757b89f70e40ef357322ee86a923ea49696e4413919f7971091b35c4c0a2f0f6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

757b89f70e40ef357322ee86a923ea49696e4413919f7971091b35c4c0a2f0f6.exe
Size

705KB
MD5

955e4a810e5a844ea9401a7a794e5e99
SHA1

6a42f3e90b5bd73fe031376aca0c83cb03809dc6
SHA256

757b89f70e40ef357322ee86a923ea49696e4413919f7971091b35c4c0a2f0f6
SHA512

def7517e895a94d20e65207b72eb08a4e7daa08df5c2063992db74682f05ed39cffc964be813026707e5f9efb6da8d1b0e01ffe6942ae91140d87679c74df637
SSDEEP

12288:NW9B+Vt3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:NW9BOHofe3y1sInB2COzRq8DvFqt

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4856	alg.exe
1540	elevation_service.exe
2608	elevation_service.exe
4132	maintenanceservice.exe
4080	OSE.EXE
432	DiagnosticsHub.StandardCollector.Service.exe
2328	fxssvc.exe
4324	msdtc.exe
3256	PerceptionSimulationService.exe
2740	perfhost.exe
1228	locator.exe
2168	SensorDataService.exe
1124	snmptrap.exe
680	spectrum.exe
1608	ssh-agent.exe
2020	TieringEngineService.exe
3500	AgentService.exe
2488	vds.exe
464	vssvc.exe
2708	wbengine.exe
736	WmiApSrv.exe
3704	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	757b89f70e40ef357322ee86a923ea49696e4413919f7971091b35c4c0a2f0f6.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\47e651df7d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad06ad718790da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c4d75728790da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068fddf708790da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a266e728790da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d51396708790da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070c1e4708790da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1540	elevation_service.exe
1540	elevation_service.exe
1540	elevation_service.exe
1540	elevation_service.exe
1540	elevation_service.exe
1540	elevation_service.exe
1540	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4760	757b89f70e40ef357322ee86a923ea49696e4413919f7971091b35c4c0a2f0f6.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeTakeOwnershipPrivilege	1540	elevation_service.exe
Token: SeAuditPrivilege	2328	fxssvc.exe
Token: SeRestorePrivilege	2020	TieringEngineService.exe
Token: SeManageVolumePrivilege	2020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3500	AgentService.exe
Token: SeBackupPrivilege	464	vssvc.exe
Token: SeRestorePrivilege	464	vssvc.exe
Token: SeAuditPrivilege	464	vssvc.exe
Token: SeBackupPrivilege	2708	wbengine.exe
Token: SeRestorePrivilege	2708	wbengine.exe
Token: SeSecurityPrivilege	2708	wbengine.exe
Token: 33	3704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeDebugPrivilege	1540	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 3812	3704	SearchIndexer.exe	123
PID 3704 wrote to memory of 3812	3704	SearchIndexer.exe	123
PID 3704 wrote to memory of 4424	3704	SearchIndexer.exe	124
PID 3704 wrote to memory of 4424	3704	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\757b89f70e40ef357322ee86a923ea49696e4413919f7971091b35c4c0a2f0f6.exe
"C:\Users\Admin\AppData\Local\Temp\757b89f70e40ef357322ee86a923ea49696e4413919f7971091b35c4c0a2f0f6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2608

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4132

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3120

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4324

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3660

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3812
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cf6d7153e9d8fde97091668c73fb3d77

SHA1
9e6ef7db2b3c9e1e0a121ee668a1ac171c1c1cc5

SHA256
18d45a803a8a95935fc920d32698c2be0a85980f1cee37efdd55feb7744fdb0a

SHA512
cd1d6cc01ad4a03d79b59ec1eac779128ada43a45f45151f6543cdd0dfa12c1784d22c2acdae078b0f9ab49ceb797975c0c2376e5d4fc051fb3d38d06bab2e4b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
408c7a76bccb398030779d2bb99566bf

SHA1
4990f82d6e0f4f66e4bfcf4fb3516b4c20f707ff

SHA256
bb3db290badda7eeeec070d2ace66fb641d8dbd0927b4ad6988dc2dc24fc7ead

SHA512
50070535ba0f8d77b28c11a33b1951a3df30e7f5a0591dbc51dde1a0d3395d45ae6eabd0679a65dc1fed6600f93319d1d3c5e9f45783922ae3cc3bfb64d5adc6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
62695f683efc4d96c680ab96de6efdcf

