4850064090f81891be04bcbcdfe1be790f8f5d76d5e2677bcb954ae914775434

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4850064090f81891be04bcbcdfe1be790f8f5d76d5e2677bcb954ae914775434.exe
Size

1.6MB
MD5

69a3f55ab1a27f09c4498eaa0b30696b
SHA1

36c78f91395093c75a8addbe62548ed49d6fb4c9
SHA256

4850064090f81891be04bcbcdfe1be790f8f5d76d5e2677bcb954ae914775434
SHA512

bca3b86d091215f70b8d5d08700fa84785822ea163191b12d1bdbf6145762866198c3a6c5a3da3b7b3466847bb0fe20857fd981104a99b04f6a949eac7d53a53
SSDEEP

24576:S49BN8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:SYNgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5056	alg.exe
3592	elevation_service.exe
5052	elevation_service.exe
4384	maintenanceservice.exe
1720	OSE.EXE
1984	DiagnosticsHub.StandardCollector.Service.exe
2080	fxssvc.exe
4524	msdtc.exe
2652	PerceptionSimulationService.exe
1376	perfhost.exe
4112	locator.exe
1400	SensorDataService.exe
2364	snmptrap.exe
4720	spectrum.exe
3420	ssh-agent.exe
1756	TieringEngineService.exe
1264	AgentService.exe
524	vds.exe
4140	vssvc.exe
1256	wbengine.exe
2564	WmiApSrv.exe
4072	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\27add2c11299d6a7.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	4850064090f81891be04bcbcdfe1be790f8f5d76d5e2677bcb954ae914775434.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124781\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f49567675d90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020d362675d90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e53484675d90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080b4ed695d90da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000324f9f665d90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094f88b695d90da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff2998665d90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d94cc1685d90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b732a3675d90da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034e675675d90da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3648	4850064090f81891be04bcbcdfe1be790f8f5d76d5e2677bcb954ae914775434.exe
Token: SeDebugPrivilege	5056	alg.exe
Token: SeDebugPrivilege	5056	alg.exe
Token: SeDebugPrivilege	5056	alg.exe
Token: SeTakeOwnershipPrivilege	3592	elevation_service.exe
Token: SeAuditPrivilege	2080	fxssvc.exe
Token: SeRestorePrivilege	1756	TieringEngineService.exe
Token: SeManageVolumePrivilege	1756	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1264	AgentService.exe
Token: SeBackupPrivilege	4140	vssvc.exe
Token: SeRestorePrivilege	4140	vssvc.exe
Token: SeAuditPrivilege	4140	vssvc.exe
Token: SeBackupPrivilege	1256	wbengine.exe
Token: SeRestorePrivilege	1256	wbengine.exe
Token: SeSecurityPrivilege	1256	wbengine.exe
Token: 33	4072	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeDebugPrivilege	3592	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2324	4072	SearchIndexer.exe	117
PID 4072 wrote to memory of 2324	4072	SearchIndexer.exe	117
PID 4072 wrote to memory of 2160	4072	SearchIndexer.exe	118
PID 4072 wrote to memory of 2160	4072	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4850064090f81891be04bcbcdfe1be790f8f5d76d5e2677bcb954ae914775434.exe
"C:\Users\Admin\AppData\Local\Temp\4850064090f81891be04bcbcdfe1be790f8f5d76d5e2677bcb954ae914775434.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4384

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1156

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4524

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1400

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4720

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:736

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2324
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6ec73bdbc531b3a802ea2d0422fbbc8f

SHA1
c251aa2f0be0dc3f2d4144c51e4b1ac252f3f10a

SHA256
c106a6bb09cc0966f9daa9cc9738a62e4323bc2800d300724bf57df03fe3b790

SHA512
0e4260f4a1fccf17b5ac30fb8a2a3e91810360948de43bd34f4236b4a7829b691073fc6e3240950fb939e9d1c73a6a03212f2d74d6ef745b19eb8ae4265745ed

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
38f3a3d64c77fee7c1d218b5fde26309

SHA1
606f43c48fe9ec1b35eb1584690b265d9d3a5a97

SHA256
79ccb1a60cb4949478e169bd8f0fdb30c0e848c1fad32ab1ed06705cc9e153de

SHA512
bdd33adc362a671284a7f7bb7fbf65ebc1cdf090c75683dacb0b515a91448d019430e6ecaacd72531c79b59a7e256a70fe2d7d8a66b33966170131bbe3f70d53

