de05679a06c2b48b06540d39eda411c78107bf12e2a703d9dda75a9c1c90cc51

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 03:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de05679a06c2b48b06540d39eda411c78107bf12e2a703d9dda75a9c1c90cc51.exe
Size

1.5MB
MD5

0dd753eebb4b5eee866d23a267faef93
SHA1

a0b114c2cb11061157009352213c921ebece6975
SHA256

de05679a06c2b48b06540d39eda411c78107bf12e2a703d9dda75a9c1c90cc51
SHA512

1f7311480b9a90305af19cf2a8ccce386b8a730d7d94cb5c42770c9925a44610b9e93c19f5cedc768911bc557ddb0b81bd77d8d5eba6303dbc71b68dc6f1bcf4
SSDEEP

12288:Kt/eSMIO74u8k7UtnzPgGeB0dPoIlaNyF/ofCVGGfX134R9kMKy:u/et/HU9zPjeidP1Yi/dGyA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
348	alg.exe
3820	elevation_service.exe
2028	elevation_service.exe
3208	maintenanceservice.exe
2956	OSE.EXE
5032	DiagnosticsHub.StandardCollector.Service.exe
2960	fxssvc.exe
1268	msdtc.exe
2492	PerceptionSimulationService.exe
2736	perfhost.exe
1572	locator.exe
1016	SensorDataService.exe
1584	snmptrap.exe
4532	spectrum.exe
2336	ssh-agent.exe
1252	TieringEngineService.exe
3920	AgentService.exe
1828	vds.exe
1816	vssvc.exe
3156	wbengine.exe
3612	WmiApSrv.exe
1852	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e209dd5c293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	de05679a06c2b48b06540d39eda411c78107bf12e2a703d9dda75a9c1c90cc51.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d94979945b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cbd7f9945b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006283469945b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081f85b9945b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f66b909945b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025171d9a45b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2904	de05679a06c2b48b06540d39eda411c78107bf12e2a703d9dda75a9c1c90cc51.exe
Token: SeDebugPrivilege	348	alg.exe
Token: SeDebugPrivilege	348	alg.exe
Token: SeDebugPrivilege	348	alg.exe
Token: SeTakeOwnershipPrivilege	3820	elevation_service.exe
Token: SeAuditPrivilege	2960	fxssvc.exe
Token: SeRestorePrivilege	1252	TieringEngineService.exe
Token: SeManageVolumePrivilege	1252	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3920	AgentService.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe
Token: SeBackupPrivilege	3156	wbengine.exe
Token: SeRestorePrivilege	3156	wbengine.exe
Token: SeSecurityPrivilege	3156	wbengine.exe
Token: 33	1852	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1852	SearchIndexer.exe
Token: SeDebugPrivilege	3820	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 3292	1852	SearchIndexer.exe	123
PID 1852 wrote to memory of 3292	1852	SearchIndexer.exe	123
PID 1852 wrote to memory of 3660	1852	SearchIndexer.exe	124
PID 1852 wrote to memory of 3660	1852	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de05679a06c2b48b06540d39eda411c78107bf12e2a703d9dda75a9c1c90cc51.exe
"C:\Users\Admin\AppData\Local\Temp\de05679a06c2b48b06540d39eda411c78107bf12e2a703d9dda75a9c1c90cc51.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1268

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3584

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3292
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9c68e8bb0f637c9497a9775e8f56d0f7

SHA1
2c37b411e0656158bb117da4eed9ae2f4c217b8d

SHA256
674112aef42d00f19018b440826d5824486ab46e1d95237328a285d8052304ab

SHA512
147ee292a70de9005b57b8bd52c7038990cd34977137601643abd7e0643b25149f42390c970ab0eec4a6872d9ef1b2f72751b2404877d1dcecce64e4e92001a1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
a178288e13fd7bb0deac040c17155814

SHA1
2c48619aad589bbcffe59c10c9104f72096fbce0

SHA256
aa17aaa64dd0a40dba86030141a4506b6815b729bf58c0c38e67a53e69c6b19b

SHA512
c513527fac43c7c32f6e1e2ab432f2c1033e88f26c29a2aa3cc126473d47a5fd338cf7a8f3c8943147f8177f1ed699f1315d0d840814151368b9282e5db3152b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
1a0c50305dfe2cae11b7587d0a479df0

