2248a2ee4c31bfefe8924add7278931edcf20241342ad5a4219a76533010ea7f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2248a2ee4c31bfefe8924add7278931edcf20241342ad5a4219a76533010ea7f.exe
Size

716KB
MD5

c767cc307df035fdeed7ef99c4c8fac4
SHA1

3c972c337af9e217f7810131e518c18947988e1c
SHA256

2248a2ee4c31bfefe8924add7278931edcf20241342ad5a4219a76533010ea7f
SHA512

02492e5a7b9ecaca0dc5fd4b1a80abda7104bac05d9330bd1eba1c301ce458661e02b4eead91277a7eebdc82ced78af0b13520ff0ef922ac5ab3d6b3298b82fe
SSDEEP

12288:93P/aK2vB+VGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhC:9/CKABXt/sBlDqgZQd6XKtiMJYiPUC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
8	alg.exe
4976	elevation_service.exe
2960	elevation_service.exe
4000	maintenanceservice.exe
2388	OSE.EXE
4840	DiagnosticsHub.StandardCollector.Service.exe
3020	fxssvc.exe
548	msdtc.exe
4420	PerceptionSimulationService.exe
2876	perfhost.exe
2152	locator.exe
5096	SensorDataService.exe
724	snmptrap.exe
5084	spectrum.exe
3048	ssh-agent.exe
2824	TieringEngineService.exe
1944	AgentService.exe
4680	vds.exe
1248	vssvc.exe
2204	wbengine.exe
4908	WmiApSrv.exe
5108	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2248a2ee4c31bfefe8924add7278931edcf20241342ad5a4219a76533010ea7f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\478d3e34c43e60d1.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_72093\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000949c52c1a591da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8ff54c1a591da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005672a8c1a591da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b39d33c1a591da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d24f25c1a591da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5084	2248a2ee4c31bfefe8924add7278931edcf20241342ad5a4219a76533010ea7f.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeTakeOwnershipPrivilege	4976	elevation_service.exe
Token: SeAuditPrivilege	3020	fxssvc.exe
Token: SeRestorePrivilege	2824	TieringEngineService.exe
Token: SeManageVolumePrivilege	2824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1944	AgentService.exe
Token: SeBackupPrivilege	1248	vssvc.exe
Token: SeRestorePrivilege	1248	vssvc.exe
Token: SeAuditPrivilege	1248	vssvc.exe
Token: SeBackupPrivilege	2204	wbengine.exe
Token: SeRestorePrivilege	2204	wbengine.exe
Token: SeSecurityPrivilege	2204	wbengine.exe
Token: 33	5108	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5108	SearchIndexer.exe
Token: SeDebugPrivilege	4976	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3024	5108	SearchIndexer.exe	119
PID 5108 wrote to memory of 3024	5108	SearchIndexer.exe	119
PID 5108 wrote to memory of 404	5108	SearchIndexer.exe	120
PID 5108 wrote to memory of 404	5108	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2248a2ee4c31bfefe8924add7278931edcf20241342ad5a4219a76533010ea7f.exe
"C:\Users\Admin\AppData\Local\Temp\2248a2ee4c31bfefe8924add7278931edcf20241342ad5a4219a76533010ea7f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4000

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2428

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5096

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:724

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5084

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2184

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3024
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a096adb7e2c9331f4e0b48af7da5fd89

SHA1
33e3d82214d0ab8fda2b8aa2f7f3964e7c87d87a

SHA256
203654a9e19a4b31e655b99ee8837cb5b51a2be208f76dd0f08e4f5ed300f556

SHA512
cd4d915e3163d39e81c0a35ab9bf07bd02a2a36558b83dcb62e969c625751eb24593831573d3dfee09f62d62f685dd6633d62dccd5b735d3c46c888212e7b9c7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
996339bbc32d0b632f1d5f4da6118440

SHA1
df78ac1ee45dedbd4c521a5e1c347db33fc45960

SHA256
3227732924b0cb5f117ef02b8a938ccd7fa3c8a1fffd3e115dffe751336c99e8

SHA512
57a951962e11d55e59e1c2485124a1a3789254b444a8d0a63a16f393c812c4d1b7726e51185b48009facba3ac0a13d0a56c9897db0e05266b9c7da753910423d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
00ba336d87bf2fdef28c1b47c8e08ebf

