c37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c.exe
Size

1.4MB
MD5

84395028d6ae73d10c222b94897cb21d
SHA1

5ab370deda61e74406ea3545fd78094d55a729ff
SHA256

c37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c
SHA512

3c8f1e9b393ce82c2cb0c61808f8b6fe014f9d19768b64692317cdab0dbe87c6f542b23bf0896b53f5cfec92fcc386d24d5ee1805263f13bedbf38d41ac05249
SSDEEP

24576:hAnARmRsDwJxmjkbl0fitGbna8FLk2m1X2D4brr:hXmRsDwHmjkblI7a8K2mFhbrr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3512	alg.exe
872	elevation_service.exe
3852	elevation_service.exe
3108	maintenanceservice.exe
4228	OSE.EXE
2028	DiagnosticsHub.StandardCollector.Service.exe
2776	fxssvc.exe
1716	msdtc.exe
3304	PerceptionSimulationService.exe
4232	perfhost.exe
3172	locator.exe
2032	SensorDataService.exe
3064	snmptrap.exe
4252	spectrum.exe
2200	ssh-agent.exe
3864	TieringEngineService.exe
1340	AgentService.exe
3028	vds.exe
4628	vssvc.exe
4108	wbengine.exe
4748	WmiApSrv.exe
4548	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

alg.exeelevation_service.exemsdtc.exec37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ac49a225b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	c37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000500ad545bbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000308c7946bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bb72346bbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000629d0545bbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1fe2645bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031412d46bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a691546bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a612945bbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
872	elevation_service.exe
872	elevation_service.exe
872	elevation_service.exe
872	elevation_service.exe
872	elevation_service.exe
872	elevation_service.exe
872	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

c37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4484	c37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c.exe
Token: SeDebugPrivilege	3512	alg.exe
Token: SeDebugPrivilege	3512	alg.exe
Token: SeDebugPrivilege	3512	alg.exe
Token: SeTakeOwnershipPrivilege	872	elevation_service.exe
Token: SeAuditPrivilege	2776	fxssvc.exe
Token: SeRestorePrivilege	3864	TieringEngineService.exe
Token: SeManageVolumePrivilege	3864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1340	AgentService.exe
Token: SeBackupPrivilege	4628	vssvc.exe
Token: SeRestorePrivilege	4628	vssvc.exe
Token: SeAuditPrivilege	4628	vssvc.exe
Token: SeBackupPrivilege	4108	wbengine.exe
Token: SeRestorePrivilege	4108	wbengine.exe
Token: SeSecurityPrivilege	4108	wbengine.exe
Token: 33	4548	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeDebugPrivilege	872	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4548 wrote to memory of 1376	4548	SearchIndexer.exe	SearchProtocolHost.exe
PID 4548 wrote to memory of 1376	4548	SearchIndexer.exe	SearchProtocolHost.exe
PID 4548 wrote to memory of 3996	4548	SearchIndexer.exe	SearchFilterHost.exe
PID 4548 wrote to memory of 3996	4548	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c.exe
"C:\Users\Admin\AppData\Local\Temp\c37db129d14df0ae03344f534d2e53543d3d0f53286254e9359c6dd4b576562c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2916

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1716

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4252

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4784

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1376

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a960252ead8c0df3ca5ec93b47dcefd9

SHA1
94c2c9193a03d2cde46b1cfd097da6ed2435cbf2

SHA256
9118131a482e0b77c44b334ac57bf714a84d961b034079f978ad71058e55513e

SHA512
fc5508a4cf22b2f20db83c3557c925494826ac997817d5584340673846d717d3b104a0c9be6415b8e7f6fa844502890cd1ced6711548d852b08a8d577e6dc9c8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
e96b304681529d92f8261c948ad067ef

SHA1
7cae61b761fe8863ed6237b0bd76e4f725777084

SHA256
59f0282b7a6057f0525244aa0a2075a08610657121b84b2386b68ad076c549cc

SHA512
7a200cced1eb13b6a0e888e6e92a0e38da3c4208f99c6eecfaddf0675782a57948d3d6dddcb939aeeaec850c40ac72c580dcc227d527a633ed9a210c057e8d1e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
e2c1d088659774cdb6bef3b71a0d3d77

