27775c7f9d646c54bdb2fe9a849d117a795a8e7a5d200b60a438042db2bb4f50

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27775c7f9d646c54bdb2fe9a849d117a795a8e7a5d200b60a438042db2bb4f50.exe
Size

1.3MB
MD5

7a794e6eacaca43b7dce2c9169cff155
SHA1

380613e234a91228a6166c99707ad570b95ff34a
SHA256

27775c7f9d646c54bdb2fe9a849d117a795a8e7a5d200b60a438042db2bb4f50
SHA512

f06f81366f875d84486a76732c4064d6aa96098b5168bc11142605fcae4f994568a0d14dff492af3ef7f3e1807deeca769ab9b363c0b89754cf051bd0e19d795
SSDEEP

12288:ftP/aK2vB+m4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:fBCKABr4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
796	alg.exe
5044	elevation_service.exe
4756	elevation_service.exe
5088	maintenanceservice.exe
1696	OSE.EXE
1592	DiagnosticsHub.StandardCollector.Service.exe
1716	fxssvc.exe
3696	msdtc.exe
4672	PerceptionSimulationService.exe
3648	perfhost.exe
1116	locator.exe
2656	SensorDataService.exe
1976	snmptrap.exe
656	spectrum.exe
1712	ssh-agent.exe
1412	TieringEngineService.exe
2860	AgentService.exe
3164	vds.exe
3292	vssvc.exe
2068	wbengine.exe
3904	WmiApSrv.exe
5096	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c09111cf7d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	27775c7f9d646c54bdb2fe9a849d117a795a8e7a5d200b60a438042db2bb4f50.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036adc6eff693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000142bc8f0f693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004466c3f0f693da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a118b5f0f693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000556e28f0f693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad98f1eff693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069e43df0f693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d0ee8eff693da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a70eaeff693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098cf2af0f693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5044	elevation_service.exe
5044	elevation_service.exe
5044	elevation_service.exe
5044	elevation_service.exe
5044	elevation_service.exe
5044	elevation_service.exe
5044	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3948	27775c7f9d646c54bdb2fe9a849d117a795a8e7a5d200b60a438042db2bb4f50.exe
Token: SeDebugPrivilege	796	alg.exe
Token: SeDebugPrivilege	796	alg.exe
Token: SeDebugPrivilege	796	alg.exe
Token: SeTakeOwnershipPrivilege	5044	elevation_service.exe
Token: SeAuditPrivilege	1716	fxssvc.exe
Token: SeRestorePrivilege	1412	TieringEngineService.exe
Token: SeManageVolumePrivilege	1412	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2860	AgentService.exe
Token: SeBackupPrivilege	3292	vssvc.exe
Token: SeRestorePrivilege	3292	vssvc.exe
Token: SeAuditPrivilege	3292	vssvc.exe
Token: SeBackupPrivilege	2068	wbengine.exe
Token: SeRestorePrivilege	2068	wbengine.exe
Token: SeSecurityPrivilege	2068	wbengine.exe
Token: 33	5096	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeDebugPrivilege	5044	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 5408	5096	SearchIndexer.exe	130
PID 5096 wrote to memory of 5408	5096	SearchIndexer.exe	130
PID 5096 wrote to memory of 5432	5096	SearchIndexer.exe	131
PID 5096 wrote to memory of 5432	5096	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\27775c7f9d646c54bdb2fe9a849d117a795a8e7a5d200b60a438042db2bb4f50.exe
"C:\Users\Admin\AppData\Local\Temp\27775c7f9d646c54bdb2fe9a849d117a795a8e7a5d200b60a438042db2bb4f50.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5088

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3820

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4584

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5408
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8d91e6f826343b98b3530b40342852a8

SHA1
020d3cc66d9ca190090402d62b71925293f34551

SHA256
8d8893dcf89bb3488a58c593feb32e3852b4df5163c0e7a082645c776d2a2610

SHA512
f675d36da4e37ac5a7a905d6efeeb8368dd14d8a0760e939416b66ea68993ebc7a0eee1ea547ff3732514f87022e475299c4f74dc5cdc20e7d47755d3d11e32c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f0c012c258803b7e81b8d08bb2f0d65f

