793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
Size

1.8MB
MD5

f9cd3da015409a362ea8700136792eda
SHA1

2c404c480ced9dd9ffc51f70e46e5ef1e5af53bd
SHA256

793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca
SHA512

33f1e17b2e6edad7043294c8a489ca324102369b2ed0d8ee192f83222ee82c01f704b940affaed59d24fa30b3378108517f22746413c3e42df9711928aa4fbce
SSDEEP

49152:6KJ0WR7AFPyyiSruXKpk3WFDL9zxnSO0vo05s0eusONlP:6KlBAFPydSS6W6X9lnleD5s0JXP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2016	alg.exe
640	DiagnosticsHub.StandardCollector.Service.exe
216	fxssvc.exe
1740	elevation_service.exe
644	elevation_service.exe
4132	maintenanceservice.exe
3320	msdtc.exe
4168	OSE.EXE
4428	PerceptionSimulationService.exe
4892	perfhost.exe
2992	locator.exe
2232	SensorDataService.exe
3176	snmptrap.exe
1496	spectrum.exe
1092	ssh-agent.exe
5112	TieringEngineService.exe
2252	AgentService.exe
5060	vds.exe
1120	vssvc.exe
1572	wbengine.exe
2612	WmiApSrv.exe
4116	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aef25fbab3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\msiexec.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\dllhost.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM249A.tmp\goopdateres_fa.dll	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM249A.tmp\GoogleUpdateSetup.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM249A.tmp\goopdateres_de.dll	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM249A.tmp\psmachine.dll	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM249A.tmp\goopdateres_bg.dll	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM249A.tmp\goopdateres_ur.dll	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f65667678faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba4616678faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b97aea678faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000205ecc668faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ae79a688faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000909e10688faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4076	793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
Token: SeAuditPrivilege	216	fxssvc.exe
Token: SeDebugPrivilege	640	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1740	elevation_service.exe
Token: SeRestorePrivilege	5112	TieringEngineService.exe
Token: SeManageVolumePrivilege	5112	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2252	AgentService.exe
Token: SeBackupPrivilege	1120	vssvc.exe
Token: SeRestorePrivilege	1120	vssvc.exe
Token: SeAuditPrivilege	1120	vssvc.exe
Token: SeBackupPrivilege	1572	wbengine.exe
Token: SeRestorePrivilege	1572	wbengine.exe
Token: SeSecurityPrivilege	1572	wbengine.exe
Token: 33	4116	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeDebugPrivilege	1740	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 2476	4116	SearchIndexer.exe	124
PID 4116 wrote to memory of 2476	4116	SearchIndexer.exe	124
PID 4116 wrote to memory of 2880	4116	SearchIndexer.exe	125
PID 4116 wrote to memory of 2880	4116	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe
"C:\Users\Admin\AppData\Local\Temp\793c81f897d3b9b45552a686eada7c6420393afb928515ef09d2b48e5b99a9ca.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3428

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3320

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1496

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4492

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2476
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
1dc047629343fde0fbc7b1df23a62fb7

SHA1
e9106b65b4701e1abd87ef18bf012bb02e43f38c

SHA256
3432fbc6431c26d4fcf7bb68d6ee6c87f43def122290f04d45d509fc42ff9d5a

SHA512
bae08283953ca9ed04629f122464e3e3686cdd3b88bb7a4ee4968e7e02292da6ff39e377c386e5da788df8da2c75329175b764ec001c9c814dcf0b8e7a94895d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a1bcaaaf9ffae494616e8bfcbb431a64

SHA1
7c7efc985954004a8aa5548e7c0c2ce7e851eddf

SHA256
4cf1efbf749aa698dd6cd5d5ed3daed3ba3afc31639fc85d0fe6b5425502c62d

SHA512
32c67361db96d09dd0797fb7a95da3589f6539a9032025b10f2f01fef1c9407b971c6be2eebb4f04ecb3f0657aead38a0f81dac1a578498a852d61073a511b15

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
91506ae0a3ddb6c7c694140f6e4f73d7

