32f8b0ddc74df313c55ba6d2aaf7e8454ba9384070434b52adc0ccf21aa657ed

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 16:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

32f8b0ddc74df313c55ba6d2aaf7e8454ba9384070434b52adc0ccf21aa657ed.exe
Size

1.6MB
MD5

e7943dfa3e888a0d05c462f41d0bac47
SHA1

31698c0fbc7b4711c0d30f2a1e0c801652fd2138
SHA256

32f8b0ddc74df313c55ba6d2aaf7e8454ba9384070434b52adc0ccf21aa657ed
SHA512

7891c4aa1cd2ee30e696a5972d46f962b9b431056d997cfa8407619bc5d1ddebfbebe712567f177ff5e85d681995af3a5aaec6f1e166edd2bf150721a2ec510d
SSDEEP

12288:Wh9B+VmUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:Wh9Bdatr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4740	alg.exe
4220	elevation_service.exe
2332	elevation_service.exe
3620	maintenanceservice.exe
3912	OSE.EXE
5080	DiagnosticsHub.StandardCollector.Service.exe
2372	fxssvc.exe
228	msdtc.exe
4364	PerceptionSimulationService.exe
3152	perfhost.exe
3608	locator.exe
2392	SensorDataService.exe
2380	snmptrap.exe
3404	spectrum.exe
3060	ssh-agent.exe
3084	TieringEngineService.exe
3080	AgentService.exe
4712	vds.exe
4552	vssvc.exe
4476	wbengine.exe
3196	WmiApSrv.exe
4328	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a63d15e8102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	32f8b0ddc74df313c55ba6d2aaf7e8454ba9384070434b52adc0ccf21aa657ed.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe1353d72c97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a79a9ad72c97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005937b7d72c97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2a729d82c97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094d776d72c97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e23d3bd72c97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5c544d72c97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5d2d3d72c97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cc463d72c97da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4220	elevation_service.exe
4220	elevation_service.exe
4220	elevation_service.exe
4220	elevation_service.exe
4220	elevation_service.exe
4220	elevation_service.exe
4220	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2116	32f8b0ddc74df313c55ba6d2aaf7e8454ba9384070434b52adc0ccf21aa657ed.exe
Token: SeDebugPrivilege	4740	alg.exe
Token: SeDebugPrivilege	4740	alg.exe
Token: SeDebugPrivilege	4740	alg.exe
Token: SeTakeOwnershipPrivilege	4220	elevation_service.exe
Token: SeAuditPrivilege	2372	fxssvc.exe
Token: SeRestorePrivilege	3084	TieringEngineService.exe
Token: SeManageVolumePrivilege	3084	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3080	AgentService.exe
Token: SeBackupPrivilege	4552	vssvc.exe
Token: SeRestorePrivilege	4552	vssvc.exe
Token: SeAuditPrivilege	4552	vssvc.exe
Token: SeBackupPrivilege	4476	wbengine.exe
Token: SeRestorePrivilege	4476	wbengine.exe
Token: SeSecurityPrivilege	4476	wbengine.exe
Token: 33	4328	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeDebugPrivilege	4220	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 5352	4328	SearchIndexer.exe	134
PID 4328 wrote to memory of 5352	4328	SearchIndexer.exe	134
PID 4328 wrote to memory of 5380	4328	SearchIndexer.exe	135
PID 4328 wrote to memory of 5380	4328	SearchIndexer.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\32f8b0ddc74df313c55ba6d2aaf7e8454ba9384070434b52adc0ccf21aa657ed.exe
"C:\Users\Admin\AppData\Local\Temp\32f8b0ddc74df313c55ba6d2aaf7e8454ba9384070434b52adc0ccf21aa657ed.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2332

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3620

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2392

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4912

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5352
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b577788b78e5897aeb37de3beef2b282

SHA1
aa79ac86a5e64fa1dd4e1444e92253118689e087

SHA256
f614c154512904ab4fdf4efc03e6951f5ea224d6c88549c52f4c3c6a6c011c51

SHA512
fafef018da98679c6827c4b2c1c25d7e2b360dd157b35e91cbc9950c4be8accd51bbdd1d213d01f1078f88d5e01e6d068be6de9a61e1bb67a9f3b9fd61d82241

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
b0b5705c316a2f60b538ca9a979a65f0

