887f39230a61074c9caf4935685504200a3288eb90b57415cd341bbff6b3de22

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29e6de14265c346f1769a24f4385b030N.exe
Size

718KB
MD5

29e6de14265c346f1769a24f4385b030
SHA1

490dae2cdb40b37635287e2422a6c6ed69c2429f
SHA256

887f39230a61074c9caf4935685504200a3288eb90b57415cd341bbff6b3de22
SHA512

89b0208cf443fddabd83118beead345c7d2abc34ea4e96e94b367a75b5ec82dca0f86c9f6d7462de4a4e64da179d30f97d4938d6a753c199fb6f543ee18c2a8b
SSDEEP

12288:PTLniQhJWGasi+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHF:rLfWG8UOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1452	alg.exe
2104	elevation_service.exe
2372	elevation_service.exe
2152	maintenanceservice.exe
4132	OSE.EXE
2224	DiagnosticsHub.StandardCollector.Service.exe
1276	fxssvc.exe
1996	msdtc.exe
2084	PerceptionSimulationService.exe
3632	perfhost.exe
3772	locator.exe
2624	SensorDataService.exe
4360	snmptrap.exe
672	spectrum.exe
3056	ssh-agent.exe
4420	TieringEngineService.exe
1420	AgentService.exe
3288	vds.exe
4984	vssvc.exe
1640	wbengine.exe
1036	WmiApSrv.exe
1120	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	29e6de14265c346f1769a24f4385b030N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4926bc8e16be280c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_94843\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_94843\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_94843\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005438cfcdb5d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dc75ccdb5d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5332cceb5d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0954dceb5d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c23facdb5d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6cf48ceb5d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d55066cdb5d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030eac0cdb5d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dc75ccdb5d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2104	elevation_service.exe
2104	elevation_service.exe
2104	elevation_service.exe
2104	elevation_service.exe
2104	elevation_service.exe
2104	elevation_service.exe
2104	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3248	29e6de14265c346f1769a24f4385b030N.exe
Token: SeDebugPrivilege	1452	alg.exe
Token: SeDebugPrivilege	1452	alg.exe
Token: SeDebugPrivilege	1452	alg.exe
Token: SeTakeOwnershipPrivilege	2104	elevation_service.exe
Token: SeAuditPrivilege	1276	fxssvc.exe
Token: SeRestorePrivilege	4420	TieringEngineService.exe
Token: SeManageVolumePrivilege	4420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1420	AgentService.exe
Token: SeBackupPrivilege	4984	vssvc.exe
Token: SeRestorePrivilege	4984	vssvc.exe
Token: SeAuditPrivilege	4984	vssvc.exe
Token: SeBackupPrivilege	1640	wbengine.exe
Token: SeRestorePrivilege	1640	wbengine.exe
Token: SeSecurityPrivilege	1640	wbengine.exe
Token: 33	1120	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeDebugPrivilege	2104	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1012	1120	SearchIndexer.exe	115
PID 1120 wrote to memory of 1012	1120	SearchIndexer.exe	115
PID 1120 wrote to memory of 1728	1120	SearchIndexer.exe	116
PID 1120 wrote to memory of 1728	1120	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\29e6de14265c346f1769a24f4385b030N.exe
"C:\Users\Admin\AppData\Local\Temp\29e6de14265c346f1769a24f4385b030N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2372

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3344

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1996

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2624

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2004

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0cc5438aa040e63d74a528e82dfbf3da

SHA1
8223d211e2b0b9b3eaed9fc81fe3efb1f6f785f9

SHA256
cbe1ca6cc345fe54d85be45f5dd56e67969e6828e5978127bae76c8cd748fc27

SHA512
960a740fb5c22929095b99ee9b789bbd6c7e83efd33a51f7166bbc3fb86948084eaacaf7e956311e332efa35486d9fc811ab00d8a7a073d42f4c74d9a10bf157

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
ddd3ee9261120d1d92a9c56422681e97