SHA1
9bd4280732325e0b261fa9eb70959331868b094f

SHA256
090db62954250a0f803280492ae7df7750da2f703c17996dbe9a1e8a32635669

SHA512
c54a72ac584e8675b085a95adec832835d4f92a184b6d35abeeb0faa16e612ea52a2bf71e562bba45c39fd0875ad89cae22b3308b2aff855c78fce1b8c9c4246

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1be3888351c440dd59ce7fd376236f32

SHA1
3b9028a486179f10e4b407629906b21b77e05336

SHA256
aebc8a0fadd90160038738f4a32fd7412fbdab1583b00c86efe49346dc7b6a8d

SHA512
aa662d9bba1511785e5bb1714d448dd70b90221e2a7bddb91743ed482a57a8a59ea0212646e7206d2a423f771c21557df117956dec974b8b7b67be7b6e3a46af

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
999163334c815d7049f1332496096549

SHA1
510a459862439d790ade21f43c6adffb70ea27c8

SHA256
cdc67f400a66c35fa74fce5102086b6f0083caf557aacce01ff43b1f0ba5d349

SHA512
11e249c8ed96ce7e6d9f337380013a36caf7787eb4b6beaba28808fd0ffeab3325d7664d3326e7416c0b6433d8e01916d1042bdbbe3fa797389ad4dbbb34cc28

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6be693e6e1d9be0a821e1fa21e543bf8

SHA1
252f3a9815ca12e0094ce9013e69351f67e76463

SHA256
fa4e77e93fbf2b6dde9803accb4e0c4fc6f789134f12bc416c883580a7a83a39

SHA512
cf80299adf77aac8d8cdf3415f7ec66f8042a13639d3bc388b58139bd299db790177c283a731b99398328e64311b207d470bd6ba922f0349635d5a4d87a7ad30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
23390a098b57c65630b8176383d233ab

SHA1
8a229a5a45c27d5621ed72013d2391e2d485d3a7

SHA256
6639d43cbda6499288d229618db09226cb9d758e75026c1c1e8a2133f5930b72

SHA512
094f62bd51482941647444fa05291ff8ecced153f20469fa6f5abb84328c1403a03f45372964fd315285b84d94421a7e41668c06d215ded48de83c8a726b38ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bcb458bb1d05043d3690f80f25748882

SHA1
09377bde513737cfc8f10c8927f000373c26f2c5

SHA256
9c71d1d1032ff6c3fa085b16559cf35769a63034c0c4aa85e2ad99a32599abb9

SHA512
a2a2ca2a5213267b64229e678d9fe1aef437eac26d51d73f91328e058319e6b3ddbfc02741d0aeeb03b5086dd54aeb2f5aa5bfa41b7298f345fed17e426ab372

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ddcbed7c86ff74819312cc591d069b14

SHA1
c61985548a34ebdfca42baf327b775f333e1066d

SHA256
f96ae7864c9e593a1b4d95988fbd5c7f804e619828dab4d021c45ed9fac3c151

SHA512
5e4536a296095737c105061a7e75364b24a27f6bdb7e6f44f19d091f336a0a561879489112410be3a0739a026dc6cb32aebfd6bc4cf4675d449a7e8e45b4cea1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4d200aac5901ba3ef6fa7030b97068c1

SHA1
60bb50ba433f41dd982086bf462bf9dd2d0f5e63

SHA256
e825c22d92436722e290523c2973b832c090ac02e76c90f67ccae894a2e24062

SHA512
c1efd3e4018c136ac4c3e65adcaa26ba118430a589016c58254a57e6f933b8cecc4c18d8cd305c2486644a3cd6087571128ce908cc4aeae1200534052655cab2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6e987708865ee7c6b2e72f51b9299ce7

SHA1
26e1e779f670963733720c6ec427170a37b8149a

SHA256
091c5d2f1cdf8042f9c6deaf4d58512dac7f326328a70342eacc00d4fff22dc3

SHA512
af9d3c2ee04541eca18629891b23efeb9b639bd5d8eba8409b07c3f1303280fae6e7369c81ec4d8fd3c44bc4203a527b901bcc305a0ca57cbf89d93a1a347ec8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
19744c5ce8a6d500193680f9fb4b0584

