b1fb25c1f9ecf86af435318c6044ddd9d96e928f84d44bef24359aed02ce14bf

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1fb25c1f9ecf86af435318c6044ddd9d96e928f84d44bef24359aed02ce14bf.exe
Size

1.3MB
MD5

d0b7c77d67bef40d453860d58148cb86
SHA1

991374d1912fbca5a7853a3b0da82dcb2470087e
SHA256

b1fb25c1f9ecf86af435318c6044ddd9d96e928f84d44bef24359aed02ce14bf
SHA512

f558edaebdde4ec77144a9c1c311e540e385a1a082a016031d86e29fa537bc75b63d37b84c8b56db0c654e34c9615b0f47423513e48b10e4b9d3b6714e14d739
SSDEEP

12288:h0iB+tMMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:h0iBySkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1148	alg.exe
2044	elevation_service.exe
2604	elevation_service.exe
3152	maintenanceservice.exe
724	OSE.EXE
4812	DiagnosticsHub.StandardCollector.Service.exe
4456	fxssvc.exe
3352	msdtc.exe
1932	PerceptionSimulationService.exe
1764	perfhost.exe
2476	locator.exe
5032	SensorDataService.exe
3108	snmptrap.exe
4020	spectrum.exe
1056	ssh-agent.exe
4856	TieringEngineService.exe
752	AgentService.exe
4728	vds.exe
4104	vssvc.exe
4972	wbengine.exe
2592	WmiApSrv.exe
2288	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	b1fb25c1f9ecf86af435318c6044ddd9d96e928f84d44bef24359aed02ce14bf.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e77c79b74f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eee7f2b0892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000432c5c2b0892da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d89bb2b0892da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e851632b0892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017e71a2c0892da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060c8592b0892da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f14a62b0892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6ab1f2c0892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2d8aa2b0892da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2044	elevation_service.exe
2044	elevation_service.exe
2044	elevation_service.exe
2044	elevation_service.exe
2044	elevation_service.exe
2044	elevation_service.exe
2044	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4808	b1fb25c1f9ecf86af435318c6044ddd9d96e928f84d44bef24359aed02ce14bf.exe
Token: SeDebugPrivilege	1148	alg.exe
Token: SeDebugPrivilege	1148	alg.exe
Token: SeDebugPrivilege	1148	alg.exe
Token: SeTakeOwnershipPrivilege	2044	elevation_service.exe
Token: SeAuditPrivilege	4456	fxssvc.exe
Token: SeRestorePrivilege	4856	TieringEngineService.exe
Token: SeManageVolumePrivilege	4856	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	752	AgentService.exe
Token: SeBackupPrivilege	4104	vssvc.exe
Token: SeRestorePrivilege	4104	vssvc.exe
Token: SeAuditPrivilege	4104	vssvc.exe
Token: SeBackupPrivilege	4972	wbengine.exe
Token: SeRestorePrivilege	4972	wbengine.exe
Token: SeSecurityPrivilege	4972	wbengine.exe
Token: 33	2288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeDebugPrivilege	2044	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3032	2288	SearchIndexer.exe	122
PID 2288 wrote to memory of 3032	2288	SearchIndexer.exe	122
PID 2288 wrote to memory of 4828	2288	SearchIndexer.exe	123
PID 2288 wrote to memory of 4828	2288	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b1fb25c1f9ecf86af435318c6044ddd9d96e928f84d44bef24359aed02ce14bf.exe
"C:\Users\Admin\AppData\Local\Temp\b1fb25c1f9ecf86af435318c6044ddd9d96e928f84d44bef24359aed02ce14bf.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:724

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3352

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4020

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4224

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5451072dba4b4d34b04ebdfa3794dece

SHA1
50054366d231dc984dc6a98874d308d49ea47458

SHA256
c395567eeb42508b037b5eb1a26210714aa9fb7c343c38328376f3e340343426

SHA512
6f9168382c01eea0d47af35f477708974fb977491848739b3adf2c86f5891c3c75ce10c15ea0c6e9f63eb7a690f2de7f0094ffe00abb9d1980d6a6cce4c41703

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7da806ba97b1ce993f7dbcd3e087f626

SHA1
d5c58476c8f4baa639580070df7189754059f792

SHA256
07b887fd69494153bb350e4537aa4febea22a485617ce1294b13683b1e2260dc

SHA512
f2813387dd57b55747e8b0b740ecd939a538fd15e60f798a6e0db6a743595694c58df5dff8dafbc5d08fd1e81f70c15db322d01d09ec42496d175b9bfa8f9e86

