9f3087d1d1b2e2770ebcb4d14b3fc331f9413f773ac5e769c068d911d49ad93c

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f3087d1d1b2e2770ebcb4d14b3fc331f9413f773ac5e769c068d911d49ad93c.exe
Size

716KB
MD5

7517d3afe2eba5660333329042a1e1b6
SHA1

241abd102647838059de361ff83a795b5d3cedcd
SHA256

9f3087d1d1b2e2770ebcb4d14b3fc331f9413f773ac5e769c068d911d49ad93c
SHA512

837d664886491de61f6935f99b48e82c47ed5c1d7a1a78584aefe531ead1bac49bb79da54d775384bd6927106ac8717a56c9af7776b1f982edc9af71281e6f53
SSDEEP

12288:A3P/aK2vB+oFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMp:A/CKAB58NDFKYmKOF0zr31JwAlcR3QCW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1960	alg.exe
4028	elevation_service.exe
2224	elevation_service.exe
1136	maintenanceservice.exe
4964	OSE.EXE
2336	DiagnosticsHub.StandardCollector.Service.exe
4440	fxssvc.exe
3684	msdtc.exe
4456	PerceptionSimulationService.exe
1844	perfhost.exe
3084	locator.exe
3200	SensorDataService.exe
4236	snmptrap.exe
3880	spectrum.exe
5016	ssh-agent.exe
3948	TieringEngineService.exe
2656	AgentService.exe
3020	vds.exe
1108	vssvc.exe
1744	wbengine.exe
1444	WmiApSrv.exe
2688	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c2d72c1b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	9f3087d1d1b2e2770ebcb4d14b3fc331f9413f773ac5e769c068d911d49ad93c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afd8e737f49bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a1bfc33f49bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097d74f31f49bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0f02431f49bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff30b233f49bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1c05038f49bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000635f7831f49bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de0a0532f49bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091ba1532f49bda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4664	9f3087d1d1b2e2770ebcb4d14b3fc331f9413f773ac5e769c068d911d49ad93c.exe
Token: SeDebugPrivilege	1960	alg.exe
Token: SeDebugPrivilege	1960	alg.exe
Token: SeDebugPrivilege	1960	alg.exe
Token: SeTakeOwnershipPrivilege	4028	elevation_service.exe
Token: SeAuditPrivilege	4440	fxssvc.exe
Token: SeRestorePrivilege	3948	TieringEngineService.exe
Token: SeManageVolumePrivilege	3948	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2656	AgentService.exe
Token: SeBackupPrivilege	1108	vssvc.exe
Token: SeRestorePrivilege	1108	vssvc.exe
Token: SeAuditPrivilege	1108	vssvc.exe
Token: SeBackupPrivilege	1744	wbengine.exe
Token: SeRestorePrivilege	1744	wbengine.exe
Token: SeSecurityPrivilege	1744	wbengine.exe
Token: 33	2688	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeDebugPrivilege	4028	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 5272	2688	SearchIndexer.exe	124
PID 2688 wrote to memory of 5272	2688	SearchIndexer.exe	124
PID 2688 wrote to memory of 5296	2688	SearchIndexer.exe	125
PID 2688 wrote to memory of 5296	2688	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9f3087d1d1b2e2770ebcb4d14b3fc331f9413f773ac5e769c068d911d49ad93c.exe
"C:\Users\Admin\AppData\Local\Temp\9f3087d1d1b2e2770ebcb4d14b3fc331f9413f773ac5e769c068d911d49ad93c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2224

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1136

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4584

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3684

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3200

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3880

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4336

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5272
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
efc926a773ee5f900b71b26ddab9c640

SHA1
bcb98443274bbeb1bab13a37edc48c37cf76fdae

SHA256
835afec6a77a7dd820ffbb43cf50caf3299d8d82a3293cf1e033bf7083fb2922

SHA512
2128efddff78f0531524b0dedc51a456a077aa8568d5e8484b0c55761cedfb59a089980e0af31c263aead5fa6072f8f9f81aa3923f5fa1ed10631251cc7b8afb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
734fe3dfbb4684f5d3ad182b500970ad