SHA1
c697f3b5750a935a42da6604b97d461ac5efb7dc

SHA256
76bba2f7192d372b1579e2261e529afeee9fc35c3114d2ef68b66e802f94470a

SHA512
9c8693e08881fdfeaa0bddb2f01613f093b5eda43e5a6ed62d8a59c08cd3f1bb3889b72cc0526eca616109f605b0861ce7f19eef8f945b7d296f8e9174ffab8a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
b980c421c578d6cf549e4b8c44c55450

SHA1
110d18b2b5a36f7ec217901420f0e983b7ceb1c7

SHA256
5177a3b290abf80e36c9d34503f76ab40be8f25bab66ec5f55d13adc76236d55

SHA512
691ed990c20b6ad0ceddf5922d723bd1a1afe5060169634e76a343e25a507db006085080a6de01706bff45cbad35bd49b053e8c64b8a75864e651434ac9993d9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
172086199e21d082b56ef68932a13399

SHA1
63db407a8c68a9439330be601986cb055b56b82e

SHA256
1da63706c7896d1c35e0961e6b52fdbd8087b3e05b4d05055c4fbd9305d0885d

SHA512
59ceecea4d5df4bde91b3b0c07f88c0ae64fca0de6436fcdb39dfebe58f455f6b8223b153f4e9434b5450d84ae2e476a4fa6b692d1920e30478b5cdbb20d56dd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
57dca93eddde5a8387e2b8decc86531d

SHA1
609c83610eb7f8cb3143101ef7499e9943296520

SHA256
8197de9a2e29af9a484565d6badf0567ecf64b73a025740bbd714291fc8ee655

SHA512
9b76403c32e655e5b307e1d8e532d50415a1a2670b1c48912d64c78cd022b6a3c4d2a400286a618c453b9a7da1c823b397a4c2f7e2886b20588ad48e5dafcfa0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
0aff7409a1d012e4a5aa8347e1f1b948

SHA1
4f69fc2e625724be3dae565ecf0e6312ba7b5e5f

SHA256
105ffbe0fb22304b36c3657e230e438eeb72e4107618a9fd4191f6eafed73901

SHA512
45d6d186fd57ae31682ab808e35205ab9dc4415255a7a2d77b0a22d59095b3bb62b936e91b0298fe3a81b717e70acdd7d2015a4d19f9b5e4d515cda408257a08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
c77fa3efe6badadea7dcbc6291673d14

SHA1
e33c1f79e6caf0cdccbe08c03e645dc39ab70a5b

SHA256
412da5b070c48c55689905d2677c0f40b66acd1d987eaa2e0dfd32f05b91e0e1

SHA512
fb6811360eb8b1fa0ece8ad9b6fcf3b376070a07e484da579e3e54c564dc5bf39197465cef2deee8b7109c9f546c5b93e4283f202d17fc2e16c7e18b0d1316aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2166f835219586d71618a9c02bd03e18

SHA1
dc4b1d60b47a83fda89b786b853618050016de8a

SHA256
411fb3a3c48b8fbf3b000c74e5fc2a7870bde7ab48babbf8c762ce01cadeccd1

SHA512
95daaecb8a6b262e79ffcd47241f46d52237f11592f0aae752a61329e21299a23ee69fb2b15fcc1f0b3bf1e5aa71b273dc0aa26235c6c9beb72041c0b5e20254

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
545da702c386961b3ccd4fd361c93370

SHA1
c53ccd1372a23ef49de30723bb6ac249a7daecb0

SHA256
c5f50b31bc842e363f59542fd67d182462235bc9183866afc0d10f87356c3c4a

SHA512
cbd7199fbf4247ca172a4eb848e8983ae81faba7df28f7879fd4e2c2e4267421ec683712a16953c0bfba970e7694c1eae2dfd7e0ab8300bf1f525143fc3f4494

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6dc759146b6018f81e3a89a656be64e8

SHA1
fe5b85db074dc70d40f504f33bd17786ffb12502

SHA256
756638db2f5b73be2476837ec111843073b363002923948d53831234c5e4f83f

SHA512
c98bebd6d92fafb627c1d868958cec3be53a9e6ed8d9f20acc8ac019d4dd9423083a32c20244ffca5d7702b9170fed08ea63d504cca7486e0c62ecb90953461a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d338489ab7cfdbe5c9cc6fa437419053