SHA1
f0f2f282d9457f4decc9e3821f0e8c6447c963da

SHA256
abdbc012ea8552111973a44e5f2048f750027b1eccb70211ac6ab549fbfe9e26

SHA512
f264fb392d9ec074f9394718e1349adfae5cf18429422eb79e3e6a80935920dfccf03d755c6c95c5267e71fdcec6b783a59365f3c56b4eabac09ff6cfae0df34

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1608fd6de0e66599f1e8fbc2b7c157c2

SHA1
f1d71ae33c75de8aeb65a375e09bc2a47dcc853a

SHA256
5391c8c40195e1481663740192be12b58111e7a61a7c30925d47892977ae3cf5

SHA512
563caeefe2feae2f2a97b1eed692b2a9fef02367af134818db41c009e16b7776312ab2bbd5eb97b5f2eb3d7a8d3de3a17b8b97846416baabd4f5bcd4ef833026

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
689d052638c6065e43b3360fdb9de76f

SHA1
5453726e55ccb7d1ba54bc26d074caa29203ddd9

SHA256
05a5126d110e5d3a05e792ce7f544cd31a10e5d99b5b1d87602c9b099625a545

SHA512
70f9b5ba7ee9a70d3641df42935021e86500dfc94d7dac1dad7c0bcaa101a20fdb3f7636beb2f841dfd012e3f30a23a14822d73d917380a3ab7b80f969c02274

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6ef24fd84323421c13c32652510cb71a

SHA1
6411a327d44c7ec1996e17a7a29d5d2655f8f63d

SHA256
66cd5fb6e57a041d612906f9d64963b24d6595f484251725fa866984b101e048

SHA512
6846be0184b7880ea1ecfe1d1f791c0e5042d650278171d519969c31861d2883d401f7b075cb462a8ba8fe1779ccb4fb906a33f59ae92e7fb42e493d7d7a9039

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5ea5cfdd3ae56a9377d6435b15359b75

SHA1
82e13c2d306d5044e59f442ad4d56b33fcb5d150

SHA256
a07158a2e9d1ab7056eaf2072b521d71b8fa97a2ae3aeb7cccb4a1cc234406c2

SHA512
f164c9ba5a09aa331480880690547a507ac6b01d7aae4291a6ea31a8a30dcddd0fe011a626057ccbddcd229171b0ea64739407605ee9ed405ad8c4e399335d96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6cee1d9c100730c55205423aa1f9502a

SHA1
1a0ed3ca4abcef1a38125a779c424d1415d0d82f

SHA256
1af94ade6abfb3d367d3b7174ecb27c98413ffef130b9fd148af10fca260cc56

SHA512
5b3a6f44461b3a1b838ab12bbd0f1d3a6cbf2be1de7c9b212353cb6528dab704ccdbb2f6551881be8a7b38b8c30f498478d3b9008dbb9d61006d019499302d92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b8885cf0782b41e0ad27bedb6725eba3

SHA1
79a7d865a39ae60b8a86ab391de55164bb6c0753

SHA256
fc09398183313f238d7b0e5a79005b481cd742d7443dcb208f77708f4a0dfb0a

SHA512
056805bcdacd73345476d064e7085973a06a9bcf0105908372586eaecd2d2ee18747a86b3d8b67b2b078f66c5d9b1cddf3af99dcfa863886f4155dfdefb4b849

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a988503c506b677c17344a0c18305eb3

SHA1
f8f0577a19ef58bf12cd99184e6e7b2e0192269a

SHA256
ff7497efc69b4264426e9eb22b58760630d93502a51c7d82c979f6f19e31824e

SHA512
7c85a3a45096d2a62e8488b5edb7586003d7ba0ce990946368689f48e52256f0b4fa9de23776ece2a67dc6b9d7fd2ccc50d8320e3a2d12878d940a055022528b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d9dbb68d8963fee98043f0c58ef1f47e

SHA1
a8145c69216753bba4382978b76589bb41c596b8

SHA256
68c7778466fc4d9512c21a4c3a00213b1ce23102b7124a9f89701a840915bbd2

SHA512
5d7d9215e34f03e52389e8e45dee88495ef838bca9dfb9301a7d5af111d38bd5c38df5b87d1c9d1843ba2e8c34b196140a6cca5cbc331e91c8a19c08d5e2026b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d199a0f5c3680d5a0b8a68a1ac500da3

