a518150e8badbad80563fcc39b395540c78746db62629198d0bb14865f44069b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 02:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a518150e8badbad80563fcc39b395540c78746db62629198d0bb14865f44069b.exe
Size

706KB
MD5

8ffc8b87e2a1af0bb05e24509346c7a6
SHA1

181ae515eb10f093fec4f7d6e47e27428d230350
SHA256

a518150e8badbad80563fcc39b395540c78746db62629198d0bb14865f44069b
SHA512

efaf6008b4b30ee186cb1bdd29bc138de743635372b79ccab122e7c4b11d2f13e960d811fa095400aa3562584efc183962c024491416ee8d03375ef0405bf5ff
SSDEEP

12288:0WiB+tYGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh9:0WiB6t/sBlDqgZQd6XKtiMJYiPU9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1516	alg.exe
4812	elevation_service.exe
2176	elevation_service.exe
944	maintenanceservice.exe
3852	OSE.EXE
3312	DiagnosticsHub.StandardCollector.Service.exe
1364	fxssvc.exe
3668	msdtc.exe
3940	PerceptionSimulationService.exe
4132	perfhost.exe
3404	locator.exe
1456	SensorDataService.exe
4928	snmptrap.exe
2408	spectrum.exe
2868	ssh-agent.exe
4012	TieringEngineService.exe
4128	AgentService.exe
3768	vds.exe
4440	vssvc.exe
1120	wbengine.exe
3856	WmiApSrv.exe
1724	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	a518150e8badbad80563fcc39b395540c78746db62629198d0bb14865f44069b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\14d750a4c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dae8e499293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b04b8c499293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000923798499293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fd2d3499293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	496	a518150e8badbad80563fcc39b395540c78746db62629198d0bb14865f44069b.exe
Token: SeDebugPrivilege	1516	alg.exe
Token: SeDebugPrivilege	1516	alg.exe
Token: SeDebugPrivilege	1516	alg.exe
Token: SeTakeOwnershipPrivilege	4812	elevation_service.exe
Token: SeAuditPrivilege	1364	fxssvc.exe
Token: SeRestorePrivilege	4012	TieringEngineService.exe
Token: SeManageVolumePrivilege	4012	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4128	AgentService.exe
Token: SeBackupPrivilege	4440	vssvc.exe
Token: SeRestorePrivilege	4440	vssvc.exe
Token: SeAuditPrivilege	4440	vssvc.exe
Token: SeBackupPrivilege	1120	wbengine.exe
Token: SeRestorePrivilege	1120	wbengine.exe
Token: SeSecurityPrivilege	1120	wbengine.exe
Token: 33	1724	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1724	SearchIndexer.exe
Token: SeDebugPrivilege	4812	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 5436	1724	SearchIndexer.exe	129
PID 1724 wrote to memory of 5436	1724	SearchIndexer.exe	129
PID 1724 wrote to memory of 5460	1724	SearchIndexer.exe	130
PID 1724 wrote to memory of 5460	1724	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a518150e8badbad80563fcc39b395540c78746db62629198d0bb14865f44069b.exe
"C:\Users\Admin\AppData\Local\Temp\a518150e8badbad80563fcc39b395540c78746db62629198d0bb14865f44069b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2176

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4484

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2408

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5436
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
13e0d9564ff987e2954edaf5c0abc6f7

SHA1
357d84fcbca27461e3c564a7924c02e5de6fba83

SHA256
148a480c4ac39043efa01f70889e9086af6b4da91569ce01a6ae437fcbc14899

SHA512
d2b2597b1cb297aeb6ef04dbe9cf18fd1e463badd86a91dbd2ce107624c301cc03671fccbdd8fad44438cc13a81df4ebc05c674d029e771cfdee6c82842a9ea8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6e646dd1c21f42405a8614abfc1fe50f

SHA1
c321feb7cdef258dcfca9bcbd1a369285fc898bb

SHA256
9cb9a463fc6fb1a58c8665bb0c29e17d526c0c724b7d583cd23b9b1664f1c332

SHA512
c517f90fc05fd1be4eca53d6f14d36ddff9e688faec2574fadb4748710a10ca9df9f3115c4a37ba25b0ff80e20042b2cf2c296ffd56bceff87bdf5ebfc3ef0bb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a1f9c4b6238bf40d6dc5fde1211fabce