SHA1
1ee5bd0af983b937540eeef4032611e47d5ccbea

SHA256
7f41ba00d2cc3c40e982810899b958dac776f292579ddab70db22a25023ae7ab

SHA512
7f38b2a2bdb8db386964d4b72fbfd3a9c424e8a5a8c248159bab63943ebe02ddb234363026949d134b350aa2f8ded800f9709a32923a29b0ff2b599f043aa012

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c281a9a21a6da1843c49dcc6830f557a

SHA1
cb1a345403cbef5fe5ce69cc599581032b95c6fb

SHA256
177ae9bf584cddc0d5681a02f272d8732df5f80fdb0a9ecbf73b353c3e9d52df

SHA512
a0790d0f331796fea9602b2029b2eb9f67599175fd65a04f8aa56fb0e03a186d1f6bf6d7dc9a31b75afe870a9b2966980b749b1a5147ceba866d5d72a935683e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
376a44da8e8baa00ec1d52ee2468ab9f

SHA1
390e80f4f7c3a9fc1895f6771883337f875643d8

SHA256
67ee7368df59e373187e3a24c48cd9d6a0818c9e26b39cc6420296131fd3d676

SHA512
90719777a7152c4fa7799e25b134519b1a6f44a7003e7e62e479894e7d47592f92828f7bdbee7c1cd0fd3e92005410fc213bdbcfe041c02e6fe21863a48ab073

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d5e10061c793efcef5facbb181714688

SHA1
b4b47e85fa204e9332e8079ee0a387c1fd0436c5

SHA256
f58d2c59d91bae9cf985c3ab196a726955d3d45943a1926df1f30e9c3ecfb4b1

SHA512
454a8307ad8a2b0b9d61982cd92b2e254455ef186d522c433220d7a700d9c6172ce267a22caf1ee4865d3eb466b0a1374df7684345569f60fb310288c46ee011

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e205ebf8f1d140c608a4d8b581474ce5

SHA1
236b1fe57bc06c3291dfd1b9c362e87c15437011

SHA256
1c9049526ba9bfa735990e1c04baf3d3a49513654faf102eb5ed4d77f8e5e696

SHA512
95494df48c1c64d60f66c5c1cdaeb1db0f6dfbe774a2993a7d131f79e1e2870ce29d4dc4112ecbfe81e0760ac0dcf6e639bd6f4c4071843a5797632d7073158b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bc367c31dff35059bc3fb59d2a76ffcb

SHA1
b25c2c463be374af81bf4cc2749cbea486bcc4fa

SHA256
a06627f7dc5e4817a56da937175fe94bde997faeeab4b17ffb38db26ddb6708c

SHA512
8f271c2cdfe4011dd79b56a0b9032f492ebaa9b874fe6a360a4b86f61fca9b63b3395cec4b1e0c7c431e8276601b3c98140ba83e0622beb31217da6a899db4e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6d82e9e1f119c2022b3a016ed66717ac

SHA1
14638e70ac2b4622929284e39ce3a0ba8fb0bc29

SHA256
7cba701857cb3b8a35c5a1a64d23697e0887250636764c171d673144823fa382

SHA512
26eb1fc170d7d23b328dea7ab791d546f6d0bb30610637d78f6abfe7f1d65d29d7c1d9536ddada5b8df3d7508fb0185c1352f273843a0a8847a68938247dc2ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
12dec06d9ecabeaea9d1b4c03286874f

SHA1
7888a6ff1f40ee3860c4ebd8fbbbafc4cc0d8f91

SHA256
42a4a9ddf76ee01a5004f5162b7a5f8ac91e1bde863cf04af19252a0516454d1

SHA512
7d19f05935a71d99a9815d1856ea898ed2810cb9f7ddf991e863c9514924ac616c120505bbe42677732576917fe4eab50b6ba4da0e49a06db12a4486388eea94

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d0998f6cbf50782c05acc982c4d179f8

SHA1
132df17f0e22db54f6d1119cb85cbebbf08a8d7c

SHA256
4872d21f8b3306b1ebcc6f10ca489057bbfc7a37c8a36c616fb2edb0d492950a

SHA512
87628b83e427cc4c878e0629ebd4ada2907dfd64b1153040400f595de042e8f2fee5a272b585df8eb03c33650e2224b16a94fb3b438f5acee81bf6055f0d3670

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2312c8f83c68c7b742cda52aa690fa2c