SHA1
00bc9f96684212e0a4adf176d61a9541c9758070

SHA256
f155e4b92c42b28193dcaca4e176fe9f1d3c0234f2e9b9f1f0709576bc004e9e

SHA512
08a855c6e788a50c8d8f412faf92a4119039aace89e32dc1218c3e5290b727bbbf33b98cd36a600711e15b5e599057f58efb16d46c8ba50b50a739d65a0604e6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ae3705511dc3da357a79bd43f6b8eafb

SHA1
c448d9dbcfd1b34a2cfcb54a8966763b1145072c

SHA256
b81ef3a828fd3c847dbe1c0a241e7eba252cc9730d9fce178abfd8157d065b7a

SHA512
7c958ad71bacd7a7f9cbd32f10ff954e70f77f0bb47fdb91525f0e09a12aceb87ce6bd8c87f232d0201d47bcc7000afbbd29ea41a33a1625f34a180480c662e6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
eaaa74cf318085805a51a3b0a80f6fae

SHA1
b62b8730a2e7d8395d958546b62a56d31a4a5611

SHA256
be8a47c6c3e0cc7e6881171849a45767a60add9a0bad217ed470f9d8cbcc37a8

SHA512
b172af2f8345d20d6690e5fe2a4e2dc9ace6466f33edcc8464e36a24f6c93517d4d01818415d4fdba3509880cb6fdafd7f4168e243ba3b4bee89cde6e36d7fc1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5de7bd1afac861f83d3cb101b832a853

SHA1
9270ce61b52efdd9ad51225533dd15af5a99a567

SHA256
0a0e0ea07d07618eab1128fe8a5340742b9ba3c106a9bbe600b699fbbf644cbd

SHA512
174e94a10aef495ae69865fa7c8b4bff656f915553e9dd02e42345445da47e2a1c8ede0b602abb02e209d5f5916d52cb3f229f77000f28abfb183289af63d09f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
db179a06b006daa52646080042c8587c

SHA1
063a3b306d0d0b889236ec56422ad7ad923a45a8

SHA256
f8e2837c24bb7c8006e906f4daea577bd38e5752a5e6023c4cd3bf1738f9ba24

SHA512
bde1884ad227ce83ce2f7aba28817f0408d3c0353750d04d36b4d87d59a6136c5a3ee14eacb1429c91e4da93c5f9c5789ff667309578e44c5a9ce6401a79fa52

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
57c27bbabdd3ee060c2925b2ce71d48d

SHA1
a2b77bb5ee21da65078ae130bc75ceeee13c0990

SHA256
4a2326ca0451793a288aa81a6d73169fcfeae78d48ee10960d0625d90e2496fe

SHA512
6e306a3ed879fb7c07714a914c418648865b7e4f5592affac7342dd7ceb20f2639e4a43959a46fe29568d69eb5b34607fa6da1228ffeff1300035c3b906274e8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
230f7e159c4be749f505a4bbbb89b9ae

SHA1
e510c86f5a2a31b8a26cb27dc739f3f98978a523

SHA256
acaedb43f66c4bcd707e3007641114208c345c01d3d9fc2f21eb693b92df3f50

SHA512
9e4dd984b8aefd1e03724c1cbf384e07190831a09cc4f437a5e0c7c03f310fbd9369084f9df70bdc31078d06a8af84eb5dc2b384914b949bcab86b1d616f9cd3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b3a260f59998ccbb5e9ca64f24516d86

SHA1
ec7574e27620181db246ee4905483cd9dadf4594

SHA256
0864a1530dfc4dfd76657907a72ef59b4538f4cd5020786bf4bcb0fd8e337042

SHA512
52b15bca04525168df84e11a66a61a033dfadc4a075c834c5d11ba91654b378e401dead2c476f1cb0119c3bc7fe1cd89d997e689d15aeff6284d7f7199c2645d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5524b1d23277c582ccd3b815adb89380

SHA1
62c53dff9c53400a9a1c6e1563c1fb8e0899bbad

SHA256
91bdb0bc8bcfe6489d3858595caae7f5bc1432eb40802dec8e0158c1ceb9e843

SHA512
997f45d1e669b164f87fe4269dadbf5ebd50328cfd0df9ca4ef47b918fd00dfddee07a3712b4564d82c63006a3e662a1597084d3e06a4505ea46f274ba16d769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
72b6ad95be424aa82a406fef02eef979