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3bfc1c5ecc499c771f21ba3c1ceead4a

SHA1
c877e9248d5bd1501b8c5c0b2a46f09b9ecb9b05

SHA256
8414a5d183bc6e42f63342b22ddf5dea717da8d76cc78ecd1570959e9c6ef2d1

SHA512
24c2985fba61b76eae4537f332270946dd61cb9979d5f1234dacead44bf107706c617652e424b802f79b35b477a9edb88f1d612151d03f1aff2a32294203102d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d22e7fc770fb4be03b65bbad50b5bd9b

SHA1
8724f7eccb63d4fed6aafa07fa91d7a2d17174f3

SHA256
6a2e3679fc4f707ca78682eed692edfeacb319f93093a5b6e8c9d4fcda9bba39

SHA512
0b4eb21712e9e27116de844f4cc622ae916f230798475fa555f6ecf621965b1e4a59d9c282c79f8ebc805f21b08985d9e94a629a4eb31790762e400a3bb96656

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a61f5ef82bef2c8bc43a5b3a8c9c6d49

SHA1
d9f1488c3a355bdeaf1cda5e673be6928450ecf8

SHA256
dc9e9d39aa8fa83a1be123a4d303d6d1f7a0e002248178b586fb5ee2c5a28c0c

SHA512
45fdfa5f089c5697387920e94f92c2aee8633aaee2806058ec96a822da7debcd4fff2230a351b101bd50b3886df57394f0cecb279c461ca2e04413ffac833c02

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9f03d8c6b2ea726f461d47066868b5f6

SHA1
899b3592368bdbf75a23e3ce9dbfbfe8052fcaf3

SHA256
769bd4dfb802b5a3353da1c8669c5618695e6c532cbf1d96da584a042484474a

SHA512
f89fe21df0a5585c3a68a333a2c6b736cf5e47e1d9f904c551444bb87524ea0ce7bf8e0e75e8a7a63af2a76eb59c24d6ea3163c24b95c25d7317c5bb681e9484

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
1ba26e00a493a5e84df45ddba8b59b0e

SHA1
770fc4c15887b2a366305b48c3410fdbe109a654

SHA256
21db7a62db4616db2e54dc4828b6a7a47e344c84d33ad6e8fd36ad2dca6aed1e

SHA512
f94b649f796c36cfd40b77fb4084119d36a0abb0dc801224590eca7e9b2e742e955d0579aee5762432bee1ce2fc53e0387fd9c5a46f523f68f8d2bacf9c9f72c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a36f7b8aa06cafef527265c53e1d749

SHA1
5303816b9cec6b19d4b40512c4b17859a81361be

SHA256
0bc6a5ad2bdaf821efbef52d5e01b6b71d900667c02d524f929935012c6e5e47

SHA512
440ce8296cd8c996298edf3477cad8f67ebcbe2ce3f2c6aaeddeb78ef60c96dfd8a5c78b232a709ca321e4bc38138e54ee23dbe73c7d4cf69abdd01865ada833

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
515a5ac562690d52661df351e64b11bd

SHA1
0e172a0b009cdac0b7825b97976aa1bb8480372d

SHA256
74f4757cfd48ffa8013d952d6a3e53cc3413cc276786bcb45e7166cf7e8ae4cf

SHA512
c8d8ca03588b0698001088b5e4709ce0f365b3e389be541402510880296b73966ada25a2b434eb02c61ffc47650f0e2037ebccfef854928282f088d3b2a336f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
795c91c02dc00a8103e208443feb4bf1

SHA1
d2a1bd547d8abaf93ad8cbbc4b2bd9b7a1b7a3ea

SHA256
069db553c1fd371f6cd8f30f56fd2d736d03e976fd48f33dc0341e7694abee0e

SHA512
0c5a59f9e3a369f71c07ac95549dbd34f48a3c867884b60428b204b070ce00e9b32f456d7b570b048e4bb03dfb02db0de92db9bb3febcf5fc8a7743d8d210dac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1f5389ad4d5ff7d2b156f24df1b016e2