SHA1
df63b3811d598050e80a5a6488ffa3620caf97a3

SHA256
23eaa9e9da271f075c470f3ec1f93b9b404a6ac10bc82a125dd9faccee4b7c45

SHA512
28b66066bde65fff978689bedf198a2a57fae530d5530d31ec950c369ecfeb9013b428659b4472371648f791758dda0371cb8284b526536cd771883f2d16f7ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
bddf88c074e4046c4e890f7403208a9d

SHA1
e795e2e30e2d07437172ea2fa79f46ce2357b9e8

SHA256
fa1176b45523f08dbcf1570ad30c6a42f6c048831d1ce464d707c0792401155c

SHA512
d687b4bcde25da62fbd3f3cab3375004307f68736a4d8d6b91ed9bf30a371c9aff77ea4eed4c3c33aa1e4c26220b4aca20129649afb6a1586372ee4825e22ba4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
f1e8766e9499d87d711385d2f8ab10cf

SHA1
3a8aaa5cfc4b70a1b41c0fcc1ad6392faef9ec93

SHA256
f441689006947115df547fca64dcd699cb3c82c936f603fca6938bcd9c0889d0

SHA512
374c597c6cbd885e692ed695bb64d06841db779a204717a6bdfb99bca13be13c0bda80150f280dedaeeee35699b6d93460d1343ffcab1645cbf4e616f0195f2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
29cb36f29e01f554c553582de2394311

SHA1
3912171134597cd84ea79e4f980391e751b7ec45

SHA256
355eb7a042bc8cbbc159e3b5ed07c53117535f99f736b4ab92ee50894068f757

SHA512
e71e0ec00f2757b76868a97b69fc18058333e8f298ecbf8c2ff4545427d54da3f011fcff544ee2b27e9cfc61a864c1b98d737ebe8cc04bb54d3b6e78efba2f91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
37d831b12122d47e1a9bcf8cf82ff0f2

SHA1
c5a7bf73b74bcac04b5365e550722217d85dd9c3

SHA256
5e5c374d50019b0aa207e6718acdda571487d6c56c131a84c424a87b073bdc0c

SHA512
575ba1e774939c140768636f8481b9d3f73f8a5131c0f3fb16e86fc34439dd5b5addd1cd6e5b916d3962680d33c1d038c45050d64302b9beda168dcb3d9b60b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
7b5eab890e3334dd31be77ba0e5e5574

SHA1
f1ed3177da4ecc43e6ea8986293df3c171dea45d

SHA256
a6fa4301f1ba3d61c3e0097c43d5e55c89b625c71a7b5b901153600fde9e7352

SHA512
578bfeb07c3310ec08fbbfb357372e8643eef8fb3c528ec168f4d96e684dbaa1610c21ad84769fdd921b42bf7da76529a764f2bb828f4fbe380d71c09f14ebf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
16cb2c63fe967110555e54b7e5b50665

SHA1
e17601c3a1cead8b4353c39d2dda520c6269f4c2

SHA256
8199658978ca6388dcd1977ea49a3fe40a11fdc3ec76e4a6f595beab7176a563

SHA512
1cfdbeb90ed5ad9090bc65362c3a53b9b213703e52e6b8015a79815db811c9ca8e21dabcd1989b0b2a2e5636f93366134310525eb3161790d99346a6ae2ba7eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
11ef611d05a3c47b183acd88ffb04720

SHA1
51238095f420d5f19f8fc49c667c1ee18236d8a3

SHA256
c3da156800ab4679b0dffe7290b3ff6b070f729aa721d4b634f06fb84380af8d

SHA512
4d0daef002dcf8ccbdb7d7672ffcd7c4ecf5b1f5727f32fd3a1ad8d7d4ddb92cdf6b7894174c8ae919f1d30540ae3b8fffd9af4c76578272494869fc6a4bbd89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
5b9fe25da7b77fb5543b20df4e67c4aa

SHA1
8b70dde04490734e11baf16765efab90a337f240

SHA256
142cf9a737575b4cfa460cb680cebc44c4860b4657e3f99cf4d945a01922f0b6

SHA512
da9b1f1af89e97c232e285efa829497847579a97c4fb0ecb2f2bfd924c9658608fd87ac3245f422eb25e08170bd0489159a2ded0b5be167c1c1ff2e55cd6c688

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
34268097310e0f5c481dfdafb46b76fc

