b95e78d33a08aadece21b2a93811123c2c3a432fe0978f718db55ec3709927d3

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b95e78d33a08aadece21b2a93811123c2c3a432fe0978f718db55ec3709927d3.exe
Size

1.3MB
MD5

64262dd90ed78828a224fbf30c18d0b3
SHA1

c615b57f6db3067cb045da07d6fd62da661758f1
SHA256

b95e78d33a08aadece21b2a93811123c2c3a432fe0978f718db55ec3709927d3
SHA512

f4ff36fd29d898655c82367d48b2005254e39605ad34c2fab7dcaf8bfa21339b6db443489620dc8ee643a3f3a42c69c63ab926345c3090e9e6498f5b3eba8e37
SSDEEP

24576:I3LutmkEz+PAVV/bOInO4Xs2ztR4iegxLHgZpJE4VDdXukYBI1ByiM9tAskNmY6I:IbutmkO+wROInO4XrztygxLHkJE4VBdF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3760	alg.exe
1672	elevation_service.exe
1948	elevation_service.exe
4212	maintenanceservice.exe
4036	OSE.EXE
4452	DiagnosticsHub.StandardCollector.Service.exe
2552	fxssvc.exe
4432	msdtc.exe
1192	PerceptionSimulationService.exe
3020	perfhost.exe
4552	locator.exe
3612	SensorDataService.exe
364	snmptrap.exe
3836	spectrum.exe
4484	ssh-agent.exe
4392	TieringEngineService.exe
436	AgentService.exe
440	vds.exe
2364	vssvc.exe
2840	wbengine.exe
1648	WmiApSrv.exe
3712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8b83dc6f253fadf5.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	b95e78d33a08aadece21b2a93811123c2c3a432fe0978f718db55ec3709927d3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030297055bdcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094d89f55bdcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091b29855bdcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa515855bdcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055165d55bdcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032412655bdcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064da8055bdcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da202a56bdcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098fec555bdcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006211d955bdcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1672	elevation_service.exe
1672	elevation_service.exe
1672	elevation_service.exe
1672	elevation_service.exe
1672	elevation_service.exe
1672	elevation_service.exe
1672	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4692	b95e78d33a08aadece21b2a93811123c2c3a432fe0978f718db55ec3709927d3.exe
Token: SeDebugPrivilege	3760	alg.exe
Token: SeDebugPrivilege	3760	alg.exe
Token: SeDebugPrivilege	3760	alg.exe
Token: SeTakeOwnershipPrivilege	1672	elevation_service.exe
Token: SeAuditPrivilege	2552	fxssvc.exe
Token: SeRestorePrivilege	4392	TieringEngineService.exe
Token: SeManageVolumePrivilege	4392	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	436	AgentService.exe
Token: SeBackupPrivilege	2364	vssvc.exe
Token: SeRestorePrivilege	2364	vssvc.exe
Token: SeAuditPrivilege	2364	vssvc.exe
Token: SeBackupPrivilege	2840	wbengine.exe
Token: SeRestorePrivilege	2840	wbengine.exe
Token: SeSecurityPrivilege	2840	wbengine.exe
Token: 33	3712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeDebugPrivilege	1672	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 320	3712	SearchIndexer.exe	122
PID 3712 wrote to memory of 320	3712	SearchIndexer.exe	122
PID 3712 wrote to memory of 216	3712	SearchIndexer.exe	123
PID 3712 wrote to memory of 216	3712	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b95e78d33a08aadece21b2a93811123c2c3a432fe0978f718db55ec3709927d3.exe
"C:\Users\Admin\AppData\Local\Temp\b95e78d33a08aadece21b2a93811123c2c3a432fe0978f718db55ec3709927d3.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3520

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4432

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3612

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:364

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3836

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:812

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:320
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4aa8b32cf88557a8f6735e83ecd0516c

SHA1
ace7be89939fcd61b14b27b4ffb319164469a706

SHA256
f5bb4d416c0fdfc4a14e38f33e296a7d67e3475b8f3f2ebbdfdc28d83dc0e36e

SHA512
e2035dce94187503e9978a6c388b0757ab200a3fbcdcf53b33561eb17a3dfddc94e74cbcd2f00d7dc4325387486b5dc14418fdf912fc5f04d2baf5408bd5d657