SHA1
f22ae3e6d117aef0580254bedb9587185a7c21f6

SHA256
43fa5ed4daeebb5211b6579174bfef028bf9867452cd77674928a7653a4fbc0a

SHA512
0595c56614c620b89d703125be387ebfe1ab897c97448fe5346160d459a2aa2c9a40132ee0db3d0260672076748be5d2f3a1a016651e96e408b424bb31b996db

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e506eb1278a6831ef6715fc795537768

SHA1
4d375d0442bb471fdd21d233d4eb1a8a4f65afc7

SHA256
a0abd612c78bd26a7b5a3fbe4d2420bf8cebb2481f70af296f2fc5434b1273ff

SHA512
95e5d2f23c95563c9f84c802f8c01324c64eccf640645aead97180a2e8c28701a0df25959b457d04cb30de62971d58df256db82a6ffc8587810bc7c5f6000780

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
193da5cedd28aa5627374e3db7f82512

SHA1
a90350cf728f45a94a416fba624d8c911bbebd22

SHA256
5265daa9d8745a9bc963dce1a544095ded058fd2d76470db1cca8b44b6cfb6da

SHA512
0d6d76f9c4229e71e2c1242807d1b9d3d557409c5ccea558fa9bb9c89c2de7e36d221977d338f3767f3acf18f1e830dfda1e35522a12c6970566357b761fb377

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
96e79ff7592db0c4656da6e8621c28ff

SHA1
94ad67caf093e9d8c89849455819c8bc5bd2d536

SHA256
106b194afe1e057fa6a42cdfc6fa61e972679d60776a740ef13bea2cdbccf913

SHA512
be49d05c081075b157881d02af08a6a2e8e29a7b3c128fb694291d6e2d5aaf645f0569114470c92ddb0905171f4c0d2d1b46c72fa03158cf24735c9905da1e83

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
04941ae6737f68d04d7f22c0751af3ed

SHA1
aa7e5d09da1b1c309e6e2a04115dc4558a6b2b68

SHA256
5da6380511e48262513880e52f8642b99f8fc48dea6f561eee951c4cfe2c5d3a

SHA512
1b7903482725c2ec3ad898bd375db1b523f73a7209dff220748a62aaf85d8707a3020f2047b86e33457fffc4f0c5abf8b1676fc227f129f7c135498a88bcb207

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f2d9949002c71dadafa87f1bd1e84978

SHA1
b71be762d440fca00aab83c5a2f515e76c27712c

SHA256
6242f88b756fa1ab1a482f66f91aa70fa7770430ac23c0cb24dae55c15530548

SHA512
4d797afc399efd39fd11d3c9a52facf521adcfda5129a8a7ab9f1d4b294b7e5613fbc6a785a60422f2b4c550478a27339f4aa43b198925c6bd0f8927a5e7d569

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
09548ea778bf664c3698c769b141fdbb

SHA1
113277a60d81ff977fb803a5be836ad6743d4a40

SHA256
8ca9584498667aaf837ea479b720c47c710e29a926adbb61e927f4559f754347

SHA512
75b78e83f710ef36c2fcdcc026be44aa900ecf4dde090b5deee0d6d6f28d0128dbcf22407be5aa931b2c6d0997dd5cd65c2974402b9fd2aa7c81f79d83db2ab1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
53112a7118b5d405f69cde59dc2f92a9

SHA1
f0d087ecda8a9fb883ef7df501de9daba04c06e4

SHA256
edbb464f7c873f32c64c98906ae9625be875a4c36cad765156e171672b25adff

SHA512
edd795a26d375829db46481660a09f4bb5fdeb56c4da334c1e046d9611dc84dffbbd78ca282f0c975429d01f6e72eec7256a5717bc18e176cbdf6135adb519dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ca23adb484c78cf55d22afa8236160d7

SHA1
e9b2ea4f348d5b579900e7b5a0a3fd99d1b182c1

SHA256
52026f6cd5cecde48ac791232e328b650b05ea5470f1c0f6f47ae96acaaf06e3

SHA512
db113bef1325b8c26abe04d8aba02fefb62dad163a4880dfed2a62e6c4d8c47d5f8d6f7c7de6b2f32fa59efc7eef439f17d0497bfa9612e9976829e90a363efb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8ffa0418471fe5ee9ee9e43572595c36

SHA1
bcf4b6374d161bc2e6b69f0b0062390fee1d1e4a

SHA256
1d5b2166c04a9b4a4e0971c97354475169e365d56c4fccd52be24e8586af7406

SHA512
4a45937236c09e0ca2dc9f678b7eb6785cd4d56a8d432b8e9896c51d471642bdbbd6389d50658c95240cc4753047e632f49dfe46288ad5cf7333db333104af48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5983dbd996c584436b6fe0cfb778572f

