35e33b87228f0dbfdb02635b0ed5786d9cfccbb4bdfead4ec832a1a48c1ac0fa

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35e33b87228f0dbfdb02635b0ed5786d9cfccbb4bdfead4ec832a1a48c1ac0fa.exe
Size

1.6MB
MD5

265075eded5307dd6af2918ec5a95f8b
SHA1

e2a2f52d83c7f359de532c79276f61346d58fe1c
SHA256

35e33b87228f0dbfdb02635b0ed5786d9cfccbb4bdfead4ec832a1a48c1ac0fa
SHA512

90230190ab936bbf1059565f3ea7b5cefda109111f56a71ee968f676b0d075bdab26140c1327b343cae794b635adc78ac02787a3469c56bbf8cc1f87e8d57cdf
SSDEEP

24576:NVCKABE8S+LbzQkWWbCzLLB+lMP1NFzSRY:NMKkE8FD5nb2LLPrFmRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1312	alg.exe
948	elevation_service.exe
2768	elevation_service.exe
2360	maintenanceservice.exe
1876	OSE.EXE
4584	DiagnosticsHub.StandardCollector.Service.exe
2268	fxssvc.exe
4288	msdtc.exe
3268	PerceptionSimulationService.exe
4888	perfhost.exe
3660	locator.exe
1492	SensorDataService.exe
4396	snmptrap.exe
4504	spectrum.exe
1340	ssh-agent.exe
3952	TieringEngineService.exe
2352	AgentService.exe
2188	vds.exe
4700	vssvc.exe
3216	wbengine.exe
1156	WmiApSrv.exe
2660	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9d5d29722b574d51.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	35e33b87228f0dbfdb02635b0ed5786d9cfccbb4bdfead4ec832a1a48c1ac0fa.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9edd7771192da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003fd47781192da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cc5ef771192da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f733e781192da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003aa0c9771192da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
948	elevation_service.exe
948	elevation_service.exe
948	elevation_service.exe
948	elevation_service.exe
948	elevation_service.exe
948	elevation_service.exe
948	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1944	35e33b87228f0dbfdb02635b0ed5786d9cfccbb4bdfead4ec832a1a48c1ac0fa.exe
Token: SeDebugPrivilege	1312	alg.exe
Token: SeDebugPrivilege	1312	alg.exe
Token: SeDebugPrivilege	1312	alg.exe
Token: SeTakeOwnershipPrivilege	948	elevation_service.exe
Token: SeAuditPrivilege	2268	fxssvc.exe
Token: SeRestorePrivilege	3952	TieringEngineService.exe
Token: SeManageVolumePrivilege	3952	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2352	AgentService.exe
Token: SeBackupPrivilege	4700	vssvc.exe
Token: SeRestorePrivilege	4700	vssvc.exe
Token: SeAuditPrivilege	4700	vssvc.exe
Token: SeBackupPrivilege	3216	wbengine.exe
Token: SeRestorePrivilege	3216	wbengine.exe
Token: SeSecurityPrivilege	3216	wbengine.exe
Token: 33	2660	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2660	SearchIndexer.exe
Token: SeDebugPrivilege	948	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4588	2660	SearchIndexer.exe	121
PID 2660 wrote to memory of 4588	2660	SearchIndexer.exe	121
PID 2660 wrote to memory of 3536	2660	SearchIndexer.exe	122
PID 2660 wrote to memory of 3536	2660	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\35e33b87228f0dbfdb02635b0ed5786d9cfccbb4bdfead4ec832a1a48c1ac0fa.exe
"C:\Users\Admin\AppData\Local\Temp\35e33b87228f0dbfdb02635b0ed5786d9cfccbb4bdfead4ec832a1a48c1ac0fa.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2360

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4288

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4892

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4588
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1a48c2b4a3a82fb5d58bfafd272c4ed7

SHA1
709304f5eefbf764f3c796baf6e28f181d318209

SHA256
812b8dc3dfe2024edb51214a20a97ad1f70f95263bf78cafd442ca875d6ec2c0

SHA512
f796c7da34f9937d78a89c0db89802d6bb866533d1cf49a0617316ccfda715314f156d8324cbc308376331b92743beaf47d7441776042e8104c5b49bd867fd2e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
1e7ebb42c13d07b208a567c7e6a221be