SHA1
30e587c7a49d76bbaade18956bf31279c56326ea

SHA256
c137aaf5d25d8d582bb2ecbdd4f9899858582bf715d09887fa78c3337c6dfe08

SHA512
7285230bf3a7317eb049980352c40d4adebe04af81e96e0061eb10ee14b76891d130281804a5fa4f8cb86b722bcc8fe22042a9229762e32d6fda87afdd4415ee

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7ba0708dad6623aad32ddad6c16d9fd4

SHA1
497b3165808185e7c6c0bca3efc2cf0ec0235468

SHA256
259a783ab9b7c2dcab798a01c630622caf014f7762ad92041fbf52386cd067ac

SHA512
667a33589c65ff3938b001008b7c17ba0904acddf1a624aa14bc7b3233591a37bb85db7711c68604b40ff7d23945dff597e3e6f881b233082a29c67dc8a9a927

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a37b4eafe4fcba154dba5ee074bdee7a

SHA1
c7f9b03d751ba5efef60ec9e2d9065552307b8fb

SHA256
91119fa1b4f2cf165b8a917a65db0b13abe733efa874d27abbd8098ff87b2685

SHA512
c8a21618a301714f9946f5c81256ca3e33ddd15a0c8b1d301853492b18ed4f686d6acd08b207b07eefb6c04b9b84e963ce52851a950128d10deb9217baa11c19

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
23578b6f55c4bad603204bbd887ebb1c

SHA1
9602422f14aa637c395fa8fc9ed1f6fb14b22d13

SHA256
1cfc52e78ffe0689ebdb096b01c33bbb4695c483e5ad185a61daf2d4ccebe01d

SHA512
822a6b44d0270d7a6378b2625977371e91c7ae53177826b0461e387fb91d13467dd17d3b15509ef06c707dae7d1761b2c6020398fbae21c1c77802548644a557

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a2d14f67e62ea2749f994de5a1fb572c

SHA1
cefdddcf9284f0be473c73ff53ad4994252081fc

SHA256
5ba0543c1ccceabc6f922799b948bff05631b423bf1fc1eabaaf5bdcbb5063a4

SHA512
83fe8ac1db294531b8b491b1856e8794598c7641afe6c6fd9a222dea02f032fef820958093504ff39d718445d223edfbd6d4e3748cb315ba833a534dd9073d46

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f0080942d5f2efb6841eb374dcd19119

SHA1
961feb7afc09f5d337b84c6283defc1d8af40a19

SHA256
c76aa2a84c07d1eba87bc390a657800379d0983b3ef0313a13577268691cd70e

SHA512
78cf101ae8d78a5cba2a3326ebdaabd3bae657e477900a3991954b94c25cf8671d5a1a7cab8e8907db1d97ed7d5e4e21f6dfce07b0213f93442f66e6ab670a60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
1f8a54f9f9c5abb9429ce8a01318ed75

SHA1
efde5fb773230a9398a8008f8aecbdc29a6f4616

SHA256
b1a7a59fbed10e51c4da0f10e49f16e7110f7a2c605e76af07bf127ced886505

SHA512
3fb9d1ee40b306f4dd48e7a42795e2ff9a3d433644948cdb74f742eddf6459e823e4e81a522b3e1ef9111911128efbc9d233f9269ceb628eff13d258363edfe9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
04d88655a5d018bde0acf80b0e8b658a

SHA1
0e9afd4e107634634e646a72f3253d7ff4455037

SHA256
e488a4dd66134cda86482956a4ed48f97b119c40d297d0cd906356243396f37d

SHA512
07613084bdbf4928fb5582f189b036bdf83381a3cb715455bb3bf400b16d07ec8a7e30c60c399ce55899472fec6057c559e6a067f55b92a1ef00e28c71004e6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
29794da85e6fa5e62125437cd25be111

SHA1
ba3789c0eced34290fbc76dc80c5d89d5e9dcb8b

SHA256
38b4c3d8e409bc5e853a32f39215f3b9cfbb43d0db22dc7af8248d5ae57677b4

SHA512
d2d24a6e8547042b21dd93ee3f3f2835e95d1eec40f0812883ee913d730db7292e0d8d5b8bc411cd4fa03e424fc7ad7a008dddd8927c48baa3c3f1eedaee4aec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
87173dde9d20cc9e817a3ae8ad713a4d