SHA1
92aa6705b37d7d708a458e782f949e618716465f

SHA256
60384c4c846d85034ab5a3d6308b7433982f01a6c0822a2bd2eb4ca2b342c786

SHA512
a4e38cc9b06577ae2c745c3013fc05306572c89dcc5e939701517e09f09da673f14d0ee5a53d59449d2c5660055433dbe6646b8211d05a56305ae548ee393852

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0d0e52425a3d9f53c5f5a13f63f717eb

SHA1
ce1f27b244141624ca2486a76d3a00ab81c192f8

SHA256
247a8f0f50867ad6a980013c7706a9dbd75518bc9f2d8c3345c232906c670b22

SHA512
e5256a1f3c7cfa73fba599c5b22d10741d6601a9255c59a0713dcd15dff4401f2bd34fbea028fbf4e3f8f68ecd38a19bf45a6a9512b1c7e847c652a8a1f527b8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
df54d2bbba84cbec042777b4bdc8cb1e

SHA1
0caddffe28f2110131c0f51884e80aa1bd282ecc

SHA256
bbbe6075773720636a39ca2476ec674f8eec34854dddbe2a68668a7cccd28774

SHA512
1d0bbb61a69664ede648647c8c7605e06fe591e24da9a3c48be525ffa550020728bba196a0fa661c863022e5bdcd1e8f9ce419ee3a1632a42551060bfda12557

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
947d5c2b2f3efe8f5230ffbcaeb8e2f4

SHA1
f61b0b06eb81303cfcb64029a0108f3567fdc194

SHA256
c74189ab9a736b7d3fa67fc41aa27dc35ef7135f9243bb247fe25f2d29ffb928

SHA512
e806f1884547800f4d16cf736f28028966fe7cf6f620419029d29e884f0ec5d031c590b60aa7b85fb8f3f8a46f3c10dd3a69fb4f160f296433fc19aa6a1662f7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7cea18e2fa4dfdf83d3675922fb24d44

SHA1
bcfe0d398cd403f82003791616e67b4e51677123

SHA256
69478b39bdbd2d8bb1d28c9901f8f1776a3aee70e10fd5a856fde5fe575a81f3

SHA512
c5b380810877e6421dc45e8e28283c313775470071b01f4b35511ef3ac6384c8b7a01b23847d0ddbdeb0c9c25dda40f14b97ea75075e6130eb39020fdd85b3ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9e1aa9c42db9dbdc195d140a8e5260f5

SHA1
ab3a8bca4539f7f71b01191a5909399b1dea92b6

SHA256
799b9f00f4b831042073d4b54834e4362ffd75a7832cf00cc0d2f06e1a27e8f2

SHA512
eca698f0a3a017c59bdfe883f9822e57023fb249ae15d0b3ba7b5a36379c1838f1b58a43dcc85ba7e37f7b4dc22eddb8b3cf7c19d8a36cb482cb36334eefd3aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c3fcc78773e822c9ea32864fbe958f21

SHA1
00dad1b692bfed97711f688e0b71ceaeb42171f7

SHA256
9541f0add9efb6ff9ed357fb3c2cbf0809a6989a9c1f59d2d31f99175d5f9664

SHA512
d558f1a6ca4943b0f19adabd31a30ca317273eaa8cd9b61304fdce42d0e0b52d329100bf6dd0ad1106719876a225e121aedfc12b90881e05eecf7e3550e38ac3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8e80818edf574e5c4bcd5896297303b7

SHA1
1419322ba0641dce818e3a6f9329cd04ade532c2

SHA256
6abbc82addf14f67d5657a329bc9310663c506d8b0fb46e6ddb39db25eb1995e

SHA512
e426cf0203e52f06be0dc77214e3e860b821d7aacfaf2b716218d9f9a1483dca764eaa5db344125e04239e718f6f98459d9e7415e99eac041d7d1db6375834f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
35b5626b3af341a0553ab714ac2c3a7b

SHA1
78b93636529c253fe7ab2bf641b7fdd1dadc91de

SHA256
77bd25f0e965558f4b92b9fb374d58faca44369db2d5706f871fb0a2d17c9ec2

SHA512
c09ab038126f22e255efe7a7ddcb46d11dfc75f6e851222ef9799c16e1e57a872809aa7d4511df98343507d204a35fd1270cb8884f88003496bc6465121a6f77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ca1dce74227ca15dfffce1f513e51be5