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1eafe7923c309f462a8a8592ea952448

SHA1
de6ca08aba1bd166efc368dc8a03432342e4ee6e

SHA256
3a0cc80e98f6d062f746007118986750299aeb0ad3be55316052566e5cfc0277

SHA512
fa66e260f0fb9a063c64be64cbf57cb2692e7faf8d345239df2582f9cdd529ad7a9f8bec2d06221a3c572de646ebeeb3982103ab7dc0e9d9099991ba5de927aa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0b0a7e5cc6e649e4ca2d59d92f6786c0

SHA1
4b7842debfea7d69e5a9af7fef51d58b4795ac49

SHA256
e0b7a84a7bfbb325be8055b134ae863995dd0cf457c68fe90d1963a3548f54d3

SHA512
5c39b391577556f7bb4f1cbb0fd26b3338371129982bf199099f8601a1f079360d9514229f02ae46b6b79522cb2a484a1d4a93826fe3a087a2dda52f80359aa3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fd73df2101ee5c87161de5eea9f49f6d

SHA1
91ddeee551a4fdc1d77c3cfbb2fe5753caa5f9b9

SHA256
eb0c89664a691a92349f1d2297f3532dd1e6abd3ae0206426ebb99ecfb8b89bb

SHA512
48c33824ae6180c5ded2341b7e27db63dd064dfa8f53031e91dce0f6a44c2c38f85a74739164cbc30decb201cb9f810e779ebc3949f1f3e826c851ba3d6f5e64

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c7fb3032bae9c0dcf29c917b910af67c

SHA1
7dd8b493307395ee3644d612ec7a3b2c61055279

SHA256
9f02814026960fe2fe6c688daa9979273c24d27324a589159b800f2d82a24359

SHA512
3edc67058e7aa07b89ba42f3ba083053969da29e26f7425c385a5e71fac02c8bdc7fe605c5fb0c9f060bb18645140578f901a087857dd70e33909cc2946daf83

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
17aa0f3f878c152497212a202936da78

SHA1
2e369bcfa0be5e416adfa66b2eb10c9a86785bdc

SHA256
aeab240b5203d1d5f420e8e44bf9994b263f362163307a9f43477b87fd82cd7f

SHA512
9a18faf121e97ac6da4855e7cc5c0bef94ebbb17dd60ce397c00432f955a018f715bb5acd67d5a461cc61fc2db68b4516b933f0ac4d38719745c51792555977b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
364391d20cf0913267c2b63e514b3fa1

SHA1
c292bf7429a8fe7052c1433953191098102eb6ee

SHA256
229bf10627886b65e650a4d0803a25b6a1ed2261d6ef3d52366e53e3e2a0b36d

SHA512
a0ddd7f4b18731b7959a87a7627ef7dbf20db859a79829cb2b12c846d2a04d0d554c7e7919433ea702aa238730b995a40ade19e057ea8727d98ff0e43af5620c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3ac0dd88afb5f98ab856245e3bf345c0

SHA1
d845617edafe030ba7473ff61111eb5ab8292ed2

SHA256
d9ba961ce3ac44cbaf5787ead432f341e3ce06d3ef6e2d1580e35ec2d4cd0af7

SHA512
1ca11e75aece79f1f0d20d626ae54bc1e28e3c97e9808423835167fa65b216c8405edd06d17b0faa8ad2e3df2c38edf4019c9d47246d663af6cbb0275026d9e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
23c0fa37e2f19832333bb79e64d5e10f

SHA1
a0debe48b7b33f6e1ee8183dc60063018b0c3125

SHA256
003cea9f590d80b8e7eae0615dd91865325ff7450dfed0a81cfc6c710067fa70

SHA512
fb3b36d08f10ef607bc8feb2d3771f050adadd46383cf17af2af46276177b3ec1ce353f27af4e910441463f15296af595c6cd3e699b4367c2d0deec1bc130820

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d4975ec7515742ab1a764e613ab126bb

SHA1
24c21aeea471012a82718a82dfd77f84def593f5

SHA256
ef14b564b52779f4de58d96b02708bdd0389f12e78d1a0ae61cd5a21d7298a32

SHA512
7d738cea75dbca53e4f953128be20306f523bea84444fc71297397af04c1202b8d78ed420cedca432293f9bfa58242dfab3d9cdcd855dd615c4f71561612b8e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8b56309501374a351d15044074869a5a