SHA1
2e817774a65d322fe852ae69a6f83f6957e3b3bc

SHA256
906669d225f606686941573ca5e4d8c674d304ec90d5a9c28d570ac3cb5f1f4a

SHA512
9beb7ef21955e03a3a65dd071fa6bb3621a10b4a8af51728729a4d59611eb6539dde9e9b0a259d5422dbde3cf7ed84ec4af0c493c9064b590017a34bf48c18ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
65c72594c2d68c63dca7752417a6ef1e

SHA1
86a6d6a6e42c2131b70451913342b0cadc1fdb4c

SHA256
b2e0b094f5003d68a6e6735413eb53877badf7633178109f41fe3811915116f6

SHA512
49ce6b3d5f29baf64ea287c19881d5c5c4fa37901fdd8543e55a8fcdd189544bf8e571eecaea956ce761cf00a3a23ac0a910eb5145c7d8c565875bd1d92a1500

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
01ef56e9144b561eaac332a0f4e3026a

SHA1
c6761487c9a774e6a4640f808b7ca9395b458f62

SHA256
0f4480218652237c187da612da94c007d3ac3d0062cc38cf02a107d7968a908d

SHA512
31c0b90e8c613a23e5eda081fc266964d5d76d2dcb86292f591b72518477aa89190eac1845644f3b4318817ee23d738b25231970acdaec4728d6c0b04645a45f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
99c98fe3706bb1e5b7eb70ede2e36696

SHA1
69d8140a9939e608cf6d0d00fe47e415c6970de2

SHA256
a1b83f635ae7fd800b95fd075cde0703e4b566146aa85a02d715fc0b6f22c2f5

SHA512
8e00b7fe3ba9c23c605893cae4efcab08a02e272a805890a1b99c88617ae31f0c5a51e3f73257996bf4ee38c0bb3532c47aea4ac0836454710261ed6cf1f8647

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
eb0809029744db01ce6884ad79c355c8

SHA1
e2293b0f0316d804591387069d24ba393ac8a96e

SHA256
e610c0ebab7e842d7bb1ff34f1ec1e363a3cefc4d48f8c2319f4f05fe1e663ec

SHA512
5b64badb9fa5bdb4e702ab76c8c9732d1a6e9d37ce1f959f6982285ae5833c65b86d5eb35f2b76aa9b46b91adab0a97ec2dcc8b9829bb0fa63dc937ae7a185da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
088ce6d99687990a18757c19d5e48572

SHA1
7d979208ecda8c155df189f1f040e2a4b603d389

SHA256
60d98ce24531295b72edefb9987f18a15787326de4e0baafde090e6ec5943605

SHA512
8a60049cb2cb5f34fbe1c6f23713caed11d9c81acfad532dc5d3936c2240c5abf37885b3d13f2dc7911b60fbd377647575d5f91f13d98127bbde85bb259549a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
97ce0f7b60b92920e4685af52705045d

SHA1
1987b942fb5b75e1c96adf0391c6ebf87a62444b

SHA256
5169400d81283586674b1b1864a36232a5c3ec7e8dd86a7927e4b8159cdd97fb

SHA512
b0f614dcf993eec5f584e8583c0c922ab645ef08bf4bfadbd23ce578b972c1fdedf81fd3c3e7e28026767ba75d052fef2aa143fc03257b4dae85e7fd7b29ed3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
f6506f613603d4affbe4155075013260

SHA1
24f568ab384db4207e5bd4e0d98f3378f579904f

SHA256
398f1917bf90f4891fd3ff6d9c183b93e8e2646cdd43d2408bf0e1fb0f024de8

SHA512
5c723e354b5c0949ba890a236ea3b44e6449f677233ea6664376626d827c9889fb8e4142fb9ff5c2e2aeb2835dea9649bf5b8969f772c4f44e8186736f3abccf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4a68ea9b803aee1c200381d9429b04a5

SHA1
1435e6c576fa0413093930f7e224685288dd4df1

SHA256
3c2d9e198b3c620c94781b528e004ca7a42571fece4162a3045348c3fb87a9ed

SHA512
dc07828f491901d3e9d509142761407b8c589c42aa2e7ea5bbe0a892d7a92252a27f37429bf713042129d31b9df30b53b2145f68ad77c66b783f7ff02531b1df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
097a2d842c25fbc13b410642d6ba4784