SHA1
68757963ede3e2a0e5941f7008b427625f254f2c

SHA256
045e69d12ccd3653f3c1b8e1f20193076e1a0164e1f3cda19b9a76eba17c700e

SHA512
a61cfd467b8397c4c47d663e0b56c2c664352d730fbe8bf45ed8a2fe512c65257e8f010813fd612a12e59e23306d11448c7559befef075b98a4dffddfe4f433e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
44798dbc598d04c1dc4cfe0c06f0323a

SHA1
b6479ae22761593d55e39e6b7e48390064124043

SHA256
95a61cd1ba0b4c32961c8d5952acc8ab0070bc511397785f684889750463ec1d

SHA512
a8b4eaead33cf36cec5c38996f9b54298bf38162e862e6af972ea5fc74a817fab58421dec3a1a430b68317dae54e1a32925f826514a4c4b9b46e89bfc7c11e8f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c12e2445a06fa8954f1f81f758c06485

SHA1
b90b6b26f38726f2b5e4a0440614e2e068760385

SHA256
b7bb7bac1904cff44671c5271e485bb01879e2a581a8fe2465ec15aa70fb2d80

SHA512
1dbb1d988c01784c706d83890e66c1908daa6078c4cd33752d5f6480e81ce8dfe29c6f560f37ca9ad01ab3a91a4b4a4ad07ab23acf36280d07ba259087d0e42d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
269b03ce31641cd4b6771ea31c6d3aae

SHA1
795b52b127157bf0aacea1412cc26f262677d62d

SHA256
dee68e38df954de334cd57fb21a186c906eae16edb72c62337d1fc5749b3897a

SHA512
e8a333c70528eac95219a3b862c654d283299a984f785371475db24491e1017bc27afd3b65803f400665b287a8244c7e94dfbf09c5faf16ec85ee1fa19cefdfa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e8fc26f1409268b136a54c52d137d2b0

SHA1
e4c9b55fa73dc67232c180ab7373ed293375b055

SHA256
6ef0f5f939ee545f2d37341fd3ebde8b53303876a46039f71d44cc64c7180fe7

SHA512
2bcb621187e0684d87e599633352090334bf42a7cead9cbe863fe0cc2a2cfc91a52835be0b6c9c24a864f46b73433afc1003988ff0c36ad7fbd467677cccc4b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
bcc07b8810d5670458d5f77d243f966d

SHA1
c8743db5d6aa3f0dacaaec1b94470d034adc5d0b

SHA256
3141f42b7606419f4bc599949681a2d0a4a7a9dc671c515216683613269b6e65

SHA512
df41870b4d0ca83b64a80a7c115b0c5d35996ed95f37f458fad9854e1edb6ed8e2e971aba2d28f55c3fd2f5c4c3e9141bd50c3355778058d3e2352ffb716e046

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ef970ce3718f8df4da0e4851f80e93a6

SHA1
52aa9019af4fe00e7193a12e560a34ae7ecbcf61

SHA256
6aca89bc514ef6ab62690272c9bd4911bc8b8b0b31eb40b56fd2611f2d29c4a4

SHA512
34dfd2454c6fe6b7f135f3b8a0fb81f164eec672e50e500746c6c0e6c5ed0db415b7cce6f67d9f1f1d42ce611e21573f81e0f90555b3d6442f9a8a6ed290da7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
e2dc8ec298dc56343c310f6c1ca20a59

SHA1
7bfb30f2533f858918e57d595993f3ebe728a7b1

SHA256
b8b1880e6401098ade52b1cfe22f20c74d85b63236a2173c2d5ae2500cd8ae6b

SHA512
95a3cfd751b7f17529b2f89780c9660a88dce8042fd355b46db279f45431b0ea8747aa00d102f2d5069710dca8310b221e5973e32592ccf3f2917c4d92a38441

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
43eccc9c3bc45f61975dc187e48d87ae

SHA1
d3eaf2aba714789b5ff79cc829ca4d52262fe894

SHA256
19ddab4b3f565c8e0638c77c9f95dbf8eb0ef29289f940a31ebe10b67815453f

SHA512
cc8ea3fa60043854d2ac1432f69e613795daaecdf3b4a0906a0a58060e04da4d94f96e6c10456e12529ac74e9d79e81a27fcfd0a42391e2a3da3cbc9517365f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b33dd91cd3e015d7424715fab09d5b40