SHA1
dd3c76497087dbf5be426d52581fd48106c1c970

SHA256
f73f4c9a487ade708650bffc2ec896763522f2b1d77a803066245165ac658ed0

SHA512
89051943f2907ae76b15a5568de2a5f2b8dd7fc9bb427010f9bd815bc54b143d700dcebdf0082879a9cbd8bb44b458f73a5e4793d96c786a8ea3e6edf0ecb8a3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7744b1164dd3868b9c4e463fe0fc0794

SHA1
0b3281ac7bb9e9343df204e312f8c5a51f51cfd7

SHA256
0b989e2621711f041a0ee35e89fd7e22c2540a37f653824158c46ee18ce33080

SHA512
6c611cfdb110b29876db083b403cc65292039f2c8d8cbf3ace5a49c636decb76d22dad3b06b8222fa4342b67682aca6a992e0d7985d19b2569cbfd39a0ec5fe5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5c3cf83ff489451759f2b1ed3ba86594

SHA1
0063d967166e66158bb962b44652c37bc70a9b53

SHA256
6b0d8448ac29a70cde38890d14a3f976b95831591141fb7a6439c18a6acaf123

SHA512
912a2b128bd64f9a93d2abf6a0f71a4c7a0acb95b8a4889242a926927e517b3a01f65cfa3fd756ba37115b0bceca3999335c5618766019f3b4918289e1260496

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
433e9a831873aec290481d36cf54a30c

SHA1
338e4025723f60c0a07a190261e5104f1c7d463c

SHA256
58d70974130155f09d556a770d2329f2c75d91d5179be8f29418926806fb1b99

SHA512
1d82bfbc885ed02029d10b828ccaa5b1f3da632fe47483554c3a3c7df55eb42b3fc2f3e19173736c9e7d6dc9131a61b46be96cb66344e9a109359a9856a79206

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ebf6d76c3dce77e00b05178a5f086390

SHA1
5e112683b18f7bc989d206e86662fadbbe23c320

SHA256
9ad9e7141a57f086ddcb48a6571ca263aff52655e78619947a2353c468736d30

SHA512
951bd268aab32ef1a3eac78a4f95f7074ddde5084b00f9aff7ac563ff7f5669f79f6859dea6f8787d681331e67cd2eadab47572dd3fb91afc45b81775718a2f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d6fb26ad618cb8bf8911f9f10fd612d9

SHA1
adba627f2a1a969f78780bd56252860b9422ea0d

SHA256
13a8561179515977bb44fe2ec29f200a7407654b69e338be8e241130d7f700d2

SHA512
36abdd68cbfd42e75d0fda1951d3b38c5073952f75c84e607e4e7a28443f628e38040caf4d5083d56e6ff253718adfea4428c67617301d4fdf7d81018e8e7c1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f1413282b2d24c4d8df43765faf7bcb5

SHA1
e425f17130b699f2861a2f356f69b0f2a8a5a504

SHA256
eecb49cb57bb2e15474a999885353ecbc067380bb371633137493410285066a8

SHA512
fec749fc95324accdf113d05bcf9761220d23a052b8b1ae27fa2d69e19969c3cf9918f47ecaf90413e316c1ae192a9800ad94092bc3666702117fa81b3fbbd37

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6d87890099a927653736ced5f452e188

SHA1
7ffaa035438f929a9e54ddfa91e4f5e4e777dc38

SHA256
8645d7a4f6b7825770badf12e7317b0f44894430625725b8cfb0a02f0031e85b

SHA512
4ae287e1385d9b91562e9558d0e4223a8b2bee5cc7bbffff2b04f4b4a91a9cb4c950226c8a22cd310da29076f5460297be2140d06133e210023a79bca8f47c10

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9137c6d210a900e8119ee61d3ec2930d

SHA1
fbec80f15ac723b2d71c727c6ecaed2810333a41

SHA256
ae048e2318d4c2c7eebaa380bb40bcab96282a3a103cffefdb23d01ed178c1a3

SHA512
17525efc08ccd6581e1eda873cf20c60268f8cfec6f611a819fac14860d2121c26d5331af21cea31d1c3b566909f789a6585ac5087b3a759f77f6b009ac1b09a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
957aa622a4043dc73634762d29768d40

