315f55c2a37826bf64e0f6efffb

SHA1
ce55821efb778bd7ba3e070da70d65c2de4415f3

SHA256
9b75197be11a8faa744159be8795ac0eaa4800a437081a62e2254c7ce0ff664d

SHA512
63612d3a92153182428062b490c7f69ba2298a28da9a957c39ec451714d70b2e47f8b6054b15d9fa581a0b4f949bc37d87b97de2b5b647234911f85ccd1ab635

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c86e63d6dbac67059271d878c528228e

SHA1
9872c61a33b3f35ea771346ee08765b2fbb71d8b

SHA256
a2f236436de7d0f056eef5704d02bd10f7ef8c130566d6fc28ccc91f56a9a9bf

SHA512
818247ff400a7de75890ddd88ce84e3a9a39ae151970bd27de29b9469358c5101682dbf546648bafa36cd8fb3037eadbe0d66825c80333d493709efb8f3d4b12

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
d3b003e8aa5de8bac4af0e9449505085

SHA1
482b2d6fadb4c746b682ddba5d53a9703d78916e

SHA256
353e29ce45fbcf2bd1b5bb9d85d5c626ebe549e474b0e8080c96be8a7e0bd3b4

SHA512
d78bc6de90623f4de816a3173da4dbbb63c110d45419deef5a45fe3bbefa819d08e07af6403addf37b7a75b3560ca042dc521d5875a9611a0e6d326366518b41

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f540838380300a9dca50915c922d6935

SHA1
b41320a4c8e1e8d767e425e74d8c410706d25e7c

SHA256
e8d6eab08a006e0a99d4886122947ff1e7784eddfa93ec8bf31f316654483268

SHA512
4ea05529901ae12903edd0c25a09b1b2528d7d90aa9ede8967e121a6bb76ee8e0299e26db1796703ebee08052610061be750548fe3363d1a20f17bef09dd9059

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
87f14978b6d2457087ed9b58898899d5

SHA1
b062e3ee86449d3dc30eb7ac50cf3c985eac6e89

SHA256
5da43645c14ba897f0a4f52bcfdea521e8aecfbb51edcfa8d19afc2a48861cbd

SHA512
c1b3411d342fc85f9c23ff5da803f01ac33f00fc132f1230383956cdbf5ec21bb3ce4023b2039f791e203fbe5515ff7681700101e1bebb0d63ae4d1e27064134

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a8ede13675ec23df92420959698a34a2

SHA1
1a850fde82070c16e48a18e695c567cb56be1dcc

SHA256
67bd9ee610ab6e2cf5d04c0e6f63300bee2e0bba9c32232c36b95b74ff5c25a3

SHA512
dbac7149ea8f9aa40cd385ba75160276f469815c9cb70abe1b32031b38eb5b4853b6446d14aaf3ed714398da6ee7eadc0b1fab5d85e87d02011a2e13584e66f1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
b5b23c20450fb0635233838fc90f1d3a

SHA1
3506639f1f3932175c448c19e56d8b34cad7602b

SHA256
6dbdc38b7656b347a484ef1f6a3c64037cf3884c08afc9c6907dc0fef8b5c482

SHA512
5d249c6e1d0fefe45ae0f8dd8fb9c2cc0813af817fa5a7b06793fd32d48b7e752eb4278827bae4f51bddcd5b812e9c236d9020f9fa5dc4db96eacaedef4403af

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bbc733ca7d1fe4b662a04ee7e4df9898

SHA1
6d6602a7a5f5cd83badebce36e828655a19ba6b4

SHA256
f8d308697dbe67c15e5ba94e47d8f3389c9a96498ca14e736cba0c930c0b7c6b

SHA512
eece5785dbcc6db1ea58b856817baf4370833cd0fe8caddf646ce05ae7acd37d443aef1c3e44f1160cc4760303c285d64d4440af7e4f67329839a4a79103b4a9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9877ac3eac53be08c3347103f0da1f3b

SHA1
cdc6e81f036b96559c127f5de313f252f84e0fa6

SHA256
db0060c45952ee0c4a5aaf9cd34c6811536e40530b772bca4f32e055aa359db5

SHA512
ef821dac586f4c6288f53acdf2873693738c3622bad20c04a075fa69a7e3c7eed1a50904ba030a8dba9d35baa08d4aae4d8d3b65e95a43fc9e34445ede564938

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e6f6068a5b7abc7f99e3a45469b246dd

SHA1
4eec1d597f1e7f3a2553c19a18a0b249a8223fa8

SHA256
05fafe6b27e3fed48a3ebdc686a3d5e38b11257c17064752c4447a4d4d9c5f34

SHA512
339a7abf3a8df5d7695b0d0fcc8faef2ee938c3851938bf37f041aec7f17fbe6bc4a8c7f7101cfc31f3ad820dd0234fb6cd84948350f534a74adfd14c0cac45e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
eeb3d0f23d7226b177879cf636d3f15d

