ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893.exe
Size

1.5MB
MD5

abc0a2ea6a56d8e784154644a0853548
SHA1

eb8be5e12cd286b03e8d3f535fa58fe0207e8a8b
SHA256

ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893
SHA512

6793d1029f55ae98f85627ef196a2c6b96eb82312e566d7e5908fc891be81b59657ac49ffcd1fdefa76312cb768e0723767bc1edf77cbea64971b89cbf518d4a
SSDEEP

24576:LUzX5RGXan///EqvLZolCzY0hEZr3kkv8n///EqvLZolCzY0hEZr3kkvxsqjnhMB:wD5RcqvLZoUzYXZxvpqvLZoUzYXZxvF2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4304	alg.exe
712	elevation_service.exe
4328	elevation_service.exe
1940	maintenanceservice.exe
2956	OSE.EXE
1664	DiagnosticsHub.StandardCollector.Service.exe
2612	fxssvc.exe
2888	msdtc.exe
2852	PerceptionSimulationService.exe
3608	perfhost.exe
2044	locator.exe
8	SensorDataService.exe
448	snmptrap.exe
4264	spectrum.exe
1748	ssh-agent.exe
4332	TieringEngineService.exe
3356	AgentService.exe
1588	vds.exe
3052	vssvc.exe
4672	wbengine.exe
840	WmiApSrv.exe
1104	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

msdtc.exeelevation_service.exealg.exeed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae2be5e7e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\ExitAdd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2c6bd857799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9b4a7837799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c26c0857799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d3ad3857799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ee232837799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007289c2857799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a04b6837799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1200	ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893.exe
Token: SeDebugPrivilege	4304	alg.exe
Token: SeDebugPrivilege	4304	alg.exe
Token: SeDebugPrivilege	4304	alg.exe
Token: SeTakeOwnershipPrivilege	712	elevation_service.exe
Token: SeAuditPrivilege	2612	fxssvc.exe
Token: SeRestorePrivilege	4332	TieringEngineService.exe
Token: SeManageVolumePrivilege	4332	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3356	AgentService.exe
Token: SeBackupPrivilege	3052	vssvc.exe
Token: SeRestorePrivilege	3052	vssvc.exe
Token: SeAuditPrivilege	3052	vssvc.exe
Token: SeBackupPrivilege	4672	wbengine.exe
Token: SeRestorePrivilege	4672	wbengine.exe
Token: SeSecurityPrivilege	4672	wbengine.exe
Token: 33	1104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeDebugPrivilege	712	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1104 wrote to memory of 3020	1104	SearchIndexer.exe	SearchProtocolHost.exe
PID 1104 wrote to memory of 3020	1104	SearchIndexer.exe	SearchProtocolHost.exe
PID 1104 wrote to memory of 4924	1104	SearchIndexer.exe	SearchFilterHost.exe
PID 1104 wrote to memory of 4924	1104	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893.exe
"C:\Users\Admin\AppData\Local\Temp\ed7611fdd6abb75bfd91d0aa63ad31535e9d1fc0ca58151afefdbcacda7e9893.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4328

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1940

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:8

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4264

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3732

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:840

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3020

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
d1cb372c664f9cf181da88b3d957ee1e

SHA1
47f7bbab234df27fba12391a858c4a722a60fba6

SHA256
91768fcfb26fcd1a7879f86ba37d852d37a2a60deacb6cff303852be484145c0

SHA512
71cd2513a0e704f15cc14d722e6898138051fdb208be179af2e7cd81ab8d5dccc6521216d7af22df7f772578f0aedb65461e411176619bc27cdd4bf81b1a8278

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
346b82b21a62576598752a55f539b7b4

SHA1
94667445746861fa821c2d86b2ad5544a4f07320

SHA256
bc9e0a7f74ffd59fa160c24dfc0539b8263a198fe625939a1f26480c703ac10c

SHA512
7471135f61a1bb8b9c37376fa6aca5936d70e5c1bd73b1c8960cf07bea1324be0b870d97fd8ee70cb7e4ecda829b8c7325a72dd3589e8d6b597ec77cf0d2cd97

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
9cd2dc26ad70a591ba59441de1f27afd