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e18e40e3a2c00f41511bea3817f77e9f

SHA1
c28856b38bd343d1e016388589fcb61c4ac3f039

SHA256
d04578e63e5d1ff0b6d032b8cdbe4492999ed992ec99659945ff328aac880e8b

SHA512
924feba77c953be372420473d9d9c1e4440ed9cc5950f3ba1fb7d69ac74eba011f0f6efc6bfe23efee0b8ece31bfdf5b4be1d7c6eca9dbf8a38c1edce20022fe

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d92bd8ea56657e51c932b69d36099a5a

SHA1
81167b9ef695cdd31f9f53de3781b5c34565d8d1

SHA256
ba83d0b4648485f86d6d417509ae893308d600dd66822125cca8e187bcb6c938

SHA512
1cf96bec4928e14122a106fffa53d3c5be5793bc514152868dfac118384ae93a8ecb32abce2ae6223e1f63027419f2bda48d57961dcfc21a1ceac16b08aba264

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bc067704504228e6b0adabfc4bd285e3

SHA1
b4edf55b177c7b992fb6e28b03642c13d06c5d88

SHA256
29d63e571e551180c83a6f8aaa7da3e40bcf5747c8696d0c014379d50c79c57c

SHA512
9891801232ffcda52fa4a15c185ede7e928bafa1b5a2130844f3d3f1590dbabf9489a5bfe8f3fd8f85eed7694abaa32341db7ba1f874ba8259fa444fd22ecacf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
65a2c4ab18dcfe89922a891e9b482df4

SHA1
472ef184c1eed5366cc5eb5e792a9c42ec789c91

SHA256
c8332568e2016963961ff9a80a559f1bdd338da8093b60c9839aef1e4b587c8f

SHA512
a1cdaefa19ebcf76b25a89bdcbba6f89c0e0e427c7c6c19acca006592d735be0686eb27d73b68faa565ffe46a1366abde993ab22cfa09be6eeae944195da039a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a7dcd94e2fa35ca66a585296ed73dd38

SHA1
c812f8dab24354a02839f857016ecfe7f40df66f

SHA256
ed8c475e5837d7637c8ea68825d7e35c9d8d55740e2e15419ae4e3950351ddfd

SHA512
0791ec305a16350fa70501d2146a2ca58aac7592f2ffda72fe05301a6186580f91111ded5b60403cc81b93958e451e6d4005069a64291f7723293c2109fd85ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
82ed8156da3de00e2cac78b937eeeefc

SHA1
c9cd47afafa6d185902add7ef280a634f01a1773

SHA256
bb2b191b5d40f316f71d6ebc80eec5d9dcd3dd34fd2ce504f694dc1f10e4830b

SHA512
2344fc43b2931ba19da6145dc8f9d3f1339e879f021f53b461b9590c37e212a563ab754e022466099a84f694f4aef7f8ab35dd09136bda1fa6264415bb34855c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
d9459f601a7365ee02375cb6036f4ddb

SHA1
d48a04e306309fa447602c4b2485fc701a4ed1f0

SHA256
9ce04e457cf7c2dc7f5e671a6b3545e2a8fdaeef5ab96599a876e26a5ce21ee1

SHA512
c74d6e5bfa0b75bfe0da61d80fcd74792e64113159b8d72e0214a0826d92916a9f5f8aaef62b802da12e9a0d9041137c6aac0119e2f5ed75fffd42f204532c25

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
494735a4196c9ac93d19f3112f754315

SHA1
52163f0950863561b6817f59b16a50e86acba8b2

SHA256
128666b7806fcc767847a0df274577f843f25770801902a8e8c5e376d3359e85

SHA512
a1e236061886adb738190bb5fae26469cedc46facaa81a849966b2b2920ad7b91014bef12537a041d5127499d6a4a971f997245aaf4621b92e47df4dffb66dbf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
67d25910e63d7b7ab497809e3079340c

SHA1
b146491f52c658b9281b8091cf14bb65499283e4

SHA256
ecd61c16a66cbd7617c7c64f259835838dfa846ba984cdf04c39dd78e6770768

SHA512
b15fb906fd148215869815588c4e9ba88dadcd9b313f04541a2e566f2bc747be9cdfd44928638db8d3f105b850105b54945c11bad391f1ba6b1d96767388b08f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
877b705527122506b6c46f9144f65af1