SHA1
35fce9312642a9fb04144754e3f1ecadb726752e

SHA256
78c5e0e71c4462b04942365ff4a39be711872236c5813c5dda3e52cd68c5abf6

SHA512
a14d0c1af6ce340bb88a01afe5e3a07d85f73ac0ea8454697f00479b5413220a0412c0c3f7c638bac9c5abebc5ba871dfda2e974dc330ef02237538fe16369ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
925486af805b26c25e43cd2d885bba3d

SHA1
1297763ff29faa7aa427112fd3f1b2cc4e749068

SHA256
baf4f8aff539e22689016857b43750232e318ec39a556800709183004b79e621

SHA512
1a0e09e6f0c5acf7e0bbb1933485299b878a53e1cf474b8043b80386ca6423f230ea52ecbdbd28f1bfbb82db4122471106efe6f8aeb324cd2c88b36c4ef3164b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
bd903767a7409f94d503749c68d936ef

SHA1
75cceeb913a4aa211a867ded7aff86eb3804eec3

SHA256
10902186c69ff07f479586878372cacd742f828fd2ed1b7e27bcb5e01c960e7a

SHA512
d0c730f803a13f93700945818752afa90a47087ff32a2b60261583b6478884f4ad332e65b62de38d7ff47b9c807741492755d8c969e42aa12360c51410be1229

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
42e5599ef00257b05e2f66353f8b0ba7

SHA1
b644ed084759038e75ffe79e5dfea8c9c5cfefab

SHA256
bde1f2ab4ac8322b20f0b6d7171c501613df7e45ca666eaa622e44d3bd6291a9

SHA512
6c2345d927fd4d43fa20bc217b04d429c6931ba208ac9ef0b795441e034f7bdc1276befed5e203a62249568e7ef7b4b3cecb8531751a29b0d7e49bb2cb42f507

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3b90ed37a1cd4ef6b871d103d710c224

SHA1
024bd659c39c8852142720a9d571f22e2a1955cd

SHA256
02b4e5dbf028a82f6336e3b5845a9ec459cf43468730c9162a812440d411afef

SHA512
9b1165c4a0d8989772aaa5dc5ea617c7933781d43671815b3c2be6eb48121b1144a4af0a3fc98a8e5383f1f599b5297f6d070bede4d768019e2a43d0a00ffeee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
34b857fa4233f24018cb8b2f67280c6e

SHA1
1cf2041496d0f76be0f41683119fdf9ab846fd4e

SHA256
7fa85ffc734940f4270e85cb78e87babb74b6daec55fbc6d8aaa63bed6c33d65

SHA512
c634ae87e337deeb979bd798287bfc247c9f5cfde3da2f5858ba121eb420c998cf74ec5d54f9c1fdabd78ab9a533c10dc36b1df0baeba9485bf041fd2a1f2672

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
4666edd2ba3b27b23752a6512b0cdc0f

SHA1
ff8884f309ee0f08ffed6ce016206fed8bef8890

SHA256
409c82520802bffb5027056d166595a1385e7a7753f7b30d321466550822e3f7

SHA512
41f21142d09b819fd4db26b8db12a13539317ff89602909ba4562ccdefeb94989fb33d64805d1deee740872e4410f24a914a72f0a59757e3c0c8165ede5ffabf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3b7fbee90470ce508b8c63e58fa28dab

SHA1
e343663ffc21c706ee5bf032bee6ee5aa785a602

SHA256
523ff1b894ff444570d94c7c2ca99a37586dbac32038a9a1a036e8a826cce968

SHA512
7c8c6817a91809451662c8160b87009f46bc8171c6d6fa0ada4e777eac706989bd084d1c206030c63ac9fbe0477ed8772c8177b9678053e5f7292d91803a5291

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
9dc07369c4d4a2a82e327cdd39ba1e88

SHA1
0d3d9dd738ac60f989fd72b29d271e23af7fce19

SHA256
7baeecaa3d51d78d0568bea50fe7a9fa0bb608437248d9719cd7397f5430f776

SHA512
2925850c60e46004df451b09b9e8ba7add483c46bc25c6886568f9b5f128ef2519116b85ed5dc51b9b3689f4378e260a16afe744d06befa42bd5644373c1aa26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3faca47df1e5524d73ada86abb6ed8ca