SHA1
c78e2c85fd7e756fdbf47e0534c0d9cc4ed4f4aa

SHA256
1029cdd1d54e056106baf4193034e7c32596b7d30b520eb34d119cb4816347a4

SHA512
285b98c222996253cce9a779a63b86a0ea9cc049e59dfb7bd3e322a45c6122cc2f6ca70e9f358551a928cd8516248d927bd171447d6d37de4b9c228b2fb5a759

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
84516a5840ef486fc88f484a0ca8a136

SHA1
4b0514a656a520b9fa0e77b85648024854154e6b

SHA256
8955c03e7b67e41e3c734a852bd790bdd5ac3a530b5cab60950efdcf965634bd

SHA512
6f0180491c1d0a1633e4026f60f6f881bb9dd874500237431b627afe29543e7f4a53a7836ba5a9d0bb2429c2bdf945e843a1ae7cd20a15bd1abb0d7d1d69903d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c9c472bce0a7744ba0af70177ccee315

SHA1
f08d493e9eb2112572b28da921768aede6819bf3

SHA256
66d4d65ad0ea4a3c559975235cdbad08c9930a30ec6ce250e926940da4a657de

SHA512
87dfeeefd4920ef5b427781b0ac1475376d13f15940b4f8eed7be11e414e3afaff49011c0b789d55903ec41903dee8f3c5e67e32c518d639c9475519f89e56c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6a057f7bc8f19b9994235aab1e3a4c1c

SHA1
654ea8f174f7ca131b13c04a93fd8ee4f45715af

SHA256
35ebb12f594d115da3f9e732b2256ae966c56cef37464cf820431bf69812f074

SHA512
97b5f81c0f9dbc0848018011052ce25a111b1195a0c8c3589f4745ddca577e12f3c0e543354c2be07a9008bd5643a87209c754f54d9905a30c24734337446aa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
4462fe11542ba26603f30bac0672be18

SHA1
1bf7a0b5471ed5db27ec0aea10bdeb1ef7655f47

SHA256
0239c3f4ef5d6dc1277e127eee574b083b43298d66da6d1f299e10ebef586b62

SHA512
8e80092fb1202f48a1cf169a68028e2efc0d48fef622564edd5e386ee8f05a12434dbfef578640b855731199b5bb1862f1cc53464a7687d58a4f48e91675f2d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3d999b867446353433cbddf7207c96dd

SHA1
3c9b67af3e5f56d52dcb9b223df03811641e4016

SHA256
d00e32deaebfd1fe957d552c4688059e24ad1bda10b3c19d5b8052f3e48cab22

SHA512
e9d6b4256490e9bcee99a6c5f325d744d3c74b71016b8cf456379530eed5831ddbff688a33e558d0319ab204c7dd34bd1727a5279e815506ae72a98d574d9556

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
0e5e7963f962a4e1ef6528eaddbfeca3

SHA1
c753a878d18b89fa705212b43d228e2b0cb855f3

SHA256
ea72921f703b48ad8b755104dcebe888dbc57f7cff281d4fca19dcd63d29c23a

SHA512
8deb0d2c57fcb85732a2ae94fae6cb9a80b0c892cbec579633345485a4eea18ab03b52519b021ba142167dfccd9fa237fd95ad44ee39b1ecec21077650adc3f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3d1067e40efd5bd561e76e2f99e85f45

SHA1
7b8425cb1a9f5728736876cb49675509d7788851

SHA256
adf35c896c21183b28b5ab9efa03d59b772aa7976206eeaa2d1f447ee3d632f3

SHA512
ac8b8b7e2bd3ecb8f5f1465701897a8fba98b71541849524fcb6012d2101481fb5c06fc472963c538208787ed855b11dda095194b90ac6b2834780c4f1fc51e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
e43895ea65cdabfc29267a23cfffcfc4

SHA1
27d25b04c4c158a0e61f7e52ee055530cb73f61c

SHA256
5939f9b6d528b3757643546c62f462abab14332bec71c48641c5fec3c8246449

SHA512
4925e749776ce81a43d94392ead4a559a61b185334824cf51878f4b65d7b334baf1bd3364f4295fb036ce46b01cfde9926fca2addb4374ececd5ef9bfab67501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
e3780077a4e29d89d39006c6b5b50f0f