SHA1
bb10d0b912bf35106736c18a93c3ca80fdf0579f

SHA256
55fb2f77732fce91baaeee5351cbdaf1a4ab3b974ab08adc7c4e7541518a03d0

SHA512
f940b1c238d07cb4f81d85114db73717e71aefb5e7fd7c3779f04695eaefffcc28ab1a56e507a800468fdd824acc48a42ba4904279813446d4f8895dec560ede

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
097960788d9e3dd21df955032e1522a0

SHA1
5d788b106e72dda995fde57a58ee555b3f888ef9

SHA256
507afa4b103b064f935c71fa9f55d6a6b793739694492df6294112a23a00b563

SHA512
a8415dd863770a52ef28acd6d0a32b4a65bf925c5c622774d34c5d88472f3d52c8a46a5f861be74738f3d41a473634195d12038855ab9bc56fb61bd0a7224036

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
37efda93bd1224510d847def322db9e1

SHA1
05474394b81a4476fb89424836c7a37289c0f51c

SHA256
3af3cca8d83da978f0c8f4435534a861cab3a891b06a8ee90ed96df404f7d8da

SHA512
3978b34a7a64e886e798699279d6ff9b5451431c4fb6e490cfc4fdf32072e1f3a859c280f035a66eec81656f1bada11875b184b95d7a0554b40ea195f1e6d31b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
51493556164a32ff2f9bdf19629914a0

SHA1
4e5e69d87a813e86968fd38bf8eb9aaac10c16ae

SHA256
8538a002831a3105b7e1fee2b537a1e8446e35800c6f3ce8776508baedb3849e

SHA512
dbec864fd472cabce936ee41afb78da4abf07c556475da30eaa45bf80363bceaece54c48d28a0f5d314bc4757e9fba110b91a6826cf29e63a3a90bc88d009ea1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
dd973ea00377792c64777ecc0da7acdf

SHA1
c9399b31c6b98d7cf440e7b7cd59238b8d763da2

SHA256
40f22e023bfc4bb6ea21a0505e8047d28a67688fccbdf5c57c402e4eb7db8218

SHA512
b5d9cabeece63d27703ca77a9a1290fae3fbed6e6e2f4ccf4b0d6da12fef92f040d9b264446b50ad0ff78a637fc358f97c132d1751fab65a25d2d6ab080ccc20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9b94dec622e215a5a72d0768a39d146a

SHA1
ed774e70356eea9d9f4117e5648d49af855feaf9

SHA256
5e1422031d161656a5917844c34f083d338de4a09134f987f5100b1a82301b6c

SHA512
93c3dfca0574fbc8260b9be91f7d4adac4514becd0f745804df1343e40ee2187e29db9ca8b3d5910758c1356556ee26dcdf072d259e81b6201e6c1a51e7c6367

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b0e8ed918571a52d71317b62f0a2c393

SHA1
d20356cee569b8edbd68c3d7263fb7c6a6e10fd0

SHA256
5c45d54c49cb0f5626973dc1a27de01f1e957fb8e4da979983c48a286aa85444

SHA512
fcee0b9f744a7dda4a56681673052af67c67abb05b09f1cd047211823ff297b3710ce447bd9074d13f1467bf54a85d891b399061eb1c052670d16b0eb5399731

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d128eb20564c64e084121c9f83d49f91

SHA1
f1014bc6434880f5a1838f24bb2e86e1fb9d1c97

SHA256
944fb9069065fa2abc00a7f5804b73a6b95b558cebb370c8fa52fcfb8bc1dd71

SHA512
dfbc56715612b73b82e4e59e7ba21ddd735c0687d4a1b4bd691f5604377e90c18c77984f92bfdd7bc09f27e03a941daf387452d9c814199e019343aca9c93107

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d9a11fc924672470cf4336705804635a

SHA1
a531231dcca239a1c5dad73213930ed4bb8977df

SHA256
70ff774aceb5abed71e14546d517f82fe3e6d525411fee8cf36ff2988dbfd928

SHA512
e96cb8e63e7917aea8c886dd569b4d50417eb7917ffbc0f20a7272e61d2e21158d25d9b8973ae086d19c4cbbb7a48647611a8343ed09c4ab926ad617b5f77b61