SHA1
4ee49a34ca8297a957688d0b57af28622fbdcb0a

SHA256
c9ac8844d52ded7c3a31f6432803af2e78618b5375e54f5734e954272b86c379

SHA512
0a2d5942dab07344c8290d971210bc3db28ec43109b5a0336445444ccd0645c94747bb711c253b8d9a808acea8cd30cfdb335f6fa46d5d292034fc2a97c63889

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
cbdce450b95b4e76d582b0bcb6af60f7

SHA1
c7afeaecefcb434638ecb7b6cddd68cff153925d

SHA256
a8d4649e80e836387f6422ff418ce9b9d00c8b4a365362a7209175b1b05cfb63

SHA512
96c1ba717f8f47adfa19c14ae638cf5c5dda50bcea057f1e68017f7a00f8ea21a60f2d00c5e4f7f042b8a061b7c67b83ffca79622eb428ecb9924d2d2bb0fa3b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
7c6c0a2320200860af886d2a7a2d7ba3

SHA1
c525498502bcca9618505634b70389ba8d5796bc

SHA256
f406719f4acfb3edb674408088d98919939747a6cd2711b1164833cc12a2fe65

SHA512
31ff020f0286275e14d68d047fbe0dd6de667ac34a99df555aba1cf048b8815a04ce826455b8df2ff6c1fd1a8bcd4e7c1264186783b9a4d26cd5d32275354f7b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
14fca86d66d6f3b9d6225f8e0c55a38c

SHA1
5f82f6c572698230099e3d94d6a5af8fa2907eaa

SHA256
bfeb9906bee6a7cdcd6b8c85ea93f205b2983dff5d9a6aec316079f1f17856e2

SHA512
57922c757f852e3af4103be239c8a53c3353834e819fb20a48c98e2a76d564b2ed1130893f42671b3eb9733b539a0c710e8c80855bb785845f1c931924dc6a4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
6c8e198be3c33e79c47dab613600a97f

SHA1
73334898b181557a4745df1e3a5efec8c67b845e

SHA256
4024c04222d333cbabcf9c87b7b6eb283b9ff5dec995092f4fa51bc9a7ef0479

SHA512
02d7fc82a7808d9af3e750375edb4ab5c4e13bcd13e3830627f6ba312551b43010dbb3cd6902d40f0380f2f226f8a4c6b223580a291000e0bdb4b800ade0040d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
29c6ed6e2513b9571994352e851a9481

SHA1
a1826e05cfd2c6100a1004e76b375e86608f27bd

SHA256
3198735c712f18d86a7aead96a560b7935decb4ced363482741b64bff4760438

SHA512
7cbfc03ccbf9603d154968c98b79ff9b4ae8e8377606bf9878b625b5faba3297cd634a8d5ed17bf2882b89cfbfcf5dff2087260e1885e30bc16f2db0688495ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
d070c509fa1216dbf7aaac9dabb84c8f

SHA1
c000a6f93470561838cbf93d6671ddfebc32c790

SHA256
6d8beabc1f75b8def7677ef42586e2c06a13e7ff343e965409dbbe3f646764c5

SHA512
5ceb5cfd29a667f34a9f2da0a1da891d3c97184d3c2cea06119d7553d6730c9600c76d03e9d1b1244d750976c741e8d2e8c8f19c21506afdd7940726c681f185

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
434d3ccb481fa591c08b01f1fa11fd7d

SHA1
e093874dd07145468282c8ae2960648b4943e797

SHA256
745c0216e23e83bee9346a34f8a2409e5358b114eede788737f78350311919ca

SHA512
e49bd3c52ebf7cc6067c3ef9d069e3f13b2f22e9bf63167464183f1565242e0efb10802175bf0e78726f763f516b2fb90aeab5355700faa1dfe431a34b1426ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
824f45c867e683118368fed9e3e056c9

SHA1
abd355bec72d004814ab5787626eea4857828951

SHA256
243c86330dd053302e28288574890d28372abd94348e67df4ba4173837f1feec

SHA512
d89a132077d21e6a4f6877eae93c71057fc4e5cd4bac088e4d22b4fa95b594de64393a54454241cc6b13423ae5c607ab5eae027ec99c7c8fc3d5950d7d535626

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
8c789d70f94efe72c000dc5ac46fafc3