SHA1
fa068ffd241c89f0c8e01a2f5210c75603dcee99

SHA256
76c86aa55cf22775b6985bf3339fdb5ecccb29373c184d488511301dae3b4ecd

SHA512
5d2ae0559ca17bf256c06e5b72ae4c3592c23504dab11302709e7bb66a1e2e82ff363d79e802d949d1992a98a65b6a5af019244d68f54a58c4d96c1577099caa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c04e55e76f525917695915122dc2e31b

SHA1
84aa79d024320858be82447f2cc160d7659de7fe

SHA256
3a2ef60e5945480dc5cf5c3c8efe417625871a98b1d14015ca858b20a9a3642d

SHA512
95d35c1e205494d7663d9abfe4ff216f6f7cc8f46c13b4dbbb92ac0ff562c5da32e21c3c21362e474719ab3f5461df7afdf928a65e50195c8a82bd2824c92bcf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3c2a309bfc7241c77a445ac9815b132a

SHA1
272c20ec8d395771f24fbce7b556f52326d7587d

SHA256
2293379f683322708e1c569e4f860c9ae1a49fd125c2372277b1d8c21061167f

SHA512
a22cbeab97b6dcf5d60c79206b5f46dd8572928cfc03b19c4ec83da95040264c8d9512eeef2f0687e6a2280d442742e0c4d34a6235b16a9b18328245aa8db6d5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
ca066ccecd4391e0ff89bc32638c9dba

SHA1
94127cb0558e88d41b11dbd8993c80a05c22d780

SHA256
54a015ad0b306448c23a588dd4c1face920184c00ce66ba1c897badcfb62c1f3

SHA512
03cc02603ec9441fb1383f97c5a7d1934908a5f7b2db98b966022c7f9c999bc12aa2c836dd469621415fd1cccde98cab1207dd606ea05aef14a1b026b2ffb2c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
99efdb835a72ed881126507ae27e34f2

SHA1
d0fb82cf19c7dc37d2cfabcb328e5586a82c9f73

SHA256
f38f2e48d292216e8da4dffcd351890af0e4c0df9192d09ad82c72b156f4f573

SHA512
cfde8726bd592d3fb2488d6f54e7c52e4f94343582aad2af660cd42d31cfe3bf080667454d0963505abf39b2f3b4d549aeaf643c48525930a120daf87fb3a25d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b8388b696eb237cc5cd8eaa9fdddd2ec

SHA1
27e90226e780916547ca8621dd26671849313bff

SHA256
f199ba8c4a6156e9a79dcb75125d85c970dd60d371cfb8068a49f0c687d10708

SHA512
329a0084587d4645c9f8774df894b3b82b50cbf5d908fb716c70ea18fcf5d5adde119c41da7ed0592cf3b865f796de25d43449b3a55cd00e83ce8e10fbecb94f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f72f6ab8091a6abbc4087c890af1337f

SHA1
8e005d0f3e70e9c51811d5fdc6efb09ca6a38925

SHA256
2d46d77fce1590e11f395c08a4d61ec188dd77ff21f5abbf767297a5e3b9cffa

SHA512
61873819fe26404fe3686d6bc1c90398b085ad3c9a8556264310710deb3255bb295341e8eda26aadfe0da7588f760586cb424b332bf1a0235c064395b1cd542b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ce08a3206040c63b26bceccd9a43fef3

SHA1
0d5e0ed3b60c010165bebdc67655b3449e877c97

SHA256
cf2cdc84a5b282f37e8185c41d3dd3db86501d021400916072f03874806bf0f6

SHA512
fa828ca53911d9968287af2541adafca2aa3d95a43b5bd31e5e5396285849e442dbe0ea5a896359997b7738571a7fdf47ddc402472c35a0eba1397bc43f74bb9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
db7b41f37f58476187a036dc28305e36

SHA1
8d7f91ce7a796b94b236ebf9a2e1374427f8131d

SHA256
252a74ebb7cf70d1f5b2497d31d958577387f918ff265886506ce6a371800768

SHA512
2bca8183d54403fad7cf6d5180d263cb80d3381927fd0bab2b9be5332c418eeb3e3e2255b49e939b2ebc2e3abc70d860959aa1ed76a41c6bf82491c8f66f2075

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
88a6a3aceb04e5da77ffa182d22cfd9f

SHA1
5b3205c07a9c846c9e518b9fc1b24f5c0ae7122c

SHA256
9533c6e284486c687958809440266ffc77f6f876f47e629424e4a77a0234f6ae

SHA512
cf07b8ebeec49d8f8925c7123602b4d857dd4e84c15027499f335b2b5c6ae8e2290e39fab2e7ce8cc2aa26ac2b53039bd90afc3199f738669aec2b6b45e100bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fe06f26f1195daf21dbefa809e2d6209