SHA1
68e9cf51588f5e969696a1597e04c0031b86c4d5

SHA256
18bbd30a030879b07f7003b9ac1d712aac2b640100239dd5f9998db6480fc03a

SHA512
42275a71a2d29fa2965e3b4ed92232e7cbe30e03cd90d513a08de115b3ee1d731551a331f011d941eef02e2aca7e393a87591d22603ddda5632203e091fde4ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
6d776ce1a4ae866b49c2db226b0c04d7

SHA1
8fd99beffe64d6bb972d510ec811e971ac4c0ddb

SHA256
14b29f4eae2919f7da57e66541de402be785cb65513d7338137cd4ab935728bd

SHA512
791c2b0b63beca3d5109dbcd5de56c54b3f21ceae65d06a848cbf13811d7633fc8f6bc52db99dc036883b71c8f7368587cd100ac03125ba4f136f4d42f654d91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
d97d40f56415b43996350a416ab58d1c

SHA1
43bc67ce0ab3fe27a8fc36dfb43e748561534c7b

SHA256
384580ff4215279e8784663a8b47c6b28472e377c794fafd1ba710ccbe73141a

SHA512
09b342c04dbadeed8d01a320ea1034c0239152183aaa5735313c041e9472132ee29b58fabede20d40509089bb889cae71d53b5f43a9251177c4b966424b9f7e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
d2e67bbc032f2e51e6841f2fe49784f6

SHA1
17f1a8766c7d5a236b51c3e4df255498040b4aa0

SHA256
9503fbf009bc79bc2b820d327489dc99938786f1b16dcbdc37709791c5c3322e

SHA512
29541c154824e8b2aa4b82c603953d3e38e34ff8208e99cea876977c713746d1cc308c6e643b074beb4358fc0f2c374917959045a45b571768c035cf9e3240de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
5f5b27ff98fffa2bba09c166876bd591

SHA1
d86d440752351dbb694c29442b127e933a8606ab

SHA256
b2f0f8bcefcaa446e1da0e10f09cd9698d6013d075b019215aab1e615d950766

SHA512
07ecc76d2e190a17c001c121ac16e04d1ce20ce93103906dcb2fee78b66d20c60338de55295d9a065f03316c1f7878bb81a5b00717caf14402b64dc76f68c4dd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
b8d52388923c0097f6e19bcb5fd8a6e4

SHA1
097e0914adc5dc65d5428f2bb32c0a569f1513e0

SHA256
fe813c407694d80ad32627a9ef22b1dae2e885398c590972e24b8e4ea954d78a

SHA512
5d35f968262e0c56007c7392c7150cbb3ff5baec37263f6493218dc78149aa14eef6fdcd9fa2d9e5f8a4359326cc9c2b1877fe74c8c4d986002205008689e195

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0627f6cbe3cf5a7867e1db599b4cfe5e

SHA1
5ab7b8f6d1adb86c7f0c95ab0141111bbe332471

SHA256
88518b0d7564bcbcefe5e1cc3fcc98e20c114674627c0d4dfafc713a452c17f2

SHA512
f004a8ce2a29c5d3d4dd8a25ffc6283539a5073d0df8c5e78edcfb8177ce85faf07ee350657b063c1e79c8227d1fbee864997113899fb6a950692cf73f43dc00

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f83aa4da5709cae53bf5cbb490906d0a

SHA1
77e534bd0290c973a0475654fdf25284a2271025

SHA256
8d306fedb48be004b8a34f0f91b0816732dfd92fb48ed90d08cacc4628aee6ea

SHA512
b2ca1775ce8bfec4875272f7dc7272a8756f642f4871939ebb772ebe8d7a0cccea4198f00909d97bb990f0aa131785e21ce1830580f50777655607643273b0f6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
f4947b41aa92829a1bb228d34cd2c2b6

SHA1
5d121e3493e21e4a4bf33c3f862b2d4af6efd541

SHA256
7245e4211c7b34d5dbebaaedf893e14f27986aa8d6e0042f578611a7914db241

SHA512
2920f8e327a01fcbec0c756ae1f22b0096559a4db020a2f7dc17686a533fe174be7e2cdc85118cb5b9ab37f0b897627a54ba51adf183d31bb38be79487b77fe6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
06827596a9b97980e66d716fce60d394