SHA1
60bcfd81f63e3a953498c8e789058aa7c91b3ee5

SHA256
497c4c105029cbb1c4718917d6fd5d718b56340c0c92506d8cd157d522b6bd83

SHA512
fbc80e3809204be5211fb831ecd3df9464fa83d4118a9346cb60c08576bb05b1e8f8c36567dbdf97e6495dec3a002991d9b9e57c44e14245ae6cf05ba44c0054

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ffcd2dba03d853831b52baf897f18f3d

SHA1
18736a3bb4fddd5684eaf7d0f58fa6684d7ad654

SHA256
da6c78451ff5ac040baae5deaa38048f8e41eda29686804c8e1e95c024d3db7f

SHA512
b917b1d6a109934005a3d1cd04d3da47f38c4d2b558f246f552e1a81ad934dc610fe27c3a55921cb5746fb1dcee988d29b4a59e730a5d94075d69d7da036b1c9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
0d33c960fd20caa36a4c684e0e9ea21a

SHA1
311ae978dc44e35f55195cd062ad520b0962c3ee

SHA256
b5c1794400ebaffcdd26d13570e1efa78b9034b9bd46ba30f45505f1e19222ca

SHA512
0533c36aec1a2c5c22d7bf3d62712ba0293a1b914df8f57b6e08a3b14b5d1243e3009f15b23ebde9142d6dfbcfc826ef9343419f20ebc72158b99885509a3b66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7971c006f74eaaab4e6926ab97ccac62

SHA1
a7a82b2270e18db70d0927e9dffd43065e2e043d

SHA256
16661c60960604953160f0c56356e9de7d7c09e88f35091a7adadecece63e195

SHA512
4ec49c8e9048594da9560294cd6508ad7342870e09f6f252f085d23e0d6c2c7f4ebdd51e314ca6afd75803aadf08737513234f7941113969d343948bb02fa724

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
fdf8b377c00c72c7746f2951e6e1d33d

SHA1
3ba3b0c6b99222b1c8beaaf8c8a6e8c27e3506ae

SHA256
9ccf61408de479134710cfd64d2ac29ec12739cda2b2732c03bac3a0930fca33

SHA512
5b91da80d86f1b399e3b2668df8f78472232ff45e56a1514c68c0d98e927abf0407ce85064f26a97d3f2a36875c4776b244331b9720f9e660ad293a61041479e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
55212814afb6434af466ec067e35fd4d

SHA1
1f9c61ea2b446f83d8ba4cd4d695adf4d56a8ba8

SHA256
2c0a35655841f4f70d6a451ed3e9a298d40fc49db26cc22051b0425e0e6289e9

SHA512
27da13937c09e82009678f0f64d0f43d6ebb19481ce27f131d0a30af19ef84b85df51642607c622434f5b97d6639c8af82cf0e727c9f565ff303e443b4af0992

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
54ef4de2b2153bf79c4e3f3bd48b5182

SHA1
45ea2a258763eea42965c92624b43f1edd6827f7

SHA256
706fd079551eb0742d7ec89d1e1cc687e708a2e33dbe24eeba981b5ca5438116

SHA512
60ce0df64b74d10400fff7115967ff11f28519c4fffd1e4ff157a71ce211119d36af14f8866455c982e68f2b58beb76c6b313dd7d6ac2e3c33c3f4e539765757

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
58db6345327efb471d9996e2d0a0af5c

SHA1
2e15d00365908e59276ef9bcaac8f3b73ff4192f

SHA256
cea7440fb782d3e739935b01cc3b3efa4fc715c12df565231ca77643aad2c64f

SHA512
e00c753bc6d385e749cc66fbcf8c890a2ade0c38baec7ab88b7fb9a44d97b038aa0ce21616a0a9b56cff57d5b5a81103dd21183f0daa0b0998e54026e8b28bb9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
baecd7bc814716b808c31b07af34b4de

SHA1
732a70739ff2d701d04978ea21d3dd7f4d4700b7

SHA256
126894daf9da64054d7f8165326614430caa687cf5a4e649815551d7e35754ea

SHA512
3253c828b2db2dc89526e090d3124fdcbf335dbb994dc7791d246f8257cbe9f01958292fa797f23147bfca8b45466fa4c7d942fb13507db77e40c61a3c514617

