ea4bb1788a7ab692672ccece105cfb6e664c4a6aa4a84fd557c771386546186d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea4bb1788a7ab692672ccece105cfb6e664c4a6aa4a84fd557c771386546186d.exe
Size

706KB
MD5

d6fe374bf65c623dc0ffa5a576a901cf
SHA1

314677121533de5ef80334fb4550a026436f37d1
SHA256

ea4bb1788a7ab692672ccece105cfb6e664c4a6aa4a84fd557c771386546186d
SHA512

38e16d49404107740bbe0b947e2f16fa041903dfcc26706a70d327baddb27f0c6f1a5576a3adbd7365bb168e5878bd14a872f004ecadd0c73eac6fca4b1eb798
SSDEEP

12288:VWiB+tj+m3FUr4Ae214qVJpXO5otRZNY0S5hDZzlqqgv2qE4lzlIpo/VSBaokjH:VWiB4+m3FO7efQp+5gRZqZrDZpqqgv22

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1760	alg.exe
3136	elevation_service.exe
1148	elevation_service.exe
2468	maintenanceservice.exe
4336	OSE.EXE
2340	DiagnosticsHub.StandardCollector.Service.exe
3152	fxssvc.exe
4256	msdtc.exe
1568	PerceptionSimulationService.exe
4160	perfhost.exe
540	locator.exe
4024	SensorDataService.exe
4364	snmptrap.exe
3608	spectrum.exe
3604	ssh-agent.exe
3888	TieringEngineService.exe
316	AgentService.exe
3544	vds.exe
3068	vssvc.exe
3796	wbengine.exe
2464	WmiApSrv.exe
1500	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1b96d33fc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	ea4bb1788a7ab692672ccece105cfb6e664c4a6aa4a84fd557c771386546186d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eeb4a2ed0e96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d0e5fee0e96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000406559ef0e96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000501489ef0e96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004265b3ed0e96da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000148cd9ed0e96da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9f2e6ee0e96da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d262f1ed0e96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2c4f3ed0e96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3136	elevation_service.exe
3136	elevation_service.exe
3136	elevation_service.exe
3136	elevation_service.exe
3136	elevation_service.exe
3136	elevation_service.exe
3136	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4348	ea4bb1788a7ab692672ccece105cfb6e664c4a6aa4a84fd557c771386546186d.exe
Token: SeDebugPrivilege	1760	alg.exe
Token: SeDebugPrivilege	1760	alg.exe
Token: SeDebugPrivilege	1760	alg.exe
Token: SeTakeOwnershipPrivilege	3136	elevation_service.exe
Token: SeAuditPrivilege	3152	fxssvc.exe
Token: SeRestorePrivilege	3888	TieringEngineService.exe
Token: SeManageVolumePrivilege	3888	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	316	AgentService.exe
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeBackupPrivilege	3796	wbengine.exe
Token: SeRestorePrivilege	3796	wbengine.exe
Token: SeSecurityPrivilege	3796	wbengine.exe
Token: 33	1500	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1500	SearchIndexer.exe
Token: SeDebugPrivilege	3136	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2684	1500	SearchIndexer.exe	133
PID 1500 wrote to memory of 2684	1500	SearchIndexer.exe	133
PID 1500 wrote to memory of 2112	1500	SearchIndexer.exe	134
PID 1500 wrote to memory of 2112	1500	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ea4bb1788a7ab692672ccece105cfb6e664c4a6aa4a84fd557c771386546186d.exe
"C:\Users\Admin\AppData\Local\Temp\ea4bb1788a7ab692672ccece105cfb6e664c4a6aa4a84fd557c771386546186d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4256

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c648b92321306896d7222aae82a80689

SHA1
f6d0d4930ab5ce408b464091742a410221f27fca

SHA256
60f5e9184925284dda5c6a6fd11426763562e22d8099792efb7f3a78eb8618d8

SHA512
ee5b58fe378c9c71814d9668894d4585fcf540c43f09e81b78705aff0a48fabf2581160c2e868404cfaac9415a78f0a6678ab4a791aa006192fbcdfb6d64055a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7734701e35d7eb9315273cafb874f311

SHA1
dd6fe73b8a00c5683e2f4d5d3b581fab9d685bc9

SHA256
94b4543df95cc42ded66d8facc1e3d727bd9b03c8ee01d1393cdafde77673306

SHA512
2a4635e81e41a2ccb184ea987254aa752d2397d14589247a33f6c5ff0422669e832e7a83f4a28f2d13a86a6b0360b5bf7a2bd03eff9061a0dbd08cc17cebe289