SHA1
0d3f0838ec070ea1e771749e2b2b1b0245592714

SHA256
ac5b3c9d6acf03807242614178ff1f7f2f6589434e113aef069b4a602e86d3e5

SHA512
f41201cd3a528b1c88d0bb09cca29dcc2734e8a537b9e9873824738ece1dbc2d8f0b1963bf1c9ab756d8eb42e05f362cff6f54a8ece5c9efae86ff1c4c5ba8fc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4d2931fb5ae43c2715020efcccbd15ef

SHA1
723ed053666913f1abdc92c2664d53b411a109bc

SHA256
2e32208f264cbb01d251fc47c6c48e9f56ac597d84d69aff95136f0911bb1cd3

SHA512
512e57575addeb8ae03c236ff049b18ea4d6234361f6bac97db939497fceba2c284d24ba9f83cc0ad62cece3d72288e518e98d8b9f7ddf7e0c27c16382c0ed30

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c1ce481032b3310256f22cd87e5436ab

SHA1
b114c88dce438bc5bea26a22c569c02b8dbbb3a6

SHA256
336d05129f4b1d25e6d0ba3f259bf8e98cabd7c80a6caa175d51223eae5a45b7

SHA512
84e632bc3468a447f4b061e906b4045d3b64d269020714071ce4a8740502b66882c86ada8f49ba5d8eec240689fbd4646d57d5a2ba16766b73a4aa29e9fbbf91

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e5edabbca85fd65879ff04ae65702ed8

SHA1
0db92b76d0d6adc7cd287c21f3576a4ce2a57294

SHA256
bc6d28e0660019f906cb46f9d28872a1ddda56bd89b2fc43502c84bb411a8f7f

SHA512
424cf9132f5f422be249bff79562f9efef3dbcb067ff6f05dc6309e5b0019251a23f82fcdb441a9208ba871e05f37927a100caff3f4278d0a21531d7f0f1de88

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
690af66ecadd77f2f23ed1c6399fd74e

SHA1
89245455cc29b7361c0139590263c96f665edb54

SHA256
45b6474ce24a991ac2aad0092a33d727d50a3d7df16a387c2afd6b4fdfa15d22

SHA512
5a0af154166e48522357b34fcb04f435a6a7399b76d61df8fc4b5526f973711bc46a89ac00b8a18a73e00d801f4eaf011cbf25bdadd9ca47ba1c835252098ecb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
1439431eaa61de8db7ea4569796f782e

SHA1
6835282c7d2efb03c7537a9017859fdaad475895

SHA256
41f78ffbae5a9a2c4e49b4d1804af279979ead35f695513c3801fe1be830e6ca

SHA512
abbeda41ecebbf7453fc26db7908d025379cd957be1064b5c5d07ba75108a5c786abec79efc7b4fa32cf855bb2e4f6b8f273260251cc686f378b7a9817642caf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
59e76bb46ad4eeda41813ed85dfa0941

SHA1
09970bdd0c8e8f5df6f552416ce655f7a4975387

SHA256
e0453aae4605dec78cad0c3449ad06d1a3deec3aab67661cc542efe1b35778cc

SHA512
b794a5d1ab0c9899c4e52e83820bcf735e1ceecd4bdfb9f31d8cfb855ad213c5d841db26f60f403d3de8e143e3130748edfa5d2934acac0017fe21a9edd928f2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4adbb29030c12b6584445ed0aa226d91

SHA1
f2d240f5139791af7c96296f22921a3b5d20cb97

SHA256
ffb4a0bd7117876ca5037e2ecd07fcd15d969cb26e74da71aacbda9267ddc3f2

SHA512
bee36608345a417a1979434cba8f91f42bf31687576eda7ec0ada6f79d88b2bf9588f410c263fc111b629d9ee86c43d9c95e1ade7031b3db0d21c3479e7c8647

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
74fed1e7d6322e4f44b0e5dccf197810

SHA1
edb1431e9d091cf66269c4e397347fbcf482e4ee

SHA256
b9c043191d195f4d8568194a3a779408f368b363dec2e5b04566eb8be8806a2d

SHA512
d8082fedd38e82f62a55f613e0ed1ebd992c4b4c65160350564a075b3e468df9b1a22f182a1a242507e8c56f60f550838e6cf6903280271b2a41f74a9491ea9b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
e795f5514c48e198cfafce589da03d06

