945c000646361903d096afe800ba002628edd221c11f7ba25bc55a14309b7eae

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

945c000646361903d096afe800ba002628edd221c11f7ba25bc55a14309b7eae.exe
Size

1.6MB
MD5

fb55cefb59964942225440ebb413988e
SHA1

a20f27458f0ad6e309d75097bfd68cc00cf1c1c6
SHA256

945c000646361903d096afe800ba002628edd221c11f7ba25bc55a14309b7eae
SHA512

04493c857faa78526bac2ffe8698c064096a3960821d35398dbff9f132e6ccd022a2c608b5c35a3a29494da331d6f296b34b9f85c0aa776edfa9a60100fedbc0
SSDEEP

24576:e49BN8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:eYNgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3920	alg.exe
3264	elevation_service.exe
4844	elevation_service.exe
4084	maintenanceservice.exe
3148	OSE.EXE
1020	DiagnosticsHub.StandardCollector.Service.exe
4552	fxssvc.exe
2712	msdtc.exe
572	PerceptionSimulationService.exe
3380	perfhost.exe
1932	locator.exe
3088	SensorDataService.exe
2500	snmptrap.exe
2740	spectrum.exe
3720	ssh-agent.exe
1736	TieringEngineService.exe
4484	AgentService.exe
4164	vds.exe
4952	vssvc.exe
4172	wbengine.exe
4680	WmiApSrv.exe
4316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	945c000646361903d096afe800ba002628edd221c11f7ba25bc55a14309b7eae.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f54ad3774f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a18a4c3d396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9bb25c3d396da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c5680c3d396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009be14bc3d396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021b7dcc1d396da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8abd4c2d396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006390d5c1d396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3264	elevation_service.exe
3264	elevation_service.exe
3264	elevation_service.exe
3264	elevation_service.exe
3264	elevation_service.exe
3264	elevation_service.exe
3264	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4512	945c000646361903d096afe800ba002628edd221c11f7ba25bc55a14309b7eae.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeTakeOwnershipPrivilege	3264	elevation_service.exe
Token: SeAuditPrivilege	4552	fxssvc.exe
Token: SeRestorePrivilege	1736	TieringEngineService.exe
Token: SeManageVolumePrivilege	1736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4484	AgentService.exe
Token: SeBackupPrivilege	4952	vssvc.exe
Token: SeRestorePrivilege	4952	vssvc.exe
Token: SeAuditPrivilege	4952	vssvc.exe
Token: 33	4316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeDebugPrivilege	3264	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3248	4316	SearchIndexer.exe	139
PID 4316 wrote to memory of 3248	4316	SearchIndexer.exe	139
PID 4316 wrote to memory of 5036	4316	SearchIndexer.exe	140
PID 4316 wrote to memory of 5036	4316	SearchIndexer.exe	140

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\945c000646361903d096afe800ba002628edd221c11f7ba25bc55a14309b7eae.exe
"C:\Users\Admin\AppData\Local\Temp\945c000646361903d096afe800ba002628edd221c11f7ba25bc55a14309b7eae.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4844

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4476

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2712

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2740

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4768

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3248
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
03a7f491b95da74bdbf7d3accad3d133

SHA1
c09e40ce6f6b2cd2fc7435585fadf9907329cad1

SHA256
a91f2334a2c0e19ffdbd9e1c41dfdae35e100c323b3d750d4e225a60bf91e853

SHA512
3c0acd08457c7409ec66c025e3e7698d57e3148bf410b78d2f25b8e5f70274bb69b7762ffb8b5241454e11dcc52449ca9bc11b0b3275b98d9e1aed4fdb0a6292

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
04a80b4ea0e7f1e9f5cb15cacab906f0

SHA1
b721929f158685f4badd04d4f93c89c0d1498ea2

SHA256
92427a4bfef2f6c8f25481bf87d396b4d8eaa1a5d83c0ba71252f77d258c2200

SHA512
b539e354a0e873a29a4877f9ccb77d01f6b75a7936e4b4b73dfed8b61ec2ee8bcf7ec766a42bb61231fa9d739277e7e375ed25a07e21f515a0cfea9dbb7b0a97

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
930c9eb642dfe20646e690e1a207b171