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c4a92fc6be94b882b3e2d6c8b6f2109b

SHA1
5a3fbf604fe6e029d782c3f4b271e2b13497b588

SHA256
73451e0b44eb8c690398e3271467c1ba62683a9198190399b534e59db5ecf583

SHA512
ca3997e182ecd1d1aac8b59c381685a17e56486ec68bd0af1907b76a52981fc60e72a97bb05eeca5f19b2460e39f9b97b26d780b3730df7beca2b725aa0a6bb5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e3951ac0622e9ec04c9a1be6754ed15c

SHA1
c61fb0d63f442d8041aa88bad6f7c7a113cc5276

SHA256
0aa727973636e7d7dbe25d6a2c8a4197b7a42ddd9d110a63fdbe81b79988ed4c

SHA512
ed8e27c30684f2f5abc423a46b3fbb01a03692a142b2678a5f373364925d27dacca97e35070c38ba5576c6b1d2a061640cd29de9e69dc4ab7f9e81e121242f3e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b6f9cb20ba15b268338186930004e496

SHA1
0d51d909e2d8a799d52eb76fb23ae31f5ef9baff

SHA256
82faebf73fe99b5c06a989b609c1c7faf36da5c6d57e7d28c175b249572a9854

SHA512
5bc3ab68a3ee372f201ac3d156b06e20e373b99eba00166032b42e1f4247d84f8332b267f0dcfd48c6ce12e61d0da4740aa4a9644f3f122e3c31a5905a797fe2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3d9d92770e7c51fdb0b4f9209233ca70

SHA1
2a3efc82b938e0b0d1af41fa12069857abd33e95

SHA256
8a83caa4390f7db095c5926d28e25832174988e4743b13bdee2412b2554ab7fd

SHA512
70f2427ec1ab2d8be76478d842c26e42a4b828cbd0df25fef5d738437f97255ccdb622deac1103702ff5a96540a989ca183b476e6a7596d3302be19aee56e2ec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a6e59a5e117a1ba6054f4d61710d88f7

SHA1
6fdfec672aa86e30b786d443506ac7b58f1b9faa

SHA256
b5df47edee77e0339a027966b5bd467627f3a4d2448dcd1172cd6bcf62f4e979

SHA512
4baca55e9eb2971b63c2b58141ccf0bece42ba7169f427c1592cb26004bda98b29feda8d399f52d8b947e5ba07661aa423f6775db8b87a9d6772a4355eebdda1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
82cf6289dd6fc24edc8288605904380f

SHA1
6c0df4f9c92caf9b9d7d5b59554d631bb3ec4da1

SHA256
a07a4a56e7b63f917384a90222df615245fcb1042c1a3c06ce3c0744a7a4630c

SHA512
682d701a4ddf0a5ddf1571fbd7e7e41d2ef59edf8c70a51a228b8a640a592bd1a54362ebb63b4a7fa342c4b999b76e66d799bc1a1b5fc8cb13895d63a576b4e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b548f9ffa76031f4761f73e29e4f2de4

SHA1
06979f2669b95902b95e1181f35dd21c69c9c710

SHA256
bb2b5e829f4f010cdb448b7f158a50f7a474a753d1e97bbbb032f94f55eb6154

SHA512
5dde6a13e526c34758591c434468cfe6825ffe2caf4ecac93e33b920a963b094daacb973fa5c73cc33d9a989f65327a3b3c5086b821c3427e0c9cbbcefc3b154

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
66f2397952065f0434f4b57984c9a518

SHA1
6539c9fd87f95ae3c12b1f7f342f738cfeb0f6aa

SHA256
6b48e80fb933cdb32c35369b3f4f11b4725c65d7ec43d73b98fba3f99a0f31f1

SHA512
e8d9fe3557af501cf2ff1614dcb256bbc79123cb5d9509fc830c4738e12bfdce91a78f44277a98772ff93aee5a5cc4707627d93797c12cf66b931cfe03b99972

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0b07e0070d9d6cee7af41803478b0e13