SHA1
a5c483486ef98fb7c3c8b8343ec945104c3578a7

SHA256
5eee9ec8500b4ab63a77ed74adc07bbfe8d60fcb642716cabda293757586ba88

SHA512
c7d301b57821516eeb05a1d3da07b493c93e5309c5fdb99fab4f59bfa0f19e54ae145af96b00c1cf2cfb967f1d56e46056ab3cbd213730b592b3020dd6161a0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
9c3b817ed91632abb0d73ac6edda7380

SHA1
662cac8801e3fed222ff14e1dde8fc1e8ed53f97

SHA256
3187b74c42aaf14a55fbf597ea845191143d3d9440c3d25c632b5820069df7f0

SHA512
09b281602e259d41299e19934bfa909cc8eb479f4567624d51c43ca4e4d21f93948837229eb9e0de7601505db615f483d7c79410811f8aea9633783bd4f90cbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a96505b02644ff155fd4fdd2662fa774

SHA1
063ffa76efbbd73e4da183c28aee25c2f3f94f90

SHA256
a635030d189421656d05ef7ef9b36c17662a9e7d04489b47be61d0ef2b83b0a1

SHA512
5c2839f60fff9bb0f0c9c76aedd6f1135fbbae2b3343b686c507b8e8b8aaa54b8cdee93d97ead4cf42f3f736318dfc9890656872fe7cec5bb8b574ef1f3f20ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
93ac479df3e22227714303b9ad134544

SHA1
077e7ee9df3e30d31f8ee91936742a2e859ea348

SHA256
cc86471f7d1fd0c45e0465c5fef649b9bdef46ec245ac008f7b650a860c11783

SHA512
c5cc9aabdd465e365e8180064e1c5026de6ea49ebd48e62b9fbb1116f031d647c1d40095ad6bffe39fa03e7965d42820a14af281448602f664b2bb85544d7cd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
bac77a0b0b09eca605e3919cf9337f82

SHA1
7b7a003388444ab68f36b6e7ff600f8d794bfe6a

SHA256
34e2bb1ffc84f8467c5194f30b9d34dc9295e111ee7fc50c5dd677452bc0f1a0

SHA512
bb464ebc777f9798db2a846505ad52ad478828eaccd777170e8ed87f7542ce458c665456dbb0fe850b357102789d3051039dcfdd8397b7e71e53d7a91d4f3b40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
3bdd65b3aab10b28d1aff47bc94adc7c

SHA1
5580f145671f527b3acad6e12ca4868f6fb0f279

SHA256
f52d45d40a6b78c6a66e5b8ab9c88ddb67bbb2739c280cbc99ee1e675783f46d

SHA512
9a3b2dfb42df2a57e283d3db5deb7d0c3a3ae3c4b5041994544d9fda259a5370da938e1861f6911e3b146cbd8d083ff21b72bc752770230e8333ce5663eb852c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
1e7cb1f7ce2c070fb495c5b29dc0ddd3

SHA1
a4c355bf279527a897a49528e1d1ad799c3b23dc

SHA256
4457a8174821bb95dc64a45759bb3f80c12e43361fe717424fb86c4b87b16235

SHA512
ce043487ac7466be418fa25bece25f01bbdbc2f006dc72fd1ad4e717b9e81c4f0453255ccd6890f0d87ca8a3aca9262d337bde44e4408824a6e9dc64d8a8e623

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b8f93317409155f44773818546020a89

SHA1
dcd4f3bd06680746e45f7a02be00e5186dbda03c

SHA256
a83fd80ab2927120c44bdb0840501e400c7576066aa474ea896535f79750000b

SHA512
477b49b097d62e7580f80522230529deabae157465cf81379adab003dd9d64eea146842d7a9a84eca75d42214fa9d708873a154a327e12c9a22c78934c899cfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
8d35c673d40d1b3cdf0ced63c029778c

SHA1
ec853d7f36bf0e82cccbc1da60131420d1dd9959

SHA256
58debc405b78252a49c4e689ea69b2d8f3e72049851c2ce1dedfb622e6d88e63

SHA512
b8f502b17c9338e2ed1ac3537b12d219a88f8a18edb67b71778e521ec80ef148273c49d537524241705f7764d6ec624189ae2b3d78841e39a155137b4cf50314