SHA1
12fef2ed6049bdf086ce33a2e269977e9a5608c1

SHA256
c9f1a0e93400a1c2cc8e815a3135dff94d042a8b1d4c406fbe265782812d53ab

SHA512
97acb3d3b991ada36c708bc35a626092f17157ed0f2636aa167ec4900adbe1dc47d70d874b3d4ad64eb9b4e69140723de4db502437ca189e9f0b4ad7e48a7945

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3eb7ffbbc74e115e5e0cfb59ee49707a

SHA1
c161650bb4d42e729467ed958c01bf2c3bdc2088

SHA256
91991385eae65c2cb0f0de25247d1de89f341b4fd88da2c979229af5093ef621

SHA512
deb1508ab5f1aa1f38e4b20ccc73b2c33c891d6ba616c76f71cfdf71eede944927ed6f835b0195a61315238a4308fa42c669fca1e73279aef675db4b3ef37026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a838bccdfb5beb536838e533e440de42

SHA1
08102f8519c6c2291553bc817c10ba1cc128bc00

SHA256
96e97db00f0b4461bd5d0f23a2b18dcdb571be42a9ac0592b8f5005e25df83f7

SHA512
7dee2d663777334ae1022f6d7570b12b7d69ce21a6df0b280d3e050896422500ddb52d139ac4975e217a168c39cd728ef01f3bb379141e34483f1b0ad5390458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0b55f73d66449fed279fdb920e7e73d4

SHA1
f8155538f2681694c182e230d9259e2648a3cdd0

SHA256
f1d2a16f1c3a5ab3408cff5b6d85267bb20cabdbf54ad107fcd6d1cfd5940d50

SHA512
26d7a74e8bcc223635826d76c1e9930f08d19e5a977c5c22f0a43f812ee9fc65f0c69149016ead3b9d28469b30234199649fb7f4bdc9139665d35ff2fc333658

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3b56162a89efd77928db079d1da94769

SHA1
512c42f85670672e0078afbfb9d7ef6517d13961

SHA256
47656bd98a0a2e96d94da7f7f7ac68926c0173f3214553e6871fad3280473448

SHA512
1812a573c16b13a39547b68ce6fe1b2e82bbc79553dac5496df9865ee7d63951d111190c8abab6d6cd777dac94cda05c49e9ea11cdd0f63e516d9deb463e6155

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
89a0d7969fcd5480d951851b0b9f7897

SHA1
d607b6bdb89b6c47c33b1a8a6302a47112cdd615

SHA256
d65fa537ae95bc0d22a90a1fc02cad7960bb3b56824463c689bf7e0dbf0a0b4b

SHA512
269fe730fccf1b700e93740987658da93cff157f80b5acf8c4f4ac44e267d775bc2ccff82910e5bb9b35a30028632b9a5f3e2d8a9d95f083d8b417b98c3897ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0326c5de1c76155bedf21c159970e377

SHA1
0d9119aa79ba3aebdfe125abf970fc1f2bb47cfe

SHA256
84604e7901d7093ac348f1049b570ae103d865edbcdace1228536b2a74d698fb

SHA512
62cd86482bcfd0a8af1e6cce7d32d1176e9b78b597081120e07851c11365debf1a7a55c26ad36e3062731c0ed5e7235d05ba4bc5779dbf229d149c895897a946

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
cdb22fa21a773596ba8743f59f5ca144

SHA1
d78cc4bd40250bfc3003e7c3b9fbf70ae705892a

SHA256
870eda6f2061ac44ef4b8249571313411fb2f23d56e39f67acc098311fdcaf0e

SHA512
6d4de26fa855e58d7d82ee7f0e53634e1e0e6926fa02971405cba7202e2a08f9fe75164557729bb7ef4547543f7b8dd1c74eda187f0a4348834f91748dda13da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3eeda68898011cb8d47dee03c9beb69c

SHA1
5f463cf6627d2b1af48de9c2e26e21644d833dcc

SHA256
fbdd9d37620e0d71349abaecf43eb526d4e78d5b4cc32f6ac001d96bf437d2ac

SHA512
48cafcbd30dd8e373f061b4b405a94a4683fbfafb9dba217d1d9fe49daea7623c8c3956d7f5171b82ae6db5db56df9ae75b4e41cb8a7156446e70dfa6a9bae23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ffdaaed0e51055edf2c95c25d6badcd1