SHA1
9e5fea5a13e666a6fa678f8e5909900bb6ee2327

SHA256
cefd7f5f94b7a618b30b5141290561c8fe6e1dacf5354f0f37104f009ab45dab

SHA512
34026fe6bc3bf8f46720d52e2718cadba5bf61c175b178bd126cc98dc7c484ae82a207fc20684985479d008d162b4cf5ef937e06213b20717eaebbc1d62bdd0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
700fc71d4f8a62a367932fcc5dd1930e

SHA1
a01388e9cbe38686c0d43e3f51319dddf0571c91

SHA256
ada414715f12f90616ab8925ef8a69ee2843ba7cbfba94a27ff0736534eb0b63

SHA512
83d44de49a482cd3bdbab2ffe8430b86e5e2963bce53fe149cf9910ad8c33885d10962d9b3b39f09433da46a3991df895f750ef4930e3b52a677ea7a3fc165fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
561ef5f524dbf83f69fa699081e6206b

SHA1
00ee440d7fb5a61ac200f1e9b15bb671dd6a99aa

SHA256
5daf7e9e5fc475b140900e33daec60ad706c122e43594c27f73dad35ba058d69

SHA512
850cc38b28a863219a20e78ffc4296e7cb3c9a231ae3415eb327ca1b7586a13b95110d93f6b62aa50038410c473fcd6fdb21e5ef0a1dfb74de5f1c0ebbb21ae9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ae4bd172373801ad1b87711ff24d8d52

SHA1
2dd023c011f657a9a7fe59b0394d3e6fbfb9aa78

SHA256
c832e55f738810a792d44e601326d77fe2adb591e7102d2e8ab88fcdcabb1169

SHA512
b041e134402591dd718cad578d453021014d3e22dd55449baf1ea4103a0f5486a9421872570b1fcbd62b28bf49e3878a7f54f1f0e3b575a1c5b05f8b46d427ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0fd8ec57d0946122ab779b4f7e2bac10

SHA1
0e5ca8a8c8fbf50c75e831988dcae413a6514376

SHA256
468798f556c12a82c94f85efc4f5e956b56fa7bd4b13aa657dd514c0b3f9fe1f

SHA512
0ebbf7ec4efd8c71bdce0cc400bd2df160142c0d2ce5577552ea6c4110e9efc474dae0a59df755e7899c639a1ebd0bfaa46ba01e9cb7859f67dc56f86b7b64d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
92072ccdc94b728db9be388eaac59fe0

SHA1
5bd46e4d3515e08109cf9779a41d1f60c3a259e2

SHA256
94e005495450c1a94ae0ed59704623da83a121fbd04bdccd39ea70d48cde1158

SHA512
f684399bbcb40dab02d28965fa4d4b8e3b9e998c2d1886cd5e17f7418584ea55f2cca85664bb36e84d5fe4fcdca549e400dd6a3feb57e4c308207bc2ecc71c99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2ad58218cce6e079e569caa125b14477

SHA1
54e5bec8e46cd27e27f7fb67467d5fdd1f54eb11

SHA256
7763876e6a2d50a257af2c79f55b61325f46ff338a247deae71bd4de171e14e2

SHA512
2d35021aa354c1967428ea6b220e009cc7f2bbdf161a610cc841fb7cf45cb19962cd12497bf327794d78c196b93e0ade809df1095243b10bfe3c72dea0356a71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
75e261369cafd9f2471860324f202278

SHA1
d4ed65a86fb60441f29c4ec872fc11eaf1da7288

SHA256
782848d88e7ddd2010665567594053f799b8c8093d390c248c4fe4277aa7fa02

SHA512
d0d7eba88996dded5a9079752675c0b207b6a412913eaf455c945956c1d959d047712a7631423c7e07560df447f2a2034ee2eeda1681147b41453f6c056fa56d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6423e5de8aba11f79ea4227fe3fd0dfc

SHA1
4f24a8cbe932b723c08d56bb5ddc5cfaa0b4423f

SHA256
ecb47ed2f37fa99f407bb741c305dbe1323a36309b35f6c94174680e75a1971e

SHA512
27be190b4789769153f3a6e8394dd9b3deea49712888e4b93a8571c881698366c9f64705e86b12ab61dcb3ae214e889a5d45f9ce77a4b6b07f3a6fb27968e881

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
77f37c398e291a1922632a43e9285d99