SHA1
e53bb1bacb8af9482fac35c79b100e275be74d92

SHA256
489794cb4cae4b6b40cb7d9b2e1169a3198179eb5688ac239b26d9aaa8ef23b4

SHA512
3fd19868bc08a069edb48f72045b946fc77fbb10518bc2c6dfa4ef647f46de110271f1583a56385eddf9e474b6cfcd02c8032ec15561aaa75549c3c746cdb2d2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3e0af6000545b6ea4584d880f3c03fdb

SHA1
7ef7d4108ec175ae720123aedc5864ad82883b73

SHA256
a4b4c2d08b9b93903786b98d41e6fd70bc91a9efda395e0f5de29cea93451d18

SHA512
c59a9409724315d8c7bda63fd78404ed605afe61ee7d537b6cf311a290ffc1f408cb0fc734549376bac3300d06eee7889902c5857cc1f079405faab9744f955c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
54506107eb47ccd9c87685e259a58d71

SHA1
a5dcc1fe7ef3949c2b665365f44f92b5d475d29b

SHA256
0c5e0d3b4598de9eee1fdbbd7d8ff0dfe2d5659ea71968fc7db62a81dc6c5c37

SHA512
64bdf1995ec1ea306e19f11529f84a91a68afa8299b705c193781123322cd249de662adee9a30d18cab33afde42a012cda8ba6caa489f9001054af141e38b585

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b0caa4a73b12f7eb526c29c4fb9b097b

SHA1
3360375179c6b806f2fb6d53df03f1fd9d89c420

SHA256
63127adf8404833c7031776f87464bf1596e08da86031354cf4c5f42a2f16f0d

SHA512
175870e0aec30654ae6be385eb46392a42027428136202094b85122b8ed9c0303c2aa7986c8314450742f107f8a3200718257d7fabe5c2ea0018aad27ae8f7e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
c2c695e329260331eba0bf5ae2b96b06

SHA1
0e2f3c40cfb6ac6a98d2eee2cfcf74ff72886960

SHA256
f02bba1fd13786304dd9371a73f5801f55f5d8d4b4f17b0b37afbb6c0670bdaf

SHA512
ea4bde8e6cf7e073272d18ffa4d77893e42ce31baa32730a36787ecc2011d96390db55caebe9576cf74db9f3021d8122793253e2046de447561165ae59887b9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f220a2b06ab412d21aff263684e572d9

SHA1
9f118ece58301dbf6e6b39a946582bd18b471e43

SHA256
d7f1cb7c1563e43aaf16f7f434e71f3c1dc530e4e3c1019ae28209e851730e7a

SHA512
3964fa1f8ccd250bf2313cf274cea96401cb1f3acfc1df7e5a7981ca439213bf915d7e572685565b422abfd8a65c43c3056731b3239c8db4199c4c3809dbd769

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
a073b987ec2964e0945bdef24871e3c2

SHA1
65320dc3f9a84e2beb5826c9d5abb17a93db471c

SHA256
985afe47d309284c2d3ee89d0d3fac5606dbebdb8f800410b1cef2ab8fa12d2a

SHA512
602cc4b7eaaac2799b1a3a130ca7814bd3952fb68fa6ca13d2f4490d27a12748c39670d89c31a48d69de102699cb60b6ebbcdff910f881671fdf8985e6867277

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0edd72c000db040d6768b1dec90077a8

SHA1
a60af9c16754e6529b2964fdf2290c0cb5ffaf3e

SHA256
90b849645db2ba012f85196c37db57ab1ed6caa7069acb6db2709a8f5872cc7d

SHA512
3865ede1889ec04c811a21409e566e83f943807640acf69288047e8d142e17b21335523e9fcdba7f967e20e38c4d5f653edd0b5974d619226597f29b305f073a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7df4916d1d48301a22cf2f57038d0c3c

SHA1
e756e968e7a5bc71bf1ede081b5c739865ee5628

SHA256
9b4315b4e1ea901ace3c33583c84f04f1adf79e04f736d40bdc955962dbed94b

SHA512
0863e467b08dcd8d4b5a95ea734cf69adb27366c524c0f63cbab2a7732b5705c2c73420486966faf1f7135bad4e6f62d65dc848a0a559db9b28d8e151904bb88

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
79f78e2612353eba49b85a5dc3fee916