SHA1
c45864822d1b9b92d5d7455c329fc4192172b911

SHA256
471aa265921a4c67a79ed7df17eb710102f75db13c6398af6326ab8f4b525300

SHA512
0649011860168b507699dcc978c1aa2ce2c0277b429252a5e7117e2c102127c632d456771a1ddac1f610837a1d02853e355f60ca28cd0dd21b55e081397932c1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5a202deb33372a7a93080b923df07b2f

SHA1
a875fba04fac6b6ddc53299aeb558cea4521caf8

SHA256
9140ed9d5a483ff852ebc33194655c44ce29f8498575012bed52ba269ad1cc92

SHA512
f7129e571ef578d74bf9a7b70bea18d202ec09c51bc1cb5166e1c957873328b38362c7887e235b0374c2ec7649e4b727083e1085c9fe73cd4b9a38e2c561130a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5c7143b8b735c983dae16610c6300e83

SHA1
3dc526530a8fe5bf16a0adeaf97fed47796660d5

SHA256
42f0bd47c6ac620f2f9dafce0df13dcc03e6de8e96b58435e73c3acd11080a86

SHA512
d5f8b6c0bbb095796606dbf72bcb99021a4bf7f39b4f5c288cfc9e086f6fd94a15154503775f00a22f5d2fdc200d33bec639ca14900c91d0875aea61b10ba9ee

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
1d20a7f972acea8c6aeeffc8ca4e9d05

SHA1
6bd3cd5747e0fef43fbc8aae0d656ce3654b3a24

SHA256
768085d7808a0d9384f2494b478916da6203665c9a4a535af9ddd1114de7e4c1

SHA512
17be12cc96c72af539521b8d4f540c1d51c057413b0e55bfa287f27bcac6493d195bd858f1715bdd6c90bbd8770bb0f109af91c7ff4a6718d8f4cb1621cd1dde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7e77cc831b1d9d658840795ddd5c2976

SHA1
ca232c8ccc40b935eff98e660a98b2de8dce4054

SHA256
599ebfad8802f51fb159811c4f26e1283d10d5905679a1e426218e668e95dc03

SHA512
3e695ec90e91f91118bffdbed6de1072aadff15ecfc9702acf6f4f967c75cfc70c5afd1a9fb6e5cc4238c77c4a8e5eeac46b7923d44b189b12f62b56bdfba342

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
734df18aa63112b15a54311cf6034716

SHA1
1fbbe2951a71612a69a9b603dbf2fe132a6c1d7b

SHA256
5993e8b3c795f2bcfccb9f6d1fb4e72a1c20000fec0adc163ed1975d419a9f7a

SHA512
28e61d8936f3b511395a55925afbbff3f40b6d1cae86fd070a17e15da35dcca1c0190d99783cc598dd9434ff49bdf3cdda75533d0379785963e6b936bf6cc38b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
df5f6cc87591b39637b344b44f49e982

SHA1
c18a2bbc1722aef5495aa62a1821cc8797ec9f5f

SHA256
139a66b8f4980f88b755673c5175517c627354f5b3b5144bc3c9d090a3cc694e

SHA512
1dd58a30099b349afb20c9410cf1db90b06d7615f15f5b308b8c77e8ac0721ccd3ccd436f1e0d71ee591e91577c92a387e10d0a6b2c845bcb7b883ca4bf381a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
09cb770d9dd637a07ea166cfac24cdca

SHA1
21fa8bf4dcc09d204214407bf43f4a5334a81561

SHA256
36903fe11a0e43b31af1c65f84c62b3ce2e256549ebe90df2f5d57d3a432d7dd

SHA512
52aa9439fb1b00100c0905e18ea8f77a7dff9aeeeb6b76700d36e634bec9c11abf75b32a5c4a11573f81f9b2f2f258442c0d7d855ddb8593ede8c8b700e60c20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e2974f029cea5644df0b9375c2ca4156

SHA1
89f5f65170ca132c6ff5ab640855e63110843eea

SHA256
c138a6c4a7a6a1d76c5719b89d21167bc79f9bf3eec6d1d0c363ed663a4550e1

SHA512
cb147d98d5b3e8d3eac0561f4e60e16fbb90eef9b75f5f815ad66a226531c9552008e5bd29a55f71d5ea5c975d05c719fcaf5ef06e1999bee8a04416cabe746b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9a5e970481ce7fd1477aff82877011f8