SHA1
3971848e65e967e4f1bc06664eacf4cc7522ea9a

SHA256
bad0d3ec82d8f4f20c195844d5073187028529efb6add6de40a9e1a67f905e07

SHA512
d596000f5437127815a132916e71825244d550dc957f59e17a656cef5ac9d4a0d4f733d2d4fb242aaec9438d8a5e469dcafe4b48e6205bd34300a7d60e345da9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
d87245b924545d01f8fbfa387fbaf8fd

SHA1
30ca6cafe1fa96235a72dd5e0feb4f39ccc94f2b

SHA256
671fa79f4995ec7e262379b7d9aff5d4d67d53c6c7cf475e53960650f00bd804

SHA512
2bd49093f0d2ffd40557ca2bf6dee520d1d44413a73b67053542d48cb821961d8c7ab8bf9d37d35579defdaeaef9b4ee2eb0597b457e9b85dcf0f35c734cebf2

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
007bb87942d7d883f586f253845e9a57

SHA1
30ab2af25932b1f95d3ee711331bad7498e37355

SHA256
dcb06087b4cd4a22452c729c67f0bdb99252f5cbfa61b8eb0618e413fc416c4a

SHA512
86649cc1e517fc4a1e75d65d9cfe7a2423a50c07f17d3e41a9edca0b381850c2a4a0a0df28ac2d692460db380040119b97b450a78ed122b7072677ae2db14106

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
cf0520a4bf6ccbf117a7adbe468691dc

SHA1
718e1cb6fbcfc8abfffb3e7c742d82bbc83417de

SHA256
5820e177ed08cc2f4095db3f8833598356b329a8a8bfee12773c1b1161e71358

SHA512
dece64b09e8f9d07b89e5d94b5a3671e269415b8d58dcb6bdd42e64aebec2ebe3dfff277adac80556be58a069d4c602c78d79054a9e231372b11480c1f392ba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
0f636e60845144f4c12623c8401eb088

SHA1
74af9b67903b65962be81195458128ab13fe6f53

SHA256
a4824bfe64d4b72a1e62e4b04c155ebda1b00e9964b3cc037f03abda8f70e9ed

SHA512
63d6568105c7ea0afd33567f1321321c4fb5e216d99757563ad8813815179499b7eccf357151836992541bda2c61d74cdb3f4e78620980c1a5e6ce8771ead9c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
77896080e6bf5a9e54fe53d986c55cb0

SHA1
97ff4fb8e3c509f8d7d83688f52943ce4d6c7c71

SHA256
f97a694f0ff39a59adb2d27505396a978a87b9add5a5b61f90004aaff363e356

SHA512
de1f3185e1da8d20432c0d984941e12a26e52ab125c321cbd9e4f7683d143be0e39a21050afb5660d380e23d98672dbc2717a12e79fac57f10ea910058f6137d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
c3bf5f675cf3f4674fd28fb0ef7884fd

SHA1
982b759060829f92e99e6bf6ff04d71e4b91c83a

SHA256
4e7c11203570bb1f0a4b7c3e9681fbb047c8a5dfe361f1f2335054a3742e04e7

SHA512
ceda6bb6007763eef7512e348a972e1183e0f5f7b6b90d7ddcc22c81610cf5889ac777146f1152fb43f1611ca48b795d14a137fa56a122c00dda06c1b6b99643

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
85702b879c60dad0b455337c00330d64

SHA1
ecf2f8f2f103da10db9301de6d1abfc6c51ad5a3

SHA256
8595f85ff70be61afa273620bbf0aae99c66cd523d90e5f3599bb92f5ce28313

SHA512
78eb3a5037e1859c123d143ed77f6964fc84ace0c4a0321a6136b8c8a56bb203b702bfa0c37dc7278183647cc1d15f4ba22c903c3792f25baff4323abd9b4cf2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ffce9a27bf9d297e80eb529929f4d242

SHA1
25351b7d91696a07e8075f0c2c55fc44f36ca671

SHA256
cacd965e484fd639ec92ec9f431f5ba81219ce7d2ebabf578d2283c721526c44

SHA512
2978bf970de3f2f73c64d1d1a94d3e148099af2639c30974951dce2ffcb2b97902e0d1a31d2c1cde46042bc8706aea895c656661362a649c72910d26392b45d3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
5bc19e6a6e21ea610c050ebc83f7c5cc