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
0ada0d8da2ff4f1cba30302282abc0f8

SHA1
724d76b718088e95b206ce5f3f2a70bf642248b5

SHA256
3492116708d59c0042356e0f5af87fd64b0b4855a8e32ca101904664cc2c001a

SHA512
b93ed200be1d3ca304985af2d9d1567dd773797c8f94aa840efbc02fefa22ef0e3cea2e1d4f76a886d36dfc51af183d8b1aacb35663c890df501dcc14920ea4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b0dee9765819637187c934a784c448cb

SHA1
991f8c9435ee4189549f6c6887c215cb8473bfb8

SHA256
05f789d89a14c851cec5bacb105a7566f8e4c2bf916bba8e54aa527adc99fdb6

SHA512
57705ab4f2bdaed94cb9edc7eec59ec5ca637d63ec5f0b24df2e4782f85dcb375f5e55af3c8f575d6930bf01964fa1868e23a50d00fd8ef849c59001a935d50a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
f80ee11f0607ddd949902470286af4d7

SHA1
98f30bd00074f8467563caab7938e663d2a4f43c

SHA256
49ba0d7a1c6bfcd0209811e51e810d08a1057fc29d03da6e453dc5df10384819

SHA512
935d50dc4df9f3a2074938b56cd978e91d5910f42aedcf2c9219488fa85a6bd2efc696f45d22dac09afafca26772bb7fc5f38f75b771fbdd47531e5d5325fc97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
62185d1da7b6a5039158141fd5dd4488

SHA1
5bd63ba9f4fcc721956d0c0a9cdeca978af4e134

SHA256
949a336dd788f772bbc9d3d72e5385f5c02dc7d84a44a8d79e2e43cb545635e4

SHA512
e0b51e3dd694a3ced798344c9e179a7aee12e8d348127070f7e58aaffcbca474d4481b75ddf05265f0675a5c924f7223f3cb67d17ac6f9b519a27310be7d626e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
06e1f5e8bacb1a90cf61ebe248760250

SHA1
fce6ac3945905435c22dd92d2398741e8536b9a4

SHA256
248b7fff4f8b08d753bda2f88879ccf7e37a71edd9aa940e02ed6bec733e6e5f

SHA512
f2b6668ca59de2deba0d55bf10361ce542da0642ba944346950d90556ac714a9a896803e61a9781ec97443a2bcec15bd0864a7550ee603925ec8e9a10e32805f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1cce21df2edf3fffa8709469ee000278

SHA1
79a268f7d2f52ab6e9fb1c78fa5b3d158a07a53e

SHA256
e65c85dccdeb9ee06086b9d9386497ebcea9d047d35ec5e499f84f53fd13a66f

SHA512
719ff01ec0ee2b82d2fbc86214f720c2dafbac703acddfa55064dc3092edc48ec77b27dba43e66161aca365a1b191fa5292afe58d167729db6b130abd02c6b65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
5aaf6668081f60678956991cc25a7f5d

SHA1
b60e6254ae08468f17d5a9218de5c999a987cca1

SHA256
b03bcd92fe5e8ffd540c3dab67e623b42874300c9fdeb0604ab9e433edab55e3

SHA512
bf8da39bb6d4283127ced45887e735bd293e71516fa7b34f605bce41021e7ab61401fb8572d37f6b5059e7e318d8d6641b1108bae2a086383e7455ab58106267

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
896b67d18d8669206231d978c4bbfd52

SHA1
a17a95ffeff1c78cc011bb1a211f3273d6247657

SHA256
988b65a23b99daa5f230ea2955f1e470e148888791c834e6dbda2a9e6456d3ea

SHA512
ffe0380a09f129d40980ea14a3e251f38a5fa0031ba910d5f4152f258c39faf0843ca1c60b38a3afa9026f9ec1beca5eec19aa2a2defef66ab080957a46f41a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
aad1bca9f607f1b4d19e8a8fb985c943

SHA1
95cf9a6558c61f2c5d104bc80ee9e211d2799b90

SHA256
57601a5f7169f2fa33b1658212316fd879fff227ea3cc2caebfc515ca2778134

SHA512
4e0116a77c57c6c40160d7775e489ac3181f3f6e9bb321fdccc5161fdf15833b17e39d5b595d5a519706184f12c05bc6137ab923b65abe279cd0301e6dcf385c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
5d42af3d6e00f679ca60d3f1fecbef90