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
34674562cfa90d30abc528e406513fd3

SHA1
693baa6715ec8893f36c70352b67ee27e0bd21e1

SHA256
b958bdb439b508abb1f32ebf530eefb19d7fb4646778713161a4d9f32cb6b5ed

SHA512
9ca6f308caa6e7c9d62d7a4c6ff6b55dea2b0135f430e2a3e980969c6027fb783a883f8b7b6b4d2cd791edf0c8095937cdc152949e533b4b378dd069f585b653

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
14f2a2e5a697ebd632ed8700a217cace

SHA1
85c57fa912f0a0852b157890faf6c45b1fb524e5

SHA256
f157b132140f655e367827128bff28276ae7df011c9b3689ce7892dcc9b0f23b

SHA512
27ce95ac36081cb3ee73bdacf552c6c868a34afd163cdb8f38dc02e829d5edf9bb2bc967aa9bcc5e0181a91528357dfc43423e0474992465dc80d7155920bee5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
2e66cac23b570f79d4027f84e10ad11d

SHA1
241cd4ce69d32c8b86dbf5c20ce7ad239989d8f8

SHA256
fafb7a5d25da3f8d567f1154562439caab0d0a345c535995cf7b50d6766f02cb

SHA512
8be0861e1fd301af0e232632562962566d59a48ee3233103d43efed0331c7753ca7571d17c7b81b79bc6ba05a3bc14360d177d554f7a1d746d8546f78ba8370d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
2f3063efb6e1a021a8c77e78a0489188

SHA1
c9ce9b5ab30b1ca0f02f8efbfe63b49c2bbaafcb

SHA256
5e8ccf9b5b0b369a312bfc295866a35f31b8563eabb826dc965e8974588082c0

SHA512
c3803e65bfb8fa377d1300dca88ee8d80d6f9a025b5e9587a129c6d1cf1370b45401e2205be38f00ee77ed3b717491ee94cb012f828412f553e12c6720bc2978

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
3c8f144066c20871594ff970ba713c69

SHA1
4fee68db4a4657b20de2bd981d894006b9e36b48

SHA256
e9c48fbd55fbdd5fd98116a8f21a08b5fc3413eb57be5ccc42a212eecd802256

SHA512
c9a103429865e88d9792867d4fff5ba320f345709aed182300bfc86abe674150ed171cf8ab81337bdcf0729fb6799580d19343d84bbe595b88b9e7ec3e4cd322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
dce4f55250d8f6fafa5567e72b8099a3

SHA1
7bca866a2e76a4dbb5c2cd231db72581352e0ec4

SHA256
b647105f182d28377c28e81a1d3bd513cad1c9d9d9c69b3ae350e1ae57711742

SHA512
d5cbfd7de6b90b4a957219a41555d1fcde7e8ff9e246c94ec3c67ed1b97b21fcf4839bea95500479577ea864b52fc183fa2ab748fba79adf3875cb48cb94d801

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
97aa799c298bf5c5592dcfb9b340225a

SHA1
8d1229463576002505ff13b51983fb92221ca873

SHA256
b9ddef07b0ca1eaeeb6d53a25860e61a367c6cc35d1a783e7af1345679a9f163

SHA512
4ee7a7e803ff4d94b29c207c7ce803f860a667004dd6cc8d2f64678566079df3bc8f3933927a33fc4baff44d35c1b10553f13523f2d612ea37d2c2a2031403ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fa23d6185cd0c001e3e0e26a7b150c94

SHA1
d3eaf13f118fe77ce9c73513c207369d9870450a

SHA256
31d1718595f0dd51f9c1e810528c692e94eb6aded5c6b9a37da96964c4f074c1

SHA512
a626652225323e2ff45b2a03eb8978a800ad847716c0980fbbf5c3c06331cc1847415112371fd1b83e19ae5fb60b29ac9ead292a46c56fb1593334aa8fcd6a64

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fe5dc42147e104172022b4233da25db6

SHA1
3fe5eaaba00f9b1c9ff599cac81e2c01f5c978d1

SHA256
4b6ff54f06537589bbf1b08013a1545456d53681e774ae117a6472dffd753293

SHA512
44fd39915d997be3df8e6891c325e53966d4a8db2a5bab9bd9050f4a31688e8e4aba737b5f87ed011a036e9020733486eac8dcb26cd76c04ed69b5bed7f20c9c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
81d9aad29f191a133dae2d4a9596fb18