SHA1
b331bc0e132b28b8e9df6fe81b2fa87121e3695d

SHA256
70efbfc7c0029607543264981a7a10a59168ef60bb898ddb2910a438ef782e6b

SHA512
a06d56134191cbd9a1c130cae20e6af2524e32f056a176d0c1c3afb71a700a42ae63ebc107dafd0a8819f399b41515cdd940a1b927da1051600b3dacb3625aa9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
c6c1888c2e6ffbabbd43dde8813aa0a3

SHA1
79c33aef1f60fd93999137fb5725e20aa3c600c5

SHA256
d4929f290fe6af7e52065c6fbef05666cba272fc854c9d1752c91a645bb5398b

SHA512
10cc99c801ec50260c9eb2d156b94f1dd38e95017586ad4c796d2325ea267e892b7e8dc65ca49ce1b4d21f8ab610bce7a41dbb41946820037d45dc2e6c433c12

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
93edca735a8beda83b188db277b9cd67

SHA1
5bda4c89da92bdefec38283f4ac5af6c2856e09e

SHA256
c018d46c56021d43a419ea04d6087f9f2647efe36578625bb3beecacc79190f5

SHA512
a615872562215492b08a4fda52cb967b3966287e51c0d01f5fd9b1426038c1940061ed4625968c64f5f14d8fa80e354539c6a00021dbd42eb6bea386131e03b9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
bf6084b7b00dd3f0daa9ad4c3bcc250d

SHA1
b8105f0624bb1b816d8d343f543032c5227fee1e

SHA256
6745af690679ff4cc5c79caef7c74bd2165d9ac75f037df95291874cba05bdd7

SHA512
ea3e302d8f5652e1bce093f1f788ecfeeac9d70b76a5759920d0ab1f5ad4ff01e27e241f1491ed51d3395fa084e0d8dca5d39bf29a02dfc4ab9143ad77ef9b00

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
92081bd1534e95d01d9e393c7aeb3a23

SHA1
9ac5cf057c9ec5fa1cad8894c84388327a99f9a8

SHA256
96c793318a310b8b179dc0e88895deac87e9efb5da77230f2ed8502cf34194f1

SHA512
a96a0e482802417e75ea4b60cc052f065451ee0f40ac965a0d9adb4b7f0cce733c71d53cdc5bf76d0e6c245470d238c7434b1d10f2b545c637d77165ecf9371b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
cecfa3fd3f4ae5ae87583de2929ca4e3

SHA1
2ba19bd9a05a4cc7d2652c7366b08f8e184f8789

SHA256
529db5c3e4e0910fd92089c9c2d14f82c6195ac6bdcc03cd2ccd47182a4a3b12

SHA512
af75b715cbf76fb905155d1ea3f5b50079817204f6ff3c4bc0ff2bf59bb359ac99af24e50706845d6dad55fc64b006cc094893c0441b212e009f6edc5d38dece

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
27e392c679182171f994b76049549cb8

SHA1
633717b5fa560c86366d5298fc94af7e2594ced5

SHA256
d247f1b6f1ba2da0a24e230216c42fa8f74418ff374321f52b2945efa77b7c40

SHA512
c8f65f2930db1ef727fd5cd110d9b1cb0499e5696fe085ec7d5cd31e591d9f4b2d43c38d79f9357602545698a77cc332f0f92e055c001db23ff2d6de72ac853e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
881420203f9d94afe7b2dbb7a0a269bf

SHA1
5f9bf33cf69ad2592d034f5f56a0f0d3d115e98c

SHA256
93e67f611c0a63d7025644f95c6b9dd5bc14422eeb4f1e06940d00c8b9cc126d

SHA512
5b79a2049c28cb9706760448962c2b432cd04c3b62902123166cb94e236ff969dcd2313e3ca21b28e00f9267288ae4faa3af82bdb0591f26ec481f4677185d7b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
51b3acb74185ebe3b7b9ce0fa8bee1bd