SHA1
4f60a715a52a9661b5dc395c1e5aff38394bfe6b

SHA256
36a6809a695aa720a9b5b749a4a2d964cfa859a2e3171ec340458e6745b3ab38

SHA512
d6586df73d1384ba3098f63b80b4e8aa910e7adc42766648d429a57657866d46932cfd2b3a59781c6fe50ddc3f2636ec35a75633415468e65e5d3752facb0926

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
2b6be8d0ffc8825f1d4c93ee8ee3baeb

SHA1
5c5cc41c6f1160180e11b2c533b0db302b1126ea

SHA256
669f0e0f6a5669530c0630fb81af0e5ef9e1f521ce675f195f4612c714831855

SHA512
17bbf02bce44e18f38b289b93b0324dc5e5869363c04cf75b014bfd31ac10b3b7a21455e234170500e4ad990a049fc10531c3876e2ad505108b4fce76e810919

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
a55d0170684b9d7ab51b8142cc858348

SHA1
f206f35828829e0cbbfbbda8aa83e3a066e8da35

SHA256
b11dcbfb823a3e9d2a7c9b2df794ff174b3e7d1c832801029c20196ba9da6027

SHA512
e0c20d5b413adeee4df9fb397e1a1a98e89c84c002aebc673e05a34d376c7f2d3b6c59aa5141fbd4154b651307c27e2aa87a25c61cbb7f06754a08daf65dd150

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
d5c94cbf4c25433af54c4759373ee322

SHA1
707c8f909e0433d3b01103c315e206aafd5e2232

SHA256
df25f5b837eebc4d3032d684aac1418ade25bda6fb5e41e668b04e85f08a93d3

SHA512
7926dced87f51e8b61cbe51447ca28494506c97cdc3334a819a81d00a3305fd988fad2a11a94b4c142abd365a1c1acf7dfbafd651392e683cce705c79c696d8c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
1acb1bd223fc8da55245de7063b95529

SHA1
dbaea0efbb7cfa2de451fc6624ed9879a8a2b149

SHA256
e9e4f2e1b4c9f77d9427e321aa7f11e76ed6d6518674d825f469e72f05180df4

SHA512
3cd8ac3c46b0419c6df76c94cf87bccce3d3c569d13483e887d40587966c5464f7be47c4ada9c048a61eda7ab717347ad2d2f80d581e1f6c7eb4419a39dadc32

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
55780316ff0397aebbe57c89fcd934dc

SHA1
cd88c6bc5b0ea8ab6a6578d1850061cba3465de1

SHA256
6b791082ccf746cabbad7882e464489cc0f9c67b1a889aa1c7ef88cafadb2f5b

SHA512
2277a4fa7915ed04a56b002e1fe09076f9c41b53c8df396a6668b0f4907a69c5e86fe4e8afc46049105f4f52c32236209d068cecb180ba3873f7dafc25b94078

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
f0bca009e2c07fc6fde1342a34f687f7

SHA1
fbd3ad551cc37b52379db8491c9df0d70e54f301

SHA256
1c0c978bbb9d882a3802148fdde7a107eb913b7d946059924d1c20c700f76c7c

SHA512
b7f6cbf63565a26cd96d05a46d04d6ce98b9b32c8e10c3cb0148efba1ee755610555580ebc10340b43d75f12d14bc00b05be31854d89d675ebd5684db51f4323

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
e499213e4d8d83ae7afa937e28d24f5b

SHA1
30eb862dd16fdbb6f9528a4bb7edf2ce0b5da836

SHA256
6de8937ddfae1f470f59f7d19e26cf0b916dbd6f339838545a8a0fcfe313f6da

SHA512
e81f19c1597f33774b2f6e826a4f4d0c46bf682db90df5dc144f7e49f6f590a15849850874c4b5852e03ebaa57fbc3c976cc750f5d6199851430a9b7f9e55f2d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
e9d3bd5448cb1c90711e32b01fe14dab

SHA1
fe829f49b6cb858a023056f656a22c1548db8626

SHA256
f4d201f4754b12c9853cd7c1c58d0a448db9b82209f639972135d498ae3df87b

SHA512
5f7bad7a3e56f97959a0b4c309703fadbf7c52744d4e849e6a948443c6d31cb702c27521b2a2d3f85f9296f63d6090e34b4e08a9d12637cfd8a40bad8921986b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
1bbfc1aadc02906fa84fd4618328edf4