SHA1
568608f3f4ef96afe307e2028281938191adc705

SHA256
04bd8bc8aa14875f6b81feb61256076b23078ab2bd49faa49004513cba7d416a

SHA512
734e8fcbbd0ca4478f9e70ad050a23fe9dc6ac8f5318ae33a4c355fc7b54d77a5b0decd1cfe10a9707c9ab94e57f249a070f750f3ef228db504bb80a8bab4707

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8f94781e2275afe020390c6c8ce560a3

SHA1
5d870c7d85a264295cd126ebc655b56cb5e41159

SHA256
8dcbebf02145cd261c44139f3ea9d982589c492b3c7d40395b585b385d2ed7d8

SHA512
c1298e41dfe9764df1779df0944f3948c3054612bcb3cafc301c4a6d4fe4badc931a86b79a1ffee1f6ed1ee7c9e830c2cac85eadbbd7f10ba3356287078b2d77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d7e21134853bb64897da761e43304d73

SHA1
38d32dbabc865a79b047bad2c52a0ef6ef17359a

SHA256
03561e257fd554c0abc0193d501a686aa374894deb67809cef0de19de747b5d6

SHA512
542290c83dda62f94875eaadf3c876cc51996e151c4069490d14da86a0ada44287be1c034110bd42ea5b9095540c3b82b0cbdaeb6a8c3da172fc5a146dd992c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b016600f485aa11dbbcbc28e099d2b2a

SHA1
727c4223a9690c59f5f27a6f77ff949f0d86d873

SHA256
7c96c2fd482f967329ad96c3f89edb1417b3362b599511014bb85018f4bd9fbb

SHA512
22a410c48d86c01d948060b94d3e3887dea0053d06cdb4a7c3aeafdc20f2e32fc837611f55bbbdd64887592495e49336e2f6181d643f0b5a19649506855beac6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4ac7b2caab845b61a26c13c3e2830281

SHA1
9b1e4713fd094927b149f2c6af941319e11f859c

SHA256
1344a70111f6f4a73e13beca651e419450baa4aa02f8f77632ebba1df262fe1d

SHA512
34109cba23d5bdbc9f3406702259c3dac93e4232ea35d088ac523f8963f2397f98d470b47519667761bed4b5dfa3d47030662a726e44be256a8bb6e970941ac5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
682d5bdde4e07e06d54b769196d8e93c

SHA1
9eb340c7cc187d8eb4f88cc0dee81ac0dbda6d57

SHA256
946cf0d5b2db1a1cc55ecdc5ecc0a87274725d2741c9b486d1c86653b7ccf8ea

SHA512
bb1952aa996577b53010a3a955ab3cf531011969ea974cd04a8126229c1f18a155fbff99d769c9bd500416321c95dd2fc43455bb5d22049e9d705d2ad3d55f03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
165a8d84f8bb5678d29d8760680cc609

SHA1
9a1612f3d644fdd528fc964ccc489bda7be4b72b

SHA256
4eb63f95545b0f6fb9891378bbe8f33d152b5eb69bcd7d66ced2f88d243cc712

SHA512
e5120d49faa8f856f570720e181d1067a7f3c44960afaa5b874a21e127b5ffe7fd484811aeb72c7e55fe266f3725fad58365ca7b5df58d2a0a50b59dafde4b26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b7c774af1e90cc3ebb2c37bbc46133c7

SHA1
685a489e1ba8dcdf368651820c173884c8b9e913

SHA256
98b77f8efd6fed830ea7fb3b650ee294fc366895837b4fad1f5492f810ca0601

SHA512
85e9a732ae7dc1590f830b777a9b07570a4ee7deef64106ebb0b6a6317d198eba5ab706f8b36b30e514bccae4d6ab25b7b2b05dcfd9e1355b1aba17d4f89620f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
2fa11658474873fd6f57df58250be2af

SHA1
b8c98a97a8ece787c2f3df00d8a0915072a4aa38

SHA256
c28bf48507205a315d5e57c27fb8b3959bf4b20a00a9a92e35e93b0144205c33

SHA512
2736f4aa814ee3e38960bccdda3f56384697b77b4f4484599acd1581066c8816025a21ced4717c47fa53330c1e0df1b49e91c2a3ac2d85b46e9e9b92c35ef575