SHA1
9a517805c8773a8e5c3af027d28529a83fb7357f

SHA256
0c511df473c6378a7e962227ab4403aacf06f5f940e0068109bfd02fc5a2a917

SHA512
e30422f837b359bde19f1b243c75e4e8a6f941581e0466718d51988c9ce4d21844fc9b8311cb763814a56aa30bda977e15e2ac36f0e243202f2046afc5d348b7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3932f2c9fbf3c16fcc3a975af2b49f18

SHA1
06fb23911217e564e86af4e46999f514904c3ccc

SHA256
7405b9db01e3aa22288b099d9be1c4b91bd4ca3efb630536806b47c04afe7a6e

SHA512
1a197a637c5575b424aaaae47bc33cf863d72bc52775345f8965166974aef66701054b20213c8c0c77af144c32be73bbdc7e278a0b99c0063f70392e4f0f1884

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
41ba98b7cce19dde6390ea416073a2b8

SHA1
83366e42e13f87a7602c7a42f3358f7713ed8a6b

SHA256
5c731e1f53bf1fcd4c31f7100e9b16f228e832ebecb3944de2e5ab46a891ae91

SHA512
91618b80d59cecd9ff27acd851b6fda3553c952a2e7e1e86fc885bbfcd3845bb636eddaa00fb6e1950114b404603d5e8ce4d49adb93872b861a18c4b7b7f4901

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
cddfe64b98dbe9c980f396806ec6bee1

SHA1
7c7cd0839180dcfb4439748a8734b90475194a6c

SHA256
0ccce3d29a863f56d26db0074cf3f991fb08450ba6ef4d2dd2139e58e43e0d1a

SHA512
b8629202e6e365449aa2c7f9962a94f61d9d077fdfdc688016914ed213563e861851adeb2f0aa62d04ff197742aa2d96606107c7feb5d66bbe01013a1e3434b1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
699426902e101af5f9d62e031e044764

SHA1
3d00e212a28094dc444314c8f59a539ddfc3c46b

SHA256
4fc4943bc6a905290fe236cea28cf463f95e4ca737647be32f7cecebf342c691

SHA512
b63e00af02c15377aa78dddb004d0c002a5d960e8e574f1441eb5b4894f490a88ab15dd161293067577b6bf8976140827d8c36ca98723073baa59911c16a77c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e747af3145f3c865bacff1cb3d805ebc

SHA1
dc25701724616a858750aec28f8d5cd1093d5b9f

SHA256
f68f9a9c2f4b040ab098b050011d13d8e8cc7cc4f291f99178f6eeb89b820a41

SHA512
5567d184471afcea28b9c67e17f27b86c4d9eb83ebd2e4216e746df18ac73e8f96c5fd739a4ec1c53868c3b028edc0a3d1327302bc74c988003cf4c2651c9118

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
5209fba0a097ae34437863c33cf92750

SHA1
0c5e450e1ef82033819287a09c8f8718cbf8bcb2

SHA256
90ce71cc83b190b2191a1327a0880a985f9010d78b5baccbb6ffcf50011e7a3d

SHA512
416cd1b10f635a8a0ce8fd3690dfad6486531faff19b19f1a0af38e5ab209c8205fec8464c057fef7237a6146a9b6bcd3b7ca3d6bbc6e5bb3c3fb8c280d16b01

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
355ca1a41b5c8f0aada0b357a345cb0f

SHA1
dc3adcc6a049070bb108156b0dce7e238f067089

SHA256
8d2c89a57618d0971c289b97ac59ff5d6c26cd3098c7f140ee55954f20107b9a

SHA512
386b57ebea9b1aa97f509b4f6366303a9678d4d5d2781b8791c9b3b1616d34be16306e56cd473b6eaa4a3a26ff6daae6d6f1d5f40ad9f885d4554f6aadad3cfb

Download Submit
memory/228-13-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/228-7-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/228-1-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/228-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/236-319-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/236-311-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/236-378-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/640-374-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/640-364-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/640-433-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/800-229-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/800-34-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/800-27-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/800-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/940-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/940-399-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/940-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/940-406-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1112-449-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1112-456-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1836-359-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1836-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1836-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1920-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1920-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1920-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1920-332-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2400-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2400-416-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/2872-299-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2872-363-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2872-371-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2872-305-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/3136-349-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3136-287-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3136-296-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3436-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3436-380-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3436-387-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3552-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3552-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3552-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3552-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4028-263-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4028-469-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4028-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4028-273-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4028-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4028-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4176-64-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4176-72-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4176-66-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4176-237-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4216-250-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4216-310-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4216-244-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4216-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4216-242-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4328-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4328-429-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4540-56-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4540-62-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4540-60-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4540-50-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4540-49-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4740-407-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4740-346-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4740-339-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4896-15-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4896-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4896-185-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4896-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5040-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5040-442-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/5084-270-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5084-337-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5084-280-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download