SHA1
e04c1d069d855e83c0293d7d8cdc84144d38b2cc

SHA256
98c45e24fb022fc74bf9837a336ecc56e6545b09c6a05887d27d892b2b52f3ae

SHA512
5201d10bdfd0b6917202f4ae572b167d399a29d3f804b282948f692227af024661069d300cdf0259df1f72fa72e4150102c7908cad3bb595213063e5ea820a65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
09296566b2b604fc40f25321a70aed81

SHA1
241f037511b4dc89e47cfd94b33662e1ba0c3532

SHA256
8cf62bec979da3606e85626f6f262dccac8da96a6abc146d401f547a17a2b1ad

SHA512
6e22b5f24023b5a9a432e2e8ad362003e7be7fd63cc83d135f351cc2c704f1e1f570509a06404c62e70a319fc3e99d419bd42123d18dd26d82049017c286b856

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
88f80f855ecc055fc2fa40ea46536786

SHA1
a5313e3fd21c755a01e1dccb709a8dde74d44802

SHA256
c7f1816bfe3e27a7cf965cb5d4eed199651a28a3f69ccd670e5f749ca0cbaaa6

SHA512
d799447c6249a644112892c895dd63b3f0e11bd3ccf7c5be31f15ff5455e99dfad7c15b85eee0f91cec8e1a20a2402b28c7f933310bfb4fe6373a4a9977367be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
d1a0594b681473749311b81706555e3f

SHA1
7093259769413df0f3db7242135694aeb8c7fcbf

SHA256
71e834d4d905f682f8bd35aa03ae88adfb7831de868d450363128a9eeebd05cd

SHA512
4c1e51beb31cfea87ddfee1906eb83f8b281465b26f60e5afd43c5609353d945468afecadcf8f0e337b5433435416b74d5f48805594aaa79953310da36cd3628

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
8cbe35868983525d237085e79a12d71d

SHA1
8672ef16c693809075c2e469101a90d292eaa4b0

SHA256
93c1188fb69d784545f254fcde5c2413b0498372cd3fca5d422bb1d0f46bbec6

SHA512
01efd3d287ab7d2c67648e1a0aab0cd20f23717c6b2ddca3662f3fed0ae41f43e967b03a4914640859f882da42df12e7871d6bd236b392e90613f29e1e04c330

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
ecbf7576d3cbafcc4734eedd9db04be0

SHA1
e4ee8cd7283dc7904318f219ab23ce9bac268d59

SHA256
1e43bd90ba7ac8cd50a9efbb3a29f0b7194e2865ee6d3e288f45f4d44c4c4601

SHA512
4dc2e73b3776d402ad0da7c3ae30be84c4d115af275602a4030ca016e855968230650c75bc33ebb60c0429f0ea5f655ae9cb42f5b7c001615071a5fb90e713d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
d2952f4913d03197adab2356f224889d

SHA1
e6552298f78c2425708b2ebba39df0072bb822bd

SHA256
46ad8ff853245ca111c6902f75e386667160df054d505b52008f49b56d5d21fb

SHA512
762e38c1fff2a0a2bf1250acfd644f76d6a7b363b9559661b865b84aff9a315a68314f60ee6dc9a03daa1988098080a8ee7a3031b6fbf1863b756867f964c315

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
74a3dc1189b4b7286b99a7c62653fdce

SHA1
8730fa19bd13719703bdf30bcc464d6dbdaf078f

SHA256
32619b725d7b3d11dfbf6e9c6707a73add5fd9a6f07108e7af1915876c7881b5

SHA512
a92ca65e67ab262ebfe1b213d9c2d1ab940acf0046bbab666275d741222099765de9f34e138234a5723ac4113a8c49f3f251380aad1ccf887c4ed3e967690445

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
b7e1ed33212a9ce515c1a200e17757ef

SHA1
74e039516de53a5e4266cabd7d0893c50564e41c

SHA256
340c53972832de8c8158a8f6a678797ce50b59d41258257e3662991432cc631c

SHA512
7168fc5842894c0554bd507cd559f3e05795fb114df901ef5a8fbf63f7f7dab8bdc69f5a734db364677831d13b27d24aa239caeffbf69958d84fa138699bfe02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
55f8e8dbf1a80ad9682964b65d2fec0e