SHA1
606f99281235a24689cd3433a5102aef74455863

SHA256
890c96713c421d2cf1b6ac1eb9702c3b543fd5efa813b9c435cfc66b44a95e8f

SHA512
3c69a1e2dda69b5a4616ce6d850ad2a91e94d2cb6631d1db2a183e05049d3069498d42947d86a19bb3584ea447eb4ee83fa8b87dc2a93eaf87bff737c3e935ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
fedb60ec2c693e485b27fb0ec5694fec

SHA1
c78df266bb0b861aade2369830e5e5efedcfa7ad

SHA256
ff16c42d4cbf0141ae0ed27aa704cf573859258b93faa09f5e797de75eb9eb80

SHA512
aa9eb06b42e53ad8e71ff4b3af607db6a3a8e66427c15b8c4469af74c6dbf9341b9f2aaee3a47e80793135bd37ce383d0775d07b06920626f8dfacf4308a3520

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
f40dca4631330003ae8f45a579398987

SHA1
a9df9876547033329840bafdbd3c1c460036165a

SHA256
6c3ba2a335dde5c082c64c32468adc7c856232595783985ef1c69c15886da1e2

SHA512
d95b2b3ba139900c1128001c19ba5b6838af9be1c5e87af162f16ea17b88a870a5b9b8fd22234ec7231ec14df46ecaf5b4e5e81929238acaa1e26f72c7f821b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
50caaef1c83b8ac461e7fd602d943f13

SHA1
6240d83d068e458de4b86f3408d1dd07fc7bd9a6

SHA256
41c95d72aa5eaa28d203e874a28f9d5ee96569e62779dcb0ea9aba09bc1ec9cc

SHA512
a5de9cadf7f9bfd94d527386df910ed07a5b12d5de885a116ef3f3b623703704132bb36ed66422e14f01bab15d37de2bb5f87f5acbd6c9bd644a885218902a9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
4c62c582bb4da34e87d7cd8f8b730769

SHA1
5d623414f1f982843035e9b8d0772c61630e1258

SHA256
486b994c3b7111bc267955750ab46116ccfcdf8f1d04c2e9af58ec4e8de6c668

SHA512
eb982862b893e2b3f4f679084b5870d67e8b041c3fb2cc141036cb78cc0a313ac6f8b5b81fd796bf61176afc394417801474b6c76958c3a75a5c6f021d1d2f4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
41dc89993aeb774f896101d6d906ef3e

SHA1
2fdb323830ed93db89d3786a7338eb2382ed96d8

SHA256
0d918e9ecec071c3b9d4fdff79d0dc77c4f8482f888098f0605f4044ee0b2672

SHA512
5cfa172500fbef9dabf9796e6cc28861cdd7bdb625f636e9a13dbb463f320f3f5e3d2086ea0284677c581e5958bef984d05ee699045233688c92276db25b1e49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
21c24e20885bc662b6b37576dd02a438

SHA1
fe8969ee4de572e02efc5799cc5bcadb598a087c

SHA256
9b13432b103fefd024899b962017d057da1cbc773660a0f5dfbc075972f91d71

SHA512
b3887ec3b837aa5e7e911704212ae2023e72202ce638b523ed88709f72f1ff52e34bbe47af6087cb51d12a82f3566668e319fa0b0b26e9f2823e4a36e3e6789c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
12b8712bab77350eb4b47e781cb0a34d

SHA1
87bf1b0ba7527d70cba1682fa94df510055884e0

SHA256
15cd5da75e0c21a301218b7497e952d221faff5808fa288124c906413608ae87

SHA512
826f93b34c4cb5c4b675634da47decbad0d7af67f6f6f08a6d54e96cfc6dc67d8b0e865cecafda494e7e2daee9252e9f1ae368fc9ec7c450c36fb6a6f9f0bd5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
50c21dd7c9370296623bdb7a4db7fcdb

SHA1
21b68906a2b0754fb9253f5baa6c148f5dbf708d

SHA256
d4bccc04d34063e36d121fb12fe0601f92462605b7619c6f64d283f817667c9d

SHA512
70a899996e8ad3ec43c53e1e83d45328e79b8a2d40d6641be17873d212c2c464fcdc3e2a84d0ef3f04ae661659a92395baf1e3ae99616fe6156b05d8096c2361