SHA1
3723cd39f6c26d4c5a44e4b721a0adb14056bff1

SHA256
d73e4293f8ecda49e2e4fe76f647102bddebf00075426aabec0f05f2b3778716

SHA512
a6cfee1fd5e53bb91c5b7a01674db84ea3417e88fc68152edc18abfc4026a58f6359b74458d21eb3bb05f473a402193c982093de0e97d72940520ffa22ffec8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3251c54f77e150e1397286f67cb45f94

SHA1
c5f354d76e36915d2c8b80de91a41564d5b36542

SHA256
e7d5c54f4ef381b26713deb578345bf65b18d2b9c28f26865a58ce3be7e99b68

SHA512
98b6c9f7bb1d9967e5b8647efa9ff68af448816b4b987a7b854d57138387bdc5c597abb1813816d6f7654007cc0b98a158918fb95ae91e5efc4adccbfc5ec84b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
93e42a329659a5fc1220171b8735287f

SHA1
34cdc5141c1a3e8d1470870d529d05b8dc3a3baa

SHA256
5953db3cef6a0928ae861d2346b88e5cd73163c45aad014cd1c3b6350ea11979

SHA512
bbde3301c955959fd82883528e9c6e7b8fa0bd2dc50a1f9558dd2904b4f82923f47fb61b2abc679ab6b74b067264afd065967bf49fc2ae5c7b5086650ac252f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
efaa30fccf66764ce1ee32e79d62e47e

SHA1
d8946c473f68ac26736da83a604fd5b14c8abb47

SHA256
0d739480850220aa085668aa7d8f7474dce24bafbdc597b67f58eb9654fba7ea

SHA512
4fe7573dcb37f1459af12ac3ef01f77a34400433c6b13c79db08e85f935e2ca67fefc6f6ccff3a710dedcc3e058b20074bacf7bb7c144f26eb069ad2f9fd93af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
319a29b718a6395f9f40928e08dd6945

SHA1
73f7cf5da435a4a2ea8a941e8b27aedaf8d7f317

SHA256
863ec754780087f7b22abaf50fbf28ec9db5d49649861ad99e448c071554eb4c

SHA512
49c6b10704aa5d8a6ee86b78a27f8b2544c1d8e37ac7bdc9e90a9f05379995d94ea97df3a6655ff667c5cbc74fc6fe5269350f4b921fa88bfd7e1c58cb79fba2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
cf40c7ff3ca133864986763754a5e94a

SHA1
3c89416bf1d2d52446aa1bb1b58935da53ca06d2

SHA256
7ed47c9c320bee0a7c830b38804d37707d0c9e7ca88207705996b9ec9af7f884

SHA512
b3cf6a1901bd209a515381b5530e8947beb8bf1dcbe71f0cd56722388a7191aa3a4a336bd810edfc02fd81e3cd47de57e6948388af1977bf5e17002b4d6a21c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
7f254d4edf907fc50a9b5e5a2c9787b7

SHA1
af6cf309c41d18b1d52e794f3b231d22c982c9ed

SHA256
fccd95dbbf3af92db52e5d08c8edf3d4e6017dabb010aa3aedc9afe22634eb91

SHA512
6b9b4652405d0f216d1ae2dc9841e83ee83e24a26a68ac6e3fa0a2862c7763948cfa7057be62b71a376901e1089bd9c8d1fb15ba0bbe31467d5d289a4e5d0291

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
5063d28d16414b2e6708fa98264cedeb

SHA1
c71cdf2c0b58fc648dc283abeb5bb465dc6dd218

SHA256
2f49a5980febdf0add530e9954f78e15afe7e84da319a0065be66f70f62fc318

SHA512
6a70e701d62240aff94ed542a1aeba1c6fc664b41ca0af15314377ad71af4ec1ee496d66ce408b0cebcc69915988d84f1a7c4be6a286a17b18af14917576b633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
69dec87fa9864b19ceba6ce7c95bff04