SHA1
0063d89b02d78e23e21fc0c626eb0a5874b7ed10

SHA256
498bcc25925c4eb980f2ad7fd4a2a5d158cefbdd6ffb6ba3e9c33fb8c12cecd7

SHA512
64e8ab4ebb8482e8ac3a17994e67338db091f389ec6656adbdafae6a4a7aa6a4f232f80715e7ab89789a85e960faa745124f0f6b146926b3a3ab077dc2b34e4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f29df43f0120b85caa902c4381a83741

SHA1
c86e6c724048c367978650782094b9626d10351f

SHA256
db9ef2e3c47ef56ecee99b7a49e7cc9691c21b4375d4a7cb43923ae9fb0a7719

SHA512
f9a11b560073621e70de4b06ba03b52685fa8adc5789d0c4bcb0dff32e7dca0238a313889da88c4e8751cd11920f8ec3e2038d9cba78adbf5dc870d2487892c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
4aa7f6af66d1219aab71fb94475390be

SHA1
f899a1ead8e3ed1b7ffb42973f6b47c3031f0828

SHA256
2cb63748e69218411d9062e7bc682a9cbe9bdc0d2d4c6085d6765861547424fa

SHA512
6df7982b5ca9dfd22c4600be2e14ec32c02fba95b83fcf8d46a65a602b931fe57ccdf22f037da371db5ab179384622babbcf020b6ec4dc115a6814a26541d79b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
88915253790a6b013b936d4caa9bf675

SHA1
e16a3d5b5c8082ab332d38add27ff10997c58fd6

SHA256
52cfa9fca56ada19037a7d82b4317d0c36f882e8ce67be70bc72b87c6d6f860b

SHA512
b0b773c3890db7f6104e4a6c2a952c655e5e520eb0b3ee8a917733c62df0dc7389804ce5e7bb1c7d2490f0f5c6ebde333ab0962f20748d9aa2fa30d147385214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b3ccc046d184f643ef942996147546f6

SHA1
5c14d8a6f0d7aca544ecb512e00ade01f4e6b261

SHA256
6a457fff912562173b5b866169663f700b46bd2e073bf3a0323eb3ee0b00b6ee

SHA512
c095f1f4dc832004c9c53076a345e1f9d26da21b858f603535755ffb14b92e09233976d034febfeb4b3f180a9db9fa0050bf6a73b153b5d1b6e327e5d9847b1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1d5149992748685e5216ad20ec7f397d

SHA1
a0e61e64f7b81eb5a519662405ecc822d1be636f

SHA256
c190a9d313ceda20bf118ffdd3a98c48d85574dc3523d535b680019f44963177

SHA512
e3743e3176eb87d0713d264217e3d669052a7d71d0014269150d13a5c3ee94a9db3fac4974f99a5b22e7a3c7e74516f63687717e212a1fed2554bcea721b786c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e61146af8f05e2e59c3e9a4a6cbd7b1e

SHA1
997b70c03c3b03efad739ebdfd386a269800c392

SHA256
886c9dc7a9c7c6915a19f1e5a6f871effa9ae8070dc3eed3ec6ba7814a04b54a

SHA512
4d4d54a0794f61f11aadc403f93e47a5b1655032a1469f224a1a9eb7b3dab24367385fdbb26d8b55c25157328b584b7330863252f689b44e17ad26c15f60170f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
62cd023e988c181e88666c33bf398852

SHA1
8df0b2cae637000e49854516d2a9412f9de717b1

SHA256
54fa7cb7118a2af1a9d53c6f8bece210ca9969d836a0dbb9e546326ff6ab0210

SHA512
8949c2d099811cd298dd1058b0ca9f1fc8655f49b9de91a79a8bf863b337f94797c96cba6730f6fd27299f36145cdc4500bbe7ac399a2ee1dfeed243eb2b2b42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b2e595e6045ae5e324bf9852e257e56b

SHA1
794dd727e458591464ddac2d325f0687c10c336d

SHA256
5681209be1e7660554912f587e267d2a27e5b4225bb4691df5a5078e37b8ef2e

SHA512
b9232419f21708a5bc274eb9c96c0994d126dcdaa2f97c5ee7e3f33fa904ddde53beab968988b05a9483c0426a945e1cbcdaa010ad7e4f45ef81eef1354e5c24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
db8e2f20d897f97df72343a9ebada457