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
8f581367c095ee864d7cabf18b5814bb

SHA1
6a5527acbd0e25b481cb2f8f4d3938b85aac6783

SHA256
360426feb27afb3ff41e716be75a7c9410036509fbd798e5bf3d3f4f79f76dfb

SHA512
75935d09aded632fa87a4647649085b5a57f3838a9cf109cf83006dc743baec013de362dd6de563c1b859a49b5f30fcf2230c1031d1d08d08e80e08fbfdd2bc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
b9da8df5ab9e999c8afefccc26b7d72c

SHA1
bc9c4dfa64544d87f4f12c64b5904793d1566ff4

SHA256
e5a9c39a5e73e3f860cf22c619da9b30fa096b44fe8233339c766912cb47736a

SHA512
7e40bbb60387ab44c2b12036753399338fd8ecab59d79fbce7a87b23886f27f4b633a861c021249a390b0a76afba22510405074f64c173f584e341f65efa223a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
43e1e87e3b15c872c18eced75476465a

SHA1
3ce1a3470249e473b5e93e8148b79ddac755963d

SHA256
de4dcd0ed897449829d6d956670975ff0a4cd4af6b990af38d9d99368a137f0e

SHA512
8afa92d5b7ef3e0ce282ff1e36920b4be1d62c9ba86d890af4df41aa42b5279302d1c0bfe97b87f4c7d13ec97a1059acfd2599bba9302c300d7bbc64c468ae52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
56e3afe7548a886fada05d264430cb4c

SHA1
60ee41d1263fa8fff897d0b573526179686bb1b1

SHA256
927f93883a816e3798f0d4415fe0d93147626f1ce2313ae7c28dc828e2885425

SHA512
70436e9170f3973032e3e24c5e104f79b08b149673343cd226c5d1da53af58d847e9cc5fc700b90031854b8a682093d2fe18db71bdd415f5d86a9d21bec35353

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
861d6abea219b01b3c0cec7248dcae4d

SHA1
569a17d65b1e8cb05f27b285256d8dff4ec829b3

SHA256
4125f199838fc8ebaaa347127fcbb9db3d40259c9b5949a4ba8e1f4522626b8a

SHA512
21da238608b282fab64be7044206d4da29198dd0da8a013554ec00611b04e20e20500c13e79f5b92cabbfe3e68b17e621634adc19b03a2cadbb8c483a22267dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
0966b1c92bf458db307dc5d2d11596bf

SHA1
3398700369bc82fca4be27ccc0a3de86f27d7c21

SHA256
d3ebf921cb4c58d29b921d98c774e49768fa13c9f5487b9023b3d4e06f34e247

SHA512
1a1f51ee43023fda21605be2a31a93c6f22e0db9075c85b4cbf24ba1e93cb57780f3bd59e4d90df8aa020ffdcec72ec1a77e49d46730372857f39faf76428ff0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
dcca353fe6a28110abcda203e7bcaa2b

SHA1
3a9b1310d795e25b1a77dbf5ad3702301b477ddb

SHA256
ba94549b864c523ced04f9a37ae3ddd8a9e218b32830e0935569ae6e517df8fb

SHA512
6c3b468d87f5fa999c80f53d1eea368e5f22bf21313229e49910c22211ef3f2d0ddc0bd3a4cd335c53d336593f122489c5a791a73919765a3c4f61b4953e1366

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
a23ec0e7951529690f8db6402b3ed493

SHA1
b5839cc065b4d1a3bd311f2b6b3e6c3aed88b9e1

SHA256
8cdace11dc651ce530b9f28086724ff0eccb4428435d28818d5efc283645c3b8

SHA512
da3aa29e45dcf502abf81607ffdbfefdd5327b107b2359419e384b57526cac9eac409e8bb309311d9ba4990cd08e15476a758d62852d12950fabf28eb0ea5559

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
0227c080143efbe045d3963ea6394bbc

SHA1
3b2bbc67794897c0327d6d85d5f986e7a5f1fbdf

SHA256
35d5d9b6a9aefce7e3728091a2930461cd2c1ee7c984c152a453dc9039badc89

SHA512
316830a450187d80ac774d28579c160a87dd579ca550391c98315258b2fe3b3d4cc579c64074ef2bd072012ce8b0eff01daaf35c3d4c46e896f97c366da3cdd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
5902f87a813fba7cfb31006496a7ccf0