SHA1
f5ddbbbda8e973ad11d24270b06668e852a59981

SHA256
7d044025e9047449e54eacb90df96f2c60633570bea4a1964117c0931b7a4b09

SHA512
632bcc3448b1f440df148eb193cebb6f6c00529f8aac4a5b154abb428d064f13fd854b18c80d6dced78c1b686e33512df43b156fcad734e7f85289ae31522e1e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
81644c5bd8938bb6bc36068045e55f19

SHA1
756da5b53448282b1a8a65a10850d56913fcacb6

SHA256
06b575287eb1b6e990eb9c3e35175487a1b68be4853076c82f9370cf2d5ffc01

SHA512
7489880970f640e7526f57496d3feaa721820c16ae2109c9fe1837a97ddca8db4ffb6d342a00d42bc28efba56d8957b5872bfde7d3ec3aa61406da87fc4add75

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e280e24d4efc433da8453b0328e130f1

SHA1
4120f98a73f3a0694529adc1e86a12bc103ca280

SHA256
d4e0fc48b2ab729445254f3c8bdb1b33a1bf99e234e9f806970ffea398677acb

SHA512
c79450ca6e3802589b2a4dca60a551bd5772d59258d93b02b61829086b893a24e421527171d35e462c1c530d5984e34800d00e64676c0d3273d8465eee8809f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d06a31694ea90ad6e79de1de8b0b4d6d

SHA1
22493c37651b685e33f80d2a0878965eb39b6d6e

SHA256
1047ca932de55abefad6296154d6649b8e1261d190b2b153fc323b244e487be5

SHA512
97ac7e48e9d7eaecd6becd1053d073ab534786afe76d357e88156a12064560bad24f2958898773bf65dae427dd970ce4b28a1fb738a3f69b28d61838fdc151d4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
21cb21f0c0f42a2fb5f25cee9f0c61fd

SHA1
0f817ad8aca1f9a3e010509a51c65eebeb4b1cda

SHA256
064deabf570a2f53abd57e9145880019637262a8a96e2c0fe2db2e1cfde865db

SHA512
8af3ab2c6b47597995ad267fc6a4ce9875b79cf718c798c690ea583a69bb8a028f9ca34d0865aff9de407e72e8ae16ae675a7ca90eeb28c24d90ecce0d83d19b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
83910a9c0b7af01bcae40500a66a35ef

SHA1
7dfff9b7e51567633b9cb7a2650e8760fa96e230

SHA256
d2ea4f246ddafb26101af0fd50f3886b98e44393913f8a23354ee4e8f76372fb

SHA512
e3b23f21b404f7b8cfb002b8a3a97b8037365bde17c98a779666a819afc9330223b78e40a4776adb697012b407eb626e0b9f99cc5162478af4c1a125ada7b35c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
482c921342bf5fadf6e8ad40b58a4d65

SHA1
e8874ffb55dbb2885bd9f7d07927ddae55f6ab06

SHA256
eae70a0cf9a72399d5e5261a5c3b8336cceb2bebe89a01213bebc98dc3fcb6b3

SHA512
eccaafd9737f5305935a6703a3d3814b059f26f897ea0602eac2156c86c3f22964d01591e423fc5c34a51cb8c0f964d66fa1691c0d2ff4c4a645de10853fa9a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
65d9f70a1cb60b7cda71343300dc7c7c

SHA1
ac072d5b01df16137a3d4c3f2cf1ad0a15a91cd3

SHA256
a54f3565ad15be095558d81ccc311aaaf316f169a6510c4d5b2e8104ca905cf8

SHA512
58f0471aae30733be979dfcf26ec988591f366d75b50bf21b815a5a9582c9f77e817634800ea9c8a0252eadbc9e4280c55393a77e660b553886238f76bdf2d0a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
edf7f2818c8a42385f747a49614bdb99

SHA1
59bffb034afc62aa20c3530224ee2ec66d98321d

SHA256
2dd1bdb79144b8777bbd2d674902bd3a2b3fed035bdf9ed5127f6cd83ce64f23

SHA512
c23af681d0c4d4e0a6710bd16747a790162965b2214e9bda27389178532be442dcfe0a211bac23d0d2f4bc64bfa796b8bb8431386639f2e615376a192e9b7793