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6f3be4b83492a425543863e8a7edf5ba

SHA1
049b818318109b987c3a00043171c05d1babc491

SHA256
fd3c75a5e142fa46a2084363bbccba3bfa0ac08dbb7d60a67640d6617a96774b

SHA512
9fbc9863119d29491ef2410c2015b425394b7d7686ddb4ff87353965ff461f4d66a2f8e1e301f2cbf46307bd025f8707613734a9ec60bcac388292514769b2d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
33d4c9023b7856536c89a020c6790e36

SHA1
7967247585ad2209725517d4b0c08665daf87984

SHA256
58c22d77494392358eb22676a67afacd1dc68a6bfea7494b6eefacbac015cd33

SHA512
6716f4164ffa08bfda6468bb69cc34b7557202b1a4785451f2aaaec2b3b52d2ba779b3e74c5f00f1bce998bcfce6107eee72bc6e1eb0f75baff3cf8bd1a3f571

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
00e345b012e0d28c580335fd45c83fca

SHA1
80326be86a69af382797cb910c67867161df9f84

SHA256
e7cad933173b31679fe7b36675b3d62dd544ac9cc2752b93e357b0e090a4ac0b

SHA512
835d5f3f776aec01995166a4649aa18501d9a8a6e49423510ce4e3d69fbe82fffce5c86512ee76d06127edc3625a58e053e897f52cf534e35f7750e9a0b287e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
8d5f9e07ee6f3092abb7188dfbd2ed03

SHA1
d865e9bb2abf20cb59fa53798bdcf9970962af3c

SHA256
cb16de110ac5a79b3dca41d2c011ad40943996d76c0d8e7871bfd46a0ae0e359

SHA512
692456e1db2972d96485cb44094d30490b2d399e3bd3a52064fbe8cec4b6c616bd194b48b52c40cd3094fe98e8c55f71fe85f3f06fe1081a8b6da11be7643232

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
bf2ba821c4e727c6967b7e0bb4a0c86b

SHA1
795ee9932320dfd10b8a2823811c813720b3d888

SHA256
78993fcfd6470e9e51721c0b250b33a0c809bbd40b5524ee553f868950fa0333

SHA512
a608b8344759a853ec92306312b4db2eb1e333d95c3e497eef6f053782379d96f44811fb516d0a1e0c73dc74593e278366fff194b8cf4d3da0ff550e1009d0fb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8d61f0e0704f496b3ac335eb2c9e38ea

SHA1
8d610eb44d6176a9bcf90b12d50488b5028de96e

SHA256
99140f777b5a2bdf5c95b334a66c34ac289a6ebbed93651ef77d74cce4f9fed1

SHA512
191c2ec1d04b826646be406362150883775bec0220d994f4d95b4484e832f0d97709e8f785793f1d93273a3f58473c29cc9c172df7118a681cfbe5abf7669aa2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d85bcfada46a0ea52cf2f6d176032784

SHA1
3ba56241468652d7b8922dcb09271a8026d01d2e

SHA256
313e8d806df9cd3c1e4d9bebb7b9e6d450f63fa7e16a5b59ee7724865bf28c23

SHA512
09d8ea9f3cffba76c71e188c01b4623178d346310f0dd62cfdd7d7860b70d2f0dd9177b253a7136ef693884470ba7b447a1f338b32a094dfc1136eabcc53bb33

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
933e298bad9c928f75f60248a4ad1bef

SHA1
404981fa09cb51e10e9fd09b2cd4a9d3719753f3

SHA256
b03912e5f4166b8cad35aece921c205841d3532bac5795e9aa26c7a9e86bd5a4

SHA512
423c6510f73f5812cc20299b1d6b8418766952693f5186493b7c18f560baf888d1eb9dea748530eca4f2a96406cb98f836e2d587113cb0d56b0dabcd5d4ae7db

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
46efeb4d981c1eb0885204055c525a3a

SHA1
f53cf211d6a09b1308ed0e6bdee40568a553a735

SHA256
3cce0a985c27630d9554e5b763de8f3aeefe3582f2ff7cb986fcc09192f9bb0f

SHA512
369f20625ce008f49fa5f1f552814013a6f0118819ef19cad5225a5a63f35091a120635050dc95699443e2fd2db0596165981ec750aefa8e61695fdbccf1380c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8137d75794095136386690fa42fd4be0