SHA1
243dfb311cad7bc1355d2384bd343ac272693439

SHA256
69bae4917b2d68fb39e890e4a5377015beca8799c6a6fe2f9a10934e7bfa6800

SHA512
0d0fd6316d9d307f63e71e539a06cf091f358168832793d5ff4826ce84588d3f5f343bc4b63bbf9581ad30e46f557b9c6b51b49b7e8bb2de0650f2ddb3c4637e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
3af6eea77da27a03ac16d5e0f838565f

SHA1
3ef5c430b3f0c87dacf0985dec4603adf26ebd54

SHA256
f1a94de09ef8c526ea3b54d07215540cb2455b8cb1ef4a5842c452cc556f7cfe

SHA512
e94c38f46693397dd912510df1fb563ab3af02b047278e570ed3d3a459acdc0196a300e331fd4abbd4406de9cf81a09065452335171c1ca12c9afbfb8feaf371

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
78f493ace0eb6cf6bcd08794f49ae8ea

SHA1
b0b4da878f4d4d808b23e0d9f10dc6bb95b598ec

SHA256
c03ecb586ed03aaa27ec52abfadf1384ce53c27a8e347f3f87acfd00f584e4b5

SHA512
0ecdc3f3401104ec156c40220e354601606188c691152bce7db59fcd3daf278cfdcb86d37049d91558117b713b8db07f72d463b05a13b602715ec7fa154ae119

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1bdba7bd7def00903cde45b5a98c4805

SHA1
2414b4c6cb17906e1d9c37826d05263e06d9e2f5

SHA256
27cedb351be6c964153491931c4cb2b5a1ecb44f11fe0b4f4d3727595b221b49

SHA512
3f7f2b77830abdca4197139218e4e8207c2814ef92975b25d5c5f6dce6627334f9c070efbdbf456ca8a137b241583979bca021a12ddb94cb1f7266aa09ab814f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
1ed1f85cd505f6583fbb5610f7c78e3c

SHA1
3c4a5f615810b0a60fb1f8d74b9665ba2e8f8b58

SHA256
2d3790c2231c5a5baa5e47a66ed0f0b45c952995a95d270b7c84d62e8e937f98

SHA512
d4d72b71915349cf6af1bdc3bbc5f7cb074e9a1e4d484b4cbea065bd2449e215a91627c53922c9c28b4f840f1d63e3bdc3e6b91a282a0954c703cf411316cc0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9c6ef2ae472da9f38db877bf950f89f9

SHA1
73082154aff071942abcb2692c2b71d56cdcd397

SHA256
a66f3979d64350e57ff959364e1d44d9f9b63a8b31ad1823be6d1a1e52d2e9fe

SHA512
e7482385dceb20ac478f1a0119535ff74dd626d8fc4fadb8edc289fe1b3e89b60181cdd685b3b9632a2ad60e2346b1155e62e34c07f5be8310e4f207fbb9d6c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8403ccf1f29478d26e96bc9a0eae16fb

SHA1
f768ff5689cff422a288ea15099e68692b7cbf6a

SHA256
fba8ea220df3fcde93366fb8ad37d1cc72b1d1dbf5966f5423cc720fad407ab3

SHA512
8c3760281a534aea57f13ff8e803a0f43ecbd252d71dc0be4818bf4e6ffc3b8fc92f3b94e8d623437fa620f333c68657d34ff5d0f1a20a631cd4d187be1c1856

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
3a8d4ac18cb76e04e82865c880af4703

SHA1
ab36a23448c38b439244c1e86de4f1f5572d33a1

SHA256
ef6e227cc61b2edc178cb94a2df53aedae774ac2c73d48de0273385a27404f3c

SHA512
af4af99564f79de417e4010d996f0992f07a12bb43b64c6fc1c387c55625b30ade61a05d163cc3592f1f319b310be272b4b8a90432b31eda30a5e64e729c55ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
e4e5024f066844d16471fcf0a4b4e02e

SHA1
835656b1cb01f5e772d1f1dabd557e8ccc092ef7

SHA256
8a9a45fbb082bd205dcceefe8a66b7ea101fd0dc0eb9b6884b8ed96b3815f48d

SHA512
ce21490c8863d1839ce48de8d34522dbe5bd150b28559d3822313d4318c9b802a9b8f1a84f4e90665a193feb714f188632dce38fde28de79cd05621dbdc7b1c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
2aa8a261716ed333886fb7e0068ea870