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
0b598b04a3c234a014e0a661395d1413

SHA1
9a66c34174044a8d542e0c6ba90c419097aeba28

SHA256
2839d72b26e40e3c60d55ef1f153c28198804c7c807d3357fcd7c34a1cd051d2

SHA512
17fcd1ad5b4f32483b2bb161c5818f21ca00f65f374251eb57be9c506aa2f6282513ae893ae0c79716eda4dc3617f10c3cbfe0cee94554c123994dda1dba7830

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
9678f2a456476f3ef93fadbbbb991cae

SHA1
bb619ee04ea3de71476e0a78eb2dcaf480e9c644

SHA256
10dfea29e66beda73058627e5787179a7c96e1fff3f837a6b454bf43b15c5343

SHA512
67aba759c664ff5204e18d9c28551737e3ee91aa3aa8bd432dd7898c5fd1cae6e3b5ea4e316370737675a0c7aa49f12c514dad7b6eed581fd2852182db8b5a50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
c7b8b0bf9b2558639db6d4845df09c0a

SHA1
a5f463e604f498a0c24537917e04bcccd138a510

SHA256
93ee2381d92186619748f97793b4bdb7f059d4764c1e39ad04c90c95bb4d8e68

SHA512
1899e30fdb0a0e1218b21650e229b9c535e57eb8ba321bafa4030109d72a5827eac14b2ec0c33e7bfd33048b052bf3e749062c9499a4d7ec162970f3150035fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
14074c678fe9336fef0eb8484585e128

SHA1
8ac0f0c3762b4d934e1d3fc124db31e5ab376225

SHA256
6545df47dc7d000a8f8b8a6bd6aa75201cb14471fa63cd494656b6c3e0bfeacc

SHA512
fc3efbac31e6fe8a0639456133729c1120a5f4683e424493b13ab350a2ea793fb8dc15039b64887d9329a6dee6e175ba9d7cccabf2965780ecf1019b0f8f0ba5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
1da3c2236302912ddaae702a9b6f8b32

SHA1
3fbf1ca4ad7a51fb12b61e293c5135ffc48c0c72

SHA256
cc36798d2d6ebc29603f69e50e1e5ee8fd97aae9aa83e36eb54f70c69dbb71bb

SHA512
451030f1497a91d7c7c1e7b106ae2dcb8b6c1ece0848b78d5940ae9e8fbae83e4f71c42ee9fb3ca5f945d5e14255afe65c74f8a621a53ef638d2d6d6681dc0c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1353a81bc1741567f11c78d473e876f0

SHA1
e9afacbb40e6988cc59323b9c1918539733377cb

SHA256
4a0b727ae901f8e941a23ac416b8d077c7fc7fc14f49bc59ca4bb462d1d79c5d

SHA512
cee30d9290749c3715e94e1a284b78f6ad50dcaef962c32db8e42a80f2bd71001dfafec4b6a2b8ba4c85c24a85a516944149a8158c37b3319f065599498f9926

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
dfa8ab73908f49bb6c1cda565a1977d4

SHA1
656758433be00d6ce7859d9bd61b2515dbb75585

SHA256
7f6e5887f48c6732aa0db6af891e22f0c35a789a81a9e6f2cdd277de3dcb81dd

SHA512
f43ef92402222e3801ad6f2d18837c9924bfa93bfedcbe24a859e7ab835f10a3c0540364cec5457cc41329d55a1c5952074ce3496c9f33dc44281e4096c1792c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
8d8f78ddf05d84c8897dbfbcbfabb100

SHA1
abc6c2aa20544cc70e68399781316a8f986ff391

SHA256
2821e6e3ae46e5120bc1baf7d4bef78993e2a6818f9aad5f99582130f0c9bd82

SHA512
655f98d32b311b4a2f30ee72329232b537c2c74e8e7ef69480a5024e038e2a51c9c6ba2b9831fbbf514906c0e36b5b416f41d5168359857f51981eabc8a93cd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
810c50b0f122ba7124e5208aa57fd639

SHA1
7c8740cb65211421fa8b86a96baccdc754e1539a

SHA256
65bc57f27f397c042913d391dc4138eceb70177c9dc80ae619c84796f69260c7

SHA512
435d8af903740ea0ed8bb7554b5bdecf0a75ecc03fb523fa62e576e82bf32242c79510ca04e533d362a608202f763e1daa8073460e386812a15477ebdde245f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
c073abef438df60287687ce854eb6596