SHA1
182bf017b8413b27a097d4fd4e4aff9dd79cd70f

SHA256
37adee5dde7fafa7a2b2c07f6e41963120cbddf8fb48e39fb232e3b064d17aff

SHA512
5ca61d9f21df823c975c54c18e05ca38091f2ff66e621c53fdc9fb495f140bc03cd11192654c8e5fd1d54758bf9f3e936e4862e0a20d59003207748fb926bb28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
f188347c422258e85274717c3fdd6996

SHA1
b8413f3aef8a3512e7db7a805906f3475fe7d312

SHA256
c73ab7611424221d40e436f4f62eaca689607ecb615f79a44c0f8bb7bf3e9772

SHA512
f46493aad25fbe6ff43a52fc35a63483bbcb0b5a5bdbb401b0f973d547abf1f492cd6fe0d264b74f98bb837d086569bb71f71903eed3ba9f8ad4ebdbfc848591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
04f9154c7764950d5a48a872b675e780

SHA1
6fc2a94f8b660c627fb8e1ba638c6331254c4aff

SHA256
8a1ac5b559bb5006cd8a1250fa69dafc42c726342b60c5dcdd8c07a75584981c

SHA512
37b53c3237670d1698bd484f21a0fe9274ab917cb1c57662407e435d2b3d2c2a638864cf8cdd8656783cadfe741d3c285e00a5f00572ed734bd0199b98cf9144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
abd9de7319bf05567e452300d1bdb608

SHA1
1b51d35864b3a98c025ad018df2dc3f1ae1327cd

SHA256
acb96a9b333e3ba7d6642e8163a41b47cc90f814ae6174b5525f537ac14b272a

SHA512
517a1e0e7538e121c0f6268b4c2374c77344253fc18e4346ce6f6303e995c5a91383752dc0428bb0ca572d6e3b23a25effba89ad1d75137e6eed663b302db34d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
f4dc63f311bfa31024343c0c83e9431d

SHA1
e4fff5e0395a0727aa516f24b08a322c9ebc0fbb

SHA256
5c1e4c71d227bb79be5663a51ea719be87ee64155d5ef728b84333bb1f26e7df

SHA512
4da5b0317bc7d971f771566f12f5c84f09a915c6579716ce45e45173108d1d97bfe479fb3e654265f2e347b77ec5a6993058d3ed1c54683d808dcdea37743638

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
c13e3342578c740170b0b7e467a5ef2d

SHA1
f7470dce1e4c80266b2015ecae628689f59b9ae7

SHA256
48efd99ba6110ecac5a0af6e69568cc3b28438a213b7d59f8f5550134a2d42b8

SHA512
2350cdc78671f3e4d5e669f0cd434922192d3a23ab402b9acdbc4f189dea927df6daf6325ff2e6df7a2a696bdf43163ab92ca52a2f46bfe79f96a20e66308a5e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ed5f553bb869646c3ac378fdf50fcca0

SHA1
3b0897de2f861dd554236024bb7f0a2f10de9e61

SHA256
15ae572e38043ff3f3a80bb769c20e5d1bd1bd86015e16bc12f2c409080a9e22

SHA512
d625429f04a36f25994da485e59776adf41af51890c50579116b3e4be8a0106cba26dce774d7fba972cdc5ed1218350a07c72f14342420a760aed01cd7b6ef5f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
df2e956fa724ca7ea7105b9465d9c49b

SHA1
89c3a0964afba1541c59d91ff34028bf464f261e

SHA256
5c78285ad6e10ce3fc14c82b5493e9582f8fceb1db220d6853594ca66eaa1426

SHA512
e6f239eb0d54c48a848d691a5ebc3726ef49122f89ef1657e735d6c8d8c825b496c3f0df42302c41705e5a07fa23edd5041d881743f75fc13719251cb61920b4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dbe0db470e8fa215a9989c16390e8a82

SHA1
377a55eb33d3d22c017e330427a248b52fe748d0

SHA256
8a546fe4a86e840de740d74f0c687673a1d9839667e1cbe299791db7e41a06ab

SHA512
734e933daa1274659008827bf386d3cc42ecc822fbbad3d3a717be2a2d2f52e05267d896ebceab2792c6d0bb984f7b4e4a4f91821595e6916e9f20fa5b9ef3ec

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0f5787cd1a5ffbe09c20dc945711ce89