SHA1
0c180e17d91f43fa8880fae51a6358875ccd0915

SHA256
60968114a6c2648e73540eda814027a966d283503441f87a2e33d196654cf254

SHA512
b34c52d94e7140a22716b9a4e368b5a1db56b21eb0ea84cd47d3015745500399d5c3ec845f465b3db935c1d39d64f0d426e29618dd40f44e1cc545b7e2e87f38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
419e95e18716d6a1018f8cf270bac906

SHA1
cc30e36ec51cfb2f7a7849d86e14a6b11670f7c7

SHA256
81605b8609212e5e36c337e09d2bd1c51dbe0eaa59125fc4f0e19a06c9b5264b

SHA512
2f8c19f51beabec89f3771e1f69dac93daa2a9d7292b6f6bb19bac7f0a42aafd40b3e7521f844f13ddb54a6d116823b6fa97774a7b004d15d17aa9386030eae0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ee60559fcc26a52cf5ff3d5f0e15f396

SHA1
92a0b554e58d8f90bf84c3cfc84908138d2a05c7

SHA256
b5e20b3fd1011ee5a717ce7a5656b7ac49533fe10d0ebba5fab07afc213cde43

SHA512
9ddc9c689c6f7267fcd584f89ac9ba8eecbe54e4c3e1c7255248eb1c41b33e31d503271e2b3ee2b6c2a0ff0a43f3eeef63a1b0ff7715352fb6bb3b05ceea0051

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c7b39cd9842de825beba2d818716021a

SHA1
68911fb253e13e9b89f6177c7d4814b7b924c4f0

SHA256
9599c695c361f53905d6d1dce55be54351cb7ab8114cf51b619ad4ae5bc253e5

SHA512
65b7090de6116714c95222642ce72515c7da04e1292efde8d22460b98dfd5bfa8a9838947157b1d504fe31d53542a396971e32caf2375582f839e859ff955418

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1c0c987a2ace738c5ab5ce27c8cba08b

SHA1
5d55910450e5704b08aa9d899c94021035bd6b1d

SHA256
6b721f617f247dbfbc43293e2150d7833226d83e1a5b0181fdc395fd9839049a

SHA512
c1e325a12fbe75ab72b6e0d22f07b3777282f658aa0b20545d12de4bd3008a82ab2ab41ee46b7e9f6218c9a5d6b1cb5476c9c6cb07ebfae077700e24c8f2ca04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c88d64a4e7b988df1c33257536e437cc

SHA1
e0cb2325d02df1039fad9ef30f841c1d43a34b21

SHA256
6597bd388bc72be262f69ebfbc176ac0c2bcb4d5de7d4ff951c14be8e8ef2416

SHA512
d490bd78ea3e97c434f6a1f2d312ab4f3b4f2426a78d4e48c05f81eb408dd5607162084286d0419565dfc25c8738473aba2f42785f8170907b7390fc6ba3673d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9e2769993e9a29a3d1d2a7fb056b739d

SHA1
feb35d9ca16c29c236742e62570d560372b38f19

SHA256
13c6b1dfbb0ec4e8c4db183313c842afb6b255c472215749b2a43f88baac6db0

SHA512
632583777fe5e82b2144483ac5191f037c034e8f2c0c2cad0bc294afc2c9d34148994152eed01af0ade2c12684548e3c7a9d45289e036e3d1866965a95d3540b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
47981d4fef5ae22a000321a5672b010f

SHA1
84eed54bce4c92a95ae33087e34140af5cdc3625

SHA256
2a265bb198e7ff3c3922eac8fdf21b9093a8d9bff6daf7603f8144dbdc50ea53

SHA512
d9f95b05714cc9b34fcb98899fd6800bd5746535b7dc10489041d4e91bd23c6624cf279b8565454b949c9ec34b75db3951be69045b8eda51c8e49e2e47868d87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8ff3f8073b1816206f0960dcc7654a27

SHA1
7c2018ab422fd9cbfc38223d6f5bd5fcdece3a6e

SHA256
c1f6cd55579d8f6d8c52cf5bb998728f122ddcb54d05333a99a4743bc96a4aa9

SHA512
4d9f0bbb72a1ce1bcd0b89b44e7d77db18be90a5264f43c09078ff450776e830c77030ec455aeabc72bf7c0652db0fcfb03dcd14a4223d8846b2f7f73dad73f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f3403b828669cbb55b1aa08cfb294533