SHA1
07b43c9064d70f5719edad1403a5805988a32c65

SHA256
5adf21ad480ef183fbffb57c7479b286c5af07465020b4e295b0217c0e8bd4ff

SHA512
b18e96f987f5daeb3d5459413b576129a4ff11cb72a92744a8d4267386a18efa9a22caf5c44939513d862fc4ce8ab03490fbd0116bdbfa5f54284f71f6e09e90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
38b57b3ab4a6a66853f8d9baf0a49668

SHA1
472131029f06b33b97a3a31c6210b1f3a5815ba2

SHA256
0e8e91e350f18f36b22b7d9399787fc65a74aab21c992ff1757e2fcc0e43749f

SHA512
968a00b19defb7dd95016b4e8f3126fa2db09ce9aad9baa9b3827db7f0d6772259b3cfca8284fcf1c1026ef114558a1a2326060be1a6d134a29e7fc108345a50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
873699b72f231713eac5ffba8c18aebb

SHA1
68065995fbd377f4beb2103f82bdcdd31176bfa5

SHA256
e9bf211110cf3c4269088263ae3acee87766d63e32d936a3696f35475924b267

SHA512
11e358972e8dc5b910e2bd6e1b9efb0560c4d1153c2da95f6936b3b68c4d15add1ba60214a919218a9accc335d9ad79c4c47e9720da4d2cf3af68dace817741e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
33e30be93b55d25d7de1e8d4084ccb9d

SHA1
d24c9b3d7eb1809d4972d513864c0e3f2ac9f1a2

SHA256
d21ff2b0353d9cc17a789b6e8996d45c49889105ea52c5e1c40bdaf8be9f4884

SHA512
7f5f491151f07875727514c5fdfd7ab5ea9c9c6a86b76a46f642893720bc73989950d06c6058fd7cf8302428f5c2785aaff43c75bdf1a1148e4434bc946cd37a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e9986b0a3b4aea9eb1ee26584abd6fcd

SHA1
cd828e8146dcbb3c3a49e8f6f2884cb4154d9f5f

SHA256
a47e9331491fe5d776e57f46ba2b235972d80022b4fa67e69c01c25ebab79cc6

SHA512
059916063a8916ab2c950b473adfbdaa98c94ff091fc83dc65ba973cbbb69473d53534533c25214066dbf90910b43e05926bd01d2320120e6433045ecd765786

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
d54597495aab9dac25926f858d33540f

SHA1
f61fd4bc44ad8fb94c9a2aac0ba397cab481606b

SHA256
8de63ed228222bb6a243570078b07bdd4c8c19585dff0e3e9074f73b9ccaaf57

SHA512
42ca2eb940c1b2e6e6866c1c925c5b67e4eacc1939bcc4a2a2b28b291a6d5e8fe677081655e35e52f2dba8ac38327ea5cad0f6e804011f24f8857cec502e17ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
fa42130cdfa98834e7ef919a30794740

SHA1
86f06083dbcc874db7ed0941ce9a9335cce84a55

SHA256
4e51541d2aca470c098fd5b5ead4e398f0f0f4915434920856c2bc0c3bbd0d4a

SHA512
083135668b721e7cedc47c5ef352a8d8dbe2df0f66ea814e71d3abe778224173b6d07d1d4492350fc80f2e51a609e6e7d3e2a2ca0a580cf05b6de9a137e8854a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
a507cf4c98929e1d25b6a8461886d0e5

SHA1
8f84c9fc38ca38838d4f43b1300edde749f43075

SHA256
065bb5e9f8a0b804d482f610777dd8834449cf3f15712766751af9580e39fedc

SHA512
42e688e3cde00bbe944775b45382fb55de4c9e726e6ee7d5872ba721893945e42c23d898681559449244e7650d45a130c332055550ab0dcee00e8163579b3f3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
e583e481c7ce9f3db873a079c8395be7