SHA1
7826cd0316b7f099dab0044a82ca8bfa97021727

SHA256
99500fd47e00459c7e7e561fa0a2ff89d2c6a6e1feade2cfcd371c891b4d97d6

SHA512
daf2c6a6d227709a26653bf53613ed415b547ce49e345d64e480beab1b3dcebc2902de178dce7e3bed3cd7be6daa911d83b109d959db894879c764202e5b9751

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1b2d3d6978aabf9e1dae170a3ee62fe5

SHA1
08e9873a46b764752ad617d814b02dfb69548278

SHA256
a10e81b9d4a4796484450eb5ae5f87566686c6e3d8812b65063591b36b5b4a6d

SHA512
15f86372d05d4d761425f1fb781fd521229bf51b582c9c8cd997441077fb1354cb4b94ba65b87542290457de3a4aece48919a2c96d0e5f060122b78ef1216fdd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
59a2da7a8d596b755392652cb9dd3ff7

SHA1
925c71a2da7df8102d231d1697735075699754cf

SHA256
233b1147f8ab27d994998e8b439d1b133a113299596e9386f5a59eb6155d16ad

SHA512
82e2e98cb73718ab6b6c1a4ac013d5ff884f1611d029bd1e69a932dada14e81dd7231c61f22edcb564dde4be918f3082203fbb5826d0d9d5bb6129a45f85b71f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
5126603d5adb64debf70c3feefdff592

SHA1
a4d38b10761aefb36f2edc1df45f5b39f7322679

SHA256
dda5c53b7b885f1a5d43c1177fad89d5f0f319ba9994f09c6621cadecb5fe469

SHA512
1abd783e7109ec9e67f8852f1d5ba81447a0948b9e7e3216b5bdf7f92a65ea7d9d6c9de7838af7f72f30cf64ad9b8fc46fb59fd144662f5e874f2adb7095cbc4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
8c560f4573cecfc41bc5f95a87245442

SHA1
db3fcd5d88ae63fe6c74b2bf4371606711224519

SHA256
a7cf79c8ea8a8f3137b9a0bbdecfc59b175726d48ce2ed20e569ee117540d778

SHA512
9d7b3cdaadacfff25a28b4785733ab554e016a94b868c147a75dd31f707ad65b9fa724022d5456423095e0205677966cbc385bc6221098a8191e6ace67b0bc7e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3e6eb1c9e568c052175f89b70d6d22cc

SHA1
ba42b3fc5908108badb37610e8ef2b367ed1f56e

SHA256
c5e58f448261371049b4ce3d6ef9b541848aa4e2410f0b4f32c784330e6a4494

SHA512
aab8feac21a2fb5a7aa178020fd2a86f6276bfb57ad411f8ecca5235e315fab24a4cf1ec97a78badb267ba54311838d71a8e58546d0adb798f317d77f79f2046

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4124eb13aa6632092043be10bb345d0b

SHA1
4bd10d47221c66b715860aca27de25e08a976b90

SHA256
c65f72967b88cb57e13989c2f03fd6e1438f2cb095811c81aababc26c1dba9ba

SHA512
8061d54b1248b06fe9f6f86fccc43752c9ee26dd36c1b3175b50604bafa3a3f1cc55e28eaaf811887344f4a30485ed7f4175cdcb849a5cdf2c26d7bf19bd6319

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7053ae60d057260292327c692363b7a1

SHA1
a6eb953dbd46dd3a938e4fe9db71208f178eeb89

SHA256
16efa703d94cb75a1e0fcfe7b43c14f0c41684b6e4649076d28d0cbb36929a87

SHA512
d30a9165756eb86d76fdaea19159faae9de53ad1ae87d957d6ac1265fb377db40ac461ebfa515ca995d7b2b89ebfae1058fdd9db9b6f1b3a3843910814ebc412

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
dcd2ba93f87dd865723a8c360e2718de

SHA1
73c3ef88f034f90b3c125b7a765737a90ccef5ac

SHA256
fcd90fae468f28db405d0d1602295ee1b5909a3bfa5f4de06eabbe9090f7ede6

SHA512
3688fb1fa9ca27ddfd342bc123ac710fce0b9db565b772fb13805a01b34720dc03f4052f138e0440234f4241788b6d90cfb391d66c74d8ba5772a3d955c03dde

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ac0d289e11e0d0c67d7ed0ef2db5cf29