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bfffb25556550b4e8ebff2b7f0676902

SHA1
6dd0931364b26d86061c1aef63913a68efbfd34a

SHA256
06a0e0aa47c7c4c89c5cb4010ab781275a0638bc873cf75761f49e1273889ff3

SHA512
51f36195da98e4df0bdb116d5bd8fbc40c9b28769aa1904750bf0b754f6a1cebacc5412ca63108a2a262dc4e9c0ab5b8d24e4f378c9b757e48f05e1c6e95c856

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f5175a829673f010f996c2e298cc8a7d

SHA1
af20e6ee459cd7ca5abe4833e14c974438d06bca

SHA256
b86230d18da7030d78410983d33b7f64e840901042569fa00d7a10ddea24d68b

SHA512
5a980155675cc30da51b916942dd6eeab898fa393c8eb46c3d39b876c7b8323b8317e09cbbcfe111c6d9f10c8ff05e951d7e4010742b4314edeba19544024d2e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4bdd0bb9e4c35006179150f004d651ce

SHA1
2d1290cab40f95fe47970814aef7b88eb98f6929

SHA256
e60fe1bf8ece8a13ce3e5b1bd614c1f513c4536e7e7f6fcc348fa17049883609

SHA512
873396ef3387892ec312ce279987d3d8407aa1e625b46ad3904fdf36d660f9a404362f3fcbc5ae4a69e76f26d6cd975589fd65a1ee245d3a32c2af737ec9cbf0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
02f890210ffc0c8736c97f114734c002

SHA1
1eadec21575b7cd80685dd2ab95d68f47af08107

SHA256
00342aad2797c6702e2cbdfda5d11f2ca1fb7e52af79ce65029215a479cbc1ec

SHA512
238c19703a6b553b9a2cac17f41dd718d0b49e67430367091eeea0d0740111af98567d2cf6301235616b4ed13600ca26372c8eac7397eba90ead724e31df6eb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e57ba426b4177adfb0c429f4f0fe00c6

SHA1
ada05c1d820ef0f556478ab5609576c857398ff7

SHA256
5b20b11d767155783413fc6db3f72237742f1a1248cefa2a122487edd0a961c6

SHA512
e085d427aab07f69e23cab5964ddfd0f63a4004faeb8edfed5637d3dd87b971e2047c6390bf51cd2cae7b7775131402ba8f91f5bffb4096b1e62e7f1c5348e1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a7ac3bf01dd338e5a7ef6caa395f60d5

SHA1
9c0429e90c00fe0b83c243bbc54f26b8df02092b

SHA256
56a70f969b9d8e3640f0ea0b4d6759d978cfa7045d1adc4c5e17df89cac0fbeb

SHA512
d33aaa2f80aeb1e1b99bfd7fb8da8f8407233eeade6222c3723de102f56cfbba5358eeec1b3905241b304aa61998ea07744a110182d167a22de28e91f1e9435b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3ec87ea7b9e6f6f600f4c1d6a1a3f5aa

SHA1
5889ec570aeee196c1e912eb3ea608c8b841df40

SHA256
a1f4d8acff96dc573f10818808649d0ce6d1d58dd027485604f5da7a80a806da

SHA512
f6a37ad7f5b237e542b165e19bc26578ae82dc705783b1a0b8d2d36e968757feb0f508beaabd5bed2e28601b2071b5c16b08bbb4fdfb7b04d20b93115912a754

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fd910c23ad5fb913d2e43c8c34d30f71

SHA1
42bfb4d14b4cf5df1de7022229f5b64ad76122b7

SHA256
8f2b269e625b11c5c5d86d01630b3ec868477a2d954e1ae7202f747fe33dc6af

SHA512
40e39e81e3efe6b7b1b3532c736f2c77521eecf25ad9e3e3fed9683c05224d819f0ee20a4401c2eeda92bd9607979c38ebe1c162d07e761619f85b05d2471cb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2b62ce6bcb7083c697057ff057344a68

SHA1
a831f495aac468413b9abf90458ec57468b62a69

SHA256
3a79f8ae04309cfa43b7f99005295c5e8943a8e68af098e36b7874919f2630b7

SHA512
bb74b833055851ce68d29eafa0d8743c89522db9ff911aefa1f3a1d177e20eb6f621eb141944e84946e5567d264ab2fd09cf132149a6822f43ef559c5e5eb282