SHA1
d632b2599ffbb8889f02959a822e50ab69b92ae5

SHA256
7cab529969f8475ef5fae063fd360ef8e5a07303598460cff47da8541081aa17

SHA512
4a278a558c5b566e769009f891207d1027185fd699984bd8f4f5b4bb383eee899e858eb3e83d39c94d1471de222f886212571f7f00641f36396b8b22ee60c693

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
64936447435f2d95e9fd0851fa9105d3

SHA1
33077ad058deed348f0006b66dbb3b06ef50ffdc

SHA256
d36d357947fe675b91c2887c3ef65b2e894e75a4615527772f259686d0c4ad86

SHA512
fff7eca18a0e958dcaa19fa2aaa1367c468de669a0976360480da93a849a21b3eb026c318f4904f8c62916196c21c9a077e5a0bf00c3d370f948ddc7c8aa08ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
1664c2c1eee2f2f1741f40ea6776d67f

SHA1
d231765874dd5875c46c805638b0468120d3bb7f

SHA256
3dc05731700054d5ee0944299ee695bfb97e901e96e6f452a48f0d2a2f3cef65

SHA512
cc86b9b39567d4160291ad1fcc3baef825a9022634b023f76f5bce29214c7728801629238f1577e3f5dff1dde182ea33f5e99536cc878d77dda37e746639c94d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
ed473f29350af84290a952fac4282bef

SHA1
6af769cce6718ebba4804269aaba8c4500bc7549

SHA256
6497de94c86e8a16584ec5bbceaebb6af5eb6bf42633b98b7b71637200eed286

SHA512
1e01dcc4bebcf23116caaf94ebb0ada5aa32b8ba28058499af211094e55707800b1332eb6c4f68b2d72d6c42068e3fba610e3e95b8bad9d19b45e81962932d22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
67866f8a250e6a5b31148a45b51cfb2f

SHA1
bbd3ec33c73dcf4d65043ffbd9d375f7eeca13b8

SHA256
a9e2c37a60a1e8fd336ee453a1698c4387bee5de02a5762773aefc70f578315c

SHA512
52bcee224c7fabea9ae0dbc7670f33016e8fe2e75a9a871ad5d0bd32e1569647fd6c9d1fecec927320a7d51809b315c9f14992d95d65f7bee247e2f296a5e664

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
84bb6ea0167830f17659964ad0979532

SHA1
83fea31fe840b18edb35d18b326f88107453408f

SHA256
74a3adbd1f69ea88141c83e9e6da0ca7a9edc3d762f75ca95074c31022424589

SHA512
83507fd363d2afe61e57b6f62db31e784c364536558a2b331c6441653757b1935f518ce1112883e9d8d2685761a5ce741c59bb282bf2fefb57f40219d349df26

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
5a4da90d8465e06a58bf18b38ee77a7f

SHA1
ab75aa15025ec1d8dace7beaf794216ee6e14b76

SHA256
7beba370e7ac3529459f8f2bc30d205a74d6b276cb98c3d417e6978b73cfc96b

SHA512
f229383a68db3e9833b5601dfc0d0b6bff6f2dbd89015974c161f05cb0d72e49e64d70dce3777d49ec535fa56ff3afec0a37a5726f238fb0354732cec316cba0

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d356b5d74bbc028977dd5f40654adf7e

SHA1
3cbd54f5faecb08d59df48dcc64818415c9ea9de

SHA256
4c249ef1d6d0a5bcfbf1f2fc17201fc694a4aa21de18bc8291519f5056199bc2

SHA512
a99960aedd3664974d142fbf8a1d25c8493bc63d60e6158efca486dc177c1795e171129ebd998afc5fe204ce0eaf147bc9b24c1ed4b3aa4e2b65aabe33fdbebc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
db8c60408306fad76494bce20a301eac

SHA1
097babd69c70f154dbe4bf33d0a41e5207c1b953

SHA256
e16bd141925d5e931f70fe85ed0a3325fbf03f81b42b162befbc028ba7a9d849

SHA512
17fe779d62bfadd0c53abe42543192442aa44f617ab9b1654a41e826338299e4fceb42723e1db8ebd56974b1a3102567ebdd68481540d5fc72c65aba6c91a63f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8cce2e513ca50c6cb6f2420f6b9f4167