SHA1
ea2e24a460b35cc16924c74968576146082d995f

SHA256
0933ba1e5f90b098570de2cf8e37d279529b56781904c75c1bb6400594202e8b

SHA512
2f2bf4b250836f53258c8bfb18e76b0c7b9c0cb0901ccbb53cbaebb9ba062c33c338b54ec9286cf51f6c6097e431739a35e0979f3042974a508b89628ff8cb3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
b4cd30d4212e42a3a785ebdb3d5e2663

SHA1
ca59dc880bad9f1101d9d390662a05439d6708cb

SHA256
a85e9c44cd98b39a745918bfa85fd2d34d4cec8a47e659f36dd9262ec64d2954

SHA512
03d65b1ccbdab977324d9eaad6d34e5db382dd603f77bcd228566f958448f6fc7d8f7e057ad226caf2e874b4e12727d8eeabd9779fe0be577414e49a08bf27da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
a3917c7c288dbd0ad577e9e48b1f4511

SHA1
1b3b0af2d7f1e8f967ad7cd95810d9d03d268cc3

SHA256
30fc4c292bf7794588697305003aee095b68564100e1edba75274582adeb3d29

SHA512
65cdd2eaa6645d8ad1f5e4c2d009ac47904e206585edbf0cd61d71c63a401964cb696d5b60ecd7099332ea49c13bb809f430e8e6a8a048f346362aacd5adf1ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
b76198b285182e89b6019804db179f06

SHA1
d43e85a4a12512b646496ff88997dd8c6eed652a

SHA256
a70c369e7992a6d4bda4417a7fe241e27caa29923901dd4aa86f87f7532193c6

SHA512
ff4c0035db0e4939e7dbeff96aee0632dfa4f69d76b422467ee2cf754d362a9cea9722105676adb66925bae906a597dd0e3986ece04e5ad2845a2225197028a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
4dffbed85f127b4dbb6cbb59edb2092e

SHA1
799e7e1970565e7eda1168a7799c98bec476465e

SHA256
b14df8534c4da19af246f8b383f635ebc5f2ca34aa01e7f1549f9bd6a707aaa3

SHA512
f78c5291e22c45caccf3a6f681ef6697bb3caa1966577915a99ddf8710b30ecffda3d806515a5749e12a870bc3c52fc99ae9f574858181d30104ff7312b49c0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
78c5ca0abbdd300faa6802e7860a8e84

SHA1
4e07d3544451c558520743598968685ebea9666d

SHA256
dc2b72542fa54cb7d57f1dd53e29086e08b71eebf2ba51fa5ed110302a6f746b

SHA512
24a13a41e813ff16036894ca9a73831e6b5df810b1ead107fc61697655285d1f68a8be23a76a8d7e4db35dc377aed70b4ad54067fda2ec69b94aca1ce756f617

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
3d6e3641f2d3d362d172376fa139cdf7

SHA1
b3ea8f2476a24d4d5b2e077699fc6e6ed4a38089

SHA256
71bd74fc8043a1be7ccb18c8ebddf787de9924a7dede134d0bb4d0cefdf5cfad

SHA512
b549d3b93edb95c66016d5cef14ff7f2af64311eadbecc83fd097ef26196d2b5e6646b3e1d4376595023203e4f714d99a9bda4d76ab50cf147de67402215190c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
7bcd37028a16606d5061c4a25cfc67f3

SHA1
8df6ecdc326bbdf854892e862a77ec4e4575d008

SHA256
c0c600b0dfd5321ff63bf2db6da8ebff1933e58cbed150b3d2446d647e007e3a

SHA512
78f66f8b9441eddefc7a4a12f69d5906db14ecb8b4d4b9b8a422c303892e2a488bbe6a29d2ff102ac446a459bc4146f68d0571f8337e96240ba6c51e9ab31a1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
d52bc05b3a12dda015acc038dc995336

SHA1
a417b0a6e705d779936d33ac493373379e1899c0

SHA256
2f01eb27990c1e3a00a2fba1b34e74fcabb4b2ea28b857eb0397e134af2436d8

SHA512
e2ad0d22cbedd9dfc9e7c73d297fc57f7297616adff6d6e8d4f2f682fde2d1273574b5ead3519385b95446532a9f09d5708074fff196306b21555b3a074a3363