SHA1
40e1ba788f046f477061689dd8543482b028a05a

SHA256
0d485adcb846b448dbff3ca2b25aa7e7d726a636eea2e4afc7a4a85a5a50350f

SHA512
75bed0efcfac10fbbae3e1b7383fc6e6af3abea3b03eed2b9267b2541509c358c226325b8010d677a91b41b149a157e87eb92cb76f7821026f00c49b8593143a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
228d3c223caa7d9d41af66ef3bda589e

SHA1
4b0e023ba6fd7d10f51d49332327e6c3a88e6a2c

SHA256
f9c214b54ac42d4da7c944bc12720cc8f057195af0b8ccc61fc253c759bbbc1c

SHA512
29f6aa01cc095bbc45adf77830c577ab5731b188afefc991a6e1e1fed538682fedf61cd6ff98fc67f1e0a747104e260f6a411d1046c331249028917c62d6d1c3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6a607be17e518ae1837a80c89d03e6c8

SHA1
5b2bdb70f0d838c09464a625f50f069b97662c91

SHA256
f293ccb08cb7785102b901301e5a8a5b9b5cec7784a1398772d672738cbe8b9f

SHA512
6c39db6efdda4ccf603b52f73fa0e3eb74ee0e4c26d2df4c8377127badfb1140d19cbd2c367f2cef59f45b2dea091ebd5da4641efe424941aa075f9393a56735

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
657abff60f6e12423781aaf9c3c4e13d

SHA1
6f00fd90d0105f9877d6d03bf1b6c46214c98c91

SHA256
2416b28ef4f7a1c6721769fec3b9b5fd6c35905c7ae70b93a41ab0a12e3979ff

SHA512
187942a6d811691a1d26bb9d742224d29621509137eb9b71032d137b38778492b6506bde9a825b6d38bd75b4e23de23f1fa765199efe92997e3fe6c567b45f9f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
477cc93fc9f2d7dfc2bc564e1ed714fc

SHA1
2fcbab578f69cbea88362286e8fa95a3492403dc

SHA256
336b719782509d1624865b1ae1c0a55a3ec6c86207f6393edcfc62334de6fcf9

SHA512
b848cfcef16a86fc568bd2208f2d34529aed452d9ad9ec40d26b30b7299f9d477af1089d591d04614412efadd5660f275aae12648a4501c4dcce0bec80ef59aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b0227f0dbfeb8dcd6223ace3163b2fb5

SHA1
93a6ff70f4a2c6e9326c83dd1a4aed864ee6d502

SHA256
aac750dae2c82b68c3660792d3ac7728e4464aae5e26800e513aec9b76835c8a

SHA512
802c78343a0898f3a471b8916a411307a65fb48125a4987687ddee25261ab817fb585fc25df74ab1f5b757daf8dbd44c3c1bac6070874c63f6da35a7447a408f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
714e010486da0bf550f71929b34bab63

SHA1
d454f20daf022ba75506350169600f299b8cd041

SHA256
82144a53ab47d07857c82f55e7d02e336b86a7f621b40db5638f99106f10384b

SHA512
94255e915bb5dbf98228989ea6af66aaa5612b918e6e084e373a42cc7cdb0aab3c0b72c0798cfa7c6b5fcbedcc2dc2729eaca0560ac63b16e033a7573fd7a957

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
727fbfaa2d4acc904c87812e4df932f7

SHA1
410db59cc97ec8dd6d4b99f313c4e4ab01f3ef9d

SHA256
991f1954bd5bccbcb417f9b70a5f3686c3b7deae23687b290fc8ab9c19f9866c

SHA512
1cd4d2961ba0bb1796c61b2e37cbc5abfdd797807d6ec06f1794a06005b8a38699ade0c528793ca54a51d586cd27daafc7fa42be9c7d5571b893c2a7c39f6f08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
40dd9791c3b0982b36c4763c4609e1d6