SHA1
6815da7d5f9dee59f921fbfa4c29d8d71b540f97

SHA256
df5cb0b868d950f20c8b2427ba9ae42cfdd200be67f7dda892d359d95d78f1b1

SHA512
3eda20f2eb3cf4fb8e3e3fd77ea4dc16ecd1763ce0f88966f23aac388a2f8a9f2b2c409fcac18dc8b66ad56bbe8d3e570abc1f6c53ce1d2589399500a46a1f88

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
f9a98e6ca437b0361676871256112010

SHA1
357fead08a7ae21c8c70d3c08d52985c862f5f00

SHA256
37f77233e77117c1f845de82870cfc50af5f66393ba33a2d2baebd8a0e0aa8a0

SHA512
ebc8aaa803c25978b07f16f4dd6a311e693d7187c0c0f5794ace3cb50104e7fce37e48fddcca5aad7cb6e793a6ccf735887df2393785b022d8f66fc1387773c4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
27a11e1ec93f28c29c2d8a9260c7e1ae

SHA1
145a1335ac596d3382758697687a01e1dc679db9

SHA256
6db2a75a3a9e79b0bed2c31487e5f5aca8d7bebf44d6532ed9ba04a3496095f9

SHA512
71ad93e7d56e81fa4275eefe147eeb1f3b2532d572b6c86f031639a226527a75f001d63048f943fbea22282a037ba5dce6e5c0e994374fbfddf6b41f9dbfbbb4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4f9ff046467c3ab740ea74cf93811e5c

SHA1
4888cb7072bc2a771dc7badf9c288c9a142cdf37

SHA256
3dff0a5d2af0197627a96adc6d2e1a5cee4b9b583bcd700b91a11df6d7b64b32

SHA512
f2ce67bd30bcbe40805a7f362d5bb068057791a393db05419a91c0d8081bb5f653fb6c5ca46193974b9f351b58c73a6b01d5e7784041e43162ff8f1d13a9e77b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c029f767ba6bf9015884894c345c019d

SHA1
68609bb6cb07150d3a41a251f999c27dd80b26ee

SHA256
a911cc9ba91b816533f5a7ab4f9e3443b2b14accbe770e131419073c11594a91

SHA512
1144ebb70be6c2fdd36150670888617b15ec545b13fd78881079e667629cadfdea28a12d3e01bf9a380b01786e7a10c4a5d744cbc570d8d178c1626d005e3f23

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
271dbec2d9f345908d4a9e43ce94ebe0

SHA1
9786a2457839a68ca07678cedeb9ee203363f55f

SHA256
6a5c0c1fb1eeb93e43f61101744f79bfcf86b1d997f92997e54634facf0341f2

SHA512
879f278bfbe6c8f0481a0b30dedea6d32c9167c452541e51f0eb6810cbee0c89c480337dd89c6ac886497da023615e9c55b9a95fa45b2a16d5822476ea073a7c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8eaca18dc7e9cb643786175c7c84fb2f

SHA1
73b95f3ac367659e1cca1cf36df960263ad980c8

SHA256
4ae88de44b11b0557c1c5df717004d8139389b74a1cf4597f72c02559c4be6b4

SHA512
71761da75a2a02795a0ccaeef21cf885a8eb75f33f7e069bcf81c4ec939d2a99be436a4c2a3f4cec8d1b0a79376603e146f2b475cd91684a185f0d063cc51d55

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d04a4031d491dd876e0bd24f426953d4

SHA1
68206e50337861525a70608b685a503468f77e05

SHA256
5f83efa2d2c51bec8bb3473f551a992939a48200ebc929018322bcb3a3e7cdd2

SHA512
73f5892598647e543be6218daa8e70e209b059747be802a4b01e512f78308897c4f6f181c437f41aa47b9f7c1fd304697e3b664aa7ac7c79db8abecf6ece64ff

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fa714cbfb3f1b067264b18bed13c428d

SHA1
e9a55891a8cc4d66c83c9c6781128d29fec04866

SHA256
6f5259a7e27a3bf8929547fb1668a9f75d73f2d59c560dd837d77fcedad5206b

SHA512
6428526492d416673c7ace662b4682d0b58a7769529cc3bfa59e5f74c348f5369fb876ca61f01e5c481b2652170768e20e32ffaeac5d08a960aebe6389d7147f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
b946b4195ee91a28f0520486c276e617