SHA1
f889ba774a48f25b1e7a2702ad82da3e12b33eb5

SHA256
3c8b78cbe110a196f316c2a81a5ecef0843dc63a38a6a96508a35e66bd79935b

SHA512
8da9cfa2746861301c9a6be6d5d87485f7c4371e6c0ae5aa5fc079955f1ac72ae600ffef4b20d842f28c0a08b8326a1a95368448c3bf0fd8c94482341e54b744

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
28a1750053fd46b70585c1b3d02f7862

SHA1
71f77f8ad69cfd3cdcc5e5c435db4be57a3caa79

SHA256
31b8265b5f3682f10722684bfd3ecf165acc0e9bbd90064de50b71a6ad2db53c

SHA512
027037a92cd8e9006970dbd940570ca26adfbe1f31d64e9a9f140083b5f6b0dc6166155413c3f821ea8eef191725a935d27b6abf0038067a674c839114cb477d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1504bb74335443292c3635a3bb07e6ca

SHA1
4017db9db5487513fa4d73a3291e16a938f784dc

SHA256
2fcafd43915ecc7ceaaf40dd30ff4471915755d9640d353ee03a61e88655779a

SHA512
ab03dde691139a580c3b4fc8f78ff1c2766e21f245926e6914f930d3c1e6b7685b6c5602080299fbdc54f06dfadc0c3bb938bb318797105cad9c64ecbd453777

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
57a481e1e84069be466c0eea2fecb6d0

SHA1
6a5bc7eb5d9051cfc21691b6149fb96091049afc

SHA256
3dec438dc2a6501859c1b7a4aa8a28ffeb9112d22b1663fb39ce556de39f1729

SHA512
f85ebde95e7766dbbc4cc647551932b99000a737fd6516c8af8d71f45465b17d0687139890e9cbfe852e991cb36305fe132bf14030de618db19931174b947a94

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2683bb454b03d19b5d24c1345b8da300

SHA1
ccf82a29af04cee2494a63fd2f142efaef8a54e3

SHA256
7f07d25518bbe03828ca2360a3f2022859298f32496d75fef0792045e7ce9244

SHA512
0e4e68aac930eee8aa2fbcd39d01042d132efb031e68fe4036f233690de3527c492155f95cc8776c81e0c5bfdc58149219eb0550b8a5745ee479c6a82079e329

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fb3feb85d43c2e0dbdf0d5fceac7eb34

SHA1
06784b3dc2423fa95f5fb513fde358dbea63d2f8

SHA256
80900e05998d65ee0399c72a80e75f986f5117f703869fa90de4f794beb59aab

SHA512
b7c59df8643991e171016b1db3e9dd4c24985f3e972793602e2db211e64a3c221b21d47206e4ac65e3d42debc873602fa7803d15dc89627cc5bb9b28937abf9b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
592274c8c9ef069d3764ca7a7413f157

SHA1
392c70ff58b79ecf8a1ee2c2b2435fe2d76cfdaf

SHA256
bc972d15f3ff4288c000565d2c0cd7727339afa44d29549cee25b58fd4678f28

SHA512
336d61fd8294d6f2bd954dedc4f799ca3c389e0e63628d465a5d83f81b961edbe4065759dae25f8c0794be72fc968078784c92c1150a66393e8b4c00a10d3648

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0fd7b5d22093604427f568d6af8850f0

SHA1
bd5542f0903e131378e724fc132cfe4dcd57707f

SHA256
09dd4dc588b71b58b4662147f0f1276f3efbd30c7d50f2989108d37d4368b033

SHA512
4e4a4039f1c201eaf272137fe0870bcc6ff8bcdafa0e42d144619bab197214102ab35243f5a30ff24acc0acebcbcb68bd1ba5b62bf2e517e669e0d3fe13b513b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6aa24c2d0ddaf950e9b8af2b5b59b1f2

SHA1
fa021b7b6f256de6e4de3fc1a367ef9629315b16

SHA256
ee552c432b0b1459e3189d12433def069a9307e58fd1e6c15e9bfe23c03eb5b2

SHA512
c939a0253fa9a6c2ec8b5ae769946684b5c4690cd97d5ac9fb98c3c61d61bc9be0194b0092a9bdad38ddb55cadc20de1c1cd660bd59e45c1463c1078a37ca723

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
f5f715004e1a5508f8a14b6c68019a27