SHA1
9ddbd87a9e635c8fd890c6823c4ee4da2589b22f

SHA256
a6e50cec533f5de36241e0d16fd585397f5a78b6a01bee52fa3df122e3ec886b

SHA512
ee924196e07168ca441f9509f188b669ebf91a3e735fa40de012ec65a9b519e904800450715d8fbdccd77423c8e8b9dc6e9c1f5abd6cd646e66697d25337ce67

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8576aa52e31e7ae49a808da397254837

SHA1
e2510f5643a135aca0e01dab08b1c09fe58543c6

SHA256
6ea38cc315312798a0a13913e0f152197c4a41e9d9794e31f27c55674516cc9f

SHA512
d3f75a75208d0ee857bf82c881983899ac591b18a8aecee26863499f3ea84223aa5b3d382863021ff9f6f498332c2753938bcd8ee3c03375197d7d996bdae8ee

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
351eb906e0c893546b09f89dcd3ccd86

SHA1
0daec1be2b76ed42519cac1c42727e827f616f7c

SHA256
f5fff40706b4eef389fea428b50d69015880820e7c7ac1c5df4e0722ef967343

SHA512
4d64c7fd0a930e8db6ae42e6c9e32a4e892eb9e230c9dc73ec44e79fd21179ec7e0449f415894c67653e7e16d4d130fe61a348113be6b57355908c86c68bd5fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b38e4969b2e76edf1e68888ed5dd9b2f

SHA1
3bcc1d311b7559f4f85492ebb8050187fa3b2ae9

SHA256
69ea6a3e983682064b9ca7eed58bc66fada21257d978b58b6e8a007bbfdc923e

SHA512
0e08a6a02b83edec0530fdd316092223a6c5a7f5b3332892990d935698c3e8585cbfeef2c316fad0f4d16d4fd36008c3da2b1283586615af9b9bdbc671eb6a56

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7292719b83435e276c1fc6fc4c9c2cb8

SHA1
f09919529007dfc05a798994a765a44762f35319

SHA256
28f16b7592d3bece28fa0c9b084c072164f5857dbca29835cd49b9cc2dd47cac

SHA512
d6403f354fd367e1975688a89334a549214bbd6ac23c415f9636580730ecdc6082fa1800f715e7dc569ef06059bc31ae25b92a99a42bdfc2a3e0bd120db09b8e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ef7bbd09baf628496919252726872b68

SHA1
a2eecd69d842b99f523ed58bf9426ea06a653a21

SHA256
a4a866af125565a9975774558b0d31dea4bf85f592e8285eb34195472a6816d8

SHA512
d4e79181de2c01652a955a569b8988d6e3ffee626edbaaae090d877e27f5348931d6be7ffbcabae610e6fa6f96c2c70882b2a0803ed2a8edf1c1e64ec5c5246a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cf675d092067a4aa6f9984c6d9ba0a57

SHA1
9895c5c9b0ae581f6549a12805fc0a8e40c79aac

SHA256
b5eeb0828c9f89d7c36c2bc6c3b773880ee1d77dd27cf6981abcc92729d7f7f4

SHA512
c7428b9112083802f3aaebb0ca18fb6940c8ade2e2469e9c4ba5096393ac37f9f6406ee87a38576db6b97b033239afee56c5168c3054b531a949693e69c5fe24

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6773b1cf7d92560b90dfc2885c0ea2f4

SHA1
0fc9d0ed0630926fcdb52c4a42ce5d7e417b6efb

SHA256
f2fa0e080a0ab8cb2d513961bc7b0238b50e31a65e925ad1c786a080607e151f

SHA512
6b099f2979c6ff82e9ca8a57762542b6822000e1de042bc620b72dfb9ae49996d964a20dbe94fd2b360ec7fa8e4f3568b505068548f01c92ff7008d45dbb6e4d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7cb7b2c56ba54f11e36fc4b76d6c490d

SHA1
6c9dfbabf9b0f3dd127f3014133fa0ab27b9f57c

SHA256
f71af428719cb7fb22ad0f44ffddcf5aa67f898075605ff48699e95189ba7cc9

SHA512
5394d89539736b5844ff8e4ec14019926ea4ca17f5609e2e14c1389041d2390ff0878058beaab25cdb4a33239ee6c80459777a2a98da76c1e1967485804d8aaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8cbab4fc3d32f67f11f9f0d48777c32d