SHA1
23837bb88bfddece12b67beea326cf76f0df0d73

SHA256
face6230920846f9623b1f396dafcfc083c3614ebda371a125d31c721a909ba7

SHA512
362559e13ed0019dac88c1b3de0d374ee4e830100a739c522614a942de805fade0710cf331554d295ea0ac4a73e818bd210ede8d1ff390051b4c2f4e03610cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ebfd14cf62e1c8a511ccdf215cd7af01

SHA1
3acbaeb999449e3e82c478824ba2786f270b6aa1

SHA256
5d73a0e370d39639fd833041495499c584a5ac2e6fe8ff10172ae8602d50efaa

SHA512
91714b985d00cefc24861adfb4ad735ff88387e62a8343f0af25e3f65765661f36d9153285521ec431e017cb501fbb370a602d0dd19053ffb09a55efe5e83138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e7716c8b370c0898d705fd9edbad5464

SHA1
17a71de42f7ddd8d1b316899deb5b5577171a9ae

SHA256
1b18cf5394201f46f36f7773f8d7611344af0ad63be078ca0ed6c7cb89561289

SHA512
449a4541c32efa65d8ee550d29f965498dd47f307e193e4cc563e9efb59726bea14882ed11bf656d35c71436b2479116e043f78961f795098421300b9488d8fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b39fb9c76352e02391b1792e19898f25

SHA1
edd9955b86a7c454c696efcddd41667c366b1b9d

SHA256
273c13d3ad2f416b4a3ec509379ed39a63ae941f31ed013cb3b62d99c83277a5

SHA512
e40c51efcc0cbe057537d9b28fe148061f89a99b4088db14c0fa62601ceff28620fc9c9280a78c724662c90808769b0b205ad13849fb3512a6b5d83adf89b085

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a557930e527e00b2e4ded3a3a254a105

SHA1
7e3a159bf58e3d4301224e1f1cc8d0aad16b0d4c

SHA256
02e44f627f781350017b99221924009bc0bb250eb8b071f7ca5588ee479d2c78

SHA512
a1be8ca2f58d8c604aa8a0f6b18b1040c652ec382eb5cdc844f3f51f796f261f28ad78760ca6c2bd60753b9cfa116821f71beffbe6edc94f7332d67ed6a4555f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
acd55325b62b2467300f2e526b3b1cbb

SHA1
47f342d6bf28ff285326c6ac1f126051e9bd5fa6

SHA256
75aa5df221cc62842935b0313fff94237c550f8c53913e4a7ca73f73562a89a4

SHA512
44099a32552ecad5774b80e017f12ab8b41bc955d6e94712ccd490e271ff2e97ae39fb8a61f9c7926cfdfb07113d6bbe89df4f0846cf513d32cf242337f862ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f92b061fe210f5ff46b510aa71c3fa3d

SHA1
671ae90d3d4408ecf3a4aef3d7e4b7557e7cb293

SHA256
d3c25a6533cc7b1f8c91e48b6201eed26049a72c0aa1771393c10d2348b5b6a0

SHA512
676ebb4906909db0da0d2d09fbf32d3dced94e343b2e667ca4054d78c2dcc775ade8d5f50e0b451ae9363d7275de7bde9ca7c17a47b1ccd739b57bc4b253c525

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ad6821b6af717b8a5612d870f2fc0097

SHA1
f60201ac21a514b8ad886d6bd679f68b33e18d3c

SHA256
f6eca3a2be02cabc9979404d543f258237b4a3f7acebd1f9eefd1dbc91b0e366

SHA512
f28c7e93d36805bbb2c7067a58cdd26e4f20b18ecadaacc7cb5a4bb932c45b239ebea970601c95b36718ec7cee63a5d5a21f1076ecae5f4d3c8faa1aee3c6b83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
475373359fee9ebac63d795ae2e9632b

SHA1
d913d473cd4d6a2bb3b94fb2a5d39ac2bbd5d45b

SHA256
72d208cfcc4a2784aa384d4ea38449ce47c4471f88e230a161b0ca9b48f69f4b

SHA512
09f6c2858da458237fea8815b54fd425a978edbaaba839954ac51ca8bedc07c76d05557ecf5e41462dbb155fef266a5a153a4c1115f62b93d8bde991723f40c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fe28f95433bb14dce583c3458c9ca5f4