SHA1
38d2dd2c6d8e7fb7aca509a9f1a1e07b5dae361b

SHA256
a994db12ed1f64c987b1f597dd374d502708df64c8eb6ae3ccc8dcb7c3da2ec1

SHA512
9d2bc14ac59b10698ea4a5fb8d67ab55fdb7d17318715166303a8aa736e05bc15cc1a4258970b40b393ed351666bb6bf0d25f7d16cd21c63d2560defe7028a7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
88764cde4186aca714226747ee6eb45d

SHA1
405bdf6a130355a04d48bbeb64566d98866dbae1

SHA256
b656d3d6921ceb5c08f92c934e47255b955a77b030dc3ac7fca55ae6705cca2f

SHA512
75a6e481986cb7fd35e69b130f1effdd386513deecb4bb15e7c37755a52eddd0ea39d3de96294b241d390ffef54c797dcd406c303645b08ca808f1b1a90e1612

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
bc5912d8380a14838181dde1ebb29f2b

SHA1
978dcc6b360bcf3ba4d720a5f4fa18cd4e70f51c

SHA256
3215dd54511a3ecae8073bc78b4617fb8974403ae32d6ad065b4d465800aa94f

SHA512
ad3dad15d7fa1378ddaf668b8ef5fa818468a5cf964b15935600a39624957460cf828049d278d1a49d8cd56cca23c7d6fc2b8a3b284143798846afc5a7dd4522

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
f92ea18d4af9a773085cd2ce0a869db7

SHA1
3a82e7c3f57a578d0c01d7ab4298bf35a7219f19

SHA256
bf91127e39c6155794d16a000fd5f92945bc3b575bb7f5cc096a0b80756ce528

SHA512
a5648e60378e7e347c1598d9cc098ed6f717a9ca2b5400fd71eb3b050d839419acfcbb62580e1bfa38034aec0ed223974021a04b8fee4150f55c42f2453e2e6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
693baa35dbf1646b643046628fb7ff37

SHA1
ae76ef2b0a59e7abf03148e10c8edeb1c1cce698

SHA256
6e6410bd927349a44767d35999e7c4e68d7204ddfc1384f74d70ca97922029db

SHA512
1f1c5ecfb7ff22be4c1e3c847434b14a7c898dd2055cb9a1c7760fc0d0507af2b69f7e9c81f1b7ff1f812975f1f8029f1145b3c46d448009466898ed55bbc111

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
627ceb5ecffe78f7bef98ac29acfdb01

SHA1
c8c52dfc45124f042cd230a6fc542370cb3f3ef9

SHA256
d08cbec4d7c5851b9fac491561acd9c1af2187c952cd0570106ed2e55bd01579

SHA512
6c825eb90cc528fc3b70c4d64c7c942c565f3b99b77b000bfac592cc570b625e58115550292ea862140e02cde4b38313a310aaf1a8f04eef6342475630b32fb1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
532a6de5b54144785efc0b425b0b54dc

SHA1
cbf6143772ed4f26fa9af484eadec4223eaf942c

SHA256
a3c9efd5e16a3939c2de70572f5fcf9578f15b4621ea02b782ab75aa757b8746

SHA512
9e5ed95ffbd54ae09cf2f58a1a29c55e20500c5f648a1b709b8ca1026ea0a4e49e13c1e893d23c8502261d976aa928ea93b15a965ac4656606061be6eadefd75

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bc10db59e3876d2c9ddaf3d3ba6e97e4

SHA1
5eecc5e0ab5c4a58e762ba7d199e800a469ffb15

SHA256
fb20a55ab25b945cddd2b020343e1172670ac10b26bf19007ede9d0bd7f505a5

SHA512
a430538a77bede9330bcb459bf75a31c5c8f9eff429fe6377f89dfa77256c70e0cd8ee60963e941ecc206f74a87757b0b866716bf235cfe6ecdb8c16b8c867fa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ac4c2457607ae4a623ea193ff79577d8