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3d1c7c7a49972aa7cae133df0a4604d8

SHA1
8a3016bb0de65b430f15654e2c7b3047a42bd9e9

SHA256
a62d9bb5b5e88d6264ae391fd47483d90c386db0cc9fd91131333264dcec3a80

SHA512
6fab2b90faae16184d0275fa55049ea5d609764309d7053e3b8355cb0bf526862d8b7628658522df24b0e8428113408c9138280fb1011523428071f98bc30e72

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
da49e179253acdb3ca6672a78e7abf48

SHA1
bd2904a5b9ca0e104ed85bde4463ba9f8f4b8502

SHA256
5571113e93057b2079f0cfd8ab895b0080813a90243bb5290c319cec0e5e9321

SHA512
89b064d416f4a11b0adb749a0086f0e6a26eae97806f483d9a12082067ce310f7b63e45b5615d8a95f290da1757cf63c4c7a7d2a79af937067f2c2f95cccea00

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1615ac22e92135047312daae134aec04

SHA1
676964a1d0df2087693fcceaf15fb32e3b1246ee

SHA256
90657487befa46b5f185107b11d4fd34422fd6ad34a64ea7f97408fc2224522c

SHA512
c7d467ab96dfa667c95513c45451a7050ab87e4b7de532b6e91c775eca58292461c64f71b45652c51fda26f42fb54737d8a8c098e995d5a7a42528948ee1de14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
044b13f64fc793a6c26a02787adaf432

SHA1
6c0cb3ea0d3ddb6aeef12b020daaff028a2d1bc1

SHA256
79bfa89461f135571eacc63e0627b0418f37629c8743e61ff18e8a14880e7147

SHA512
d3511b481986b19667c8af82df1d07761e835ff47c975071f9f1ce80523e032d8320c7132673a36ca75769adbffe5adea0573af443f004feaeb7b1fb511bcbc3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6009937ff53194115d8d3726ca16a24f

SHA1
d78955a466ade5c3a8e26f9b51505c24a06bde0a

SHA256
5b0433a407b2ba9924829fcc34053aea60512cd647a6ebc625456a56b17eb821

SHA512
41e715952366313e8dcbbfc4122bbb332b3107b52deb3e9015be32c568a87affaa5ebcdd7fe45b93b31f7df5fc46dbb1bb803ec1580752f46f982ada18603661

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4ae9a1abcdd84d67ee3cee207921d76f

SHA1
45b21e0edac5049a3e4cbb2fa9c6416e571b0cd8

SHA256
2f4712b0e70fdef1f9c77cfcc3fdc87f8bc281973fed51c239eb0aab93af3cf8

SHA512
dd982169559bc6c1cf935a1ffe2056db6ccbf7dddef993c156e0c4c1a0a0aab02b32592bb49f07f9c2a8fc9d014f517c570bc4d00d25267d97ce43c3fff6b22b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2074da567d029f5b186a6f4db75c0969

SHA1
6de54069af7e5b0248af3d43001c380ec141636c

SHA256
cfa5638a6b96b3a0c82a7e8e34a1fac5c7762771e00d2cdb9d2c5af4134d7dd7

SHA512
bf3815b9d22da7b277f153ace617f11d2138fc31de9ea8b8672939293e7ce35b3ad4de5785987218fabc9cdee79710443abff7ff336a89c0bd04222383a933b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e03342f4121a1b1173939100ccec79ed

SHA1
faf6f547a11bb1033bae6e3da1b2232deea7f2a9

SHA256
d42c6f4eea555b32a86513306783d6c74bee6b0617d4f596d5adb46c9ad27030

SHA512
03c6ad149527226ebd13f8302d1263d615a73c12a3ca2b4a67838a0eafa701dc37374a4b2d47d50c93f977bc3a0be8a0632d0391b113cbbfce72ff44d43c0fd7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
29580eef7b7a599265fb9b8385ced4fb

SHA1
58f38b5075f20c2d652f47d060ed7d9a411446de

SHA256
089dda5dbdaa24cb880ea28312e35a18e787693dbff87a0684946f0468241da6

SHA512
39511c505c0ec5d3a1886162b7c7289b088ab92cd1aad81992ce84a9b8974bfdc603358f44e533d5668d725623f3a50af51ebe6281dd3d179c205b5a008dc09d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
5b22e549f566278d75a9591b3828a4f1