SHA1
4303140447144d37f99571968a1651da3cd3b502

SHA256
0d9cd01ff6f6819bc568ca0ea38f8839b309c90a9be9e566e86190812ad1489c

SHA512
f3195ed878a6ba9816bc6380d11756233280641f07bf4896468ae2bae0d74e200e2cfc981d405be0b46e1ee893143312340035801b9aa939ebbc6243f58e9edc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
bff55c7959651fa4b450035b0158953e

SHA1
2bb3769bbe7728abfe3dafc169e1027675777244

SHA256
3b8a9880b34afde283787ffd637847f2fceb6d607d7677fccf2da2eee9c3f17c

SHA512
17d16ae318e4ac1b8301b9f907cb9f70512ba3a884520c67aa33225daa2ebed8a1a41ee375cc6a7398f1a739afc11e00fb5b9da803f1df9c9f1094cf48c31e41

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cae337cea9ad13d4f41c53fb64dff759

SHA1
e6a0d7ec30896e2cc1a9eccef559c46114774fc6

SHA256
7054bdf7e3ae9b502b41fda09205f93b3506e9bef392f928a1c035aad4164e61

SHA512
076ae9ca0d5be2ba5a160d43ed697fff06fcbd98ec6d3dd7e6cc940235c7230ad551cc3309ea59fef140a911d1d216558e76fae0136ff9b48eb01991c26ecb41

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
93475bf12399b73ba1b806dbf30196f3

SHA1
e94a30f7a512fdc2da5465874a1337397ad85785

SHA256
6ca0c474a630004a9c8f36fa7200c236d6ac496f63b343cf905e375c50777332

SHA512
fad711c849c7b2f852067b9439f7f55906b40f806c11708cde3c43161bd153c60e2a5e668ddccba227ab88d7b48c5b7071a266749f464003d31c4135ea57772c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
98fee55af0b0e3fe98b5f20ad5d55ecf

SHA1
5c16dc58e36aa758ae574f7f62b82122b9dd0da2

SHA256
3ed24f766349f59b123e704df9132df33baa799fca5b05be3ff88bce2fea2cd3

SHA512
83b539fca3f4114d1698d5effe3befb8abc1598a69762e6678dc2c1da6bbbdf001fafbc90c735f4528a1b1cc10e1760dbe79bd49f9d3887f1355ec38f673743c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
0ef7819d6ff92e6786b2c42c17aaa3f4

SHA1
fcf4f85759782d4bc32b92fabf4b322bd1f8a2ed

SHA256
cebdf806a24b940cf942717247d014d68db81c20b50b6189c93ee15d394c0e7b

SHA512
5189c4c9a63fe38abc58a8dfab0de4e05234dbc020848b35c6a30d50ee25cd062f72011fa8e80cc92a10039b56fce96ffca06027440d071f32332d5f070158db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b7091ea3f29b05186af07bc44e4d0ca5

SHA1
13627da5d876af2745949a63ceb9108c80036ada

SHA256
17d738f6e6c0268f4dfbfd391ea915fbe969fcf084644f09457146648a981205

SHA512
fb4990f80fd1eb2d82cf080bc9b844c4d9e3cea622c170544437149242a29b4561e4333b209390ac3e15ac8a46b5ee750b1342d66d89ad92a09453188c8476b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
667639c2d91555347671297ef90c98a3

SHA1
ea2ccf85ec71dc62d0ec11c8e6e2272cc157810b

SHA256
a3af50558a2e82160fa30219b5fcd4c8c08293deed0fd41394f37be794640052

SHA512
11e5a0e7223a90b9afbc3b079ce0781c50b77d5fe8b0025e55243263c022c0d4b9c0ffddaaa5fefce60aa0166272210876854d0bd297a2f6460e4ea076806b36

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bc28275d51795de56c5c519d317f06be

SHA1
29e8acff89da436c5fcb4184f5ad6460b423c751

SHA256
a0704329fc52fd1014dbc2256459ec027517cf73e8ef34d10db25bbff83ef78d

SHA512
5f3f5d88ee003d67421933b68015de9cb8efe9b643407304595c3404933a507a44053094355eeb26218d50eb9a261090700a0f99d4324a94734d0e0d7ed79ea4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
84ea34bbf5e5b0d5f3bc19d6b35dc0cc