SHA1
eecf4e01e2104a50e8999c07a59489d5f907c70a

SHA256
45f961dc847c884a84f190057e9ed2c5f4ebe8a1f2421f6ccd8bdf338f285728

SHA512
0ad0da6d906f15ba328254ec96dc4aa1f02dad32b3c8920c16a393b71980caea691cbb72e6e04997a97f631e20ec5edb92b3d8816c81d682afe4eca5ed165233

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
1ad3c35921e9cf95a19977f4ad229552

SHA1
96486246fbcd1fedfa0dba88249aba4b883d186e

SHA256
0195e77089c8ec83e04e47d1914d05004cbb6cda122bed084e63c0e2f2ba4395

SHA512
d25ae273a3959f5877de424417b0a855636926104f1e2fb30ed27a1a3b785c3826c93736ba91c723f9721a29ae0b93d103996355e7ec29b6bc2e1e0b8fd5bd74

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
795abb15b0e190c4135edaeab1901e1f

SHA1
04f06a3665fc6d74d81b8d0eb342af15fed78a5b

SHA256
cb668a54482cbe8d8ee1bb44c0e297d8903346b4ac8c5844dd7025b4ee413347

SHA512
9835346533aedd6bb9835b0245bfb3033cdcd4c3d545244c0fba8a86458b0637cc1f032e84f2588cea22035ccf659431bb769af71bc06a6403981dcd62666a09

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
95f2cf7949095cf5076fa422197ca833

SHA1
c12533619e2ae4b7204e9d33a243a52cd4b1745d

SHA256
6a3771129f2503df3fa2967ff5d920b3466637ca2f98da21341c322f01b365c2

SHA512
d1c926e2eb1c4791b1ec6cf3551e9f83dc67f4f8160be0fc25afa7ce964e542846dd0b27cc47eef4e7866f1e4a8d48568be4775303767bd12230d1cb973e3639

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
fb00eaf0e902d6c26d6a1cbee8f62792

SHA1
8402c806e4bc1555d2912c7a83595fefa6d3a2f2

SHA256
a32bfb5242d4881bc59b449a5c220e72e3e0224634fe16a6c1a5658228fbacc2

SHA512
4045662cfaaab74cb7f0058fe99c27cc310db3fbb2ba9b9b488f7e1ed6827509fd8a81ff9127122b54c9bfb01a01647604628605654c8cfa4bd8ef5d07e91b3c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
fbba13916b34a870b9e571dae61a3a22

SHA1
c98e26a879dcd3f748f85c1bc3a099d33dad4903

SHA256
4c58db6d295160ab0fa7fc38738a68e83389c6526e900916c42474bf04b656ba

SHA512
e8762dc3440b3a040adc71b4806be1e155608d002d2c2abf422b44e77fafe7df5887f8fa95d6b9ce6ab585a7460b1a0526ab5f4f428058dd031bb3a9b0c25a5e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a480d37f8ac7328b29831c471afbc3b6

SHA1
a87e03ea911cacfd2d326f59314ca039a6a84bff

SHA256
7a38293ffc7f9da999d114da8861fb240e4097e9422d73dde187207de81ad7c5

SHA512
1a8c1f147d3262e8a0f6cee94f354ca6e2dd309ff9bc58b926897c01f26b574fc98205975d78414f62186df0b6fba4f8eb83a7fd65e75e93137041d53ca5cc08

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
9e56689e70c7f070b417b41f87b694da

SHA1
94097b5a6e1fdc7761372dafcc2cb225194e1b91

SHA256
916663a5e04090f07b1946188e2a4b8dae7e1959ec5a4ef46ab8efeacb9e4bad

SHA512
bde23a866d312f7f926f71b5894519e3528e1084a138d52999bf7d4726443ba7ad18a94541f06b3cde573092cacab409fe66323e2a124197c3ab09c53fc3f156

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9078abf2abde0791bf7d4977c5822bea

SHA1
d817b22e3d58653ad8936fc2a415864b446c70f5

SHA256
2053dbefce1408e2ff00d14abb7bb7e1665209da79f7753ec6c4853ef5796dbd

SHA512
b207d875c51746e586e0f809de103339764d6591a22c0f7e525d3fe16625427d50ea42dedf7c1e0ea7de35b9f4d7ff9b911e8a992450a2e35aa5b23d82e0b229