SHA1
5ed9c55a155d6aec6ee461f7d5c135d901f19833

SHA256
8b834a2f54b0b482edad5706f937c90a0522e1790d10d72bfe82f7b93cc8be0d

SHA512
0de83f25899e23592bb694a014779d1137925db21cec25e8a6a6c4bedd02873ddcec73d294a5e4a27fbeb5bf1284717a820af53cd25062324c496bf51ec55aad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
fa319ac807352f705dacbe8a9eba25a4

SHA1
ddec209adcd49db0b97631881920b9b40fdea391

SHA256
911fb5cb498a3892fa880c4d9c5773319a5b0501f6cf338179f23bbf6f60488d

SHA512
39047794c190b49c7ef84a4b96ca9f7d614b21f32eade1a7d891f69ed265ba2c90de19adfea3377279051274633be8074d26d6d67eed8e7c8f6c0c58efb3b96c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5c403f6acb0f31b0ecf29969a71f6272

SHA1
1c760e26667583e5cf8c6b7266d4a1050c93c255

SHA256
b003e25610c7a6288f541e4e21e54083e02825e5e2b9a14bf1585cb9afc3020f

SHA512
a7436dac660f2b37bbc63a5b3914e32c08a68536b274b20db3fd01e6fea70d6ace48aaed115b0fb2a76d16f2371a1f3168d692ff8494d65e058fd709f234d2e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
11779c7cf8ef2315db6a5c6ee9af95b2

SHA1
1dd9c018a02836947e2ae6adcd024b21473c1393

SHA256
9f8148c5eafe2105c8b7f03b09de1e7d48acbae7611aaa72b20e3f4763205132

SHA512
7224038234e7e8d9d4d6dc0d223280c192fb30d7592afc7e9cca32a8b5d400d4af190a267ed7a15c280bf5c799ba1b04703cdfd44112d379e26cae734b67a003

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a835f30a22b2a8397ce53171ffec91e0

SHA1
b8b4b764d88c67a96b5996ad9017cb8049e0eab2

SHA256
364329a827523640e9bfbb8b2f7a6b2b70fcd9fae19e2f720eeb0fb65a1abe88

SHA512
32c8da35e3a29ac92a84c7b46bf68ae63493cbb7f1295c74d32e8972126a26be4201ff5543591d7e5ec8a55c68e46b32d822c37bf0971ccb6494d773e341c079

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
596813931db1d4e7b6ebc05c81956cdd

SHA1
91e5ff6959e5b9e88a08b802e9ce7f19a3d3641e

SHA256
ad5ea6d7ef276ed9ceef3eb9dce3d6b1ce87b9aadccf26f37b185f9cc7f3a38f

SHA512
75aa76a83f3e603e6cbaadde345c86a3a403a8513d4b19e9f1028a320bf3b077e1a3445a57f7dd8b8f0c88578c1d2818f14d0f4074cb512585b48dca829471f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
597ddd8650c1f44f46318bfa55302d17

SHA1
870f02db824650c86e489286b0c8d11b1a230aa8

SHA256
494d20da4370f3c2b9667f5f813749037636c47e576d94d7dba193e70690df4d

SHA512
5b13434b6f40506a7a0f89e0be78c3797e49b449b98f28d8387c0d55e0801979017befd841cc770202257f777f2c3b86b30b1fbf64082e70c82a3c79255121e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ed74fb5893603d9eab67bf9cc76c4379

SHA1
9a8566c31b479d115ee8d06d14fc13164397733a

SHA256
b3c490043cb471489c8e9cc55cc48c78995fa911ff3b5740c83d59b1ea36a9ec

SHA512
6658ef63633bf8c99e04678e631c1404403c859f035335dc28cdcfac6a8511e6d22ab271a7c5c54abb85cdd2d36c32c6a9e49d2f810a864462451a8e34baec42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3c4ba2c9218af49c19984ed050e3bc0a