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
0e9db3744cb9289632aec3af8d896454

SHA1
4ccd2cf9a51f4e9218270937c96ccf4b72386ae9

SHA256
161089aa5368458a36e915cf683f94058705afe8e694e1b89d435a19d0e0e1b7

SHA512
5b3ce3888c4f6618b64e24c1ef2eb973c08506b53ddd44eea1ba1df793391f5e93499de79e4c8e1a2fa726c96fc0aa341e9d76bacdd9c7740aeec1ff8f3fb89d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
978d6cc4d74507a5cae1a0055e160794

SHA1
2c46c6ca154a718d0ce364afac2f2411c684baff

SHA256
34e4f5bbb11b4ef98f1a5e2b024d7bfbcd416769f38fbaaf0ba7ddc0513a6f59

SHA512
5fdbf6665422d039fa474b1905eb066d6097bdce6b878955eccd1504440174bf7f4724cf53dc591d93ee2b269652bcb81662aad41da0f0864d208539b177a9c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
e5ba58b30b1763a7688392b5afbdeaa6

SHA1
3af812e1326b084fcbaad20a8fb5034f5ae43e8f

SHA256
b492bf4feb5cb42e04f1ee92b5f5eccc224e9b406cbf35c4d5428287000bc50f

SHA512
c377788f0ea617894f200529e0fe290e7ab608be7886a4f6583d369a419dd37e88d4169b79b9cb4ec37f37ae6aa182ac18f90d7c20d6805dd8ef001a2792afcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
7ee4163004fd0a728ee029120f7c6cdd

SHA1
b39aae4a14ce1f4c795bb7fdb3d9ba130cbcfef8

SHA256
e4ca916009954252c3b921e76f2f751269ddc41d3197338731da9fe423e1e476

SHA512
38fd648bbf4b533aa93a8befe46aa7c286473b80133f74d630decd463ca2b7b90ce6b85ca662e730bdcb9421af0ff51061358136b5e2d5f066ff893216ca874b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
b83b3a7535ff85a55796fb903c3d8130

SHA1
252053fffba81ee51b422c0c04b32a577365097e

SHA256
831f08109b7b37acbcff3d2dba8d051709f3a61a8bcc62530d654332782674a9

SHA512
5dbef69683f837658b11d32ac05100c9f6d6655a496d4d6a5055f93408b963be6671f8d11fc91c21acf1bd156cb2534ba40e8df812237d8c714984f24796a124

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
2da1904287d206b870ac225448a7c3a4

SHA1
b624b50abba624ab3190a79170cf9d083163bdc2

SHA256
0f1a0762a0b0a70e68283933dc82c2b26d29fd67eb7af3473488bd5a13d5bbc5

SHA512
40ca6acad892251bf2210fc6b5bb5039f7b39f22db0ad8a61257861e9eb199c56d24e6cd3fdf25c7889f76b0c127829a3fff0c508be0ea24e8062dfcdb6e5cd3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5b49645efdeab1f91f0097124a9dc270

SHA1
464104707dd32fe2cd1b68608c51a20f21fc8b1f

SHA256
027723d2037b4b9bcbd05d02c89b00af89607ad85f805546a5dc7c3ebbe6c588

SHA512
2e4294392c5137bf9eb284cfac527b9dfcc1e63d0b4981d87aa3a02827dc25d522b2700eb9b119384873ca21d5de29b6619246a8998dd4d4e0248f3106754653

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b0fdcc180bd79ccd1def2a5d8dafaa1b

SHA1
2fbd702d0faff0ec5d62cc887f0b331391dfe7b3

SHA256
083fa8c86244461e55fa7f44c388e8e2e928a4c6596b9aef2b5730e1770f3056

SHA512
d65ea765387e026ef50b9f0e2f4e977938c9027dc0cb318819157ba1de5b5bf932cd8846a8e3ffcef30601c59c71b193e05f298e1670f0655f943a8faf810a84

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
cff35ee3a50083e1064be2044f4424d9