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
113a04a9d9b16fefd615db2b14ed9c23

SHA1
473ced4f04c7257cb8e6026fe67078a6d026b6aa

SHA256
441833ce790447ec946c74719447b842c87d740570bf3c0924a32108a1f4f3cc

SHA512
395ebde8b3d06458679a25e4e3345cdf3712a49cb711a25a36fdeae94c4438cf7135c337b5d7068fa153179eb1049d6aa38d38d802562eaef7f3e874d677201b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5d22faaf32e8af812d23908ecbb4e557

SHA1
08dae3744895d4d171e9accb5c1161c8737ce4fe

SHA256
249174f5a5df13cfc8865ffadb0914479037ec332333f14d12d48dca4a2be5aa

SHA512
87c2d82882a5f3c50654a6f534c528acd4cadaf19eb650c1bef872fdf37fc46c777662c1ca05942babae705cf5af3b989886f3e8ccfe4f938e76dd6879075789

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
78d3cf285afbbbfbd02521edffe07f0d

SHA1
664885cd9f1d1cb4e52bb59471cb4536504dd9c7

SHA256
45dca3b374d4e0504e2f3e871c4efc5c0cf6d931e16a12f4011f4ab9d2cf9731

SHA512
fec62c97ab745bd3a4c62cabe7183d4178c1d0cd225e4061b57cf32eb92e20637bfc8edfee581bb7b959a1055a171b8a49993e10299a2f065673d7a06311fbaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
63c7569417a4bbb9598bebd0eaf549f1

SHA1
51e8b51786abaf13ec92ea762651a51f1e1361b2

SHA256
648ae50417fa22a6fa1ffd79059cc4efb501a3d2f78e744541712fcd2e6ac405

SHA512
213701467d9234fcbc0751ad1a2cd9cf7c3bfc967709373f477935fcb58477bb727ec5990c044067fa65cff2d4bc7d6e3563fad0318937f053c845e2cbc315d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
50c07aa93cfacf64556f55943f6bb18e

SHA1
e046fb2c1875004997c4fc997e0a6f1a39fb4e83

SHA256
ac77b418b3240375a9b649a4180067dd3adecc3095267b6b9cfa09027af5788c

SHA512
587b246dee76e8a9ca9f14437afd08cb3229b4d142d6a411f3bb64f72f9d15e46d31d33a2f587eb69f6880af6f514c53154325dcf8bc65df82a194bc512884de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
cde2571942639e763c907e2c542f453f

SHA1
0b80443c72fc3c7cf9ba7255a16cf89f99b91e78

SHA256
5a9d62a07e4c9baaeea5e167d8868576cc973dca35310fd39c909dcb8b33fc9e

SHA512
531dd1a39056a1c6575f326080496fc01a593d5b6a4ef7d7ca676d63bf461348bc59f554bd937c903d3657c548beb58217226d139ec1cd9bbb568388203fa942

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e90870ca23c5250f02dbe5bcc3036d55

SHA1
b6d30e128f7730b26e51dea95a59ff31e4624f6d

SHA256
52ae69577ea159e2731022c09c5e689cf4eff849b2e3e5fcccf3d5c8cdd3e2d8

SHA512
487f461f6c7f7aa2205daed528c55065fbb311acdd594db6d9f065d5ad39642690a589ff2bb4b42eb5072853814fe4d1aef67efec6f44543a084ce426af69f82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
47a66ac90404695d489586d585a5814c

SHA1
3a3987cb3a48946bb62d5f8a62b63f57ae2c8c40

SHA256
5184e42f6400dd304d489f79dcf5ccf94265b6b68b356ca32c5bc88cd2195b5d

SHA512
cd0711edf5a000ab60588e390e2f0df8054a6eb439030e3ffbfca48c59439bfde0776eef6b5120fc6cbbe70f05c38a4a722977489bab8666ae81cbedf91e01d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
bca329fe6e8531e1ee4d0f9983cbce75

SHA1
962073667113d82777e375995d307afc32ee799d

SHA256
04a903fb4e35db034f745192a5a72a174b93bf71aee9cd01aed1fac54d5f2923

SHA512
552964a7c3f44ff6c74224cc275a22dd70af8aed9601d12c9af1e3dcc5eb2e574066c0348d9fd30563671dc9c8524774b8dc2a3db255a5b26431f7901d39f8d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7a6643e6d36ba269bdc109b4b0bddb69