SHA1
d787a17fa6a4aea5810d44ca90b39e9b7cb9e9e5

SHA256
18cd221ca6a2230e04b8f46f3cc8cd5cc7d6349a7127631ab890fc8d0c944d0e

SHA512
ac363992b2689a02a44128149096dd192cda617e0e71dda73081b2513ad7c7794241694cdd1b98c56eefa2f9e93d6b0df155bfba83bb801156b681c093588dc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
381461c8c54771f4b9f53ec3ef0a7445

SHA1
fed9bc90e6abb0ee6554ae04a45fc8d3a0c5882c

SHA256
ce001b2c49477714823fdca71a34e03c18c47d33a15f09f8452bfa7a0a5eed06

SHA512
af4c878941d7be339b4cde08d08ee188518d6d3d183a54b154c0dd0617c6d5d33397310eb48685d5b1a0b041e5e0f4a436665a62f163ce60576eff9b60d79d92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
862dd458ce6be4d9b67b6b9010c06b7e

SHA1
40972796afff2aedcfe6c41d633c3ce10c56f689

SHA256
65dcd0e7c872646a57443916b7ce765490a3e131f98e3fc29cc1449a081da9ef

SHA512
51e78d04c3fa030261471a2785c663820380c6d04fa148d26fa4b8f6adfe36415f8289b6178ea751bd250bd0f02d01adb26819bd0d006507114f8d454adaedc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
571209a281f4766f71bfb43f216ee03d

SHA1
0e1a677cb4c0dbc7ec023cbb001f33094134cd90

SHA256
f0f9af452031b520a97cf6768bd6b8e84d604ba1f253d4c460f3611ff382ecda

SHA512
db9833350bcf01d54fab8f3a5ed8a5eb817ead851349b769ab5cc43bac2df9ffbb84c1f855c90ddab2626463813bef80cb20cfe59209ded99fa1f2137cb04b8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
251925ef5b66b2b9a6f597f813086251

SHA1
be50f07fb4a8833eb0dba70470804c13daa85736

SHA256
b3ae88f49c346a742cf4e3ae0013cad71f56dfde481c58cb3a8360eee4ae1191

SHA512
0051b314b07e4dbcf1fb1d432a1656b02e6aa0c1d9573f04194c71d7dd0ce64cd396d416b4b78d2a835ec84c2ca5a2772953c38721996eb5674e2d13aa05e157

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2e292e50200a6b191cb951c154a1e5fe

SHA1
7bcf230e566af0fb9031769b5f88fe2037d70723

SHA256
7b424ec0d0d86ef789ac2fbd06d12c58688930fddbc4bfd18dd491e26eeffd4d

SHA512
9bccb55bcf187e3376eb773bd5b32d7b12eccc92f6131d19b8dc6ed1f0bac14903defbccd6deaef1aedee30b2bb45469b6522aa744368e244244886ac0abdcc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f157fe367e4f8fa89ad288cdcb7aa8b3

SHA1
ef9ecb06fde4313773c48d224f10b943d3bf8095

SHA256
58dc038a6b248fc726e9dabed512efac128d5a56ae6c7689a3b81b919a9d238e

SHA512
73e8b03a78743c9da253847a9f42041036571617a0f032a05ac5003a3c364f1657ce20ec085856e5d2d197c105958a53f778021676dce627f2dcfba729de3a1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8da5898ea53dee6550838a35e2ae6099

SHA1
9a433f7f1f9142660d5f5c9ca6872c2c99860248

SHA256
da607a17d28fb41790b62f6e5794d9a5e53ef101e1249dfc7b7b9c6f278f064f

SHA512
0067f64637f5fd390528acf90a29c57a2d8931e3a83615dce3bf63cab4bac0295d4931a88ffd47b2942b9fdf760ac315a9027a81e770961f36f54e8bec0788c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
1a35681b20340ce2c52e30c33b4ca3e8

SHA1
7cc106db3471d7fd6fca8e0d8ee500a935871c43

SHA256
ca9f13233d27b1c264e4ca43081d9a1adfe0de7e23fdce8ded620e7a3aed63b7

SHA512
269c0d754b44b35fd5f747f88c578d2e09306cb4181317fed7e0f9a3c85d5dfef9d1d5be26a7ab8d6962866768e862a17e75298baf87d430399a022068ab6b28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6a2923ed5f0b456d0ee181f370b77a2b