SHA1
e86c475521ad4f83add308e7348947aa6d02cef8

SHA256
788aa4be85adcbb277230016e0cf9eaa1dcc2365243b042c122f8b5478b40f1f

SHA512
eb84a00e63497cc7fb4544dcaa348c30c9017c2c62b3d18c6a1499d59cc4a72f7111f21c05ca84a454bc203bb6742a3a646f9beb72ff4b93b6a89b22dac5780b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4e9f39120d15833cebe1cb305c908351

SHA1
d7c91cf7d2c1f206960918bcce1f09c0de878bba

SHA256
90139afed456cf21e57a14a145d466274f6067ac60b0dfafd3b6ed65dec32f26

SHA512
b43ad9846df20f7cf5a59b168854f342ceb2c46c5b38b70f69b57c24960784160c89ea0eaaea60d565f16d23e921eb6ca7d4d10c5a5977bfd2924b4f369a426c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6099a8d46781f53a728e38b4ea57e033

SHA1
68a03d31ca82dd99a7528db9083dbb080c1ba3ca

SHA256
47a00cf298aed1f8430adf197531a3dbe64b72dff6ecc16097492e3f0473fdeb

SHA512
a14f0e2a18df13044257f4db45bb9155712c9c32816d22ada0b004794dfbda18033f728c7d76190c4ed567fb2b453db719ff574baa4f120499e2b49861249994

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f32555de16643e2a6ae143e14bf461bf

SHA1
dfbce5c34fbe8285ce651c2ff48e1f5b4ea55863

SHA256
ae29073978ea8ade5fec8223951796ee0739783c26a902cf8860b5be74b82774

SHA512
2fe216bef6b7c12971b48913382acfcb9a3377cbef58d8a7844d4f9ac9e878a7684ab117ed2f52b8a7850e3dcddfec270624ce23faa6e0a2e66bfcf72ef103ea

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
90775471fc00649bafba995f3fe6e284

SHA1
cfca3201cbf8bb540a310a45f6f9e39eb33a94e4

SHA256
fbdb0d1c1fea51e1d5fc7c19875481cc011b2a68f9d1d0bddb514e2b6871d861

SHA512
13fdf0715c950da6ff976f8d86a3628837d22a829b3777ee32e29137e3bbbac686703eedf83ee2a39c6ca12b2d1462e9724b1eff60b86f88dec6847fb350a6c8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9fc712ecd8a747eef498ab89373fcd56

SHA1
498b3cca9d4f21573dd389202e38280d6c65d71a

SHA256
441edcc5f4623a8805be07560916d506ecb24815995546497b06d46499ae8b5c

SHA512
dd0b1d7bd3b674d0dcfc69b06448b1ef950e91362292fdd66f5d14597084c9561ea0dd61927037f4bc3d06d69c03f34c2bce7f5e44c12c18f545c2429b76720d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
772b334ba48c4fa6954a55c78cb4b5c1

SHA1
8ad6f1245ebc6953160295398e9b0838f569a743

SHA256
7b2063228fca1c5860f7f940edca57de1b254612eea09102186b09b6ed5858d9

SHA512
3fe7d1553274970459a42b391455d20724fb6ce13b1afa9b422796c517ec055260617a87c660990734b06f23c5886e916c23a8ada05697dbac440c79e8c31e25

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
15608e9ebcba2e41b116779ae3a90bb6

SHA1
b53d7c2dade36b36274cb990efffcf61c584619f

SHA256
1b52b1e4f7b758ddcb5ab1415e7ce0133ab635a7847225c4489d7479d0b74f12

SHA512
f0d143dc7261a2901f0ad3593e98788c932171dd4ddfb3f1499df9e8fb686c96f87d2d66d78fc01c51b5977fc81126c5a87b22e0e42453a4092032ef3cb49c72

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
edceb8cd2746b39a79f3ce8f8e757556

SHA1
2c3bf40344bd76c2898459d1675f879a3f9e2294

SHA256
ec44481c200dd1291feb882f3b446de710a6c43b23c7ce3515b321bdeec5bfcc

SHA512
9a2b3ce88eb40ca3a1b3cc1ad570886d3ceffc8680d27f62f9dc734288e90f289acc8f5316603cc4aa347b5a572b9fa06c6363c897b689ed98568034b652b8d2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7d483621ef494cc5c8982514393c1667