SHA1
b9770f1761d557ce031041488f2f2bb0cb9e477c

SHA256
94487a5c6e251a1353339a96db2b6fb15e33b4fa5d7ca9daea39af5fb14bc4d5

SHA512
b8c5d1366e572d7a73aa589b701e8d8b84e075281a37578e766bdad3e5723a84beeb375016e464ea284c7645dfb11dba966d6cc2f122f9bd074bb30a1c18c31f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
e90f7404ac0a2720612429dc1b1a1d52

SHA1
67c6e551b04c2bf40c04282ce9d02e56d79f5f6e

SHA256
d3106c4c676951ba21891541d8e56cf821aa580e2bd80c9c185429f7b7216f74

SHA512
3596bceab05b475c0679eb062f617b5bac2428400faeea1335b0d53e9511c3caa1ede82b08ba47672e0462149341d12bbcbe236b68cfc5dc91c31940d5c8acdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
894681a55d44481ae55ea8ac49aeafa3

SHA1
082bf6c263634f7d780980a14e86bc63ff4abe52

SHA256
175c3e996c9ff886f23f527739de006a1e21206aa49890c452e3fa11296911e5

SHA512
ccf61b9295c3eed942c2b1c152d4404670bfb032a2157fcafdccc0b7d169dd2a083df7695887be2f299a737366c86806ee09ca5a671623943c3f48e98efbc85d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
75c97a42339621e6cca8c071018b928c

SHA1
0e09dfa57f6d6d5779f59b20af4a33fc6d91119d

SHA256
6159025692daa45d310552efb044ddbf5f390b04fdccdefb00539dc1671b1c28

SHA512
5cb5369f649161ed64150f91318f88ce80bb4e91c351891828d3e6e7cdaaaab61eb22016a8279bd8cf3dbcd6dccba8d1b6600a3927e3a0b2014cf72c4996b32a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
f3f77b7053f3b3ff7de51ebe78c3e11e

SHA1
b12678eb9ae79d33130400ac02151045265f6c09

SHA256
d7d1e549bffb0a29572fe1cdfd6118d7f8bd6513691d4287588be8e91a4cae73

SHA512
a129f1b3e0c4821d2e4b405c7fd0bef18da77f85434282a154654310632c50b4a8dda500843aa989fbea1659963824b2d18dd70f2485bb5cb31c656dacd07f63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
6cd89b44257d5dd3cd6c8f2b6c131d89

SHA1
50b698c594fcef11e8f48cdd1f8320b1104446e7

SHA256
6dc4f8a079eee8e490d3150e11d56c1bfba13cf37b1fc97395e735e68233f516

SHA512
c377c89f2c26cb15a6914021c8097b3493518cf85dfc84532f097b5a6afb48d22ebe3213a3c0358faad837312a92ecb77652d823b62cfff4bfabce45ffc604f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
b97fb1070c595eea9ac3932e495c169a

SHA1
504606ed9c397c237067e836bb42265e421f7c9c

SHA256
40cad8fb980fced8aa80ee0db1cc75410de41fa40c24963d8e6565a3086dd91f

SHA512
62487b0473a7be3fef571c6343b4c3a09a15d381aa8039259cbbb6caf7c1a9ac73bf762b80633a51c15ddcc3dc9625a9eab573dc66db1e54ed4a2e0e02b65045

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
92b8b7f69763c85157854c4df715e0dd

SHA1
f611a27fda427ef5bbfed46283c814a60f60a8a3

SHA256
f180015effc74508e77e5e842cb4a5ae46ed4f9f5ab385c38402783b90c09045

SHA512
cf2bc63dda9ea362878c2724fe92f762f6f25879f4e663282909a3371a922a138e4d22c13a559197f6ae284328fb4173628ab18c168cc0d16b2ec5170363f941

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
fdd11e8e9eb16b557d2de6cabcded667