SHA1
4afb53873ee8240aeb78badc6a6bc870f7a2f63b

SHA256
25d778d3c8c0e118062a6087d8040b1e05b8453c7091525ecfba48649f09238a

SHA512
7a45dc00ac0020afbe9db840adf39cd048cb23b5b277ae8438d2eece425c9ed99cd84c1b6581414f8bc970334fbc44e098358c8f5d1727dd56b4b91dbb98ea66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
206746ef2a142473d6925d68673c4b59

SHA1
d4552dbc5b646711487bea8b456c9cbae54148da

SHA256
d563283631f63a8b5a78caa41d9340a665ec853a0710f981d6a37273b3c7dc9c

SHA512
cda1343f332eeddd1dfe709da43c416d7afc09c866040f3c58b93b349f213dac7834e64c1fc726bee32e30a170b8f7b18f8b0e6a1146c14bf77f5edd17c4183b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
b67b05fc993dbfb65ada8fd0945b1810

SHA1
5c5a994340c8b5c89235a72ccdde85abf6eb4e3f

SHA256
db13276da7d3ff91683d8485406c7595c4821c4b22109112787168db64d0f0ac

SHA512
ad2713275737f3ed08faabe23660ba449f0fcf9dcec179bfaa615865230df8bd473154144f51eb3b34477ebcf9ac290097726d0221ce32be5b088b7d9b05c22f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
792b1df7b401fc28bc60f61d8942eafb

SHA1
695eb0696318e055179ba7b6054891f8b5318124

SHA256
008a6bd2552ea9a6f2490390fee9a32086cf6088ad934c47e86cfcb7bc3ace19

SHA512
19d18757332a1b80ec8831be7881a1a2a0ee8b33ea039687b34547eba916cf8cdcb4c87b5cb060c8cad0e02713ee726842fb8501dd9e301e365df06f392a572e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
096bd17ed38a541bd8cbfe7ac8f042dd

SHA1
8c1c23e5386220d9e3dcf55825579c58b761792b

SHA256
041e988f9170d12b7cb0821d146a052593793f68dca59268db70b14634001bbc

SHA512
574f7ea59d3acaf15836194c691ad4040b3c23490d0e896e0dbd5f5ef2e4db48793701d0566f28cba3f64dc53161b6901d1766c892d579477410fb02714f97d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
dfa4ae0a4606b39933079fa4cd805b2f

SHA1
1aae2afe4bf785f57895507f39060ca953260429

SHA256
0120573ca50cd96973e969d7042f479ca24442f58cbcdad0404bd9f7aae97eec

SHA512
83fadf765370a5a5f1fdf670182f2d9726622e8b831af3057c005dee242248f1acd70f89e9b1f0f500d164dc57ed9de6846df89e85d603ef6f1f3a61851798c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
8878efc0c8eba48896a92033baf5136e

SHA1
0b81bdf48fe0817934115e1416ec275dbf91252e

SHA256
14ffb76bd8c9d2ee014436847c35484c348fccef54ead577a5d7734a98207682

SHA512
bd0e5a9f293366292401529024069128e49b4f72ca7db3d478eaa13d74aa424e5b8286071e2d3982c76cd931721bc402d9bbf0e293d8f4dc843333719421b2c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
b45fdd6ceae9e565894d6298c8e9a65b

SHA1
60d53d1bcc720003ef545c21ae5017c2f77ee866

SHA256
b97e0d94e059811c72a08ec6c185c6243d543c95ea155c0439fbdcb42fef997e

SHA512
77aa86d205e6bf3822a800383d792cff0ff84e48c5ca1b9bc26c3ee7467d48e36836c83d6976778e8873e3cb7ee04274a42ddf50efa0f944d58157958f67072a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
e77e715969fb6d6e6af53e10c209d441

SHA1
0fab2de875f7e79f87d352767d4d9d121484597f

SHA256
cfeb86bbdce3045ac1e506e4ac030ed3e1f35ff830ac7f0589650071392a1280

SHA512
449b2b1c82c3cd1dd8becf8c3a2fe2ba5106b9cc4d52c9a7afe7acee29d8b35392beec7617340f7dd16041b3b5828dd0a180d075f64ab67bed932857930e3f91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
d0b6d7255aae611f37de7ebd6ed895b9

SHA1
ba19696d638a11d4a4672a501bfd2185c4c38017

SHA256
d15931ca5bf5956001bd9495b3adb55266fd10f020fa1511f911203f2d07edee

SHA512
cc51dca52c37ddbb34caa1d767f3d67ffe166643eaa0b8ffbe12a7efef85b7f9f5fb5428d363c6538594500f340be8be22488cf84a4a07a8fd715e1736a93922