SHA1
d480d96ddecea6c97cfe63118e8108e4b3e9d489

SHA256
5bd5b5fb664571c3900cf1caf2fc894c015d873e4e2a0fed3a0d66dbdefd4385

SHA512
7bc9492f5135d26e6f83a171982fcca8f953aa8834edc43b21c0d33e105b62f21f12b735a05ed732a679360147a875818028c781dd41553483fa2f3d884d5a7d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5ec61ba78419391f17fe4189c1895896

SHA1
8675a162610de4f3c3388e49aae08e63d89aa531

SHA256
c29636042f9546e1fa645518098078916ee496b86822a1f1648d76c464725554

SHA512
95d2b40afb7598b16829eed15b4ed8d68ba6e359ef6c15665e9da3ac7c7d690e3af19326299ede8ebb369b2ae425eacd1bfc218947ca6611433ee1a0ef603bde

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
309e265d2351e94d6faf57b24926b9f3

SHA1
8860b4941b2d07a005031b937247de0abee20ba3

SHA256
ecb6907ae62e1a42dc0f2bd8c13cc7a8360ea7d25e96325a26b02cda73af656b

SHA512
70da869b88599e2ba66a6aab5fd5986bff5830b723938362b5ffa54cd09137888ab118449114bc5d573052cf8a32fe072933c1161904dfaa9e1c29ad97159e16

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
26d5b05d25e1b38b11e18d97236a2feb

SHA1
3b0a13a1b362e428cc9664c60352edd46b560ab4

SHA256
a9af9f220a99454843d534ed031046c7dd8c800873891cd9e253427bad7736eb

SHA512
5fa2832fa47d5a850eecbc763e7eec83cdb6e83b02cb0dd15ab1cbb3e53970d57fead34fd499be301c3b6610532404a742a07cda70886430858cd20ecb1da59c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6f13d61b469c0e095273694ef9a7257e

SHA1
fe20d1c444c19ae97072b0849ab7b31e9356fa54

SHA256
3cb6dedb250bb6a7b01e4babcba72c5cb8e02d90e4d7759bd23ea40b23ede256

SHA512
2583abe59e0ffe0841ef123bdb0464530c01e209293208c90bc313401fad057312279b0cc2e3ab15b1c4e44172b6e49a3cb2ea67f5de79099b4c9945b42ed40a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
714007fb70c13bc1a24be542f64318b5

SHA1
962090feece1a8eb7a41a90d4ce85bba269e8503

SHA256
1ccdc3c0213ba39ccfde6154a64b170811b0a4a492a386a234bd44d80f74637c

SHA512
9d62fdd7b2583dd0e8a52968f5867569c10b6f04eb49c0ae21c35552602ed8befe99342025dadf8bbe9be85348c622ba7ef75bd7df26865304d1a2f4ca625b9f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
97046b5ea8aea6af73a5ac8e59b28c75

SHA1
7acd2125cc377a00aefa74b462902445ea07f3b8

SHA256
4d6fb27328de55e4013e4b4f9a01b2f7d2a64f78c111b65df736cd58680c0f08

SHA512
c2b03a58453e5ffb805cab96fcb444430a18489927bda93a94777acf7b1cda2310e7752abc34a8d13002c34bf9fa4de27270a60a0a11ffa4439bda50219936c4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2c55c15bf2b6101a5ecb19d7bd955bba

SHA1
12888a9d11baf4b63d1ac8056ee59704f2cd84cf

SHA256
db4e875c15884f7cd9bf5f73a6209947aa5004e3441cd1f1d9f8dc9baa8ea12f

SHA512
c5a39dd4083d744b51ac13f7229735e3f164563c79a0e33739e6f931163dcaa316e92ebbc2e4352fb1ec943beab464d9f5053c35e43d21c1a008f5a5d448d7da

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
5fe4b1d91f17b07bec0936bc4ae0700b

SHA1
8a1b554d75fba602b2299f3d5dcb29c63457e316

SHA256
06a49e73e61fe006940c8160213bf34208a666adfcf3e36794223bc7615e44b5

SHA512
16c5a02090830f0aaa9dd255baa4e8018affc329e01239a16720b95bc7bb22b8b8bc97076322f5d6810a4d0762a1cd553f7d7a2ee05f848a428f582dd430a6b9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f4e9b94d9a1dacf460e82ba3dd88f9d8