SHA1
b0ef609674bdc27431c2f8270be35e1a80912524

SHA256
1a61ecab6dd68e2a097f99a13e164a935a970a4620157a020d149c84cd723fa6

SHA512
bc220999fe400265d25ecbf5746847f16fbbdeba64e574bd02bed69c939a5bf624539a709e19d3e10b90690f16db556b1afe4d4d9a26838308d0341294752817

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3dbda6361c03b0b6b0943f88e2bf1256

SHA1
1278a2fd942818ddc84f90d2ec45dcff1a8137ac

SHA256
7e7c66f080c1b7e046d6ac8088fbcca38c860fc0cb45c875be101260b288e64d

SHA512
961fe68e28b9f624417b0571907965e9e88d6c4c0b95340b3f727cc460537569096df9b4bd02c2f9ddd48019cef2bc4362e568d0a1e376976a7f4bcddc97e879

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b02e9ed880891c0ec2b3097f6cfb27df

SHA1
91f42f490dede8ae8c9bfe08ceab13b793c02675

SHA256
4d84c7f2d2f85ca26e8330f92cd300d1e5527206b263c4a7890392889d1257bb

SHA512
4d406fb01d08d535c8dfc066f4f1df9ac1ad9b8b8bb6127c8c45710c3f0108db8cc066603da47b3844cf596415d7b4fa88908ee1b37d9158ec5d517431049deb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b5a816940042f0945394e3320cc12471

SHA1
ff787ca75288667cc1a09494b182338b4b2fc1a0

SHA256
588ad3e5c00e70d3cca700e2182aa0a5d3a70094dff3e4a8ca2fc52d3ffca219

SHA512
958b2cb6dcd8a7c662f94981464f8695f011993cd555ddc8dd65514c6a2f4b3ee964d40712bcf74a52f04a111af47b4e70215d92d3927eb4240c6a5d7cfdbfc8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
091fed4016cec57cc44a66e1da9fad69

SHA1
189853300c9161677b8522f9d15dca6d5c036dd7

SHA256
e510b1a227e074ad8ae808abcac83f549e37df1a6ef1aa9adde239b6583033cc

SHA512
aa4b17cfecba07fe2462998d98c050c77f98286c286d147c54ac07cd6ebd270df543de6e9ad53c7fd230c7bfe3f6a94759de32a7fbb4b852d85fdf0d99c733af

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2ccb0d161748529dc3e3bf7a1c66c8be

SHA1
da4d89f1ccb07285aed75759e09d554dec62ed29

SHA256
26884c99fc70d54d14b4f73fbb55ae07ee132bcc2ca82364dddb720b8d60e243

SHA512
3f5316da657bec2b90dc94d866e1e8fe648a86532dc892672415d778b1cb9e0d8379064cb73a2c168695c963bd45717795897358031682b3e8bc15d1dee537d0

Download Submit
memory/724-74-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/724-65-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/724-239-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/724-67-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/752-406-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/752-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/752-400-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/752-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1056-375-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1056-435-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1056-366-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1148-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1148-230-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1148-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1148-14-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1764-307-0x0000000000770000-0x00000000007D6000-memory.dmp

Filesize
408KB

Download
memory/1764-364-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1764-300-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1764-374-0x0000000000770000-0x00000000007D6000-memory.dmp

Filesize
408KB

Download
memory/1932-350-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1932-286-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1932-296-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2044-28-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2044-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2044-35-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2044-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2044-34-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2288-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2476-315-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2476-321-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2476-379-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2592-449-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2592-458-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2604-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2604-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2604-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2604-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2604-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3108-340-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3108-417-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3108-408-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3108-345-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3152-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3152-66-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3152-52-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3152-51-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3152-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3352-338-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3352-281-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3352-271-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4020-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4020-359-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4020-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4104-431-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4104-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4456-273-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4456-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4456-255-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4456-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4456-265-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4728-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4728-419-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4808-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4808-6-0x00000000009D0000-0x0000000000A36000-memory.dmp

Filesize
408KB

Download
memory/4808-1-0x00000000009D0000-0x0000000000A36000-memory.dmp

Filesize
408KB

Download
memory/4808-7-0x00000000009D0000-0x0000000000A36000-memory.dmp

Filesize
408KB

Download
memory/4808-17-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4812-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4812-246-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4812-251-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4812-313-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4856-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4856-388-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/4856-381-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4972-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4972-445-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5032-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-333-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download