SHA1
6df87bebec9e005a7853a81df89fb38059ccc546

SHA256
c37b714194dccf804a9369e1a20261e39a1f62832a5ac0a0f8cfe6b4f03c141d

SHA512
3194aa2e16774d8135031a2ede0098f00639d65a43b3bbf8f260d6215a7ef979b0d5ba6d5fc56e62964c7000add2be97dc1b60dcdd32dd2b791272815f38a9c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
28b63aa49adebae1c987c963d0876ffc

SHA1
bc44b4b43695b0e96afd292fbf324fc764a3bd45

SHA256
df87ebd5537887cfe9113a2fbbb5293c23c6b5d2a5c45bf7b1d8405d9092769c

SHA512
b81f5aa77d69fafb6bca1999bf90190c9b61b932c6826a01e802fe3a41053aeac1f28e7d833e250c363921fb00bd1bcd328aae36e6671ce7efe340bae4bdea23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
4eb9bdc80c58ccdd6aa5413f4560d430

SHA1
62f5a0e9720353b372a6bec23e6c2bfd6d7ba8df

SHA256
2d69d28915a5a0f285c72216a362fd96d9ec64985fec8f62d8c9d4c865a6b02f

SHA512
318eccd74d23b6cfdae995dd4d0af0d948983374437804cd4d22cd77f4713288d0ccaae9de571c6de416628d8d6a37d20720c6ff9b7f940c14a18defe85aebf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
29616febe408b03cb519dc8cbdee73ed

SHA1
9762b458b23b81ddeefddb6b657c3359b8f63aa8

SHA256
af663d8f648273db506c61632811cc3cfc0215075abb0fe2b5e22300694df5ff

SHA512
0a807c66ffa22d2793dfcb2f445c587460312878a88ee5d85f12f3c323d213044fe86fde7d0a744ba2d801c4653058f6b762dcb576849993c6deb7514d4da7c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
91863ed374cd41cdd8d5846d18edfa9d

SHA1
e0e7b2ea2d965a0946f31b0f0c96663e5d6a4385

SHA256
fe1fe5f84263057c6d202bbed8d05c3f5053c01c8edad7459fa04c427effa086

SHA512
e2072c419c45778f2506aea7ec10e484ca02f80d8651f1622c98e6be4a0f2366cd4e18527af21808b6c7ca57c950d879ec3cb871b1b9d096b8e1b73ec8b64ffb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
12524b0183913197e3153cd8b39d9c3a

SHA1
880de3c95cfc43a5552084100047299a42d2c145

SHA256
073d7ccd3f07f437462ff81bf5aa5c5eb789760748b905fc6c8bdd3890c47e72

SHA512
b0bd03dc87da65c04212b76d92288872bc0b3cdba8b1515b8a26178fea03cf6939222cec57f146eb9a2f01513e576d596dc3362c0d53c7da1e576d4d58b8975f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
72d5e307e23556f59f3f7972f9223c41

SHA1
59d1434419978d2457aa3d22370a39c2483d9f15

SHA256
e5355ab147786dc20e951e2cc780f074d5fe3d546a7a364247491f7c3d4ce077

SHA512
c3f3fd694d6f08748bd251930a003195704d9e3b41fee5908dc21c32929036cb25f5e7800fa11a19d921e90b9fe3416d1a586090ee7c7f55cb4c8600df9dd58d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1ce0323d70cda52576a60512f0802bed

SHA1
b2633d7b944ca7355e7991dfafc72d88243b1165

SHA256
6294c92d9fc716005075a1cdc357156580abb9d8c53c6c484ddbe33c2ab39593

SHA512
12e3ef8175fbb57ace6c18467669d2b921d9e9645d8933f83505076fa762652d94c9eb18511c3d7b41facde633dba3c7ebcb5cc408dea55c80481d2e1ef89ed5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0eacef5a03c917cd16b0385bb7b008a0

SHA1
0d44162ad9ebd0bffe859240e991a26197b691b8

SHA256
adcd41a2871f005a6ebd1caccead0de6b51ea0b281af9c3456eb7d4505aaac85

SHA512
de5404ec68371b4880a37858b94d1488ccdd64453ca845a2790388c0f6fd40034293ffd1d929926f069fe9de86b8566f22b666ab55bdc09cb66d8f0908968ab0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
de6f7a49b84bd598a987c7d3413d6a24