SHA1
c10403ff6cba2062634d7bdd7e43955bed0f2c82

SHA256
75a2bcf1c327adac1ce7850d0e535ba5ef34f851d58abb82e3963b7e67191799

SHA512
1436454f39921f65c9e5eb160cd664c3d7e0bca202d6779844494e6e3d38e1bbc4d8b14325f56278db7d25f06bfd02fd777aaaaf5f9819ce8592876761cc5a6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6719965871ee728365c30c1d04ffaf4b

SHA1
954536801ed47e1d1b61f96505990fbfc2b15e66

SHA256
1e13c671764edbf92756aa1fe6009de006a9999590a0ee7480c76f4dc8aea17c

SHA512
f809ece07a987c40b022cd5ebabf1d9b1f7428a3c605daf331993d2046edcf10849d268474d87b7928b22c68407df5f4435f794973967d6242f214aa99a027b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c36670f5bd4a9e2693b2552eccee5c5b

SHA1
5e1ab53b436ad5736e80f837c99fa9036e00cc84

SHA256
49532ba2dc1e7f64f30be3176decb6d5b1e1f4af2853524fd29c8ca82d34f8b7

SHA512
1617979e2151a3716ddf916dcaee1852ce90d16dedef50693e8803072c130861ba3111c665dc7dfd25c5e50bc1bd38c6afae7ad30196090d907b817f27dfca25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
300d0f1fcb542258f41ea1ec060a180b

SHA1
0b8e7f15b661328334694ab3ea7ee38817bbaba0

SHA256
72bd88e6adda952a829af66bf4506211dc8546abb3cc5507396776d85c93f2a3

SHA512
cea6d2719e155d982cd2185d241872e6d694eada383ac89bead51b2e91b30ffe2abde20d1add99595262d7f10b955d2d3f3109f34406838f43aca6d768468ebc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b1791faf4f157328b4fe33950afd3a3f

SHA1
990db50cd7c297ead3af7cfddea427c4238796d1

SHA256
1f63403bd443f27a476398edd4bf59cb258cdf683746be070a4bb972db660b08

SHA512
dfd028bab22d5be3d7b6742ed4faa96a4ab09d208bf920cbe9c41cc5dbb04a39c77b62d8f3ef3dc8b60dedeee6ad471f94f313c406bb914782dacadf4b585de2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9ce8742a54631a7dc3fe11cc519d5611

SHA1
424fb8b71a32daa086c8b54af2e03b4932fae567

SHA256
a90220bc62cc339b9483f05be131aa0c20c2061765cd3e591fc9706c450a1d59

SHA512
cac94065356e8f9a1b09e37a5b6b401e0ab9f3718c0fb73a04b03e1fbb9c963b9cbd3997ebbc6c934f2f5f247deb87184ca9f330a24cbe2a515c220d442ed088

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8ea19cbd868624174f78e12246be409b

SHA1
a770af1404ff19f5524421b25e1b0cb2e6a762d2

SHA256
67e7700f7b58d5feea247b426d978fed1488a5b78e82d7b7a3d12a4c5130be5b

SHA512
d246590c057c3918a64c96c34e6935d84cd316fa61f0c33711b0b4c3ad05a8c5698939e8e3ae4a87a4549aaf1e05cadfdf0e1be64e75dfb1202f9317afc318c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6439cbc4ac46a77b56f90fefdd37a66e

SHA1
37f0872b47b95b84f3adb8fa4b97dd66dfff767e

SHA256
ef374e41aefd3d867eef95a923a468dc1fe465120f2fa505ce2ce2e381cec0a2

SHA512
3c63ab358712cf06eac3b38b96dcf7a4ac3787f2da6e01318a1060b32d178c204547b6ac2bdb705aa3a91b408c74607399627a4c0a75e920964f88210501ee1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3e93a0488bf874687b4a29780791af77

SHA1
c3c5ffd9667e3ccccf0f4d621c7067159050ab19

SHA256
444c3fd4a1e8de95bee70835210909f154c5fc66672762393b04efc186e2774d

SHA512
d26c27d521ceb9384cca6baeea54f9ba1d8699d0671a26c5c48888d0681efb77f8ffd44eb8e0cba8cfd9b37eeca9ab88ad18b172c38216effb0950a2f7f070be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b16140e69d1c98ee85ebf027f6f323c9