SHA1
eced367295f3381f8cf1cc94a7617998b927dc07

SHA256
0cc5a38b75ee7a3de7b3425544ba587baddc99b8c2ea627b8695b367d7f1b120

SHA512
622dcffec75b73b51af511036934d0f1cad9985a1fa7cf80c5fc617b0ea83420c8807d93d67e14c9ba1d3cf4fdfc55768ac8eb2f5ae88c2b51c9eb4b1fee439c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
9330651f1380619d4498cd1c25d9939e

SHA1
4ede926df1d693c284a5fab5874887417b8335bd

SHA256
f8817df4ec452d156f191ade68d08458d84966b7cadc62f61f0db04852035506

SHA512
44be01bbd36bcb25c6886f944409c12c214f9d7ce57730cb082f40015bd2457c93682ed657c3301bd95adabd45755a8d0121c7fd0e3fd56be9a12e32a1a4119e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
df56ceac9f5fcc91622b82b4f740b41f

SHA1
9d66474b46d86a231e2c6bd8b90e1c4a1af93c65

SHA256
2cbb4655f36d4817b60227051b28c32860112764f240a2b384c3e80f9fbda727

SHA512
3004f3e5b175e5242913ef62edf4e757d47ac9328dbb3cf6c46656ec3fe60f34825edf1378f0bd80167b939ed18956d05bfb1d24d71c3b539e0d1f480e32adfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
aa8da6aefd0cae24c23ceee4548b6c87

SHA1
62a31373c79ff70fcda961a1d7d3dbfac0ff8bd7

SHA256
fadc012aa772f68598c1d3dd3c98f96499dca5e8c66711997bea47905472943f

SHA512
4cde37bf75d8406cacf80458796797f42c324831ac4183252a8d0c57f53c57da42e4e50c71b154e8a69284366ff270fb02edad48819825009fd4fcfffac1a1a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
afa9c3afd110a63f5c10c8794c872761

SHA1
1e6cbf4e8bafc660b6b581457db4abf0dc548c29

SHA256
c5871c3d878e128e884473bdb90bcdf878d65fa0abed26c406d452a44cb6fbde

SHA512
e25210bd20cc4cbcb7c58f56bd03c4d5ee30c07dfe7fe4b91db43f4c495fa6adccd374fc02674ba14935ef69ed4a9d979015e00717e713b29370e81167937265

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
4e43bbe271b92af8e2084d86141f3d22

SHA1
3f800f1fe1b01ad6244f76df0ad820699b998ecb

SHA256
b3368d8f7c10d6cd99ccc5520b3e7689650d592bcc5a779b2765d48d202de941

SHA512
7ad214dd1febf6411fb0dbdf9aa1b0f5877e428c8b585fd61c2cadd43dba2fe98ae3b7b386b92f9b4532159855afb132e51925ed2aa2a06a304b1ce075a9c09a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
350cd8c098a0adc4db900af2528919a9

SHA1
aa1730c6e5ccf976fb80d74e1fcf10e58c6d63b9

SHA256
6ee48dafc4c7d2061f940ba53129ce8ab859f255d7ad4ca7322b831bf358e485

SHA512
48b7c6c8e05053366cc016f270ee4d7959fe437c3abc28eb80eedc59d038ef424834fd9a3198b2509d3f326e9daa3842948eac473b18ee7389b3ad015b9ecd45

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9e53381858bb24d2d1f89a0bb11bc3e8

SHA1
5dc11f5b95f769c0eeb8342adf49d270bead2961

SHA256
13e50d6d3a43980be3191e4bd85abecedce606da559ec14c017e2937c9f78f7c

SHA512
36a5d9543398ca402d95b527c22ac078a4aaa872a1abda9afac151ec8b5491f287d151c00fc197a5a5789a091cc7c263155a636a74be946d67d7bdb9cf496c8d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
1a1e540e7d0b245457c016d7a116c592