SHA1
814a4669e091430bb76c3bf36f39ff15ce94ccec

SHA256
5dddd5f76011f19846ae93652e9fb472f937b86475162c542ebbc2b33306372b

SHA512
613a545088861ef09193352ebd540d46c0f22f0077184aa53299d03db49c5c10697944d390ee6945455c3f4728d6c7e703f6980661cd3cf9057bc93f44ed67df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6ab6278988d34db2b9c1df7f2c874b4a

SHA1
267fd5c8dffcd60a75c5222c6264a1898792b6ca

SHA256
d698fcc0e646fcd2eb0d84405ed4cec121d13edf4edb2695c1b344a2a2d4ab81

SHA512
3ec29acff0fe2bfae39b7be63b5c3cdf84940a86a64ac30f9345dcc5122ddbad0e18c68ffe267d861c16bac18a49817bdf69ee25c8aa56c5d43bc409d4bb3d1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
29635040c55f4a57bd05c41098dd1231

SHA1
1b35d5e0200d24c7a88303bbc2c31a61ee925bff

SHA256
d35b738827b46015884fbfb4aaf7438f13102291a16c8194916c9811059b4275

SHA512
4d82a512cab65e7507c643d7565d77da6d2a34a65cc8b3e63c3f06efd3e25b36ff4ea4d2c62e15b1af057a95da4fab7829f09407e462bcbc3c351120fa3de121

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3f8874108ffc2c0aebe9f1cca4938d2c

SHA1
a043f1c24424b812b68bb740803b413b68eaa306

SHA256
7af8200953001d4bd65557b4aa8417d7a53a284396e379c6cf553e076e3dc72f

SHA512
d26992840edec917d8d7ae85d20724faba22dae41e2914d40c674b83fa455052fa8a24939497f23ecb9c7446d8562398679853c8b380eb1f1b3632d0b5e313fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
8238d05751e3710b7fc43683a899854d

SHA1
a95dc6dc9f79da53ebed47a9fcd28191f0d7d7ea

SHA256
d96e69fde51dc0803a8ed8f108844461b4fa27eb4b5e8ddb9cd63e54d32d705b

SHA512
068cd01165994ecca81fa9da9b291a435ad2eae2246820d505d0ee88d0483edb51959c4dfc227d0c27e88e1edf3cd043dd6a7036742d657a9c25e896024346d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
137f6e84177b955e01d1e92640ca188e

SHA1
06079921c4553500b7a8c282681c66d1f2c3025c

SHA256
4ff89b98dc749ca484593d9534b8eba5d5d265b197bfeaf3dab2b3dc7d1782ed

SHA512
0d00d5f120a5495357cbb26eca7987c4e0140a1573333a7dfb2d79f5343ecd43e14cc5fb941fdb0a927f835ca540a3ef90fb376e45eba9daa5556de9462ec0a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
6984eb173527534316db0c6a87623e0e

SHA1
1e1b812f9e4baffc48c3ac58e907c93c67c70bb4

SHA256
f5d06dbd4098737bfe0c94758e42f0836f946f5114a52786d89688e0e0b37aff

SHA512
909b9459828fcdbcfe0746a0c07cfddd8c45078aa8c890670cda97d7acdf491826eb47d814a2e819e59a5191c6d1ef65b76d79530e4bdbba76b36f960a9a178d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
27499ee3dbfad89e9b0e814444480926

SHA1
c5445cc41dbb50374dddcc4b0ffed36d2077b276

SHA256
6e71a9f1354cd9cdd4afc00ef3280b1846946c3a2b407f57cae9273e417bc38f

SHA512
78975d16485a0da754573d5f50abaf611104540810976d0bb0d1c8f555bfd5e41f233918fc24509b4a1b6563f1122faf30160b1bf3e8baaaa4d13fc7640a77f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
0ff84e11e84891734ceaf32ce61ed90c

SHA1
5948500ebd510dec48e00540cae205afd8fb2219

SHA256
0231ed66271ab14ac8fa665fc09f092b606205856fffefbe1a7af9091b90fbf5

SHA512
d96f6e31230c2feef31817bce3ffacffe0d40f32646d479bd32b6c50ab33940f768110ebdc52fd4f1a51ac73c0ddbdf979b3f109c487ce61d48b11cce328741e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
faf4c09dde5343b07550107e8cf179b6