SHA1
77e722248adbb80fa8c1523cd5789698e41ee707

SHA256
23080b435d326b1f73817b3f2472c215a49cf1b236a0b6a1a9ba83e6b2394dca

SHA512
6fed4ffbe484ddb35cb1f80d9701d1c3ad2b29cad915ae18fe229b2d84ca069598bd1556f3c96a1eeb6ccd957d20d3034fdda0adde933cb727bf387924c652eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
eef8e41aa517106decb6d700c906612a

SHA1
ed722f288c945e009effdf382e225932773753d5

SHA256
1e8bdfb6f53c325fe6362aa5444abec210ffea1a4538caef12eef9d9e5af5d04

SHA512
3cab36a751c16df8ff71caf7ba62535720a47d4581c4589a724b41d420e47e9e653289c5dda8d6ebae099b02d2b360edb9cb1e786cba4911ae6f30c2ac0701e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
4ba7bf2c05995def843ee15a74f07149

SHA1
fbfba9d2306d76a1a8393e8e80aed1210c0cc20f

SHA256
a57707b1ca09d44dff888c0b53b09af0b502124329e94889dfa48daeec8da864

SHA512
32651032be4683a5e012bc04f2e2fa9b5b524ca76de1cfa535c9bad587f3ec93892e0677b74e68c898fd05981f6636db0a0c9401a47faf0e618c572ee804488f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
eb8c817f271b5329a5b3fdb4eedd5e64

SHA1
155a873127adcc92d2a428ee6d300b01f5d897bd

SHA256
ba15c77a6ad1d7c94787ecf15897df89c133c076d4ed4c0722abe1d0e97df798

SHA512
e8750e945e9705787e5c6bde4b48328636a53c1566ca0789b71bc3ef4783db437791c72c3f2a22b9ede9bd2374cd001e3a890c4f56d3d0c243918f7a5339d8ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
b8ffaa0cf7598dee5d49747386b863c0

SHA1
e552354fa8017f2198126a6f10f88d9cb6113f02

SHA256
405e0f5282339e9bbc1040c1afb0e8cdd582eb8f1299fc4747d009412aee6032

SHA512
b7e8952fef2004fc1fccf03e9b621c19b914a595478908f839d76ee1bba4d7b1564e270c35494afb93a5c783f6e03ec8495081acbfeef722bc3aed98bbb8de8b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9212e0ae69d741f99ba6d9f8379c0320

SHA1
6dc24bced68cab0e0a3888bb20f76792f5f59f5a

SHA256
575fe1640bb819719d175b3b935fad6c1fb5fc68bd64fe1a75d2c5331843df67

SHA512
7c8742e651b4a712537982664d4a8cbe187e6d9464456e39c6bc9bd1a9a8084e0a35449066831840267a4a5c4b25dffa4146b773b7ebbe1e0676b3c8514bbc4f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4666895e11b5ce75ebd489542cc95e77

SHA1
028c63a53f1f70df11efea3470ac53f3abe2aeb8

SHA256
7de17e0ab732c8debb0e26f801e6ca18dd3c02081f4921cfb49d2744170bae1a

SHA512
34e35309d5cd6bbba2cff3ec10f980d0a3d2dd8e86e8047c7ecce82529b42537116130e8b2dc6b3b82135a811c894bef3f852f1dab6aed010e8090b859450050

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2cc1527afb244cc20e55c4bc303b6ddc

SHA1
c85f85f35a8265da03a793d6033c2ebc1e8d42cb

SHA256
8a84b5960af23b3801f4931e2331e159195b28e1345c7a10d24165b9e77bdb44

SHA512
f00da4f3d3503ded20dbab10d04701a29dfb59432cb2fb866a42c59c0486330b0fdf82ea666d365b8c59440b8d9eed8b16e8ad5d9dca6e727786cd3d45ec7bc5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
481b7472343864dbc5614bda15b064f3

SHA1
cc220dc9c2cdff6f77082e1abc5ef19737b861eb

SHA256
d516f41e30de47100fbfe5546a4f3c75a99f5415dcafdd7800787ecda830e29e

SHA512
65aca0e7736a2c43d308186e56171a4a14294306c23ff59cde071b361ecfbc640ec757fea599adc4f60234c92cd1f03f8859a35a66ba39c9036d29ab469dbe9f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
14411db7d5b908dc0212bedd94baab59