SHA1
89387515f5d4eb47f906490d800c1e187c4ed42d

SHA256
0723e274dbe93e76fe3a4627686c7dff483acbb9f3c9f9e4fb805f8e939d4338

SHA512
c8499e161e4eecd705d62845f6918ec5e2089b7189c97b296d34915f3c188d5f56fd51e3a3d6e2323a67f3bbc673bed27126c28292e0e3abe9e8a48941f597da

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
3687ae1fc1058580031e3087d09a129d

SHA1
bd73e24822fc3568a8f863e776c8ca9b94a74af4

SHA256
9343fc40f0cf4242b339ed5ebaa55d6e6f3305f24fba36e704a3cd427fd56d9c

SHA512
c7f807419fe345f92d882a28f58589b612ba796ad48f1351dd6fbf3a14620350c494c9950f4c997151cd7a262e790809f055753e382fdc08e5a527f15638c58b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
021045b84072f83d7cd5fae152cdb914

SHA1
8230f6d2b64fd3c2ed1332c084c8105112677d18

SHA256
aeba28f7bcd57d76e736ddfeed8dbba8da658530b51e78df6c600cfaadfe13f2

SHA512
3088fb688707b0c60a69efa9dab6cff3968fa103a169b4868444ff2e1c2816c3d5cdb1654fd6610ee5f34219a5feaa7e5b1c6ebb958f00edc08583c0c44eb2dd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
88955ca18ff1abb7a6e7ac0c642e46dd

SHA1
543740b8eb33fe6523cc49a7cac2ab84d9bc999e

SHA256
4e2e23a86c1bac147991c6a56318cb208d539f9316af317a4664ba855ddc77ea

SHA512
bc3f55a5129479d86237c24fe3e2956eddbcbdd79f072d2ddc485566d67c579ff3a1bb333dd648187e04091bae886454654c566a9a0bbf89c7a9c7801bb52026

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
896ef9c7aa17d823b6abfdc3ace784cd

SHA1
bd16c5c1b8b4c9908d3095385d30c1ee582199a0

SHA256
7e539849cc47f3c280f16220f33a0b0b932df6dea90bdbf33240907439233863

SHA512
d5ac7576c33f9d899815c8d710aff3b0519dde28f940fea3c65f917c90e0c6c1247c183eaffa23a28eaaf5fcdc0e773cc5c808bde5257f8e662af890ebd11ad6

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c87ea3a4f265223937906fe427cc2d79

SHA1
040255d6bef955aeabc3b4ec37d6f9623b811141

SHA256
1f8b1128d1b5db4fe21bf09ce75d16241d1632ee1c2682508d544d821af2355a

SHA512
b5ccd4b4e220d67ce4a328665df124fd8511259fb97fff0113857de945e6797ab8f7593f9d184fa2f4def35d1c0a8dd40202441ac9c19bb8073df5d05a236935

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b467cc512237c13906d8f94cc69cb953

SHA1
a06e2655ab7df8411c537d90bcccbe64f229ecd5

SHA256
a958fdb86b497badf9b80a0a02d7fa3794e6558d31211a6657aa3bd945905892

SHA512
d994fdc2852481f191f8e5c879de776db278eec93e825b52bb0dda09198879c6baa9959bd7dea2815affba136887fb34a00936fd298b7f0949f028ea85fe1bb4

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
8475e6cc23f47cba4928ec53bd51f9ae

SHA1
3bf987c918c6d51fba532407713c3146e2403bbc

SHA256
271ed30e7fbd181888dd8ed6c2585d9d37d372a5034c71a18613f366cc0c8939

SHA512
876b843ee706237ddb584bf75afc8e7cc75031d873e0219c631ba3e3ef5d9d696be506a60465092112c9984dea6dabde95fce8cae9156bcfe30c07c6b556d6d7

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
83feeda25eb0368a9dc8b66d86622775

SHA1
7c4b528839f7bb11cf21ffbaa9f135b4a5041cce

SHA256
c5952cb9f415f5a5f513d147c0211372c8848a40ff17412177bf607c7c3dbe74

SHA512
e7a0d1aff539e9dd44ec1c15a870180ac4f54d5c1359c36c5b50d204394c8634a28b2a167ced564269d7dbecc1525ab119fb886d040916176e9b6b0eace76daa