SHA1
e735b182c2134efa9e6b8133510d27d27f9ac00d

SHA256
4e4b152e4a45397eacb9fc2d8b1328345e63ac89b11a03e73061a2aee49265a1

SHA512
d3440daa20072b63974060e79f8091aff8beb00705fb1a2ead6103a41a81b33c352ff998137135de79774a5a37dc37a95c616d82ef0fb7e2cff99d33477a2344

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
86373c2717e6f8e71cb6bbe855b68cc1

SHA1
6ed78506a43823cc66edac93616a07b6a617a22a

SHA256
b17988a69aa5f77039a85697f06a4b553a340b9bf20400bde02d9d2e7accfecb

SHA512
940480734e1bb670d61667fb2cacc5c0acbddca928c978c8c30d4537199100fcac1f3c75c0774f4398e5d8937d598ac154a44cdedf57ae2b869abfe830d7f95f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
607074da3568b6514256a603fcfec2c6

SHA1
214456cd8a723b2f11032c6063d1624140357ab4

SHA256
16d07f819d2f0554a4e423aaf40655002a1b798b38e6bd873617af8950f4eb5e

SHA512
d5ec0df0ae917ed6c9713c8c8836944a367cc1bf2e8bba3d9752fb590ad42d3a5c1f849e6cb860c20799908d586d0d9c8ca3b4c519a364b99cbd2e6b109de91f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7f12b84a05bcbccf9e6ce9d8483e94ac

SHA1
ce7fa5d3e7fa33d85643e12a211fac7395ac5a00

SHA256
06592456e40e196acc89e42009c71b774041c86fdb17f09d387aaad0c82cfb10

SHA512
26c6ee8b19796bb2f4af76afd5071fb80cead23fe20dc11a59dd0452f2f4caf7cff74fce5ca72b59427e5674c108febfbd31258cff3d70623b737c9b3f57586c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8de26df27c2c09bd69fb247e7397fdf6

SHA1
e87a6b1623d717b74d845b41ac4b07f5ab118269

SHA256
d14ce353f2523df082e523515f1f4dfe24035dbb099ccf4b0422a635e2d6556b

SHA512
7886504fa94d493b29da8e4be2129532b968dec41c416af7548d41e1737277f0a81cb0935728fc4d467af9a394b8cb0cbf2d0b76324d6f3ec2d8b6c842cfba79

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a29c73218650432632815ac88074b98d

SHA1
70720e29bdaa11c74188063042442c4d8503b06c

SHA256
ed6f4d2e2a466aa2e4e07891a488083379bf2bc16590e946b3878389b786f75e

SHA512
b1442a05267af4b9b70cdc7eb2feca741b0b48d71636dc56c555e1ddd29ae05cbc44518beb277ee1ea504d4a279842ac5c6470e41a6d403bbddf30a6bd5f2f18

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0c126d89aa17cdf2a0e6b685b9f709ea

SHA1
099994fbe9ef62258132265349d75ae92ea9c432

SHA256
e6449a2c0b25c3dbcb2bdb7f258939539db23339be0a574f76e0bc55e15f93d7

SHA512
d33b9377e87163cb39069134ca52bedc51a1150431428c41866784f881b9233506e7d25e61758fe2cfa02c6ebf9347a3fa764da47d3fb694e35a3f673fdae36f

Download Submit
memory/364-556-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/364-332-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/436-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/436-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/440-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/440-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1192-293-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1192-396-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1648-632-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1648-429-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1672-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1672-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1672-30-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1672-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1948-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1948-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2364-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2364-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2552-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2552-258-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2552-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2840-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2840-417-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3020-298-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3020-414-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3612-624-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3612-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3612-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3712-434-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3712-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3760-236-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3760-26-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3760-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3760-17-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3836-621-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3836-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4036-66-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4036-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4036-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4036-241-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4212-77-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4212-60-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4212-54-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4212-62-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4212-72-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4392-367-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4392-626-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4432-384-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4432-272-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4452-247-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4452-253-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4452-358-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4452-246-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4484-355-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4484-625-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4552-301-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4552-420-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4692-1-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/4692-8-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/4692-25-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/4692-0-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download