SHA1
7009109b40f3d4566d45134d30153e21d1547558

SHA256
89b378a84b51e3ba8fa93a97df2e407a0726b0b8be345d67ea3d1b8e9d725905

SHA512
42481b58c31050b2217b5ecb7fa6bde3acd94f7f897f9303da457a1da0df785ae7e94cf342ca1055118d77a1b84f27e2a9195ef66c44b09c67a0cf8957b575c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
cefee521b5ac7a00b883c108d42c85eb

SHA1
95504c6fdd38fb6b82cb21886d3806f5a8f1298f

SHA256
5ce56d5f8af647aba478e55386a069fe8f22eace5214f0835aca2c3937af96b2

SHA512
43b7cc69c22b5db726f39edd98796ea1271cc2aa8a4599d2e914f72c771a3a95ca917dc6580316ced75ddeff61f1e5c333d0b6cd658b59b577343d81365e127a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e65b2d2168839830922de6bb883ac885

SHA1
9c6d1247f6189c6b26ddb7a45914858aa14ac79b

SHA256
1fffd8cf29ef9173416dcf163a9f03cfb9c3679554f60f7029fc43d674fe9f98

SHA512
6eb65566c7e34f99b349a4781af324b49f6c9dbedef68a0872cdee63da04a4850c889ad49948b28c7f7eff472f6232159d0b325c7a434ebdf01a3d8098cf7666

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0e5455b3485560770c3432f18eee6987

SHA1
992caa8448a062fb4aa2f9a9bf3b4c91b8a2861c

SHA256
035ffe961b0a6c4dbdffda860b66bce9fc31f0cd43a8c0bcee5b569005a0bd6f

SHA512
ae66fc64f1389af53e078d21da89739335c9c92c2484f700e3bb67966f75ab04005b6c7d930d711f7e2a5538108c2a6ce181ef505eb42632a3fc9dbc15fcfbed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d824042fe3eebf519146fe9a374110bf

SHA1
47dea84526384ba27fcafaa86c0760116c3e14d1

SHA256
48af477f2d20f03f268f0c92f81134ba08380a84564a8a585b6dc287475cc46b

SHA512
c30c4e89658e808ec0e209915e458d8ed56e53f3d786130c99ebe81faf0bcfdc66db752f274dbf76a8ac52b292d866f1b1b5901e522a6f1fd423bad24f071799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b79e5942b3f0f402def7a53168b2a56c

SHA1
812219d27908e903f220e6ba6f423a9e91867a3a

SHA256
22d452b73bc1a3a28c276d8a8248b18132a3f302f3f420a8ded649067fa7d795

SHA512
3200955ebb0254da620210dc63e30f17164611fb1a64af1f9f695d7c6ae0d637e1d1b8e9ca2ee5871615824800746dfeebbc9ac492d18e9b770d989a343a9d1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3ce8452cb83f909015bbfca4b628e3a9

SHA1
183f1931faa3f459a4f7bf78beb3f585090f115a

SHA256
295267ce781eda118a9f1d0eaf83ead6e8c06dbf80b73cb4ecf580588a888b37

SHA512
d7997f0289ab4d4204200c0319e226e39adbe5690c1bc707113cbf03a063ce03e154bf0bd8e6eb371ee53426444b0b82e9f5b86ee32d0b37021bce4ba0ebe2e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
e89aabc8bc00094b7f206d1e160978f7

SHA1
99b99d9583f71f560ab09c8995783d39d94316e3

SHA256
f0b4823fd0e4619c24510380b1051ffd38d74afc6dd0b2c154de54a4e2259050

SHA512
a4aecb87092b4295f169779fd2607dd2463176f6ba209c74356ca4d8bc6417a62ee473977d38357be44e79268441b50a8397306e4a473795b5bd0714477f56b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
b1e13a8b812d0a448ccc180db7d94f42

SHA1
f1324bfef81649141a324cdc5cb2856c4fc4a9d6

SHA256
38678a7a0268fb66d4dc7895538910d5b60267afc4ed8b911a4bfab05dfc9383

SHA512
69d9bd56a3e09523496a5aeb48f91db2512f3c454caccee0d58ca43b892d90148c36ef31f0236953ed1df3878c7fbaff73fdf5ef1816b50bd23d559de5eff117