SHA1
1aaa78ecda94a8a8cba20b4e854ea2105272774a

SHA256
4667378e83d6bbce4c82f3ebb5da0707885174cfefb1abd5bcc33295f15d83b3

SHA512
5703df8b225b533834e4b5a3cbb5c27af1d84cf0e2767abca403fb7ba3c873dc16507cc00d2327805b45e6117a9e624b19b6f741fa03a32a2499ac8c83772e3b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
769a6087766f15cb37fa000028efe8e7

SHA1
be7bab1aeecb8404a8c7c0c41f0bf5a6264fb702

SHA256
e34697ae519aeff3f9347589c0f0b85714beed136866f1419e7a81e7e17025fd

SHA512
7f8e5146325aa6afa9f789e945cff51c8a443d912e8409f77c58c4b4395a071ac96b2966967138e4a2ce6e60a79bd8a9e262ce87ce10af07dac44d86429b6f5c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
b77231c8a1ef96356dbe42b8fccc7796

SHA1
ff776ad81674a383d8f0366f52f60ba935c390f7

SHA256
3737e99872708bf7dfc20a52822aef1bddce1f3c54e7910f03c9d54da02ad8a5

SHA512
bd6150e69296934f5732ea1ca53a83f47661f265d677108827e2f43835f40c3b7cf769e1f09d3fe1006e37e79a19451126666ecbfffa3a3f108fe79d2fab2127

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
fee391cfe4ab144086df3a91db469ab8

SHA1
5da1fdfead05aa354dc1d7d26e90f061d5485ac9

SHA256
cc735ed8d3f51c31e396cea020e137e6e6a7d27fc4121fd833636aa33aaeb6aa

SHA512
1eafc18f64441a0fba42a0505aee484a60b350db7bb739d81244aeb141e202f690017f38b3e40d05751d7cc0b1ad93a1e9b2848eab18432a47e7c957c1528a64

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
fd238e77c31e00508cbe258977568153

SHA1
62d50fbdc413a3a0ee666750dcfe7f40c2d12716

SHA256
e74bbb809e0a8e0184c4405fb501693da6946505a4e283abec9e7bc7232b7b84

SHA512
fee532f6d850b3649c1af48aaf1766af3256bbad8b22bd2835d7e7021160814e1e1e1ca3d74cfb8883b5f0140129b8bd0bae6b8449d1e00446f856602dd4e196

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1ec963dcf219b57a399b0c7378ebe2a8

SHA1
be3eefba320b85d4e50358859d065f7776fa83e2

SHA256
531161107a4b0f5213332fde89d04e16adea20aed9f839aee956b6803cc5d44a

SHA512
d552fccec07ebaf77fb85f161fa00cd3ccbba07e6f9cc0e59a4fd5c7dc875cd898b28e078b1e4ebf645d16b73433fb9be545b1245bd5a37f2132ab4afe24000f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c1654546cec91ccd6d5a0ec74f86f4fb

SHA1
c444280c290fd9cc48d093209ad8e11db682d6d9

SHA256
0c172c57b06677c761ba014ee02fed8b40a6132544c6bc04cfc3dc695ec818da

SHA512
4eb92904be03c7798badc8e937db408a8ceca4a49c6b572a931f8164aca0135edeb981c7fdb73baacbfc26a23f9669aae103dd920044a76e42568afb369d5b76

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a4fa285e781cd4340bf4c60bddefbc41

SHA1
ef88d7caa0cc92f10febbb099ef9293b779e8432

SHA256
c8f4e127b7a1a1131856cad901fb38f52e58230d98d9e438fc5a22fe1584f0d0

SHA512
5f688f8acaf0217e6b455a255edba20342afe5fe2ed242e4d8deaf86f30a8f759f1126aae634a6f51a1e0141db25e9a68d360d1e7a8e9438cb1cfd07782c6506

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2b606dc866efaa9dd14338ec338b2a1e

SHA1
8e4baee1c35be90117ea44b7a49d27d53b8b07b3

SHA256
ce54ad7e9e3a0a9aea50278b8805cbe1caff82b7d0cf165a07513bce48b9d528

SHA512
cf166a589de9797ea12cd1c73f7f445906fcede3d0731ac5277077d925ab3fa8021c9f0eece2e12c00d93e624097d131f5d9de8e8b35536e3cbd4fff67054006

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ec18d8638fa8024c8084fa6e9faa7634