SHA1
71d378bd72ca32a2b731d6f6ea1f45c05d0b2d5a

SHA256
3edfed8bdc8653b6ed13d99e04d8a3fc1cc0394a554faa9b6af09f0ea50d79a7

SHA512
a00b7348838e03d6d88bb70b7e3b9ddb8398632c83cab2c1c6b17e54c254a9c43af180a02c37dc590b65233b11c6ce19d8579a17c34aa267b523ee7a7e483cf1

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
01acb9a66a71cfc87ed69eb3dbf2ffb5

SHA1
627d4941d4b4ed3b97640db87e156433faa187a6

SHA256
360edcea88ae032fa536ed22121f7fa486ddb1dc57e17f490d542380d809448a

SHA512
f51e2c2f93572e625bee6626f24d416bf7c34999a3ce36a5f563f327fd006d6a2bc73a2a24fc71aca4a72bab74b5585f8eaa52ec25e7968d1a75ae5ce97e3151

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
31197c355eb9fb0394fd9a3dbfcbb63b

SHA1
039a8d7d483ce2fb9124287e38b6e8bbe38a6268

SHA256
bead05e130af425859859734209f5ae28594194045ca0cbe39a8787a4cecdc8a

SHA512
8be8ffd0c7e469eb3a07f2839b313f82f85265d12052a392cc84422a93d2f3d541cb424607007d25c4d59b72d71cf36c65f73828f71a8759e46d789029e48ea9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
370590fcded29d4916cb72840f937cd5

SHA1
b4c9dfb0d53e977565e20c3e4ea1523a6154f1bf

SHA256
9778a900780856fb38ab1e2753cc6b920d274d382435712a0ece9cf586f87ca6

SHA512
55e1cfc41baec0ee57c37e0c518789f590091d84c9e65c9cb9002f570bd42735950b09618dc3ec3ce9a0b53d264e4ef007dd79327b3e6d29fbbb6d908433fb67

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e1fabb34198c616c55fcbe1b4bac62cc

SHA1
525b2bb5632a59a14a9f5e3852904a9f26ae75c8

SHA256
66a8b3e5a77ff3e6e995dc5b4e4f31b5b966a72eb9a836929346878cb086168a

SHA512
4abc7fca9ce10b018a60061576fb29a41fa811279d7e9463da4ad17c5873f295bb4410430b4862c81ebf3383a6e450ac16dad618ac44d1d97a2f931feb741d7b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5eadea1bca324361c65c4aa0cbb7173f

SHA1
e381b1c98b02d71bd96fbeb7ff4577ba5a5edeb5

SHA256
c65da53edf39079b1b70d3af332b7aa8801302fcab25ec9ef3bb4aaea64e4c1a

SHA512
49b2ed2cdac1e17d8c7ee25f291a68bb144f2738e4ff9293482bb1af4c750d82e448c673e1cf00ade5a8b7987853f415dfd63b86203481bd21e149f622fac755

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
3df03e04eb6b9cf15b0f464b033a8040

SHA1
5d13f13e824551d8feacc8c7abb496e30b9489ef

SHA256
a01515e3cba55085763a8fbaa5167fa00ff8e7d3b2de87ead43240bfd023aa7e

SHA512
36bf03357a68878c3798452c3da2261a5262d8c99a894d4b43ea23d2d0297a5aa3f8ba24841b127678dec64ecce9e7586173f9f8d58f2984adbdc90e1653a1ce

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
61281f5b716d825daae834e7f6df0d16

SHA1
9fafa490bac3d0cefdb00641cc130766b8c389d8

SHA256
a76999b4d66b72154e63256a0decd5fe16fb631609c8040b056304e0bb9332cd

SHA512
f2f40759ffaabaa7d754cd9a8c22e9c420b28221662f7a207887aed90330847f09ef2852d1adc1833c68f063472c5c8738a476d26905c7d53e30fecdb8a9cd9d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6ceb4bd0733f743abd5a73f0016a627a

SHA1
6b119758741470483390fb48c9f3ca88a2f6a126

SHA256
b3ac14891b76c1d2101b37930a8ed94f7d8d19cdb79eed7cec5f385b09a6492e

SHA512
741ff77867e752aa3752ef93f64396ed0bbd25b12ebc12d82ed8cf8a542c913a32b21be15fe20c75672c53b3b72266ce731a0933816898e3e60fca3e34912982