SHA1
73e854338b998eb17141793baff4024143b36069

SHA256
15a77b0505e3d706da26cfcff17d5afc9033ce58ca29109e8d00ea367a1c54f0

SHA512
4643a1c343d2f2e5bc6730c7c8facbb32c689cc125f277b90bb1ea73a3f071a86748ff38b51875039aa4eb3602c1b7cd741db3ef591bcbeca7326afec90ea7b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
3fa6a64cfd7c2dfcaa4ee0ad95081fca

SHA1
d62d2773a715376948966a6add89a106fbf417f3

SHA256
906c784ef657a4e7e3d20d24a3d34d12f2d7f1825fef134ece535b6c12d5cc68

SHA512
715c76440e22a4cbde1b86c0e54a8d85015d2f7ee929745a1f483e5257758dae6de52dade78ac87047495635cc0145f538ba170a7b93dc1d1018d86ddd19bfc5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
756938633aae5f938313c84f2d55383b

SHA1
f033121dea9da827ad729ac65b1569ec4273d0e9

SHA256
7a5da748bc6036a6fe50d7a5e31ba0f2275585575edca0c4dadd74712b20009f

SHA512
79cf1b52c666ef984df3ef69eb9a3eb4b97e2633b03c1b7cdf6ad4b4e7cf5102a87d903a9653e9bfa4443a993c2fe2647025153c3ac439200b4559bc6c164210

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
290057231e6c778bed0ebb2c9dd4a181

SHA1
96afcc4e024e43a62ff0af6b2befb3212ea0e6ae

SHA256
e3b48be34a744c492b0e2692dde7030bb1594f2ade4b1ffb202d93e27288a51a

SHA512
c2672ba58b58d64454068773acc7d925c735a51e3b35062e89df93497425af6bae4ce5f05ea569382160a8903f850ae9a68916421d071ff5286ca7af7389dfa4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f3fe9a9dd8c3ddeec44943a25822c6ea

SHA1
fd32fc3ceca6d914679b852618220059e8f23592

SHA256
a1cc5a5c8a7fc094472470f391456478e6d70f25a8dc0dcd851cd640868a841a

SHA512
9bcd7353f5b08bc0413a40bc08140daff7c4579d514a2bdc4a1eb4b873c5e77c9e45af2a173e15473c05d1f1719ceebf393dff57e0975d6a6c8ef616536797bf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4381f0f3bd6dd2b063f1ea13405f4ea3

SHA1
602fe31ded78787c031a2b11b77c13f30e40a30f

SHA256
79abf9395a03e1592f6a1b2a6297df922392b57672f884a9269af6e0f7843dec

SHA512
2557740afcc835c6466ee875e769f19b2755c006dd6f840914bdeb454e63fc8a9b7a44622497e712980ae377281b468794e4c7bbd7dc13ae4a569406f9269b5e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cbe5304975ea9dc1a5641c10d489c9d7

SHA1
1c21d84c9d94c53be79a3dfdba1d0a76b3a8b55f

SHA256
936f96853d6aacc492aa289db97c46fb78ef6f383626b1b7a3468af1f18c4fd8

SHA512
05fa55a333323bd806a56f2bad48b3576f2b668edd5ce812a408e6a6b5f2c36ed13de568dfa3d64b09c3d3bf23e918589e457ee471426c976249bc11785117eb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
67c0e3bf0b89201179b59df192cedad1

SHA1
cf0db3929a077f6106bc149053fcc8258528d958

SHA256
5f2fde9ab092764f2534e42c6a6285d4c09c381f54de2aa0fc9f557b6dd97162

SHA512
039c673eb2c35b06794a6a5220b408d3bb49b152782a340ff49d2b2c23eb43cd08505952126574f22dc0d62be7a8498603576102c520bea9c5761f2526989032

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c36b4e42e60da4983646ecd17ba4ffb4

SHA1
8ee2b9e21d4ad742ec474094327ff1f361e880ab

SHA256
f6d5a29db01931cabd0759d771836620af82705f84f99a05a7f0159031f2deb9

SHA512
4fdb2ae37923e64c566b4848e5129b6ff3b0c6b82335f013f3794f3f072f708fc21873f3ee4c2e825fb01afd36994c259fd64aa6e2c8768f08d29a0662468182

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9799dccaba18b54fd5a55ad543beb29b