SHA1
cf06baba0f17351db13794a0416a4a0fd2e90043

SHA256
cbb7d904bb8dc2640ffefa1da42784ac8fc780389cbc598c81a0a1d31db162b0

SHA512
a098173b006e2f29cf8d7070dfef58c25a40fdfe674e91f5566497d509ce1f29623bee7051868d28c47f7edc28e6e94f30e5810c62655e553c0e17c4ceba726c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
e966edee5a30d315fa08e0fbdf9dbdae

SHA1
c3d1c158f338ce149b1238fa4f364dd39ccab034

SHA256
541f5f1d1cf66af0b79700e9a1708ff77dd0018336959112a89ad3553277b55e

SHA512
f8b99fff7f2a836102578cfc6a33c6919d9f914a52a7ab8af93309ac3b7ec7d2af51ddedaf183ca0145b6d8c6168ff6de4ab2c6432b1d5cb2e4905b789b087ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
847e2c769d8768a3a2f26fdac58f43dc

SHA1
c362102b868d11bc07c36be73b30b5469dda8c93

SHA256
f60e3d1848ac913b35501fa8ebb13965dd1c276ce218032aeb9f3faf058a7674

SHA512
b91873d804cfb8eed32629032e90ac26607bce4175eb9eecf2db8574acce502a74e182b081b416a263184e7751b42bbe61c670af73512fd653fd3dab142a0178

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
a79e2b99237ea241d3779e7111a1a626

SHA1
469b7c38b2743e2e84013f3730259f4d9ad8a74c

SHA256
1ddf42896b92b28c0fa8d64cf4d66ce4332aa61276dd7ecb3e111742564a8bb8

SHA512
64485283b7d79b6730084dc1ddad8b1a6fe920c7704c139d8d6ca5667f098ac9812855cd950e9986ffac1db47c2bfcbfcd74559899c608c53a95cace8fe73f8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b0db3196b1a06ccc5ef58b216116a15d

SHA1
67191efadbf9f3e98e7adaa33eda7fdbb0fae55d

SHA256
96bdea8f372e75cc006735892a9475ca6d96937db5ea7cd5ece6d624dfb88c53

SHA512
4d021efc0b79e290c849fc5b597bb983383af1328ab1afe8aa3dd5c5b9caa85cd38784d0ba870be37597de08a6e6bcb4e145d72472cf99760a1ed286967662f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
27cf4c9684c58ea88b70200d1f5d55e9

SHA1
344312178de0d04b03c076f444105c060aded08d

SHA256
79f03d4187cfb8669b448c953a0e97db1790174645b11d30a1158a47de2adf57

SHA512
937ac2d277fdc8e02ba31404cd4c04d7d7d1785804b127b7d49dbcafe16b0e1993f48440952fadba8e15130fc4719efc7fb08d3f5ebc47b60bab4dd991b09cd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
f99feebf2e66dc777fae678e0414103a

SHA1
8eac7f7d556d06a823fd082031702e5bf9dabe8a

SHA256
393918406af2b1d65f4828bcab34f27fc803984230589422fc5274f193fe96fd

SHA512
5259301b7e5720f17521f1e8d8feb0ab7fe5172273806e8992689bdb4c890ed0a1bc01266e32daa339330e573147324067fbccd8648dd84272517ded68ee6c23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
37f9c3a6e1c01e7ccf6f64e91cbe8735

SHA1
ab76769fe8dff24122d06fccf63e410dfecb349a

SHA256
024cf4f6d7b70fbb6b6c24701ffa6ee39c0d3b14332500f6179899f9d3bc81df

SHA512
026ab912b92406e35218e57517c9f27d6a7ae9f8e8494927576664ab2444540c287b1de54ef80000e085c98754c30b1d667601db6e698da6c1d5651a628961a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
a9476ef721bcd56ae2bd65223549df37

SHA1
c8508c3448517823ed44cbab3ad5fbf8553804d8

SHA256
d641fea8cb1e6019a9007e932bc4c1974b30dc9341c14ad1c6e0a7fd9ff52d7a

SHA512
bfcc5ac24e4237ffe82e1c79b22c872d8e7fd59f557dbad9a856195f96a98967ff48e945f018fd1afdf3efb8a325df630c24989b9109c73a7f496099d9d194ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
d4c7a8b6ef80efedf36cb8661ea91ace