SHA1
0c93048b169890584ca2ebee325632d8956561f0

SHA256
693f6bb09f38902eb958422d2a86e2bfb285e299bd50f32e91b16a2a3baf3791

SHA512
352d86645bd93044766aafe2ab88d7efdaec50cef2f530a1f5fa8f1218927c71dc5eefdabf6c20bddd395b893b0cd2337a4b4f86cda25e691c2a84d30e9259e1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6920c7c8ec1d56fc3558cde5042b703c

SHA1
4307a20a05da4ae0030cfdcb7c4def56cf58bf76

SHA256
4afe6229fafbefb52fe40c533683a4033187455c970aba7330a008e1dd89766d

SHA512
ecb39eff41c7050d7290c3f1e4c374de7fdd8277de6a32956537c539c5ff4e506ea4908d51b719b12b331079545501000a906d91ec527111a37e165cd0196eba

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bc552fed9f5c678b83869e42e385a3ff

SHA1
d8a007604d5f85eaf2d6331f698448ce90b6db2f

SHA256
12f246460934111147e82ed4f9c3d8f2f435ba78718d7d71c327b5783327c761

SHA512
b09184e0fe3ea486d621e5ddaf84ca7d3559173ec19ffacb1c14ff945be5dcdf618a58ee36cb0d99862db14f238767c10eabbadc09583586b86b2d07ce704290

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6513beca5a758858f2e34e3805c71f5a

SHA1
93af53b8b7c04d22d7d809987c3a3a64ebc98236

SHA256
dcedb8593cc38f6781387b372eeafa8ffcf8eb19459d2429f6281e993bea70cf

SHA512
dc927f8acd90b6940c5d72dcb24385a27e9b3b762cc2438123d464671d9e7ae00d19ccd9f20b287b04449059722eb918eb22bfcb5991f823f31ef09edac5375e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f36faf377edd866fae60e0af6e367f67

SHA1
841a5e7ec96ec36a116b7450ff9f640c8ca2bb2a

SHA256
4d82e92ed4216fa58dd16785f432575f1e904fdaf5b1601b0ddaa8266027317f

SHA512
1f87146e327c5077be15455ad428667d571fb20f43738f9588b84ae89544dee0fae8106b0222027d6b201a8d750b6a70c8800e0767d68d48da4b232a11b92a9c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ec6f103bf5938ec84795f1c5c9b0a36b

SHA1
ba29cd4e58fec35f551681d5939137ceeca3aa95

SHA256
6da7ae380f3681af652855e27c01699f9b734b0b2ceee570e3b9c009bcf5d10d

SHA512
0c63eb15f069b973b5ea529d60ce8590345fe47ae07d133e2e04f7025ca7c729ee8e552fb5a849ee689bc0a76af814143075b84ea7d306ea9c3916d0608b0836

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4370d338e3bc806c7f7b0dc8bb8c0018

SHA1
6a7c950499f761f5500398776ecf99c09b837d47

SHA256
4bcce0df57052f109fef12a65ee7e426056e0d77aed3fafd5780fd9a172813cc

SHA512
1c14f0a424d32e3d601ae196f69fb2bebde6d5098d4b3159b7f3f0ad1fe81b55b4bb7c20d9d47938afb7dda45ad4774e12abdc9212f7c55578d121432e713eae

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d0d1ec10308eab6f6441375f125a5a51

SHA1
6ecde96d048a5045fe170673729b284a332077d0

SHA256
5e0733137c7303d865d30294734ed721aa803ad1ee34bc475ff422eaf5250389

SHA512
2cd073a8898f2cb7a90db463aa7220fac911837de5680146c44c85856137bf4f4a446d65eb0f569ac2f2965c570ec2b8835a88a44f0226a0983bf4ef5ab09868

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6bd235e06f9bbf11e2395b06b79d48cf

SHA1
d0e10a321d63ce345f15d83fdd039fbdb6b68b38

SHA256
05df17bdb6af3c0035b3a5aac23b16f0ded824536b537e4052af51a5a6abf1d4

SHA512
502942784c9945806007d20635df06e1cf00024ba117aa16fd35717b5d5ade9926d39123b7d0fecad054b40e79805b89bf3f89c88dcb3037d31b3abe7b6e471f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ae80efb37ddfb27b45325c55d604ae8a