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
15d0057442e72c6da82f7a00d9595071

SHA1
41f68c41c0e87249639010eb56ff2b20f5246a55

SHA256
8d4667e994d2fb88c557df67bcc0ac66fc4809437256a053a846e5249acbf09b

SHA512
7d249494a678b2ca0e0d64b5bc7332208579cf4b5f8281ef0902c80f8985752285691fb0cba10bac45fb7112f251f9884a2aec009b9709f9c4cf79ffc973ded5

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
2ba8b53148a6c48452ba750a3cf3e2db

SHA1
0cc7463f9af7575e357e27aff63b2cd4ae0efc67

SHA256
b6470876836c240bf01922bfff9cb1dbbcdf538c4ab91c5f7435f719724a5f55

SHA512
900b7d93fc389e275a56010329049f7ed8d85199c3498d822557dd6277c5945be6b79310239d52ee698deff1ffffb1aefeead8057bd2ba175afecd9913397299

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
96a0a02a61e39e5269c89d022d44daf9

SHA1
6f8b9ccc3205640ddcf0a5dd968e95a91ac285b0

SHA256
f93db308ce0c680ce0ce132189415e4f948eaff8fc59e4257c7832563ba01814

SHA512
6ccb15250e9d8c802a24e6f1986e6cd7e0dc96d3588b001b54b042fc6b9b8eb1bbed467a566eb34ac2b005901bb27101718698a487960c4a87f4254f9a26ecd8

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
ea71734e347bfb12e40f5f8fb93c722f

SHA1
cc60ccbb9847a8d8cc4a57f93dabfcb6b9d2feeb

SHA256
0256a05255a3ff87cd7b6187d55200f892f28ca6bb321bdce72354d5357df014

SHA512
4e1212d994cee5d1301ec57f204b1a422b8b832b39f597afda57f712eb6adc890b36411fa0f9160885430d241fe5e202fcb73f7c5f978ca17357c8ca26f2a7a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
680f9a97c52153153db4362585b9db25

SHA1
7b4080900e83e32e4e1a7e8e169218b82f31c4dc

SHA256
c3752fad0d1781068697a83530a053feb2020a7c4273be120c051148f764054a

SHA512
b0c1892f1a5d50066df0141554b47f6f1c8db9661a4f558d5e0418a1fff7fcb76caa5be14fac2710e193ebac8e9b870b03ae1bc1895615467d2fadce710c22c9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c5df1895ef5cdf4f16d12874905ebe51

SHA1
0852d97077ccf9ceb5acd629947b87908785a316

SHA256
2f31de347d4c82fe6fa2e4d55197fd61f7032f05625651cc9894c38ea8179163

SHA512
d50ca0d034877e3558a73b607f4219384a32041bfb26e281e2c94ea84f2c8413920192a7c4a2bb35ede121e4feafb1d7ddce059a49eeb5c92674abfd7f80e5a8

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
45f3136f94abc4e7bbc76b9b550d1ab9

SHA1
be202a253721c7724fa0b34d4726480756a382ed

SHA256
2207212c2ca5f677e5af9cd62c4bb2948ebb4403c66b97061a5ef5328ac382bf

SHA512
0a0d7eea9b509f02af387f8a6b4e3db52f44e8db6cfdd7fd2c654a129dd2c4093461ef4b4f86f782717d05a0a914e44b670b74859e210826f452b6a65337cb54

Download Submit
memory/8-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/8-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/8-535-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/448-516-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/448-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/712-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/712-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/712-31-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/712-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/840-419-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/840-610-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1104-432-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1104-611-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1200-28-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1200-9-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1200-1-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1200-0-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1200-27-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1588-607-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1588-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1664-251-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1664-356-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1664-245-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1664-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1748-585-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1748-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1940-184-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1940-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1940-175-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1940-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1940-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2044-418-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2044-299-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2612-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2612-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2612-256-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2852-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2852-394-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2888-382-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2888-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2956-68-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2956-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2956-62-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2956-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3052-608-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3052-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3356-368-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3356-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3608-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3608-406-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4264-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4264-536-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4304-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4304-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4304-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4304-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4328-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4328-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4328-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4328-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4332-604-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4332-357-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4672-407-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4672-609-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download