SHA1
e45ede797fbae05ad0bd34420ad84b5f534ce954

SHA256
c085c4fbf6d32de903c7fa1fcd82f7a8e61c8b8bd4c9bf1c5728b09c088165a8

SHA512
d99f47df102713af1fe09ca0e744e94c82a6172192f8339be433d0f7fccd194c550d21a4e7d1f07acf67d55d14fd404fc8e03085cc45160999636dc7a08cf0ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
c39d7b1c04ca5efcb1c75f7f1fd70158

SHA1
9842a04178f3387ad56b1beab9ac27955233a8a7

SHA256
42d4ad978b635db8bba795c40c94dcaf923c48f69d3e75da0a56bfb8f22fedfe

SHA512
e736ae316e20355ae2d94fafa9fb521099d183cdf34884fc65452f883004dc758f135aa2148aa573b716ee47ca22e1fb81625619e2c50549bc10e3f2715c964b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
fbe50b309a4d94045f755ce29d2497c9

SHA1
e35364a20b45f9a256e39ec443fd4cf140cf8d61

SHA256
fbd400d69d841de63dbeaaa1f0d7b899884da00f10a90ee87efddce94318f598

SHA512
442dfa5d119fdea2b9fdadc2202845f8e5840f66439a3956ee8af8a8fa28362e8ed937057e9dfbe2f1b96e7e9dc79d683d935e531ebb2d12b2f79e209c45d515

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
5c0dbd31717a277eb06360b22f4b6f38

SHA1
b43aef950eaa30cf95c4439088ca2ae7bfae74b8

SHA256
5654b0d1538c1eef133b2dc5935503f41780ab9ce08132bda9adae4b61b08c0e

SHA512
a6c314e9c95db8a97f2d1a5f352ea868be269a592541aa3e43f968829de02061ad4deb3deeb16ed4213853a964e2618dd47d579dd6228b1fad44656fbf439607

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
125b112b794f58a85fb305aaf78b9866

SHA1
89055783f4cea4d919472140069d29124a392660

SHA256
236b8b680950c0ab7b8cc736ff6efbc7d8fe6387efc7be74c84e773b8af81cfb

SHA512
7b95e4e7ba6dd62fcbb4f1fccdd2b7345d58dd99dd5c10f804346b01e6a9db69e6596cc2c130a2473a68d81e3a6d40d0f6f96b3527f6095a47c0aa175e47dfb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
289696c031a689d870b60d760d700ae4

SHA1
fd7e1ba61142bc0e0e20aab145edc77a2271af17

SHA256
bc507a155bc35c315bc1116e5939e89563a946c9f4c8829923a03945ff1894c3

SHA512
88a38cd544089d8925c25bcb7deda95be5a949b11d6064b0eb66af15fe5e27ddf186f263ef5fbc7fbcba6a8ab566258d5ddba2b4c0440917b374fc8b8ccf2a78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
e976c9dfb00e7f1024eec73603b750e3

SHA1
4f324ad41ca7210508d40caa570f216f9c8e03b9

SHA256
62a30d49fd4749fd2c64765254e04182d25bcbe74d86ade86f5a22865f637295

SHA512
86b969dc1e7151592c215f3101f2bcf4f0d7df97766be81d1c4967190adc8ed12100a9638e1a6345d845c692c530004bcc72bdb406829604abf2189c1285425c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
372f6f4375575e150b49a0a18f0cb3b8

SHA1
d7f5352e685441e1969fe3cb90c3a267e297a9f4

SHA256
b0ef044fefac0f94598848205cbbbadcf813b7aa4f670bcc9c14a9882960ecf9

SHA512
895b28cc351d61686d2156e9ab7543e7a6a1c4a0804970c2a4f3d1ceec3198152e8634556d042adcf094fd90b0f5378170b872aa3b7053b5812886ad5957d10c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
67c8ad1636cb067f2c36eebf16df67d5

SHA1
305506cba34205708b148eb03c805b92e57e0ea7

SHA256
493ab5be996bda42ac3226cca0ac5f9b8dab43e24873c47f24fd345705d6ba0a

SHA512
4dd477aa1d468b96535f1b605056e602d6b7e92fab9aa052ec1a06e616ff957fa5da1231a3540ae5d5b456e0ec73f6232de8ba562ffa09e2948939d10bad143a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
6055b59abba4b523a48ed1a3096f7911