SHA1
79fce0d1f56ff2dd18b6713a5b1c498b0dc1c749

SHA256
02e9221b0cb52ea327fb43f439c67a848f0122d0c0fbeabc648d3ec23054da77

SHA512
78d48b3f22e418dec14a4efb5b25d3c50c759350d3fcd8b11540b5d674483d1ff01d6bb7b13d28413cc9cc457d5dad46087d85d53e5040b34055758154e0c4df

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3216ebffe6b7f687092b35c9524b424a

SHA1
3368eb33aba75cd085b41d9f270b4c13b403c93d

SHA256
e2847f60f6ef9a634ac03eebe06fd83911eaeb99e7313b0bb7de08970fe56896

SHA512
c7f509f5abbcd25bd1d24677937e052692f3ffa17b98ca63edd9f144688017e54063a1de59b4eaf58ccf07b64f56519c45effcca2670ca71808e3fb61d8d8dee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0c5d3a36a13792d5d0097e99671bd05c

SHA1
d8f48092e7aeb185c736d65d24a832557b625f6a

SHA256
11d74587c4a54d1b5c5a0d95be7ab59b5a26a097d068332d61805f99fbc4c1c4

SHA512
c7be286a6f64d7c0a3fa8fa7d250564e522c8ff2607cc91eb31c6f0403bfb2472d4dccdda260db577e638e74b46444912710a87fdcec3eabd985f9af6bffb330

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d84076413300b4744d0a7d84e7bc2e09

SHA1
b0776434b0dfbf5da3bbe25713af4a49c60dd87d

SHA256
42bb4f00adce8e7f06ad6aea228e015f573bb8366672490ec7fb2db8ca2a90f3

SHA512
64e4773c3f26f488862ff82207078365699b70dbc6cf98643fd4752caab34de7f922a32b7733e95a5dd677ab48073ad0e06da5aa01f68df23edea7abe1364dd3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8525f5b48b0f058777f1e3e99d469586

SHA1
031c613bcf87f5ed7221abb3b80860a4af8e2e1a

SHA256
0a351b2e8a4b36d1fc694b4d876f715b9fd2d2c26205c85091d30194dd0cb9df

SHA512
fbcdfe14d9c4c9920fa693af214816101d8aa24e985c50ec7e701cdd29a604bab257bd7f9ef081c6f6830e525a1eb59e9b484cc3af3ee70207787bfbc948a03f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5c61964d41d2cd723e02eaa22ec5446f

SHA1
0ccfab998e2a0848ebc21f02f80caa76095d4570

SHA256
9cbbb3faff792ef334db839ca81a2f844513ef1ba3f97d82852a1bb41d696041

SHA512
5fa81ce44e33e2bc82f34a4807af00f59454c8aefc6cbb9b43bc83ba213b815bbc52c4a192fbfd430222a1378da673359a10cfb44c85744bb6a599e4a405e3c5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
50c00ab58ae9169c11a7db65a0dcfa68

SHA1
8fe85cc9a3be8b3d6d63899886342f09a6ee5ab6

SHA256
d8ca7f1f90fa4542d32079d755fca9ac43759bd32ad0aad4506ad16c3eee67a8

SHA512
4b7849a5cd88e1076f246bff0f76f897e1f17204ed73e2d3bb9841143d2947153944afaba642bbaa2fd262c6915c09761ab432c762fbe1974cbb453cccc6de9a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d498d0e794edb8bdcc15478b0d8e1340

SHA1
62bddc9d841ab451e16d318514ed2258bb82ff33

SHA256
9fdb08053d85f389325869959272d277472dc25c7ec08f82c106fa58beb20ba3

SHA512
1e1e298c38643cd6c1a17b2c3aa338e5460cbec69117ebf628f139f9811912f150cf77bba03d31ac3d3f0812a03947e637a3d874e0e0e059e8d18a5c44bacb51

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
976267dfa3172c3fef851b5ede555e27

SHA1
3782795bc4a16b15b4d11562917f9a3de593de9c

SHA256
8b158fdebb8cadd0e4d7eeea3502536dbc0aedd90e48559db6185640e81ec625

SHA512
8b75fed0bc203e48a388cc027cb391ede39a11600da98cff50e81752905027d61145204aa13823e492f9496127969663a65a8796252c9e3795cce966094e5ff0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
09b0497052e6e8f1083ca22528035904