SHA1
c5ff7292062f140ea3a0533485e54a3714a2eda5

SHA256
a188e02417a18f9cba45bc51637b9f6f273f6829a13b6cac6840f299c3f1e6b3

SHA512
e9e2139ad82823ba2fe313c5ec4f1b6b551cdadb1f57f56d3f11a3af3d5ec19af4f7c9ac293e451fabb9bb372626ba429a6ed370ba46c71d71cd3958be338133

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
7d041ed44771d19b29b01682c83f8ba7

SHA1
179bba85593156f60aa653ee9e13bc8ea204f6d5

SHA256
150d5f5011f5cf6d7658ee14571a92c29730765a2d8fea5672245f3d99301d65

SHA512
4f56c8eb1808384a9293119eb5e2d8074ea212bb53b021aea1504f7bcdccce801d112c4efeae580c875b2c4af23f4edb4281d491a106afbaa165e9cb80c6ab5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
99bf981c32bcdf22f371d46a4df7389a

SHA1
748037bbda35da928d7f91d02bd33aaa1ee46d0a

SHA256
b344da20a6b5176628e88cf6e7f61cc5de80a4649571532c81a75124fa83a3db

SHA512
edd2ad99c4e4d55d3d4c3affc036394da2a39bd71e558c9b5c449267932488944b4471aedcbbe48c55b4bd262257580c3a219c5eb2aab5a459ffd91188251511

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
55c88fe7942e75cab4fc154e5459b41c

SHA1
bf3c23c210ab42e58f6c5d7562dc3d106d15a1b5

SHA256
fe85c3b2177e9cd2a275476151f23915759f8550a2eed0632ed3f7693e6ae1b1

SHA512
9af78aea0f7dc65e6e4feb8648bd77e2c65817111dfc03aa716c6897a64a995ddf47acb93c3b1c027165fc302e05398882c03feafb43491a9d57c2228a65b8a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
195698ef5e52246bab768f2fb591599c

SHA1
21a60c2192fb4a0f9e7f0b1b0e9bac7178a9bca8

SHA256
b41cf99245a94aa3c23442c68de19ae81a561414488a896f350f7444665613be

SHA512
241d0d15240618dc5602f9d379b8c4e5f9d479bcf6c38d6883334097df4fe568c55255e4a6a9da4891646ace0f0aaf1931094d16bd2ed1dd2228b9dded7ec4fa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
409495df94d9af8b5d8404ada6e30538

SHA1
1b28f60a57b0ed0c543397f9e793e362358f3f28

SHA256
ff56b778beeb8e0efd9a98924ee498c79dd2e9d9d80417a12bc8f6fccf99b3e2

SHA512
c8cd7f057ddd3f179bdf940600642d16d1cf85995aa2dbeea54e91dbd00b2794071f80e2e7c80b1d22519af7a88a34677d2b023dec3b610f28c414a29e684970

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
07840c9cabd5481dcf1330d444a1984d

SHA1
2a071e2d54b4a944f924ffb265c0b2a2553f7ad9

SHA256
a47e5d9e99ce6a3b50e569b59a70d832ea03902eb4d785f20eea45ef9679aa97

SHA512
45d446e13325bcdd086de2d7a79ee3074e5aaf0d7be2ac78db220bb3c6e600042c7bdb09f78339dc761e2e870d914c79cca0def5f75f59b38d295968db3b48cf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7135f2e95aefcb7471262d1b0f28b9a0

SHA1
31516aca7132b9a9f65177fe5e164b1de43c22f8

SHA256
e85dda15165e92de35a7eee77f50a0add3e38854b168daafe2c5d33cae1f2b75

SHA512
fb889a65c0bb87ca2f458f919a677824040cf636ce1e41e4ce7eeaf6a27cedbc77e1193354f651e1b561c428138a139dc79ceeb89ca86ea22aa7f4b24e5d9de4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
2b0a36931dd7dc2415be4dd51888b552

SHA1
e51a4d707033919c4dbc637fea67aaecca16e2fa

SHA256
71aa5193373f1a732abff8f7653c0ac2c0691f43deb24f2615ea41f503cd3bba

SHA512
1a31e30f790cb07fe410c0b2a055dab11f357f2c7189e04d93fb896a271156c33fae594abec6786807925e3bed020d66ccf38d96941534e6606e1c513a857f6c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c81645278a24063dc81ad56d018b9199