SHA1
7b0a0b895ea350636aeee8840d52e99cf66383e9

SHA256
4e11c57bf041c9df897b4fc8d74dd724795cdabdf39bdbf660e33792234aad86

SHA512
ccef084dd1951e1b1ec2eb6fe7129aef2fb64525316404bba8e093260ea7e4ea0b286c8c31d78775c3ca78ce1c77d65c62af80ba049efedc9f51814be14ab520

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
598258f8bba99b754ad6ae05e02cb760

SHA1
1fdda87c51d540fb3b9f28952444760404b1da34

SHA256
f8d57daab699a3aa54bb0d065b5ca1f0bebf64293bc589e5e9f913374ccb1955

SHA512
a7b161c7fa9009c9fc8fa4d011b77c426b6b460cfca03b4a33ccf8c0cda44cd99a1137830af80accfad73cc4d590d50ed5d737531e1724a08afaddee7646b918

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6945a39e87658285618de3502c196277

SHA1
d0ba75c6c5b55c0f38a9e4492f55e8f004b2edb0

SHA256
c3383453145b7748269ef938c2d3fbd6477b28c63546ae7c61150b761ed23c5e

SHA512
b6555ceaa8685f38c45b9820fb901025a3d4c4092825a7698f042362ff1be4bff14de987b040929274d461d2ef5e0d0b0473c4a47d2bcab5f7461a78a7f72aab

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2a99c4886ec6f7aa5a8cd3d875842418

SHA1
53e6d159baf101aeb3b0d0533779fb991ce36382

SHA256
cb0e1019a8d2e9ad85a76e1c61987bb7679748230b30c402245d7f08eba5ef53

SHA512
ebf0740145f39b35b8e7780f76173cf60232f32c69b9f13437d3232cb6c680d27b68fb877cf4ff50c37e4566a2e38e047d8679e4a20c4334cc1e37f57c9f647a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
da1570cf62b670258079772b67927ea0

SHA1
4e3eab46f509614dfcec76f36c18649fcae19184

SHA256
06fcb233f07a7fa36d6983da3c0e3f376ef1f21dd1f4aa9a6b570e3112ca3f2e

SHA512
43e509c37c55ee91126d37ac7d762c725deb67056cca3f9e17a1492894533ecc653f9aa4385785959ba5e6c1ae412b9e99a7bfb4b660f505a825ff1ca162bdc7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3b057bb326a1a3ee88b030c58bab8e17

SHA1
36c282bbee4c2c453816512c1f3d3da4b41fc7ce

SHA256
54acda90a53469adce70cdd0abe5b098ba2e097f0e57ce6ca8e833543017c6af

SHA512
219ce30c687864562db7f2dc3fa6b1548fdcff20fc547bd150481295934a7ddcc8a11e4f66772eaf905da5dceef9240a96b41449e8a9655f4b28e3f3280a30fa

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
66a4a39fad6e18ff0b71ff0a6f1214f0

SHA1
5a01639816b9c98e3cd84da28cd58d646d507cc9

SHA256
6efe51ef0919ea0b230a4b02e6e67e757b3bb4469c1e46b091cd9062e4ad0a8c

SHA512
bdca8fb7946152cb0969c8a0b9957b7ca774cb21ef6867e8a7dc15f77aef3c5aeae6435cb17bffa625775132175ba8758e21762c82d1b2d018b021c91cc54c43

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7ba5216a30dd7b0c674dd77425f41d96

SHA1
ed959ea9346521d7bb106f96340d065d956a803a

SHA256
ba3c224611d92ef4f2be423746158a13d178f8cdc2bc2786a2cc04f642d5a02d

SHA512
62d037c32cef631e269ab7cd8e6747174d19fb9d0d86315d96374472200a6b69059b1961695afc4f12eba6a80eb490c62160c95d64a81b6f853d7ce96f49360e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5c1406ec2b7ac534216e767da71b3c56

SHA1
592993908dd85309380f005b7364b81e449e98ca

SHA256
04445d903f05f1b47cdc2212112a3d8b49b5c795c1153f12723e19e8e85468dd

SHA512
f7cbcf0c7abcaad6eef2ad2d618282a64f8a247697ce2862515fb8a342b775ebc21687a08ec2ae25796fad46727a861ba0d2fe1e9cbfa1a4cbd2a3e262d74d57