SHA1
c9d83d808662694e087c09ed1ef2b5418b9e32ee

SHA256
0ca8ee7a2cb2d50e558ea18c49cd7efa00d7caf5f08e91c30461f06c3ddf8d79

SHA512
b97651f62e82551c59f0e299d3aa1919d924ae3395f1a98cdba5d93f919ada8d8a23a6da9a769308ebc25fd4cfcb0619ad7dfc12c7932715dd45fe025b255c11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
c8662d193f5ee42b2288b49e320485f7

SHA1
157e388700f1961f67e028fd2fa69fe3b29149bd

SHA256
6f7ac1f6af8cd92f2de8e69db335c6992330b499a1cd4fcea791f1be1ed9150f

SHA512
298010c81cc6c1ffd286b39df7ba8b49fc17cc921bef1cf1c490480e74a553d3f29aa0930bc53945c8b9fe974d794feb21f06a0eb954f8b6df0d9270c80cafe3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
4f9673858905f30f6c545c6e8d350d36

SHA1
6bc8229edf0e527467874b1307b2e55b5fb48279

SHA256
8c555a96a18588a62341bb33483f3d470e1b968a9c3dc5ef4782d8ce0c30693d

SHA512
0c7b9f6f6b01c19a41e8e8ff5fc9ed41173334ef7ac176d9607477f8e26c6b3926ea8a4da2abb48d5e4bc0ab67a712c587ae5d33bd96023db23fecb4586914ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
1af512dfc4d8b9f6956cd7bdc8f7eb7e

SHA1
4fd3d7ccd85e6f88fa2d53b4a05b3f78b14d1fe1

SHA256
69e9d2d081429262c499d04db7db97f77f12ac2d4fd23829a6347e2fbad62a82

SHA512
c6054ef0348ccfe34e894c09ecdc8d918ed0d369e8614523c3439a1d1067997ca26aed10c4f2101c528727dbba883e1049664605142f158fdc8f9c0d11c2ae3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
f65a0cbd5f03998d5957e076b29d2a11

SHA1
8817ba935ea4febe6e69c2b869798b81eb4f1733

SHA256
d1aaffe89c98e5b374dd569980b5d7068a5595861b754c55c472284a58c44ad9

SHA512
99b23a4d0ab0ee0a55c4eb6f5f325b0db7b9ecaf3d122f663c002dd3c686ba387b10dce1f3aca935285cee1215335871a1b6a9469c0e64423fc92acd34b8bb66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
c6d8c312b1dfa3044083fea37ee029c1

SHA1
bd38c0d1996efdb8e621dbee453c1a952f35af80

SHA256
7f906cdd5f9e46f4641f8bbb7b165428d670f1170b20004f51fae8ec63cb346a

SHA512
6735343f45e79a0e32368c29d84eda8d257f8e8ea19d76670867333181d56834b99c6130cb5d69588ebfb6ab28db851ec6f6998810a8cddcad04230400554836

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
95f046bbf7114baa4e66f60465a11c61

SHA1
6170585da92578c9b57324cc8359663ba3778df3

SHA256
2216ab0bfe1d886f2a97a9392c3e1382ed92daa0ea2b8ad2aaa97bb02661cab0

SHA512
23be7f4391c3658719e3970f1398da83f00403fdfd493877719b585bceb411bc98d21cf2688c7eea75dc6b32015a48c960e522218ad03bbc6d6ca2fc5f167868

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
f4bb5e2fb8d8a9bac00e4bc746f52ced

SHA1
a3d6285e871b824f25216025292f0a7cfd75a60b

SHA256
e150f419f5c52282dcfac0d61690f5caf9ff23b250757db83febc300476bc6f8

SHA512
2327ab3c2a40f2ec30658041adfa93ef2a97c9fb67017e9ffad315f358de15b057bb2136b54bbf1694c3b02e7bedd7e0426e4170378e91176cb356b6899a45d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
1ddff61e268fb9e3a9cb7496d57a78eb

SHA1
e28479165f83633c43ae27157336807afc653265

SHA256
86a0b5bb16a8d742c8763abb451d9ca2e61cf75b2305609426115a80500101e4

SHA512
935f3949b9c7fcf97aa19f5a51fce59793ea792570ca3a170177af27dc48d5dd678c1e0dc7dad6e9e31d9a1b5494629b97acf23807daa2e0fda8583461d5987a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
e2048c69997353c6df75b0dac0b0f0e9