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
7cc0cdd34c4064606371434bbfa54168

SHA1
0321b67e95422f4d4d89fe1badf2d1873bc1579d

SHA256
a5e0b6c760dffc8b5b6f9c3c0ce66c20f413be26eeae93810bb007c6c6707a6b

SHA512
41cc4f0c2d1e21cc9c48472f4b4a00d23ad28e6cee95e38089314bb5fd5bfbcd0dd6031ca428939ca2443654897388e79f7925e1464a1f96f3510c693a9b6ba8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
444addcc3d766572eefb9cbca69fa40c

SHA1
04b5968ad928ed68d374c6810b9156ac005d2164

SHA256
2ee540a291f1e309fa55280bdea1d7e937153242a0e50998a1c4be27f46e80b1

SHA512
851bffafa4ae93a2094151a5db5ffbcd30b7fa720ad33c14932258ed5bbc59cc971aa9e1bf206c63683d6d06745967e81cd5a8241459b6677032e06ed83e8efd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
023e1cbd82daf173272e8f3fe41c11f0

SHA1
530203544e05ff4612cab02b1ef61b705978ff1f

SHA256
46639445d861dd17f64d079956a8ab778e5d24e17a19a6148da769eea3f504ae

SHA512
67452073aa48d78ff870c499b6783e692fcddb7944600827611e69079cc7b1f6a5c762e3cdbd663e899fa099a21a62ca3990884891baedf4aaeef74e88129f10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
a7d021c104b362f74996e4e201503f36

SHA1
1178ba7c871438194d1b7a018cb57799dbbff1d8

SHA256
823133c9908d91f7cfa40e787ab14ec4ed6ec88d64c4a0c6a9695083f08c58dd

SHA512
bdb314da9343b0bb7f6de01ff7fe261dd67be36f2986ec381a0935437c10ddd12d7ec7dbab7cb0efeac55e9f199bbca89ade87dd36d20bafda54b98d79a7c1cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.5MB

MD5
c4555f0798063fefb34c1dcca8173f50

SHA1
3dc749f395c770ccf4a9516b8c47b2ebdb1f109f

SHA256
b14e98d13eeebc2e30e0dfeef988048b9d10a0e9459150270ed69137bee21826

SHA512
515a482dbdb6ea38d6689de1575dd43526786659cb41605d327bc2a7553d3277651e7027b8b69955b9d289d4ffd95f4c156b0c5ec1d269b4e81776da0c25dd93

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
837328a9f92fcebf69fd9f659a0697e9

SHA1
3ec90c22229c8534d665f7bd66730c64332837a3

SHA256
00dba3eb493ba20b7322201abce8bf15bfc7f1fad927242dd817b44983649f2e

SHA512
17e6b292af08fcc652ea1404da299e3b6c6d60ba74758a30b39c1e8cc9b945ee6e65c69a5e0e70843a487564f78d21736aca56a6c079799d01df9c9f601b36a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
927b632a80ab9f0023519d969ccb3bdf

SHA1
dc6bf052f719e52dd9107a1d0dc834a2613031a5

SHA256
8063399657ec3afc01234ffec4a4625aa9b12c03295ed088875ba7ced591d351

SHA512
c4805881da48c7ba88c39f1cdf33478f7fc72ae3d007f84a083ea1b4d9759ea4878787550d3f95ceb345585b116f456cd504244fc6a3dd56aeafc33a3fbcc463

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7effad94e209b61eac75403523fdcf3d

SHA1
9586f641dc09ea890574611187887c9dad466b46

SHA256
817d5dada947a425912498fdd46b35f87e06adf203ca0fa0c7ead92a39f5a073

SHA512
dc9fedb26fcda3533c95c7796d7cc667e9aa47341c0f05b21ee6938b1c3a35ac50e8fcf4234db7dd6b2bab766a1ff62e8686945351292dc3b4c40cece0cc8771

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
6db146056edeedd38f8dbe98f67a5053

SHA1
a6ab25207982aaef7a51cdb72a66a6a637306c05

SHA256
5689c6de5ae497d87e9e072405b718f911f80846612ce3a95a3c8906a19e3480

SHA512
1423d29f231c3dc58f5b1b33d5858e345cf4477006153e4f9a8e34bfba524600eb330496263333ee8d642490c6eca6efec5c99048af305b6259ecfbb8d5b8be9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5dbec6bb38c01354029c0c72b3a8e3c3