SHA1
eddef39a2b419fefcfc420f9abffc743434ff099

SHA256
7cb6aef9a471c16e8ac896f35afa6af92d360c2d4b21fde5ea4b4c965fcb5a6a

SHA512
93e5626b97b5b64e704a7ec5223e0a5a833ea49a5b1f831e8af48845e370bbc99e6180861edb6d99e214cac751690433a8571ca7dc7d868ea9f74d27d5ac8824

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
bf74e1d1670105642dacab32c59ce91c

SHA1
e7422277e418b1cbe64288fbdc30cceec79eee07

SHA256
dcd7ad5e9537af4bfe20627fb584d60b6f575d8840d27f8dbe9b82c84d22a1c9

SHA512
3ff8db5244aff3cbad02dd6645f31bc4eb6c0b56cf1cf60f3404c6e454ccdccd448309e371e4bc15e6f58645f00493354cce2859af236d55a715b5d0d188ddab

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9477d14f8bf1d95a2c4beef2a90d723d

SHA1
1e455b0434f8e37d0a3e64cf49db917aaefb17f3

SHA256
136b556f25b5248582a24813a8c465eaf51dd51c3f0a799b73202efccb7ebfea

SHA512
ef165675db4bab60a5de701d61db75135b7f4d618fb1418a27cc24d7f0f4098adadd11ab9366f72c097896d6ebd01f5853f172f5da78933e15dac17d99506eb1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
722a9275ae932ff723d4f4a2921e747d

SHA1
5fb8968b7e979b904721e779c3d4a1a2e43801fb

SHA256
4f00156a9265dfe701965105963f8af678e51511b6f184b36bc9652e48f17e98

SHA512
6f1eb203954c0bc1fcd8eca287eb32ca66a0f0e63238e4a964637e61e2e053a2fec8049427a18db35f196d8807fd57793295381a3ad7d7d2ef2016acf0807c23

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bfd938a95b3489c5acb0812e4f57e6be

SHA1
856d72aeebdd02e6555f9de40a1f938b72b8f7f0

SHA256
a853ef3729b4af888ddc5f9fb3c3cee573296941feec924c03155f97daee07c0

SHA512
68794bd019c092f48913c4673b0e4afb468807129232fda88ce0816a0171bc5b7e4bb599fd3cc777a184276648aeac1b3b712031688e14f9684e46d1a31fa55f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
b2e632e1666e101d17c18d1933e8df7f

SHA1
107f4f0084c79a4e9fab31ab9d5fd022ed88ad01

SHA256
d995fef558f0685fb9a237bac2c27ea71c1d7aa47d71b74bf261d0d925196c32

SHA512
8e1eb94af267c9aecbf727811f08e19a55fe2da01cfc5c3faf75d18d0aa4485e16a13e8ca7d5f344a74e4858f6f4fae11b0792e773d589fb910ee6d25815e88b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c9099a0bfe2d71dbc8cdf98c6b3997a9

SHA1
dd01596a0f5b84fbeca94ff8e8d7017c1f4f2b07

SHA256
26a6e25982066a5a8ddda84fc73e7218f0ed5381156d3c210622acc82e0819ac

SHA512
825e571d9b95349e1f38acf4dea87342745c0bfaf31f35d24c89ec1c900dcc7cb39942478fd2f9deb9ae07112275d76fc54079cf0429d20fa6d4451127ed76d9

Download Submit
memory/524-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/524-417-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1256-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1256-443-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1264-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1264-406-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1264-400-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1264-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1376-364-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1376-299-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1376-306-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/1400-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1400-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1400-331-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1720-65-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1720-72-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1720-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1720-238-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1720-66-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1756-388-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1756-447-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1756-380-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1984-250-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1984-310-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1984-243-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1984-244-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2080-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2080-255-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2080-262-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2080-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2080-269-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2364-339-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2364-346-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2364-408-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2564-449-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2564-456-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2652-357-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2652-295-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2652-288-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2652-349-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3420-374-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3420-366-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3420-434-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3592-230-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3592-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3592-35-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3592-27-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3648-17-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3648-6-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/3648-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3648-1-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/4072-469-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4072-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4112-312-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4112-319-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4112-377-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4112-387-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4140-431-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4140-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4384-60-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/4384-64-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4384-57-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/4384-50-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/4384-51-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4524-279-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4524-337-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4524-271-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4720-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4720-360-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4720-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5052-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5056-174-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5056-22-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5056-11-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5056-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download