SHA1
0d55954231af9a03b4f769e799296dd928f68018

SHA256
40c677972b6351d9f9b11a184847ead16ac201a9e13cdf8c4b6a651bf6f57d05

SHA512
568c2a3307ed6022ee94e5fdd6907ee871d9b4d737d91ece78dcf0244806b1ea986905b167612e9e2a62d72fb3a474b5f71c7f1bbb6f1615ecb637b8962419f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
a9a91c988b45bd0d13a09210fc6cb73c

SHA1
59a7f37d5bfe03117f6126ef0692afdb5993dfe6

SHA256
3c5889acc6a75cd758ed340dc8822219708b97728d799dd327df24e1eb154557

SHA512
f7b11859bcbfea30170fea8c4f1c5e0f12c7420d018ac665fc663fbe746092de222809920666bc41f635ac16b32863d8e92a05264e6b8ad65c86e4ad8e94b77f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
684649b03da0f04645400ec890b9cc1b

SHA1
aecb071a708a3780608fae69f1f5979ef36ccda5

SHA256
15cc4f2d242c7e2d41d98e14408acb68ba73b2247cb7916d85303e47595d801d

SHA512
2fbf1647ac5020d848b9ab050276cb69913b30bbe9a9a7cbd62fa1717f44755ed148e422a74542218355508803d651a81d858814594d2313378495df45c49a9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
4c7da31de6761d92d7a93b9b37f755e1

SHA1
819974becd70b8e8169f5d10bd38731c531aa096

SHA256
60e76762593811d7065543aa17fb392e24170c95e3ee304111d020ee3cfc2019

SHA512
ffb37f8e00e05a5434bde1ef89dcf1c8348371758d58c880b1c5273d7321e6fdae66cbd20943871dedf5768c51c5e772c2ce94dee3f39f8c2c5d6af3b435575a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
3e8b926465b627db5ce3844c22e4d323

SHA1
6fab289412f07129f31114885dfa8a64e961b10f

SHA256
3451927c81cd52597346fcf6b907f639de709c77323aac3d9c387e04e49a9292

SHA512
b165ce1c9cf46e54b7d742c5d69e6df461646d6b6aa8baf39d62bc522ad100c4b3e926134dbe88ae1d26e71fe2d919cca230de21ce401868f97684575bb5e1c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
d6ea4e6e1eb9cc26b209e4c79c8ea76c

SHA1
86846313145fa63143d4445b1bb9fb0e2ec5a9f1

SHA256
fbe6ea61c4f1c6dec94474db30a4a0366c133261570ce9a5cda49c1ef30a8d53

SHA512
199ea7dfcbe872d37aaf260e2a7a0c3cebf5c6e9415c712740764fba26f401702ae232454340b5022ef1bd8c08f7d17a8ef18958edbcfbdf859c9829d25322c7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6d719d17dbca43141bb37dba000fb462

SHA1
21048ccb3338b1cfa65cb35c9e936e73069c3da9

SHA256
901172a471989e9196d2bd7c62eb2ead5a25edff422bb21e34e229eb25fd788e

SHA512
19bea5ba98b6165d428c8c657f9e3290e50a769f2174d7d03db9a0bb5aad2c52be5f0ef1a544e8c2ed3cc1d897dd94aa7c83de70c9631a28e1c19611efcd184e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
3797dd903758db3c5ca7c8f708a242c0

SHA1
f09e6c8e79e7495881f2e9530daf22769c116f02

SHA256
c5c582642379cbdef1a50a5144456ec0a0fea9d00382a2fcc59abdd28573caae

SHA512
e98b9a1860e7d980fa6a81a2049ee614e81654bdb7673fd1e2554314c88c7e462616548a6f019fd897a1298f548e98482dd39caaaaff4a3fc035883ccf62063f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2c2bdab45f18e0bd980c71eca8b291d2

SHA1
39d5042e2bd44afd64ddf03371907991b0a00e86

SHA256
9e0b53b07ae57034b35a6799165b3764b51c15dccd56c80bd84f7b44d34aefd7

SHA512
7087121bee76bce208ac982142a2f732e2fe0d02eee0e5198d4f4adb6dc977dbff52258fd179c14aeba796f5c2f9d8caf78e4eb6d7d653b05d93fbd751449030

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f10da6cbc0d47ce0a1945010f960ebfc