SHA1
fbb49cd27e40a1db566574546ae39ce0cf438fbd

SHA256
aace864a9120af76be12aa0797eb9aa5a169da48aa68433749206afdb9bfedd8

SHA512
b716e4f76869b3c8a7a96e9a21ab61b7dbe0439a28337ab650fb375993ceae12d2381df6d83178fb9ad608164a12d0e41499a87519d8c71dc17271e337aee69b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
4aa1a9afe03ab2632555b06dfbee4378

SHA1
57ca8410241e157a3300403ac4b996f190567f37

SHA256
afa27a276ab4dbddca52e76af091af18bf8175b82a7cc4a8ce00b20f1e2d3cc5

SHA512
08ebe654982ed9d284fe30422898c18e8e92fbce6487a82121fcce6ba9d74c7e129572534794b6a0b0c588c7f594fea9bb8bf01ccda29b4ac44bc20f5ae4326a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
6c5ce6ba362018a9b10711ff2eb45e0b

SHA1
6cda5baa2f26dfb1ce16171b30800ea1863ceb3c

SHA256
ea8ac597dc4ab720bcb5edc2244548a393ba67ec627c3946f31babe7963219c4

SHA512
5b6cefb9819924096f07613b438132d3ce828e5fdcf83d2aa18b013be7d039c27beed815431b85767c168a106ec3e5fae220caae1e5e3815736f569f013d543e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
64f5e0bda5da8bbf0c753396f0c3a92b

SHA1
f09bba043cc5453735a0fc2025ac36df05d1c649

SHA256
469a5669d98d381fc789a2796c5df19572b10c2c3b7017ebdbbb1ec44bde8678

SHA512
469349c79f4fad96948077bd61487eccf1a8ac3f095e52c3f88b06b4cbc3f2eae128c210733879f39f08f8f66fb60e0169c35ea733b4accda633cf93667e9d4c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
69da37c25d27a19754e411acb9611feb

SHA1
baa91eb1d0cb0e3a46413d30dff6ad19fa351b1e

SHA256
e95d4e7d440e1be8695754cec779f2db8cae4dd7e1637c68e3fce469f32f5274

SHA512
89601843cc53c3b8aaf0aa66d62a589237168cee49d8cdc1f45fdeefbafa3178585aa8f3f3b570858d895969b0338caafc533884592c45f8d175f1060505b6b9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9930f261e6adce5752ea3a77475ff81c

SHA1
3a24c9365893beea440d5c36dbf67cda0cfc564f

SHA256
8dc33f696e1cd601b4e8633e14a7b8fda233851c8f86355fa719f0a9bbe7aa5f

SHA512
e33b90cf97110ee67ad44769e5b3a6c80777b4770d953f1bee647d99a4816be65a2ed1eaaf19060e17f96cf5ed0a6d13ed8fceff3c8bd60771dcd1dbe26fc51e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ece583767f0a2d6b0e6af365ce912cea

SHA1
ee27c6a36d0217d614a30bc3983e483e8d25c063

SHA256
9576c1dfeaaa4dd77f19376a9c1845a99acb462f2bed248a18cceb9f8cf6c007

SHA512
4d35b7609c4dbfc131f9a09c566a1969c7d2d010c167ecea6a1213f6138b6ef411635601e4c1a580ec41f5c192f5c31dd5dc0801bdded29837ad5c90b8862ef0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
91315cce9a7db4ad2eb6734ecccd3b95

SHA1
8ed91365fa5583b54eb9f150d567802d576d4573

SHA256
6d08a16870dad0b0eb23595772f0344cefc6fcda85543700a646f56d3da305f3

SHA512
0341b456be1deb00e15ba3304745dde1005cb8993365d6799c4f602fd1f4c4fe877a66b5933b5c05fc872fa0cacb67e574e5c56449e299942a38811fd0779d0f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c49f34af37bdda4d1632e8aa0c851b1a

SHA1
5d1fb977dbe21be2098fee7642bb452f5a33c813

SHA256
6aebc25b4966dc9756106f5f965bb37fa287ce538f910f55ed2269a331249c69

SHA512
dfb369b67140463faa298059a8c610a4752667ec9dddfafb414cb3cb42739d759dfe928ea38eb43163d539cac1e92c0c0e5b3854f9dc0641e882077ef6b23856