SHA1
a6c032c3ed42d9b0be5622145177fe35b0697821

SHA256
93df04d6f7873a87594791a8d65042ad7eb60624f30a6a590eabe225083791f5

SHA512
5560d88094f764dd802e42c8fcc8be23fd60ba237673e8f714bd1da765c17116a8d6cf11bbdae06c75410840b56b39afeecd4269f480271dde4d82457e2f16a4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b876d744d9944e45344868249efed01a

SHA1
13a182739cdc639ba9a27d2746af1dcded69060d

SHA256
c4517c49ed39e2b80add246cf0237bcc21cb82d943dc404b7840dea19d6738c3

SHA512
d7c60e2dd109c2c8084f3a8343faee8171375e7442dd3fd56428808e49c609d6ac87ff5d231bd0a211c58e32c69e2aa68d42ad907139baae5eba44d0d015b413

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
2efe647991b4f511f5eee6258d60bd6a

SHA1
f2eff5304700fac4d89031c58f7f36f4b44b4680

SHA256
1cbaa39ad38d7d791d9628a851ecae9f0fcc829ac0e80831ddc23990598f6343

SHA512
ac9bc294fdd37600becc122e774706a612715d8045ce156af9386e63c2ef784bd4f8b138fbc59a10c39add056cd0ae4950c8ba2bc81ff462be2b1ed1f3fb68a8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
33f6cc749c9587c552ff37bcd64f3f6c

SHA1
47afbb7ac3af04924a1bb9960e058f55e1c600e7

SHA256
f1b4650e461860e4f4bf606565dec26dde2c50f131b0d694bdd00ad2e051beba

SHA512
7a7e5ac07e515e11e9a6ab72271dc151c5e76416f35f4a7665c9030018f48575606a49bac05fd68fae3ddedc11c16ef3f05bd1449e09a4fa744128231e1d03d0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8f45d2eb2931099524cf3e0de41ce4cf

SHA1
6448c145a815523972aebccebe6ade7ffbfa7ac9

SHA256
ce23044161141ac98f79dcbf5f562ea777d733506cf72803a274e7b6a14347f2

SHA512
05731d31de4a33b4649b2788a416a5239e3ad0c790db1c7364141c5ff535760e9bcac48813163ebf0a06f2ba650a782187d5ee3dfb74c7c6068982a457ca1c3e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
48ea32953914462db053edcefbe74ecf

SHA1
46ba09ba7747456832f1d5ae7ad065566600f026

SHA256
e716b253733023e4bc6849c83cdc8f29da38265ec72d51c694161af5ef8985ca

SHA512
54f32e53baa613e530b1ca97e8dbf884ea347894993d2064b8dec739befb829ad468228949aa1e906e64cfdd827c636ff0ab5acf07b606717146cbb073a8463a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5eeb356dcdc152bf97d88569d10419b6

SHA1
d354fa3e1846cefceb63904dc65db7dbb39e1c1e

SHA256
1bebf17542e694ace180f122c525d60af14413f4dc71702d0506b45660cb671e

SHA512
51b0ffc48c626b5542f56d406fca34cc3d6c009c17ed508858451b59ff29de7b4e6f1258ac7a0de028a3d19c9bf1c5132acc32516cf95b75a157da6557c549c6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e724b8fdd3cac06cacee381ce0f9386c

SHA1
910b69218f51fe8d39c29077150f1f71754a6824

SHA256
2adca2480b06568993d6da87fca3cd4dac776ec6918419bbebf7149ee41fba81

SHA512
c616763a9ea60975d3f764630153dcf33925f8925d166005181f84472a41627b690acac893d651d29a1133edbe4903d6dfc40c5d6974b9d261967376bc61a62e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
94cb3b074e7ca23341b478e52f2f4748

SHA1
a0b536a59a55ab894a7ade2b2c37a00bdb9d7dec

SHA256
4d023d86a19d5d0958c38698ec1f3cdd35890ac802f7e4d42eb94dc4b591c9c8

SHA512
397e145c67497f1e396e0acf7bb6f9fb3ec32a1a23d23a7e4369c28e08c82381b695c20a005494c6fcea3826f2277dfcd8392ae6f3537301693cbe9240b6a46e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0af330afe102570fd3c38945cf7846b5