SHA1
a7622e99b4574dba5323c35c86629bcd2cb0c32d

SHA256
21adc293ca7137c85c8f085bd162b5abdc4d0a637c01b74b5e1ffb1301f1c4c4

SHA512
7172d747e7af17868d834e133755fcaabe7096727c3ad386fa5cd73fe299fbec687167b60c8cdb98c95b16fb55ee76bdedd0479d4f072201dd7921524c275ca4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
361a0e831f2e6fa6ba76009eb4ff9f54

SHA1
a9664e381c945149d54e3bc9f17d3e93d30b90aa

SHA256
73ecf7e3be7b66ca4382e89fd97dc207d6d689324605cb53fb8cc484154d72fe

SHA512
4ad755b017680d8cf11341b6be0e5fe34318e3ecff3b84db9e773d1f9be8d6884c0fda4259a1164ab8c4c2a1984fc430dba7f11d150dde0f7e7af73d778be209

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
5acaf426e125890c95d56bf16a898811

SHA1
3e6939f54e4764b9976e5538b9e10dbc4d21eca6

SHA256
14506342b8e5554c3b1fe9ba7265f927c99f49932eeb258c1a48b54d11da6768

SHA512
350cd66f5be94ac4aeb007089768ddcc47ec900976c36750ce92aa5a351dc2848347233a10e1e902ef1813f28c413ba1c69c31b10ecae4c11b19e086ce6a7bb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ab762b0d8002c2d5cded2cef6ea2858a

SHA1
ee4fa165a0b3b27f0bbfdfd77f88f95faef9a5ab

SHA256
f77880534722d219a4a8f5eebcb5e0ae267eae6703bf6e97824e9b1f0dd1070e

SHA512
14834be8e84f5fcfef864b50352b460870743feab405a2cc0dbee31b7df21a9a93e3b7ccb708927183ca67d1e68712eee3a8d43be30fdf1997955ed52109fd3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
c79fc1af063d6ae91b0b3469747012cc

SHA1
8f23f2a51d6399272706196b520f8b9ea13af2e3

SHA256
5b0674742dd590b6b7ac7bcc0d4663ee2d7d01fe2f586a35194d117cb8791b6d

SHA512
9747dfc643d86f1ffaff06da067f7fcb6d9e91ccd06d2c9edb399b63c90cc8d80150e4e473e4de3bb403d74f94429846424958c25a288024e0a2d2c0d8b36566

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
62d101f24d00b41b459a52531bacd733

SHA1
192f718d50258d3650e33d2253a5c8112751a1cd

SHA256
8c5c98585d197f48a745d1e59b5386832effa9e405bb5455af85e9101b39dd9e

SHA512
b2b987ceed5ab62cb1deab6f0dcb72b1f9b65c28cfbc48c2dacc0ced0d88567791acc5ca452958c119ad1606911daf74da95f7e1a73670944a44acdbcc037f59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
c01429aa3700430f3b410d68b3d3cf64

SHA1
5862169a3e28ce86b465306173c75daa6e962f88

SHA256
9778a011227a52f00981cdb21467b3f989b67283b7e300464e4621c27f1316f7

SHA512
9236ba3020de55c3626c0377e41e6ac641618964f1d592aa9f36543eaa76e8db0c0b4aa39fe9240d2a92b906cf33f83955c833e890abbdb0b05d6d20d0d70b4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
ac141347e745a48ec87f45b98f67200c

SHA1
d7321bd2c09220b00aec4ce08338948524e7340b

SHA256
cc6c2b61399817503baf3dcdb69e7928d80d7a975deab038e80c90cb0150e8e1

SHA512
9a08a4b156ba363acb8c33ce17de48b88b4e1d2b796f9828effc83d92f03262bd0dd6aa0eb1c8377bf25347098a19d3f42dbbf4372a4d35c3b63137de9e70794

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
06a722c9fbb5e9486afa3f67523972dc

SHA1
e02719b2ae58f2d9b343a6b709f57d11584a36c6

SHA256
0973de89da060ac9f06781a9eb12b4a3f4817eb8d483b2d5c875455610d4c7f9

SHA512
5c849d5f304baf1f23fa4ef69284346f8cf5a4bb27cca5dbf93a8b9edb09fce798b8baf2a074620bcaa2a476a7cc6ed983ea512ef71e0bf93569a5d810459995