SHA1
ed263510fd4f01173947a56a81a72bd72630c7e7

SHA256
edef6947f576b4dea46c3b60f486b98e6c4cb4f2d606acb8d3d28e047805802c

SHA512
ac142f27bdc1fd3c94f3baa9888e2d194d5371f8cb727c39ac7c6e6cc235d63fe0e6909977fd51fc34d7aff2ebd4791656ff013aea2a25006e475f9168ef9867

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e1df51618927ec16548a08badc4abe3a

SHA1
25471553e8747e01439a9565932141a8dc7c26ad

SHA256
56aee35e9a12f7771e484a5a6a091496f34061b1be4a34cb4f539a614ae7ca0d

SHA512
ddba99f98967683643b5658a567d5bfc0c23a1ab730ca5c7a4fd00a75891bdccc00fc266051672c5f7ac432fe9fa7c957ac3412719f1784f8d8ae07a02e621ca

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d05962a69cca78b98adaad331fa15a5f

SHA1
0b20c05137c24c50aa988172f67d6edf53709d2f

SHA256
1e8627bb7ae9bb0930a2ef35460935385bc03c81ca575c337736c17a63424f8e

SHA512
6bd7faf4c028ac35c58d93dce0f8affc10ce2d6a472d3dcce9ddabdbc98cf8547626de662698419eee853fa9f2ee31ab0eab86994cb04f68cb5b7f7b01300a55

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ef649f557ef0c545c10f60280007d502

SHA1
5ad538bbc0907fde6c9a6c9cb0d8d4c0db1dccaf

SHA256
3e0373942e2533e3e9611aecd64024a4b1cac202e510c7ab00b82c136d41be43

SHA512
5c91d19f65c97ae71d1acd0b769948b8756c62122044e5253c6d632506fda90666b4c4e206c39725c133589cd7f1a9cafe8992e393e09f5af0e9f1b477c26a50

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
825fd2541b96aabbc1e306b07502d7da

SHA1
9e48e1621a8a6a19d7dd066c9f4fd3656b52e33d

SHA256
254872695339f754ccb01294a80cfd0ef53d38affe058702df2a8ac75f0993b3

SHA512
67dd15e0748b6f21be6d8efc5bc684eca69eb256fa12af8e8dc333b935a2534ec4b5a530e92e1078276cc2cb95285e24365246ed440715ab99170902f9fa35ee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
16811d13ff01341a8ad4d98d35794fca

SHA1
2fad02a1e29f55f6ecdf84e33af7f70563b757cb

SHA256
04a96aca88aa3c15107e12f0c3af3c5ef32c088112c3246be77a67e45c52ee5d

SHA512
262f2dd875e7ca44da0987fb80c0616c6d68cf691b5bd77cc4a58bcc736e9f7dadecaf7bba6298779f6305c74591c83359e76ebf183896d1781822e5de354d3c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0d93b274a8978eb54cb6781b795edba7

SHA1
ea586614f178696dbad4d2c04807391d883aca01

SHA256
f2153b3d7e7493e593663b49509ae714d48377db75a76322d845d54b7a301abd

SHA512
e6a009a7944b026e07ce0f8285727e866110d42c502fcfb43f61651d8501a390a454b4ed781bd2d3d2b3cced6542e51c736e5ed90d8bd12b6f73c090f1364e7c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
170c3f2e38e18656b30ac4bff0cad06b

SHA1
106e8299bd7f635fe8bfab5c2f3dd5e3ce0cbaae

SHA256
0094881339a8493a0a4e1075682275704d50fc0a02ef4129e941b05a8f378339

SHA512
e5ff5b3e22bb1744bf796a7c0380204e4872542fd871eabeb5390ab59ef3d8d1f7c0d054215d9770db3875e595ed9ec3c505408bef097a0d8c35c8e54a7fb222

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0a3c739f6191e299000ccff5cf490a18

SHA1
24b8976555180bad2cb525eefd25d70f09b5bd25

SHA256
a2bc87485e1d61876fec9c7a42355d5fd536a3f432179ff39a78548f3f093f8f

SHA512
4a6887e61b5b4dbe1efcde6df85943ccb23a00d2900afa2ad8c270e0983d20c671cebb1295b8c4cb2dabc719e478e083776b09c701ca89f82e03f47bde620f74