SHA1
317f514bee4e8f262e1f2f4283266148a3f9142d

SHA256
859dd19b348a6145fd0d5a18eea7979ba6649a3869d42501348790ff3f69f277

SHA512
8e1f39c051ccba3f3139e6bf3172cb6a50dfb2bf0c0cc2c188d216915daee1586d8e3d1eb20fe5f9ededf87b9f9183f854dc3eb46ed61757d605aeda7f86f2a8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4f8171914a4ab758952758281e964ea5

SHA1
6c0b4536d052f06daefc5080ec66762eb91cfbd9

SHA256
409b558fcac9e301c0774e5e249a726cf55da683ea33566c7fc3f4d3bc152874

SHA512
f7a2d1ac41c17919cbc5b65f15dc3e36d08b32c37c524dfccd6219a1884b05d6941a98c98eb9b82362fbd0958e28daaa734d8fd2d9532026816c8ba1eb9cdcf9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8005959f80fd306f9dba81a580168797

SHA1
dc78a44caa406b03da506a548e9200eff3209f28

SHA256
1d7f94d9c68d218787fe901f57592df3264f0ade6ea51bbd0b0284425a113573

SHA512
2d79305d8f334ad4e1b328527230fa06aca9181271c18c96a0ba59e6f7bd352c0217083cab3a5e864637eee4cd1785c31aeb5381d740bb65ab816884e4e964cf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5cd0be1e971ea0f60a5ff282f234242f

SHA1
48f6e32be239c267a59c0b27a353817f50b12de0

SHA256
724abcc87b597dfafbce5d5166a76b588439dcad6c94eef15677c6569a03bd8f

SHA512
521f0b307739a3240bc108d1bd5d8ba69e456eead9fa54834dfc2aeba5324d22b8798854204fb5cdb6b4d4be831fce06dac10f9fc05766e1823b42a5284c33ad

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
da3bb38f6a8475e360d83ee3a712fb06

SHA1
aada1da77ae2f22a48a3a5def35503f5cf834895

SHA256
0a6dfdd14c043a54f7bbd8521fcc6bf71479eff1d0afd319f510c45a54465f23

SHA512
f1228f2bb000b640c249bb1431486b8ec8b03054da682152c6ebf81257b7f7e7cda5179311e3728cdb9574b22af2e79d7c6fc5d2eae765ecd7dcf7c2623819e4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7901eada3547ef5868e409aa7b65231f

SHA1
4048478b5cb6f6d83d53e20d8d448df475467c5d

SHA256
eba951568cdb19b276319b028a8eaa0f89167a24d941b20ca19da14c8755712d

SHA512
54ea016f707a80ddf4c664d210eb578e11d7a569f82b64b4edae2a38dcbefd1cb7ff072b4a1ecbf5432606a5499516b375ea9bddc8fbab481a5c7f7666525ed1

Download Submit
memory/656-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/656-357-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/656-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/796-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/796-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/796-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/796-227-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1116-318-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1116-310-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1116-377-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1412-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1412-379-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1412-385-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1592-248-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1592-308-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1592-241-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1592-242-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1696-64-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1696-65-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1696-71-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1696-236-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1712-364-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1712-432-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1712-373-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1716-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1716-253-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1716-259-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1716-270-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1716-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1976-343-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1976-404-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1976-336-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2068-442-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2068-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2656-330-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2656-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2656-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2860-398-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2860-407-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2860-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2860-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3164-406-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3164-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3164-415-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/3292-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3292-428-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3648-297-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3648-372-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/3648-304-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/3648-362-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3696-268-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3696-334-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3696-278-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3904-447-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3904-454-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3948-1-0x0000000000C00000-0x0000000000C66000-memory.dmp

Filesize
408KB

Download
memory/3948-0-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3948-6-0x0000000000C00000-0x0000000000C66000-memory.dmp

Filesize
408KB

Download
memory/3948-7-0x0000000000C00000-0x0000000000C66000-memory.dmp

Filesize
408KB

Download
memory/3948-13-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4672-347-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4672-282-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4672-293-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4672-356-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4756-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4756-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4756-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4756-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5044-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5044-34-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5044-28-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5044-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-49-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/5088-51-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5088-56-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/5088-59-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/5088-63-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5096-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5096-467-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5432-549-0x0000024F36D20000-0x0000024F36D30000-memory.dmp

Filesize
64KB

Download