SHA1
c10d03e9606618e167003015fec3c965941d5563

SHA256
dcd7c279699d7d21fc17d3194bb10bacac2d0fd45708383757f133f4910cd05c

SHA512
4b9fde2cb9d568c486062ffe566b82c2f07e04564f3d5a74523a73ccc71507c915ae8256c6f7cd517449e2993a8a97500f3117d28607f11207cc646a2e8c923d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e099f6af653e1acdf32d11a20eba3e07

SHA1
a9b51d1509ab2e6417b484dc658e7425acdabaa0

SHA256
92dcbeaf8015f2edfd12177ce396f5359775103aacc6661834ea193858aacc49

SHA512
dba4b3f38acd7181e2612a6dd85b920a83e9eab2b99248e62360c4ec86235efe1ea55bb9e9bb1ebc430dc2bf5f7d71875443010a56600394c35b483727e464d6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
378443913f039d39c573080c26231eb4

SHA1
ee21c18da8408f89b3cf1c73943f848a108bc1bd

SHA256
7d0da6ca3030c063f81ce810891a8c060177bfcc410f1217bbdd7f82c3bbe053

SHA512
b0dd483a8284006201e9ef11dd2f7e5f2696f95e194e4e76abc49b3177bc3447d881becdcb70fcde281d521857ab9d559c61b61931f72918f6a04ed31f386141

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d87e92172e3cfdb6b764bf4b81d65d35

SHA1
718bc6e0404c7355a0540fd6abc1dd546ea6ce5e

SHA256
5a1c6337a9f5bba6f78ae9b0da112944f48127c2074f01035b9a4174c1fc656f

SHA512
e2728741c1e762fd7dc75ce959d1af567aab5c6def07150a976e8f0f820260b104052577d49501877d0ecb2ea6c5febab6ffe70696837092d715f559e16284db

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5738d3775df7edb433e9980c5f27a150

SHA1
acc986a85a23c4828da43a5502c025d20720fcfe

SHA256
dc11af74ba8779a6fe000be8ec8ba69fce1123460b71a27e3497b9d671d9cc35

SHA512
1bd0d77c3ed97c684e258de9254b9f28dfc6a417d703300e769230bd58847a7dc0e14ed46dec4754981373f0098da6011153b692e5877e1fb80e832746e0085e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ffa9ea55a97bc7f6b881fe9cc696f55f

SHA1
3d9b755f78a78738c74024ba491df3e3b45c2759

SHA256
bb938b20646db87fc8a2d2c9f2570a6c631ad828133e8efaf8c7b2d5f5f8fb08

SHA512
832b00f253bfee2efa35d9e6c469eab88a49770e96e9b17dd54295286768fad1a360a89c30e1a7a94c8abf63067b77ca44172301c6e5a15c82be28cf9bf7d5d5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d1407e88cb8c78f0ec958df98187d3e2

SHA1
359b5c7489951735ecde7ac7715e815fec979de1

SHA256
e7322addd1dc1a221cce56d360419d8b8e6930a420d77f10ace4e67087698633

SHA512
ebfc3e2154cc212163ea767ff1a489732f1120d71bae1866d8ca0ddd7d5253e383350b1ac640b8df7437b4736d7d0157c7fe345630bcbe074f4b8f102326f411

Download Submit
memory/8-22-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/8-229-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/8-14-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/8-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/8-23-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/404-547-0x000002767AA30000-0x000002767AA40000-memory.dmp

Filesize
64KB

Download
memory/404-546-0x000002767AA20000-0x000002767AA30000-memory.dmp

Filesize
64KB

Download
memory/548-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/548-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/548-278-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/724-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/724-339-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/724-401-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1248-548-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1248-421-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1248-413-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1944-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1944-393-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1944-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2152-369-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2152-313-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2152-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2204-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2204-434-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2388-65-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2388-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2388-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2388-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2824-378-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2824-438-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2824-372-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2876-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2876-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2960-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2960-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2960-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2960-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3020-272-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3020-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3020-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3020-254-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3020-261-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3048-425-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3048-366-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3048-356-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4000-51-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4000-57-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4000-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4000-60-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4000-50-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4420-294-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4420-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4420-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4680-543-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4680-409-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/4680-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4840-242-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4840-249-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4840-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4840-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4908-440-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4908-448-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4976-28-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4976-30-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4976-35-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4976-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5084-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5084-18-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5084-352-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5084-1-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/5084-412-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5084-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5084-7-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/5084-6-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/5096-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5096-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5096-324-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5096-392-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5108-460-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5108-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download