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
476ea593df20097f701731041b3d43cc

SHA1
6bb2ef6e0130870f0adb055ea9dcfc40746afb67

SHA256
174bea1a5a16c21cd53f9d7b062e7d7cb7764b199125250fc4670310865a753f

SHA512
e492b6098b29772369fd1933a7e826c8abb81c04e286de165455dec6e5e582a20a817a6094ff4579f151d643ea26a6e62cb450c0fd5bf52c773a3c9ab48cf780

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
91f42de27b081634f9ba20a812804497

SHA1
72288e0ff6e232be7487119806e92060126984e1

SHA256
942b6c7a2baa67d1845596e65f9bdcf410681c3ef169a57ecd4fa162d3905b1f

SHA512
7da7dd09f4eb664a43cf2c9ad269459afa15d8faf03f6fe0feba11ae94adc7229ef83b6a2a5b726a12cd774f2bade89ac159de4c61744bb917e5f95a8ce22429

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
74b64bd73ec61f0bef3b456bc5b140b9

SHA1
c6c90c93123153a641aa5bb1cee3e7b52bf7b5d5

SHA256
c3a7bac66506ce36e17fb64b43c6a25aba26844a9ce2c80a99a073e90afce687

SHA512
dab724744ca21d1103b17f959f7a542de9a7caa4d9ded12f88f3e2366069bd73837a995fdfd4476537f056c7927841be4fc09424291d8f1bae5db018f968ccb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
b6367047d23e7eb27ac9e934e815bb9b

SHA1
56636410ec3cd138158e69aada8163ea7d0ce8f2

SHA256
88f32ac182244b8c93900d7a09a5ace3ca75b076d22e2ff01e99e63488fe8a10

SHA512
cc43bf1eb2e56ab300ef309b170e744e2095a027cb3f39e56d16a2ff4862a0c6de6e95fa1c20f44bffcea575f41a4bb639be472368db2729d41c3d793fcaaeb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
11f882618c85232bf65d95c3c97947bd

SHA1
5a00fa0daa1a677806b1aab1759a999e6430573d

SHA256
5554ea18fa1334dd4d1aef926af8109fcff2dac69f68790218eb60dcbbd12fc8

SHA512
6b91db8258ba36ced4962362a08a7b1276bd6e2b9c2069f7293bfda73146bf140bbb1d0264cd85a9f2067c1fbf178200082c2508311b580d20eb544e78361722

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
a5783cb3f2ec4e74013ddced0194b4f1

SHA1
8e64c23e78d33735432c217cb5565f8e5175dd26

SHA256
e24b6a35e351c6a4af976f7ac52757125f43188298d5457f71209c67aa1e74cf

SHA512
2991e7151476186237fcda1b848e0975188bc5de56847338f624d8960af16fdc24c6bb3b6e452ccff5aa16cbf9f9055b4a459a22ed3e89f4f543b6b8f3cacb2d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
2b5068f8141408599002acbee6059dd6

SHA1
2dfdfd7c85e0c88233cb23a90181389a7293f990

SHA256
99b8d8042bc7ff2102aa63199965b0e745934e4e64bd30d16f7adea4fa5a16ac

SHA512
3d88dcbeb32cd8962d28b6708a2ec1848457dbbaa7653a873afb1c45c69c9fd53dd1fe612adc9f6b2330bb1c0cbf4119fe7b803d259018696afdad665371c804

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
85219346b402a0563134e1b1435802e9

SHA1
195e877aa9880cff90d608b70e40234abc3704b6

SHA256
deeb04823d3306a3293a326e73b7ebbc9f562f135237fb920587b122d6016490

SHA512
ff50cff345e5a6d20fddee369abf3c1cc0d9786414ceb15a15e87cc1cd1f0695735f79df3282aeb42b215c0d6dd800ac97eb7575f1b59804c056fd0deec346e5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e75f00fb8574d9df0b33a9f1922b7bb3

SHA1
4543d620a67d54ad7556d52ad2b00b99d449fd4e

SHA256
84186a7d01e23045d2b9a4153c0c595372e67cd89c82d38d228780721a7b0f27

SHA512
154743449a20e9dd3bee4cd00ac4570420e1138acb2d0129ac710ee594bff7b5ba5d8752eb847a7691eb8af1ccc1b0793c862ffb6fc7f56553a7933a61a09fce