SHA1
ec2aa2cdbe79e37b18cdd6136f9fdec261b0f2d8

SHA256
f4a5fff06f6947496d0605c218d9b4ca85ec186c7805d013a0a835d81e4aa4fa

SHA512
2248f2d7dd9b162c651f0499ac2547c3c960f7ae1181a4d6ae029646b8f2323300295bf933c4d05c734364b164139cf6159d04e2fbba1438df37bbe3e4d4c99b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
084d1fad814b0084adf0a3c8fcb2e30b

SHA1
475958d20267e03ee2ae54adea50199dca1e400d

SHA256
8602aa0f86375b96a2688b5b6fa5c0ab0d0cf6c4be97b1ae618826fdc7cf1812

SHA512
983798c44db4eaa0d3cf07c2d051c75ce8223c6b07c19ec2974b06566309d102edd31ef987e33fcf3b68b0bb0823ea0c5322d8dd2adb3c202d39c3d591b5038c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
c2d42c175ee4a741f5c7a3ab3f3c0fc7

SHA1
f37b8df507fcbde55f091e402d559f504680b80e

SHA256
11a25e27c4f258ff1722aa2270bd4a5deb61937dbadf42824142ae5c506967ac

SHA512
b4c78a951040ab13b2b9593e01df179d64c4324521761b603267eafe9c17fc6af29a98f5262663de8afa7953042b629cb294c0b9b0583e36f784e42a8efa1c50

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
b0f41d574af49f3ab9d5d7f13659e8de

SHA1
5a03369edabbd6aef0594e568903001eff44cdd4

SHA256
4a9b9f0754701d9bd28a9bec2035a7d2d4e6b8641087baa3ce8491184172c1c9

SHA512
08522fee92befac03781d90403aaaedbf48e28dc78402373dd456a61be2c57f43c2c4aaf799341e53f3c43e31231302135d82129ecad7e7ba747303f99f15973

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eb9b2952ae64318fce40c065b86e3981

SHA1
0e9a5461ee3e5857d98c59e19969c62935c865e5

SHA256
e7784b80982e41f42e201e4cc216f4e5d67e370b91aca23247835819bd0c61ad

SHA512
7b62b581486905768c3b4f7e68f6c2e43a28b98b2d932d20eb3a5be2bfed870d8831a5f230a995d95f244e9de5145e4a7e418378123f266e00b9497218e0bef4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
b15d4a6227bb0ab5774b7be6c5dfe801

SHA1
cd61a23b1587a92a5585b386a01b29f78a2e3978

SHA256
2af0708bb526865499de548cf709013405d2d8ed7e5b6752474081442c672ec1

SHA512
b5bcfcd69e0bf40b2ac353ac3e9efa78e1d90b9677163bc792e6ce44ba3af868d86579460d0195123c0aff1a54ad7831bc9e9dfb9f4e4745fa164ac844fea272

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1c1ac416c7152873bc685be6e1e9d946

SHA1
881e02bb7ed8f51cf84ba65b6439907e2a5c9984

SHA256
5115dbc1e39f58ef63e06bafa48d4636e6168acb90a732c3d9ce82154b02942f

SHA512
2baf0c53aa4b342c5954ea38db350298a337695bdf399d073dfa3ffa9a7eaeebacfbf50526852e73705d0e671cad39b70cb215595f210c405f50895c497204e8

Download Submit
memory/348-236-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/348-15-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/348-24-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/348-23-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1016-675-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1016-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1016-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1252-678-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1252-374-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1268-391-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1268-272-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1572-427-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1572-308-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1584-339-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1584-670-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1816-682-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1816-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1828-681-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1828-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1852-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1852-686-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2028-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2028-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2028-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2028-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2028-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2336-362-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2336-677-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2492-403-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2492-284-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2736-305-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/2736-415-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/2904-1-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/2904-0-0x0000000001000000-0x0000000001181000-memory.dmp

Filesize
1.5MB

Download
memory/2904-14-0x0000000001000000-0x0000000001181000-memory.dmp

Filesize
1.5MB

Download
memory/2904-8-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/2956-77-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2956-241-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2956-75-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2956-69-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2960-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2960-258-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/2960-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3156-683-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3208-52-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3208-60-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/3208-61-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3208-66-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/3208-67-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3612-433-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/3612-684-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/3820-37-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3820-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3820-28-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3820-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3920-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3920-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4532-676-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4532-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5032-365-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5032-246-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5032-253-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5032-247-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download