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
b429d8619d1112b84e0c1a88cf598eca

SHA1
39da64f68f9f56e58f3d718e99290be4bb5406a4

SHA256
85282ad47d0436919f99e5e12a25cab35e9fb324669663327745b39ecbeb3b66

SHA512
73393c9f6a7ea18de3ef4f83f67965666ded1b7793466926f2c280b01f0457b8b18cb652f31b03f2b221a4e1b88da1d61aa3e59de720a5f6899a4454bacc6669

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
efa5e0a45228b20186a69bb17a061f8c

SHA1
1536083778fd51362de449fa40321d9a6a195c1f

SHA256
71449dd3d791badb4848a7f9e6bf38f6a0772f54c318033d57b5f7ca05f81097

SHA512
e06b93878f06c6109ef3904c135612515c4af63be1af997d18b6d50932a11791c61899aaafaa0622020cf0e5f49ea622229aaae18b57eab5c8d70eee75cf1180

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a44af6067cde30aa97e6c29fbf50c54e

SHA1
b76eb154dd3bae8c2d6bd9c308deb36913e23405

SHA256
bbc334a1f0c88f744a7bef6998d8c1b01a88341e828c96dbb193fbadfc83499f

SHA512
94a28d6080a8fa0aecf2ca45e0a899a6d856911412446fac86bf8f64957cae482ddf323f065e7a0f49bab377f32b8b8bd1351e9db8c837891f93461ffa7239ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
5553cd271c6fd488ec9385fafe6dfd39

SHA1
5a93f69a024ee0379158b9f3095728c056a7e7c7

SHA256
533908058f75255674913bd3409d741f9821afba7b304cd0d0c5bdd5adfeb239

SHA512
d2dbe42a771b3251731f9f5233b9e44ecd79febcb96442d513f78f60872ec1947bc8c1b4a3ecd0191763695b45b724d11773842f700148a41ba4b5186c2d5c80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
d2baccffc5ba6d6a87569ed075d864e0

SHA1
e73beb05c52ad7500c6202d10fae8d220be7d181

SHA256
f717a9964ebd78c8ecc2a740217aeb43e82720d580235fe213eb6310d18b02e5

SHA512
fdff8fb414350878a0eabf5560176d03c62b0a891d62cc88d811bd6e37ebe3173b7a223bb011ccd92a49deb97943133b8cf693a4a1412687d965425438ebd5ee

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
af7bbd2ec4e97b022c579c23ecf1154e

SHA1
f92b4cd10aab0d3028ba8b19b084127e33dcf707

SHA256
d978b449aeefc9f6a21a8150db3111318731c380b945f5bed68f0f8de37793a4

SHA512
6b3cb3c3b10b9f80f7c81dc7ec9b579809a86b62325048963d7ba4646603f41e45b84a3f1b9312fa2de13d49a382078442679c9f5639e90271917c044abf320d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f9518f5dc030c137ccb271534d0eb6ac

SHA1
2313db01df780815b348f31238dfd0433da307b0

SHA256
c57ee56c4b648bd481684ddafcbd7a10943fc174e7f717db1094408cd38d6ee9

SHA512
0051caddd9dcf14a4a2a08291f535370bb6756726ea1f773f0eb3f046bd0bfd99a17bf04d4e93dfe47bd76e71bdd6a24b9bc3cfc78639b2af3766299ad79d47f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7d18d032a9d2d892c65cbfb3f4a7497e

SHA1
0ffb925fabe41743f78ca56f47291c135708fb27

SHA256
2b8e0741bc5fa08a8a84cd1f40f4bde286a9441de333769a2a723690a112d378

SHA512
4248adf1d09e38c12153a44dde8a55625fdab5f557e75fc6b2729fd714583bb5f8e87088e5c81cf0c6285ac2a0c73e5e28630a1489415b13157857e7eacd6dfb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
df66d69bb64bd55ea2ba28026f8b6b6b

SHA1
f79b26d3b541e033b6b8811c0518145c2b5de85f

SHA256
97df9b54bd06ef8e90ecd3454ac377f44521600640de04b0903ab032adfc8d80

SHA512
ab0da4cbc4e414728f21f2656f112c5dde4d5aff44370d55cc6951f545333f95aba275172b3e33a8b66c8a37ed446e3f0a2dcf61468dc0c518e1b2894e25cf25