SHA1
ff2ddd3102279a582e4d88dcd25d99418f1201e6

SHA256
67c562f350c42c14bdcc49555a44b1e18db2c6c616011e453f430801a07afdcc

SHA512
26e6ffe05015ba0b57a99e43f7cc8c0117620aadf8058a264a6b5a93ec50911ed17877ac29d1f11a3775bb2c5cfbe2ec62e9f9d79731556b19e45ef817ef487f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fb51c70f4984ec5dca868e26d2b5c0b7

SHA1
2629ff24b041ad64f1103e3bcdb7316aa26cf3f6

SHA256
27de6f3c77b609645a7f38c00418ae06585c55f55f4f3c93345ca1d225bff9a2

SHA512
7bfb2f110310464075247d523b79cae144e92124e8eebe5eee193915a4e70637df8f6e4fbb3f1f848efc3d9493c28b035d822583b2d471d7b0e50d76622f4bfd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b05cb9f3424eed5d1dde2bf804e6ca8d

SHA1
77e52df5123b6b726f2dc086c3b8ec143bc682b9

SHA256
cb4a1938fff701239f334fa6bfb9a91d2ed2cf3c02ec5e7b0791d8a225f676f8

SHA512
6197e92ff9f70dd7e3dc360148d2989b162ea2a2abd4d168c71f3320866e5ef7d09e748bb6c621a20512f506f434d6742dae2a2468fb8c8ee83da6e57626919e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
574a3857fc246890f7c058777391172c

SHA1
a654f985b80509c7bc719d3b51a6cccc501e44ce

SHA256
fb3cbb74067a926de8fe805b8a1805f4f1fd28499bd4c45a79c6f509984d3177

SHA512
9ba0765c655d6c611a3f1cf98d4787ee2d2d77a23e7ab42fb6a92ee9fc0d775d9d65e20a41b54a8204ac5fb4d6cf88cb427562a46313d64944440c8ea9e85317

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
661bbdc7a0c365e6f4acf165675aa314

SHA1
53049b70f54af2784285256281d6ff18667e2063

SHA256
d1cb0c43d7706948639027ef997b6b932526a525ee8fea03af9b7ff7731cc3ca

SHA512
d523f877df6e1cb591a85a642be5f0a8978a5bf0061a1631920ae02e8cb5d6aa7b5253bca3f92a1f8ebdce081833368a403fb91ac0a439f3e9f218a7f6ebcef5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f880588e04a67cef3709fb8ab1270a64

SHA1
df151fbfc41a9f8d173dcfc61c7f119c0636e20a

SHA256
77682cb9b99e1df3ec350499131d8e0ff56081d6179f6a4f4aa7a1ddcbe16c1a

SHA512
138af3e4ed8378cb67a93641f4a8684868a72c5cc34318a6fdfe1695a7d78a23e153c0016957f614a85bafcb260b3592d5d516e02d2d285ea13c2f7dbcc55a6c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d57baf1bf09cf883c8b85ae54f34d136

SHA1
0b09e83a901a0237faaeb29e61ced85e66d64002

SHA256
1aa58c0919a42929047a5bb5adff2c3f6932a575e2029998edffa68132bd25aa

SHA512
6b559b7d1701d880634ad1833cd1703f86e8efe12c03623abe928c53a5a8950fefcb79993456032c9939b23e43821235efb3a703edba0847043e8e0aea1c75ed

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
43a31b31d58d29016b0006cbd924889a

SHA1
8a4a07bb06bdc800181e1efc7b8240b5afca66b2

SHA256
8af35ea24db43788d9c336ea4cf98f820a57e7414301be66ffcd5dbfda1452e1

SHA512
06b3011ea3a3fd00c8ae6d286c78ddfe342b7389a866972e2cf98334fc2559e0ca4d2a970fd2478a8b99684ea5f110322c323e76eaacbbad3c4b7cba9dabc948

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
c8619138431a4ce56a2fb7719cf3a69c

SHA1
79073eca87cca2f56365fe4f8cfe4e05c76ab5c6

SHA256
932dd78077942b1c9dc5a9cb7fb0e6a300c96d563a117c0960de358b5d92f36d

SHA512
573b8b14b4b4768b31d820cdf22bef8400ce9ddd8f6399f73586e5c4ca61a54105c54cbb2c333b0a39e36073f393afd73ae87405f53199f33b96f1ac298902f2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
89a580170acf63c4479eff81f9f8e7af