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0692467a7a2bd555b074b972a131072f

SHA1
18afd15e82e946a848ce429178d85f52d1558ef5

SHA256
d0afef7f1023811d61c7fa8d2f297745448f520e6678142ddf3309eb483282c8

SHA512
e15588d62768388201087d95edf56bd969305c5fbb62bbc49a96a2a9289e2f3eeba6c04e9dac19318e4986c06d820267c43e35add0c2cb9a63abe63ee29a2fa5

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
de51fd5963154d4cbd3a71c218426280

SHA1
9de38ca2b1f873ac48e5fcb3ea0dd0556ffef03a

SHA256
a899dc6b2161cec089b61c402eda09f069450182c4c2b63d988ff8c3bc6c44ed

SHA512
2d73af853fc40053b81c225f817d5e1ac261ec8e141aaebf4c33ed9ddb1ec81f66a124489f42ead867d90134f686ae7f42913aad22f21de190679eb8057644d1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
e3e61dea6d42cf858575c4ad918e8553

SHA1
0cf262fc24daad935b08bebf090726ea5cf67fb1

SHA256
95e2b1ef124ca16538e58a4ebe0c41d30ba597f6132c1fe3300dacd967177423

SHA512
d6255b7ef18b2e3cc656508ac847be6748169b60de816092ed69ba382c23b38e57eb0b6bfa584b0b9857bede68c7b1f8234b51616890a50428341094f2d16293

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
e57baf8a92ccffb467f63e98883a227e

SHA1
e1c215759a4f49e6329dea07047cb7b62123ebaa

SHA256
44a096ed097de541f35e2e67a606076ff5ffa1ea496cf7bb0557268b6ae8cd48

SHA512
b313ed02a998e9796f9aa409be4b052c2ba66644038d75866438be7a80c143ec11a1a6606bebea0300a4503800c4dc1b6ca5ef4ce2543b57eca0e111f712530e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a05ce2c53132f2c0d627cecf637ade0b

SHA1
30cee4f4308e71bdd907643de32bf3f161bcd173

SHA256
369bfb1922042dcff74beab5a703a1bc8b62012733173e3079ba9ff6c8669325

SHA512
4b2e67caddb31dbc1b079c74b532784c4a66ebd2b6cc48843cdcf000be414508b0c86e31da2b0771994c411b3298790d4b91ca060bb47995e75acb2586127fa1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
ce74a0f68ab29e47a41658da09c25fde

SHA1
b29ddc63a81df50fb717eef5b50198760796fe8c

SHA256
c1dcd858d129c1f526343e3f9fa5d02681dbb1d87b12ec4b228d5263aa86bdb8

SHA512
2e7003ab72d89ded257a00e860eb8ed0fa559556d0874c74b149e6be8291f8042dc5a740b352f8046755f2e11825d40e7bc3655bd48f3cae0f7ee3af295c6d09

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
fd2282ef9d657fb9d196044526dbf12e

SHA1
7792ae41cdcc97983a5062db259f97947a54cc32

SHA256
025cb111febfd7c2437d79ab5f7070a696b4414c800481d4b95850c7982ea64a

SHA512
f14518b569d465347ed83bd4c37b8f36e2bc796949eaa45599a5bf6d6b73f81bb0ee008f46b5a6a3b7f9cb945043e8f87d81b5ee6d338806518cc337ea2dab3d

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/872-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/872-28-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/872-34-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/872-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1340-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1340-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1716-381-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1716-266-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2028-363-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2028-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2028-243-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2028-250-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2032-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2032-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2032-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2200-343-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2200-554-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2776-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2776-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2776-255-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3028-558-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3028-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3064-329-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/3064-521-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/3108-65-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3108-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3108-60-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3108-50-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3108-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3172-303-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/3172-417-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/3304-284-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3304-393-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3512-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3512-23-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3512-233-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3512-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3852-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3852-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3852-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3852-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3864-364-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/3864-555-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/4108-560-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4108-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4228-238-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4228-64-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4228-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4228-66-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4232-296-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4232-405-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4252-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4252-548-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4484-1-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/4484-8-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/4484-22-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/4484-0-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/4548-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4548-563-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4628-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4628-559-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4748-418-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4748-561-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download