SHA1
ab045a7f3aa3c5642b60c128db443a4542dea689

SHA256
09ff5798b2f70ddb3cf86845afb3de4a69717f9a69923976a0585f0c03f313ca

SHA512
c6f146d87425e359a76808dade8664434d2dfc170469683bc4fa659300bbe0b48f0c4f9f56cfb58e0bb86520fc34d3472f386978012a5cfe55001b32e1c3480f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a5bc049b0a5b6fe8981c13bcfb7c7adb

SHA1
6bd60a59adf6479454971b5d120e7f1a80064e0a

SHA256
51cae1126e4c5b053815b32dc2c9f2b75ad7d58a49b505f9dd08fe8ae05b2e39

SHA512
3149a6f8307e0224d973b22ae1f199d9d4eeebd1f5de35a4dab824b20f00fa073e2fee8a94e6684569481505e0a396905693b73f345b9b0c60db70732c223326

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2edc119458e0c1add5acce0f6082fad2

SHA1
12057a0414d10930e4ff3ea30eb76641434295eb

SHA256
d58d439e7011bc8db7a452fe0af2e734ba260010fd2b958f5a90c5bb392bfd5d

SHA512
e54262b4731b4573cd12d47a39512026d9cc0bc24635030d54daa0e5323d24d108857db81741f95cfce4c260bd7526f926fad54b9aa57151355726d76545c05c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e2f497a2d8725e9c5dee62ec057c501f

SHA1
c59ce2c1af261e25daa39d00d819096b7ddba901

SHA256
30dce7f2fd7439eee57410e725a1174b766fcdabce725178c23f0c090db55138

SHA512
4575a260dbd6568c9f40f80b5d3a913ae6748a6228d6b18b32dd4baa3641318809854b8c5db6d7f0700823d658fac14be87b5f8412dcd522df8e63d5f3aeff9b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
41d12c2c820f4b16c1afc200b85ec55e

SHA1
73a03f711ba2363371009bd9c6397abcb89c6b2f

SHA256
b433ff73d89c5f7c65ee7289cbb09679e5d19a0da4c24956adb772d2afeafa9e

SHA512
9ffa0faae3bc8673255912efe57954b189c78982d5584108e7d382e2f5bf8485b53da9c12cf551cf8e1ad31964185ad7370c95aa2167b1f00018d87fd652e79e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e4c69169c033c237578d5ae8734148ec

SHA1
daf26976a5960a4f819fff0a08d2b00bebf30506

SHA256
9f808754c49d976e6c071a8292a3e2006fe27c710e5225c0610b6aac5dd71165

SHA512
9a0f173ef3cebc1e140f9b1661395b60fdc7d5edbea06fc26d03fd10c0598fc2525c57d9892a7515fb7fc30afc8b94f4c32329dfde78bc56ab31acc4f8570f7a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dafe889670273cece808b397c9a35bfc

SHA1
cba134e5c0132554619ed4a26ddea2e50aad9baa

SHA256
fcc6992568ffdfd1455b9d99664db5a76de038c18028eec3ddcf310513318fca

SHA512
0539db12f426452f4eefcb8eefe7a1a90f87d47940a45a67f5b5dc2ba2811d293e5d5d9ead9a49ab07cda26634fa979ea5b08e413e7397f6215b1a2b38a87d8d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
062df510fe0485dd24c7c502f42355fe

SHA1
ed86b280f8c31d32bdaac0002119c693a793e531

SHA256
b0c7e9e79bd6439e36f710b46e07e7d4e29941abf7893ee7da7893b3734a7bd6

SHA512
5b7f463cba58ef47a565e94bb242facc2618b4f6541c1d59dd2df4f1d21ee8fbf1018481a8a1c99558eb40290a298e17f5d908feb7f29e8d5fe2bc165482acf7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e5c0d67db4206312c29b464b4e568141

SHA1
090e3de588fa9293595633fd466ce7699728cca6

SHA256
58ae9a7146e919f0864ae85274df1a7b8e2018c3134065dba2aa99d580dfbc0a

SHA512
b4adb80d6dce9cd2e922e01fb7d78d5031119789701e1fce4b040c7f240248e404bb44c7cd61d4c75de2f3c9163f9d9ff46a2f9cdda6831982a9af99864d0599