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e71ad0f6c9dac349542d1b784f0694fb

SHA1
dce4ba106c2030c37044eb294f4fad1b29b93abe

SHA256
276c4c68358801fd532f46ca4ed372ff284e4d4f2bb88910d4601b4b594dd50e

SHA512
7851c46fac51415c308dcab631f8bb1aab191d35bb3a8026486fe450fd3aa68fdcb00c8b6a54503cd95570dc26b62cd193f86e558905a08bafd8ae28d03291b0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
43bc6905f5e6c81532bd74bf45b4eedd

SHA1
1b9a5f933c08e9963912a5dc865d45a28016447e

SHA256
a3bd933ea51173df6a7279705f6f4cf9ea8e117302a522599b0427e0dad12131

SHA512
aaaf7fd5bd0a386ab5a5e0dfe4ecfec210f353ea14d15d459acb1a02b469cacd9dcd8cc369d4c6a912bb4a8b3e06461c14e615cb2d1c1f32423ef9dbf67f6c4c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
f6adba12acf8e4dcc7c829e57e3079fc

SHA1
13303b11a86509cf662411f035e5203a6d6d7095

SHA256
63c76c009e07bec6032001e3a18b14d598c6387e3fc8186fc78d380270179ecd

SHA512
016839aa12909b1db9941f9be4d6b432a33941a549974a28600bb0704d017316b17b771830d3edab69627f9c02e464354af3516f12b9d1e92d3fa7d5fba44264

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
d4fff2146af5bfa9740efe6ef85eb54a

SHA1
708b12564fe7f33c0b4e556cababfde17bbf315b

SHA256
41b1de6c300eafbac3a637228957a3c5dede933efc6a6343e7e9347fbf807a14

SHA512
eb4474c7dc59ee033c4341e55446d15af27c0a566d8becb83dff5b0d33c037c5153050e4aa803d04e051239142d0eb429062abcb207d9f2abe5cf9f171205ddc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7dd8412777b60889521bf0c6e5ca1fe7

SHA1
bfbca6803219e9a692e0e01894dd37c343cb7867

SHA256
f322711374e479b33e18a492ba7b9ec987ef1db10b8075338022f3500a3fe46e

SHA512
f1e005c60b07d8691647bf24b97b2f5f8ce3ccff3bb63051141e484e5421ac32af5bb4822cf09b93e49bf9a89d41422053388d2fc95ef2cf8f4edbafbd9e093d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c74efe88c1e6890641b61eed4936e001

SHA1
81680b10272c4bfbd032b782d6c1f9f18b8d4f21

SHA256
ff29c1f6eff22ff219df5758b3a805c009a34b5eeaf0853839a77ae289c74af8

SHA512
b72bc4ee7e8300fe132495f9c1af19f286eaf7cddaab4ce9f5b79bcbee088ca8fb604ec247c11a99d3745abcf4d38287739455f40cf7ab77918efd3b6d12f3fa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
986f51801445ab5e4d45d6728c481f46

SHA1
27f2c366a63324c5100c39aa466b4e7f41993efc

SHA256
f9f2f71b6c0f7944b3103822b03c0bb0b3d61ad35f05fec7c27e9ddaedee5552

SHA512
ce1c3ec17e365e5311a9f2bfe11abc1335204c8fa3b40b83db80c7ac6e57d242a41b1eab5c5f64daf39e09628a7b38c000f88177fe9005ae5a7987fe5f5b5ecb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
402a6bfe8cbe3d7579d3eaae2aec9be0

SHA1
4cdf1dbe128c49fce6b0887afd2d97e49938d1d2

SHA256
cfb492a09085b97165b85d2722a6e43619fc747c2ae8246d82bfeb9d1e232027

SHA512
e8e77ebf87b84a172bee8cc68106341f717242e628244b64d6fe1c9edc060bbb2e0a79999e889b4b3c1fb6bbb79627d45876a0fc38efb96bc5d217d12c44ba12

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ab6925e8cd04aa93c1e5c6ee3b8f8cf9