SHA1
7ec5b65bbf4fe1bce736e854b400e19bb68a4f00

SHA256
e3666efba346fc7c29fa2cedcfc191a0c84910d5719633f7a65a3bf6213c0ff3

SHA512
c3a2678dcfeb78144e3a756a982819c65d0731b250a932e818dc6cc55430bb321f02aa2fd3ada4fe36a3425899ff8739f163e303bdd53cad2c96c36df6018911

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
52074771417943e0833e470a9613b76f

SHA1
32e75446abdd03785271b16dfb1873075c19934f

SHA256
304ab493cea60a544943d6a7d0a80363e67baa5b99c2a72a5bae9819311790c3

SHA512
de6035f0ab69ed693264aa80039f84f80d40df7712bdef489e22155ac26225df6b8c278d9e35f862348ef6b2d1d7d2fa721688389bf7659a5014dcc5c17a738e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
de5eade1808802cad21f03e939003fb2

SHA1
b632e1f61cb41f776b739dcba58d5902c01caf5d

SHA256
cce59fea15bb8f27c4d84b283f8fed856a81c451657179a120a491d4165af078

SHA512
f30628a96b432c20a9b324a8ed9f2cf193407217d6719daabeb0c66d0a37c9df2e151d7d609a0df8e8736a9a428ffe52b37c3706fb19f9f2eb88ce110c9f7649

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
455d736eec3b110fd078df6ba4328760

SHA1
9288161ba75bd6e1279723c8354aeab0a8829152

SHA256
8543a3505291e9a9c7239389096dd5825e29b7abd8f3c6a8521421689881572f

SHA512
ed1006d46a493525b8f7dc1322c718609fdc0053bc4946f07748411af135d65d08e064c579cd01e12863691239f90e20aa85479d9a5e3ce6171a9a0602b81d0c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
26e1bfc223fc50a603dca5e08f6d2a15

SHA1
116c59f4d06438c7e1e21704723d35b00d7304e4

SHA256
d29f9709b059b7fd571d610855ee78b52ec0a80b051efa493ae428cfa6fec2f5

SHA512
5ad096013dff81dfdf2a03340dd1a0994102cb88dcffa246b690d85cd219f74e2613d50e4670d3daa9a5631b653466442012c5483b88a086d3d8724967b0a518

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
df046d73136e3c1712a4c0d42a723431

SHA1
d7263e4ab0c5c483d3fe2e78b4d436144b8ccaac

SHA256
6d8a5cd0b5ce9d47ba26f11b1353461b8d13a44cbaf1539f8b203f5fa4c6bcb0

SHA512
a38069befb5b49450041345949afef53ab6086eb5c823798143efba2f6aecd2a92abaa2c2c2c0c0e22f876c402e97127114ce9f2ca2cbd3ba007282c4f0e309d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
de1db8e7e44e369fbc2e3e8b60e89dd1

SHA1
b708bd02e475120f579d7fc7de26c84ca3c3f2cb

SHA256
534b742db812402388b7a185b1965630da21e4ab5cd8eaef639044a9c4cd8bc5

SHA512
811f1abe73f22027232d600e37bf8702493da52104ce2bedbc9e4714726e9e66167c45ad7817b9c5e4447bc950d088d2c31e82ef295ab1898f13e1efb2921b39

Download Submit
memory/948-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/948-28-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/948-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/948-35-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1156-457-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1156-449-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1312-15-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1312-16-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1312-22-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1312-227-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1340-367-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1340-374-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/1340-434-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1492-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1492-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1492-332-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/1492-401-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/1876-72-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1876-65-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1876-66-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1876-73-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1876-238-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1944-7-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/1944-0-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1944-13-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1944-6-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/1944-1-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/2188-411-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2188-417-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2268-270-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2268-256-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2268-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2268-264-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2268-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2352-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2352-404-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2352-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2360-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2360-63-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2360-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2360-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2360-50-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2660-470-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2660-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2768-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2768-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2768-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2768-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3216-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3216-444-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3268-286-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3268-296-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3268-352-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3660-313-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3660-321-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3660-377-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3952-379-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3952-447-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3952-386-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/4288-338-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4288-274-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4288-281-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4396-340-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4396-347-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4396-409-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4504-431-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4504-355-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4504-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4504-358-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4584-251-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4584-311-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4584-250-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4584-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4584-246-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4700-432-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4700-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4888-364-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4888-308-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/4888-300-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download