SHA1
8c27c4ade50f0475c1e697d95f04a79a8a034c06

SHA256
b41d85a1e33592924786b019b23d3640dc09a413443b044f692354e82e5c0819

SHA512
7321e5f981e6598521920671ae8353509eb558fa6b22bb20c23e1aa94a4be314964e0f0df2f6617c62a8c81a20e77e3da4da90c2cc5c21390caffbd6f4268672

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a43616e12b4e709818fa05c4fe252d87

SHA1
411c7f430eea1e5f3d7095d4b008b3a56694a4fb

SHA256
93a2edd03880ffdeb5f57940c61f9c0f199fbc4b908d755c1f6f8ca0491aa7d2

SHA512
66bc864f8548009355998f24c5ea3e7379bb5fe7098aa4aa12aed9ec59c19634149f2c262093195851931e9d3a07e34557648f8666ced53a41cd098d79c1fd29

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0493eaa1b2198504b25b40ca26d64f84

SHA1
4cda58e21420ad4b0a1e648a4479cbd911ecb318

SHA256
53db2b8a0306819be1fde6051b2cd71de81847076e1c5a7330e58bf7ee0df330

SHA512
83fea31d984dfe68b955c15ca4f723cba95bac8fc11b24fb38b3cafa86c7a6b707d36bcbc7dc3dac45921b14b693ed14e76fd940b53dee1a9fa3aff2cbdbd1e5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
65edef0aa46d8d3254cdac7cef3fe4b2

SHA1
2239a703bf8a80af513a635a7646bb17e36ad060

SHA256
d9ac7d1a0043bb350f65cf9c01a56860a06b653eab97b0f97e9a0df576b44a82

SHA512
3c27382d6be8124af849a0a216aeb09fe31e843d1b3372986cb828ce20de337316a6fe28364500458478dc3eaba973519589e1c7ae2055465d09b450841b6877

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b9422de3fc752c89952b16d53c8fee66

SHA1
cebb9a332d6b7ba962e2dc0749816ec86fc7e132

SHA256
69d7482559917f3822c773d10f63e03244d8385dc3b6104484d8eb36560571ac

SHA512
baf0b27b556ded21ffc0a457a580ff93c2e2f7a4774ee8555233031fb4e0a413f32ea4d88109f76f0825d500606fdd8a1e00aeefdb32c10523f7b320b0420500

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b1cc2b0336fa16296c5f88518292509e

SHA1
6d034a6fafd961f7e89d7e11aa62eda5de52c78c

SHA256
baff8d769ff1a9f30107a4d36fac1faf52b93ea6e5e11d5804e6ec2614507efb

SHA512
627b39b4066b339af39c6098b305069695c2a6ec5e88fe901b2cc3d7f8ca54ad4fbe1019cbae93c7bcb445dc297ba93bae8240d099c0b6ea06ff8bb622bb6f3e

Download Submit
memory/432-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/432-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/432-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/432-243-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/464-421-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/464-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/680-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/680-350-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/680-411-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/736-447-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/736-438-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1124-337-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1124-327-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1124-394-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1228-301-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1228-367-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1228-311-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1540-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1540-28-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1540-35-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1540-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1608-424-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1608-354-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1608-364-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2020-369-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2020-437-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2020-376-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2168-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2168-389-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2168-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2168-322-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2328-269-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2328-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2328-254-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2328-262-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2328-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2488-397-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2488-543-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2488-408-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/2608-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2608-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2608-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2608-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2708-426-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2708-433-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2740-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2740-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3256-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3256-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3256-294-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3500-401-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3500-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3500-391-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/3500-403-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/3704-460-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3704-451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4080-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4080-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4080-66-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4080-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4132-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4132-50-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/4132-51-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4132-57-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/4132-60-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/4324-279-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4324-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4324-335-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4424-545-0x000001A438490000-0x000001A4384A0000-memory.dmp

Filesize
64KB

Download
memory/4424-544-0x000001A438480000-0x000001A438490000-memory.dmp

Filesize
64KB

Download
memory/4760-6-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/4760-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4760-7-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/4760-1-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/4760-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4856-14-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4856-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4856-22-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4856-228-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download