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cc97b5fac61f4819c2c8cb5246ce5667

SHA1
74be4aaba678352d525aaa4263df80a6b738555d

SHA256
dded95aaa9e6e3566e06e8b3dbb29f7a02c0eab5c8d367ebb9ff7ff099aef423

SHA512
e406d1f04e01dc32109eb33ba86c88eef6e3ee1e75be9f93831d45a6c4b293fb12c55159309c7ad7591ecdbd9fb189ab570031ca4abd78365dbce9d371c26317

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
be29bd883f84917f5f33d81bbc117e1b

SHA1
e09cefa21fcba9e1851b5b36d444fc0d384f581b

SHA256
8523faafebfd64cc46af65effa8b94b5eae34ec5ce7a4ac4bea0cd2be6aa4566

SHA512
682e734674144d6c7c40d2e4cb8789f3c68a6b901e5b1b066d8704fd78d6bc9cdb1ca400de02dd75f37c5684582d91ed41dd097fc473fdbb9c1613a309f2c789

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ac00522668703a4125107fee47969e22

SHA1
b760697f6806cf22ce026de0a39ca9bd2b0defd5

SHA256
9110b26f5cb3aa4090153ac67f68cd1a48b5c1a0b1a2cbb591479fd4bb70a472

SHA512
3f4e8697a9e4767aedeb17dbd9c03211515eb20bc18985f2d7cee2c4b1c9a574c4a8df5a964322e24ddc8b761e402a3673c893a0943fd931ad32ce164fb7134d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
af3d59adfd7a962327b4cc0db9caf917

SHA1
32ee4344fa99e170f78820bdedf135542a0a4c0d

SHA256
2ebd0b7e3dbebbafad55a3dae499df9f661f6082897e61e85ee9cbcd7f0e7132

SHA512
1c16f12e3a4430a61ab7e11033bf3f83d2802b9488c9f036ba186dfdf44854407f9547258efbaeda3acfc7113621a3efd56a30827c0ba6f0c116b034eb1f84a4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a1caf2d7742e838c35b81df28cdba4be

SHA1
c9b69e24716e6227c1026c3c00d0fc0f2c25b357

SHA256
caf3d664fef7ff98a7c91662d9338ee349cdc953827369144c55c12e9f07a999

SHA512
f21dfbee9d0f940e10ba36945d7aaacb71b3cf83068d4bb00418aab8f764f276adc1be60ef9f183f2348dd2a151ec221bcabe23d6ffe49a48c41dfcebfe6e577

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
16b3a584a11901aba7604b1c7eace9e8

SHA1
89d533085f9bb85921d2cdd8f455c75926133e1b

SHA256
ef05b09eb664775829b3fe578faefd5e160c9ba5575dd07464b79b4d26474212

SHA512
04c672856ea1861445c0c126a6940120aff54b8eb50ed6ed2e3af5d294b4a76dd3a916e7ce3fb70e9bbaba623a6d40e2b45830c97d0ce2bdd99e94eaf5b24217

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
94bac5a7d9149d0079cb251dac249cc9

SHA1
679e248e747da2fd5bd1ffe02024ea57c6532ae2

SHA256
00136dfe82449ee665502b016aa3894c60e4101cb40b0aff8e476dd50acd26c7

SHA512
756dae5c72336cdc5ae0a5afe13b55042edd00705a1c8fb38997060c9393201a262b3978ee842eaeb7a74b3b8162093276a2954bba35905e6231be7003dd4bb2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dcca46e0a57dee21633025d2b3dd8b56

SHA1
11ffdcfa3afe6b75c97e09b4f7382bed6498bf51

SHA256
899f9ad0e4c347e01524b40be0c3d21de298ac00f41c1a696d8fc426f05bc3ac

SHA512
32f298507b044386714e87441f15fe6dbef0f779ceeecf5b324af716d16e4142b2baa513eb1fc3a03e4168f3f25fe19a2772e6e50db3254ef669e65b4c0ae6ce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
325b17d1a21c46b8d45f91bc5e4566d9

SHA1
f55d0c61e3b5288c1a6cd509dce9a1db533c06e2

SHA256
d283a7084430c78d1d09a8d76e6eb9c393ec2d156d0d4faf704572ea7dd5fb1d

SHA512
4a9b1326e92028903070f659d3e323dfe9d266024f32b1633b794fca24dcbd28ac5f20a29e3a998cfb5c0d78203fcd02707f5a9fc6d8e74fcf4d940b26bf564e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
54c39778d2e53e57b4463081ff990e19