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0a24a429518a84148298a165b444a845

SHA1
f837ee3d96e5b3439c1723afca0732842788267f

SHA256
e91eaeecb1644e4ebbe001a5e5bc4085ed2917f86512f04f49d5d32d6e5161f6

SHA512
47698ff9e50c965ee67ccb8902b66d80d35fa230c24e7c4fb9639c0107a8d928afcdcf5dac8a9d1ac5aafc2ca73af0e5e8fe3070e47e467c42624ee18a043abd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
68450694e5cc4c2f01269f4b51282d3d

SHA1
33eb5646452ca84a04fbd61f7fe9e463b4c82ade

SHA256
88babc899cae1648afa0c8cb126e33124b78a7b331727cf2174670de5472571a

SHA512
dca731b278852ef985784fafefa54bd4623bad679e8fc3f62209b0f796145c60c40a2efc5ca607d522161dc68b9802857b9cf68742c127bf07df10aa1bfa9238

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
e0a0651554aad97ae0ea0c265dc4672a

SHA1
56abd1d2b62b9c6ac5e83a5438246e2459d83f61

SHA256
1d880fdeda8ea8ddb3f80f9e5ec5f87573f5d090d88515b730193f8d727aa5cb

SHA512
fa7393aaab5b1ce35967d10482c87402534c993b7e11248f026dedc3c0f6c77aae633fedd33864d8aa45b8cb2d8466d07321c7c55fc2a51961c7c850e469958e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3c9320037927ffccf85a01ae63bc44ac

SHA1
f72651ec424f2ea762890ec08988f3fecfe02cc1

SHA256
e41dd3068488f71d8f048041a3eb5620dbc02ce2627c9285fb685842c2a0f520

SHA512
3576d5917795c41feb2b645c0b1c230e8e6e44002fa2e124cf5a659ab09b187e9c849b352bbe2941d242c275a3dec48cb83e52b69b6cd40ca6fb0250f04cb757

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
2663235f1ea773fbe38cf3de3c6b3213

SHA1
af3b83eab9dd886b8976192e80c10df17eb80385

SHA256
77684d37053b6cb3f45477e97de895b8b9dd7af1e0f94ba8d8306f2ce84de5d4

SHA512
90f0645f680dcda255cef03a7f243fb269810c6a5322dfdf13e61d3c980da8eb8918e7512104489fb935c53fcf92ca102773ef95d04102fa6cf72dfe39e78895

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
802334a9cd7fd7108c4185ba6296b789

SHA1
8c485fd9f3206df8440b052b3fef933e240000c6

SHA256
e65405bca1f9e84d5d7c55294053d70e91e927690053bdeeb82bb06d97afcc9e

SHA512
1dcffaf22f22f0e6ec342ff946126aa64cfbe889e09f16b2d2983acc9ed3af1edc13a47b780fefa7231d09e31bab65914b7591869801205b0bbfc73e566001fc

Download Submit
memory/228-337-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/228-272-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/228-281-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2116-6-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/2116-1-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/2116-0-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2116-13-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2116-7-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/2332-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2332-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2332-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2332-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2372-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2372-256-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2372-263-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2372-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2372-270-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2380-338-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2380-398-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2380-329-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2392-381-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2392-325-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2392-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3060-365-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3060-356-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3060-424-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3080-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3080-396-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3080-390-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3080-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3084-371-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3084-378-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3084-437-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3152-300-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3196-448-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3196-440-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3404-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3404-352-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3404-411-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3608-303-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3608-313-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3608-369-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3620-50-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3620-51-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3620-58-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3620-61-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3620-65-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3912-239-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3912-68-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3912-66-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3912-74-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3912-73-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4220-35-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4220-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4220-27-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4220-34-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4220-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4328-458-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4328-451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4364-351-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4364-297-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4364-289-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4476-434-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4476-426-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4552-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4552-421-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4712-408-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4712-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4712-543-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4740-230-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4740-22-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4740-15-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4740-16-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5080-311-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/5080-244-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5080-245-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/5080-251-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5380-544-0x0000020F37EE0000-0x0000020F37EF0000-memory.dmp

Filesize
64KB

Download
memory/5380-555-0x0000020F37EE0000-0x0000020F37EF0000-memory.dmp

Filesize
64KB

Download