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2f7a00d6a607856709876d0498a354af

SHA1
fa721bd27d8895cf7224677ad65c02ae45e0d75b

SHA256
cf186d277f281acf98d23b11a20fef31eb5acfd6d873fc1be80d26782fe8bbea

SHA512
80ad92152bbb754eb0a3f41c5828151b82885359ddc5732d25784de8ad84482df362e30ce3c771a13c17b3f5157439707f9b7694ef225492ba71a95db66c561e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d4307c095d038624c635bb0fd15127eb

SHA1
fb8e99053ade0421ba22a191379d44931cf5eeba

SHA256
ed4cd97d7329786004309d281840349b94320fc4acc94b2003922cb342568ff6

SHA512
d5cfefef2a07b8c3a79403f6a1690c0970068505a20732a9757f8729f0c56640ce2533e4c0734fa20db32423c8b9f9bf905a402f64f83b34df1bc66b06082bda

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fa102efc0c209af73e71a14c5fd2f5be

SHA1
52f9afe6f74916e02787d5c1d9e264e9ff984ec2

SHA256
fc3a0fd89123696384c13a0a192e9b9b8381d42573bf97ff8791980171835888

SHA512
d8604a3a1fea92908a7d702acb3d22debd0a4996f2c39724140105218977a470409846f99ec7235d3b2015a435381a209e1ce6044208f0fbd0406515d1c735b3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c2fc976d6b3e6995c5aa5ecddd4005cf

SHA1
280175ed66f3de85a3dd316058face088f3a48ea

SHA256
73c0ebe4603602d460ae5fdee6762d07fbaa440868861d6f01821470e312e07f

SHA512
5ea10d2ff0ab0dea7c09b4a2b8483cafbd4b77a0bde6618b408ac75c42b6e17301d5ec441c4b456058aca1c7003341a34d231949d272c4d46f54399ea9308b90

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
f8bb2633d2968031a6e14e6e8ed96063

SHA1
cba911ea32f810ba4cb2e57d52cfe887b50a012f

SHA256
d842433bf254d235f46895c48082f8427a7c5249c0717d31891fe8b12bfa73f5

SHA512
a5c78986e3242e823bf5639330a83871d2a7eaed5e0b64818d62392bfd946eb55263b05e3fb5739ba0fb8083233e84d782cb30f8a7c3195cd9d3a158727493b0

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
d19eda4f1c886d7157723371a0ce71ee

SHA1
62a09fb0a07ffeba9962a34d3f97d640dc957085

SHA256
e61122620201d57c7ab934df32d22b5d222d67f6d65adfef20f80d38709bf781

SHA512
f7876f860a9f9a416a4076d85c9e97115dcd250bbd5c88860d374b8d2412c81d045ab6e3da98144bdeb4ecc2553a3a1a77dfde0a764e288456ef70eb3ae2b321

Download Submit
memory/216-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/216-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/640-17-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/640-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/640-25-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/640-272-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/644-120-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/644-118-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/644-112-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/644-390-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1092-448-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1092-557-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1120-469-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1496-556-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1496-436-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1572-472-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1740-107-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1740-108-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1740-378-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1740-101-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2016-157-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2016-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2232-480-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2232-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2232-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2252-464-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2252-462-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2612-476-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2992-426-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2992-475-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3176-555-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3176-433-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3320-410-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3320-139-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4076-6-0x0000000002310000-0x0000000002376000-memory.dmp

Filesize
408KB

Download
memory/4076-253-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4076-1-0x0000000002310000-0x0000000002376000-memory.dmp

Filesize
408KB

Download
memory/4076-7-0x0000000002310000-0x0000000002376000-memory.dmp

Filesize
408KB

Download
memory/4076-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4076-138-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4116-481-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4132-130-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4132-123-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4132-136-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4132-134-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4132-125-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4168-413-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4168-149-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4168-151-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4168-143-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4428-158-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4428-201-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4428-172-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4428-415-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4892-246-0x00000000008C0000-0x0000000000926000-memory.dmp

Filesize
408KB

Download
memory/4892-245-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4892-418-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5060-466-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5060-625-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5112-459-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5112-558-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download