SHA1
2e97f73e6e540c3b78de9bec9711800f53ba8942

SHA256
be826a1210c11b33c12580e7288c24a1184552b296a6c855ad08ec8f17b8ed67

SHA512
2812780a8662ccceff713c5dc4e7f2f63845a640d2334680f17d1aebafcf2ba0a018accd12ab1fc71cb7dd19bf130e136a107abbada7743e298af894dba95b37

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
01a1c9563f1a7ba3243240ae485546c8

SHA1
3b5e1bc2722a25cce9fdaebae36dfe0804c45b57

SHA256
d7715aea2f3b2f079af866066bfd01d5f15a0cef2da7d1aa068bfbfb0c46fbfd

SHA512
0aa3937dd13d95415614ba811cf5990a3d2dbcef0b53c072274b228c4f80f1f0b885a41304b61a7e16ef7098506a020a25ca0011325c5557f837175974aa171f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
af7997f7b66a2ee4b0a5dd2b8a2f1d1f

SHA1
d838736407af818f7a5ffe0832b20c34e43981bb

SHA256
56db649242af4ef22fb9dbb16edf6435b1da6b3d2c18f176cf1f6767a64c8df6

SHA512
ca6d8a33a93d208504ef613646e188d2ca7511747a15c96206ea6d415027a1ef69cc07184f541748603caa2fcbed51aac1f90c312e7c1c046e804b4b01e7def6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ac454879847ef4aba0378cc3377b1aad

SHA1
492b2a2d596b3862fe5eaaca167278b10a3c67d4

SHA256
ff6692d47edf7dbf8d53dc542fc49fd04dc11396147192ac9899fb83b520e031

SHA512
5825e5c40fe943e0b4a1ef984e39ee3f937c2a00ced1dcc028e7238a73b99f7e6e9d74d5dc7aee397e3d6cf8583da4b2747c035fbcd66434c77f6849f3aab2b4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d04fb0d77432616e8419925849a9259e

SHA1
0ecf2e6d244aaed5435e3dc738121e6e1e63e133

SHA256
3b003fd7d04b2511301d61edfb9d2e3699378c563252e935eedf96ee5822c09c

SHA512
19872b4eeb78ccab58c156544291a9c632cdb5d3655b762c4d8c91514b6d88f7c2218cb3cbbbbd92b50300cb7fec4ed84a4f7d516925610bab5960f80d2ad796

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1021cec7f5f25b46c792095aabd08f1c

SHA1
ea279864c646780d3292a513d2f22d11b5cff86d

SHA256
fa9a632bb59ad3eb5e189534c57404f3ba91f76e092bd870b27ea46ce8e4efe9

SHA512
e5b1f97c12283385f308a028735d8bd527b73dbc8e8f6ade3d97ad078db20f3df66ce5cbf50c9a9014417abd3e4139fa46fd4fedc82300738123efeca39d7be5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a6c439be3351e814fc2cf67989fb0684

SHA1
b5095ce8e2ca70c3e9d02d281bb7b10eb86e5ada

SHA256
fe288e75544dc3f7ad187efc588f98e1385df03e168151e88b24c31fac3b7817

SHA512
d2177d197e2d2542812d5fc5232ba8336c321f330aaff1d8921fe764a6c655849f26bc59d30d0d5cfa504a7a15710766df1118ed370789f929512102b69af8e8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
31f6e29bcaf44701d1b44b80b17ab637

SHA1
225c30886ef5ac6c71862543b1bc00143fdb836d

SHA256
d5649b9a6c28c02637a91a6c351069c22356589bf0e077d14f6bc2f3ba59db41

SHA512
ff69d7660ae61c9c41673d21a8908351217106c25f217cfab303042a3d7b1743806b2426e189ef8afcfefcb31e3ca5aba1c2be6b66d11be48000f6793d81fbd3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
af5605cfe6faf2a0995a5d6cd4bd243a