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
58af186c16c8ebef4656e728e0504cad

SHA1
5f5ab13b8610d308a997ae970d03505468873fd8

SHA256
dbc138d5c04863f74ee1924c214c8da5ab39303585f992091bde79a39512a8e9

SHA512
721007a260e1e02820a7aff06462ab67639efd880ad3b49ad5beb4eafc126b189b17051008396a3b794e3c0f66447a3d2142db8cef270b983ab9d1a6bc243ccf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
335c8fae6441765a9e5e26060818aa84

SHA1
3e8fe7c71879decb12b34b83959ec4abedeb40f5

SHA256
1d450f6681fffc4a09a31ad7298c2676a47bce54f32eeb3ab4bd7e22c177fd8e

SHA512
83963da6baf3139d8491bc222b7d7bd6acb242bf0f362655765caf04a72e0d8094ae46116c3af33e9bb75c4e583cb65aad4a1554982b90bbcf455dd5e72ac328

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4236572a03d6a9f556eb49e00d08fe5a

SHA1
c00a282cf5ffc595fd6afc2e05ebd23da0be21b5

SHA256
44729312d7136801cce557e984c72a93101223987ed57ee8eef2c9e497552888

SHA512
425a56990125db315a0e3d591135f0afbaca8658c7607a80aa1b81ef8c4e38beb61607a9f0234167d1a4941a0a51b146a6249aa5f00c2329427f0c65ff83cbc3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b6f41af2c23d3dbd01d7a4e50abfd4fb

SHA1
ad55062c907ed75401074c2ccf19b355653af050

SHA256
2543aefc13daa64004cb6f46ce5e692c464d562eab07a2a251ef4697713e1221

SHA512
131af515dbc53c5d4b4fd5cceddc38d83b80ced898106f4e2a938d0bada6ecd435526b196280b081905b07ec7583a51fdf6fd645a2002642e9edbaa07c4ac0d1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
89e37f22ec92aa25989a522e9a848500

SHA1
5057820cc2c5271865bb131c009bf41f8213ca51

SHA256
0ee68a4a6f6a7c27d7b962d234fbe4872584e29750f864e0ab81eaf32661e35a

SHA512
c122aa39f24da7bd17c00c0333adfdbacf566b171827aeb46d4200bb822a40688d855bed3dadf700d64ff6ab1ad97f1ec922916ffc892f58548778d0cc07e338

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
34e1ee67830a3a0dad7f778c574d21d4

SHA1
63866c3e754c10cf3c1723a693c890d2cde4df0d

SHA256
d9d8d9058637333e1231464da9b2a28c371c177bddf8119f838aa1a79528805e

SHA512
92e59053bc328f596463a151aae7af83c6da79f57a2941b531cabca4fb81f1328afa5ca77a4efb9ba27a1e7b559848a9a3c1fba7b6684be45c66d0c17388f95e

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
67474aa295088d169cf5c16ca4bb38c7

SHA1
4fe5cc4508752335653b5614bfc77bd982a96e40

SHA256
c643ba09ba460d88dd2d9472f3aa46a1ef9828054f4aea893ce9557e92c3e042

SHA512
899c981b7a1595af4d36807d32714a821813c7cd8b6328fd6f383ae7af0ae96873845704e3a1f4575e5ffcc66e25d36ad8c64754d1706b9bcabfc049e66872fe

Download Submit
memory/1108-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1108-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1136-62-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1136-60-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1136-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1136-57-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1136-51-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1444-632-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1444-425-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1744-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1744-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1844-412-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1844-295-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1960-19-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1960-171-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1960-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1960-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2224-38-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2224-231-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2224-39-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2224-47-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2336-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2336-244-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2336-250-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2336-362-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2656-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2656-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2688-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2688-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3020-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3020-597-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3084-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3084-424-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3200-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3200-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3200-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3684-387-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3684-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3880-526-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3880-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3948-592-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3948-363-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4028-26-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4028-195-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4028-32-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4028-34-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4236-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4236-525-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4440-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4440-256-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4440-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4456-400-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4456-281-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4664-1-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/4664-35-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4664-6-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/4664-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4664-7-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/4964-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-72-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4964-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-66-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/5016-350-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5016-527-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download