SHA1
293de1318aa18ccdacb6073ead353564a88cfcf6

SHA256
013dd19fe2f666c27e4da0bc98c1713b3422d6d6687f3b30272fcaa3acabffe8

SHA512
39247bb6d31efbbbbefbf6565fb4b1cd957356ca00ebb078ae6d4841c7bc3f979fb580352887146c6450d96a5c7fd985148c52da7852b1a72e27c700ca9c2046

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
d8fdc7873ab500795e955d048024f67c

SHA1
2064cde6dadf6aab49640097d6dc3dad39d608ec

SHA256
eb8283200d247742e133cab0b202f1b97ec8daa6e180a3800e04dcb3ace107b1

SHA512
3c9f58c027a9419fc2df8f7f6d737209d5c914ce58fc055f0e77615db2f85a399f5c16bc154799b3e519f6aa6c2455fe1f4275d1cebabdb1cf7c8aad5865d43c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9d7476741815e2365d7b55d326f9c535

SHA1
00c27cbc71329e664eafb9de521ea4cd1fa798b0

SHA256
c753864da83b333a7aca6f5256491bc644400d3c9f3e616ed646828276198a09

SHA512
c18fe1c7a5ddf9a22f6b8c68016633a17cb0074a49657d6ace62f1b3df2a3b0855e07bd29931ca1213da21cc28b79a34685c03afca0ba4fd73eca89c3536a1c9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3f73af47dc5ab13700fb02f1bfe0b51e

SHA1
580580b02f489f2c591d95a3d2b5086880dbb02e

SHA256
278e1422e7b1346c78d87d4f849f942c09a0aa5c323065f39a0eb0b7006ed229

SHA512
71bdaadfb9cc5fcc60c1c2348961870c07ba7db49a1e0ab8a19bbd5d90b50bdb7e80eecc7e1e3967a2decfb0565787856b672624179885ec530518b7a78d0d7d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
20208a9c5411d88c6974f52bd88e3977

SHA1
f0566c6f82feb4450ec42e9226093371879ca161

SHA256
c644c986b4d6cc02f9f3f5102cab5f62fb5acd5414726e2a60e75c55aad87bf2

SHA512
6f59b735b82e12fd36a56a0a63821e82d6c3e934d82f2984eb9f2d3ef41dee11761d870486f1ce737a10cf6c9d186a6d2739ab12814d905ece363003b3f5a662

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
e585659a2df47b91fd847ac6a5c1809e

SHA1
7672d30f7047756378cfdbbd73c2b85e550d20b7

SHA256
6a00aa5738cb4dc31c114c7f4d6e49c550b683a5815ef65d925d61c4e10964a5

SHA512
6bd4b89a06b30896798843b3184a4a29b3c03db6b0da477041b13108a05dc2c1d1a999bbe88b49f75d873a180126a348c9dfe175c9effe5eb16c9e54641e3f66

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dfcb358575f9d84b6b5f57b7b694db1e

SHA1
29d2476f1151cdc4238ce0aac455b506d017d392

SHA256
3784c8451fc38efa7e0481e51a0d3daa0d7f049857a0788eac65fd48985524c0

SHA512
1a6e5f1d0761096dadd5e88f40b75204a03b1d48d1b1bc5e8044d8c941ad91e0ae547c8e68ff37d2720d289b885d192450c3bcf05d3b0f98128f3d03ea0b8493

Download Submit
memory/572-352-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/572-294-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/572-287-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1020-251-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1020-245-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1020-244-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1020-252-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1020-312-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1736-389-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1736-441-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1736-381-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1932-321-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1932-314-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1932-380-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2500-410-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2500-341-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2500-349-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2712-339-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2712-281-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2712-346-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2712-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2740-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2740-423-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2740-361-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3088-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3088-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3088-444-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3088-334-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3088-445-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3148-67-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3148-68-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3148-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3148-239-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3264-35-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3264-34-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3264-27-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3264-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3264-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3380-307-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3380-301-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3380-366-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3380-376-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3720-377-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3720-436-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3720-368-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3920-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3920-228-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3920-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3920-15-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3920-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4084-51-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4084-52-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4084-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4084-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4084-66-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4164-446-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4164-411-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4164-420-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4172-439-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4484-407-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4484-408-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4484-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4484-403-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4512-12-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4512-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4512-6-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/4512-1-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/4552-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4552-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4552-257-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4552-266-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4552-275-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4844-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4844-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4844-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4844-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4952-424-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4952-433-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download