SHA1
74c92bec37b24d9b8fc8e9b0ec7098cc2a599937

SHA256
992556244667e4ada0bbfcf5172657a28ff45b9608a564a405179a8e05310bc7

SHA512
7f5d1a58482c8f2568bcf1259e78dab1bba9ceee9fc5428b0811d246a0c9677c8611a8e5868efb2b1dcbdc885556f9b28db817c4a8c7dc1cc27d1d2d2cfd0930

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e4a066906a834733fe8a7b32191c28b3

SHA1
43de89a696462d6440a329aaabe54e97b83a4d4f

SHA256
0f4efc7d9edb794abc94a5ddbead1e530d10b2a91464c4b54f9b7fa731f1ed58

SHA512
7b4677143a72952375441c9371080cdd52de06cc915bb0114c268765748e7484402cb7d1d33cc21812a756c69e49c7399c8159b78945c1ad31f2a7753d1aa2c1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
170e1561706dfd4be8fec8abe940f734

SHA1
301a9bad6145df096c922ef0a0c624c438dc2203

SHA256
db9ba2fc4c25b8cf1ac545131d3ce0fc6fe7c90c18adfdaa75c1523dafa7dea6

SHA512
ab48fe8f61920d64cd862518f1e088647aaa1ee664109037df1cd4940efd1fc2f6edf339498b8c80a0b204b20b89c19ef1d35d75be09b04b732ed96682f2b4d3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8b583e2a9bd7c351630271ac1e1d1bf0

SHA1
8f9b75fc4692d43e0a6afcf04cbcea1f973d6751

SHA256
3a5989c5bb002c8710aef0dc7cbab00b2aeb8ba423f6315a20d56c4588b92d36

SHA512
bd5c657a3479a9844a8d9f5d56e4955eca5de57e95c5d2ddf791898ae53d3a756d373329e6b565744b606d877ada1c1ddf2450eaa3e7f8db9d0d357ac6ba2e93

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
58c6624623f59aca5fb9eb9547da8cda

SHA1
02b87c3639fe2e4587c9ff9b09e7906994e83391

SHA256
90b72799152038a74accafe762ce155a0517686f7afded5f95000a36c8c4c868

SHA512
9ac9643f71e1afb1c118b3d33b9a06c4fd9ed75f1c38181899f88e13475e3f155f58e9d42f379825a0a30e268bd2fb494ea9deb6c23e78ed04ee890ef7cffb11

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
64ec79078e254fa8f312d87e729f4145

SHA1
f7d8d699db7228cc2183a039f02f5c35438606ff

SHA256
93d7cf303ed7a83c182dc5369b42814f9e3f4908c21a30319864efde5bde767f

SHA512
043f511c2639a227a6156e25657495ff75c60271d6710f395b55092bc6050ff2faab912c5aa1fea60f16c5d49b40a499c3c6373a0aabf31d36ee32ffc1707233

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b8ad7907c17fa6c0abc7c5096e370ab3

SHA1
a598571e0648041780fd14d6b8ed1a823dfca73b

SHA256
5e80e8b4e0a124cbd5b6424c57170fce5e9b1f513cedc835f5420a651a90d160

SHA512
b72445d897ab29b0f64186faecccb9f9f49958eef6a13b3121bccbe4e5b3dec91e05d4916ce98ee50f16832c30f81a757961d8865b7c031111ef39018d5591bd

Download Submit
memory/496-14-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/496-6-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/496-1-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/496-7-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/496-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/944-50-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/944-49-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/944-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/944-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/944-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1120-442-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1120-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1364-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1364-253-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1364-268-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1364-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1364-263-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1456-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1456-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1456-330-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1516-227-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1516-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1516-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1516-15-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1724-468-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1724-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2176-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2176-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2176-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2176-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2408-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2408-359-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2868-433-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2868-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2868-373-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3312-242-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3312-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3312-248-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3312-308-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3404-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3404-385-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3404-376-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3404-316-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3668-276-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3668-343-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3668-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3668-334-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3768-416-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/3768-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3768-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3852-71-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3852-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3852-65-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3852-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3856-447-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3856-455-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3940-357-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3940-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3940-292-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3940-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4012-387-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4012-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4012-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4128-405-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4128-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4128-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4128-399-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4132-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4132-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4132-305-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/4440-429-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4440-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4812-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4812-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4812-27-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4812-34-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4928-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4928-335-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4928-345-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download