SHA1
1959b7191ef9554f44776cf0aba4b6a87a490670

SHA256
1976b4f9c247c55f64ddcf53660822c5127214223ec9da300dc08817475cf4f6

SHA512
8db2c805a27b323a56844a3419c76ccedd9b52717f1793aa7f37e36a1f0caf66dc7a260efe8e6fcc32fcf32394d573ef9f57ef2c909e5a062208cad664a6a894

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ab46f3884a982d8434d2a7766211cf32

SHA1
c4c6d731754ce8e1190dcb424ce586decd75546e

SHA256
ebacf854a5b31ea8d83f9e292b2e319904e6c540ffe55e21f06f8500f91f6a9e

SHA512
5112cfce6838ace1c0985d1c32868b58794a75ffcdc4f3a1dbe1aeb8399460df05b7895a7303b456803907a481d5400f8d06beeeee51cb052f10d6d5ff8a19b7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0af8532c3f25035182568b18867d6241

SHA1
b3cc1d956c57db79038ca5a5584298d833463347

SHA256
fa1d0dc36b16ace54c1dcf246c8a4d19779a58bd1cddf35ed61321ce38cd75d7

SHA512
57f5bc7c59f1fd9d2c58d19f4945f57f8c8fce11eeccf8f77ec48725a1bb92fcfa7c468f0dc944ee6dc7aac08a143f225708142a58c9eab2751ad78a51b47eb9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
94d8891df8c9f357cbfdaaab94044b0b

SHA1
b62779211ed6bc777afd1f23a3a3937f1183340f

SHA256
8553b2982b1846ee49d58455c0142e67d6d7cd41886f4234929e87c0412d91f8

SHA512
e0bb363e24926b473f2a65bbbc005606f0eea2c890e9118e333e5354f3a0528e34586fff2f1f743e1827546486560aaa0ee0327eaad8e4f895ddd9bfec129bbc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e5e9c967a0b073cb416774dc5283d41e

SHA1
74b81d51eecfe22ef8391744f7cfa2db3c25ea76

SHA256
3115a17bc8eaee2b3a55b7c90de4ee18ae721f50879524a3ededa7eb7aa40410

SHA512
63c885e9d59e8b3f5cfba9cd199e1bf7a9429e42803c567121269134eab914f6ba20b81298f9f50db1d3d1e5fc9033ab0d5a41e89b070a3ac85a80756b205d4a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9a7d3b6701ab7dbb1c05e86329fa5002

SHA1
9cdf1108dfd3c7a42c070246a50cfa6268ebd226

SHA256
4fdee70521fe5d0683a1d5aedcfbb0b7b06c7a6fea02487e3df5f0afde4b3ae1

SHA512
0af02ff6897af32c31ac0218236ede14d704091993e0fa8f0a0f5f3b871fead15ffa130788842484b1cba22ac631cb0ced4d34340b6e84bc1e2b54dada73b46d

Download Submit
memory/316-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/316-401-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/316-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/316-406-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/540-377-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/540-320-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/540-314-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1148-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1148-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1148-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1148-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1500-469-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1500-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1568-349-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1568-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1568-358-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1568-295-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1760-227-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1760-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1760-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1760-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1760-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2340-244-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2340-250-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2340-312-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2340-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2464-456-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2464-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2468-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2468-63-0x0000000001860000-0x00000000018C0000-memory.dmp

Filesize
384KB

Download
memory/2468-58-0x0000000001860000-0x00000000018C0000-memory.dmp

Filesize
384KB

Download
memory/2468-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2468-51-0x0000000001860000-0x00000000018C0000-memory.dmp

Filesize
384KB

Download
memory/3068-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3068-430-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3136-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3136-36-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3136-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3136-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3152-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3152-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3152-255-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3152-263-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3152-274-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3544-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3544-419-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/3604-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3604-373-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3604-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3608-360-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3608-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3608-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3796-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3796-443-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/3888-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3888-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3888-386-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4024-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4024-330-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4024-399-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4024-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4160-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4160-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4160-307-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/4256-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4256-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4256-280-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4336-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4336-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4336-67-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4336-73-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4348-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4348-18-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4348-6-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/4348-7-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/4348-1-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/4364-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4364-345-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4364-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download