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
06e5d5830a273c63b9c5d0b11489f90c

SHA1
e25979bb02c92bd96036a68774cd1bed69aa3203

SHA256
b250dd48c8a980c697f49b5d909fe489ca5420b59dde86b738b48fbd9b363ca5

SHA512
7da26370da42c44efc8e9ee80ad0250364d9ba62adad2ec01c4bee77a99f3296d4b8418c9431e270ed2eadcace0a8859fbfb8bdfabd1bde143c50be4fc7b840a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
60534f22f8500875595a76b880e9ea2d

SHA1
73d15aa784a6e84bec56ec4ab4bb06ab957c0bdf

SHA256
3b9f2ddf9a2abe2dcfe5da0a7f09ff1ffa72177223ccf53b3f5eed2c1a2f186d

SHA512
5bca28ba0ee184b68a014621f8303cd31a70f14575348dd2da426510310b49843409e230f83e5a375bd0130e59443a9860d6d9c3c9b15d9fdbe4a7449eb68530

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
dbce49cabca51ba9a03056a5df75f202

SHA1
9793261d9e54afb4c7bdfe175b52042876bc1c63

SHA256
395bed99b29a51f220ef37067a7523389418be07e86f7d55597b19f30d5dac2e

SHA512
b907cf964b84605b9a32edee490bd3678dda4d39daf9e274233b5ed904cf7f2e429f6466c1f6584bbae7b53380abea643407b5cfc547256f5401625b8e34413f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
afb343709b8910bc27bc05fb1bf9a324

SHA1
c2d666ef42e331c93d8e37924f250e88791aa12a

SHA256
a75dd9892f837fc870e1b100f3794ba611bf77e637aafc41ba1c2241aede8fdc

SHA512
becebea7323d40bea1fb3b371e921ce8a55d9b0ec5c2f390cd042e394d63749c4b86d6fc79291fa50224328f85329bef693912af8e0846e9a85531f6fd0e3cf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
8ec7dabbb6970ed971a63b514ca0befc

SHA1
0955e811df8d8cfc930000f75150a523820855e5

SHA256
46f7285b0dd0adc2037d52fe6c66331d00a56495d50479525388bd0affa4b57f

SHA512
a3d7f06707d56a5c411da2527173f8e3d33b0da34cad3bb45311139e4a14ce0a9d17300044fa91d7ccfc60f2b777e0be3648e6d5c9a2a7a7edd9e79fb3d5f4cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a18c588b0d04394b8694c42df8fc863c

SHA1
1d2cb44390612ccc24f1abeb7055f5af04bbf70d

SHA256
1dae0847abd0b6d6070621d1c58a92bf7ec4942decd0fda3e44e087596f81030

SHA512
d97110c8ce3203a7cb1c4505126e6f86da5ccd29421f94bffd06da3017db30d55ee663e6f5d6b9dce404edded144ded07affde2fe55c11781d6e7909bf4ff7f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
5f6f1bb9edf71f306257a641669de332

SHA1
394570b8dca7eab010f2abad516fba2e0d3752dd

SHA256
9e0d484cbee3fbb3bdad35ba1e88954951303f284af447cfc92be927c53e5f58

SHA512
8cdb07d0a278a8562273073af4738ae84eb77492b0c95a175d3131ad150cfaba11a4863f9e8cd22fc55e352c3b37001cf3a9ed74cf8edff349f7e23582fe0d40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b56bfb7c3902eff8e03cf69df76f8aff

SHA1
1d8cb4f981d79a31555143835758dd11ea62fc05

SHA256
be0209cb9cd8874e60bae29ba8d2e95631062860d50335ed45b01b8f951a9ff8

SHA512
41b2e5da1c1699d2a2dae38bbbc1f3d0a68752e3ff84d11c406a4753e950b3e049320b6dcad5afb97eaaf02f929345581fa6125610726d197093b29bb83040ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c3ee8615e0c73a3b24f0029b640278ba

SHA1
5a37a01a971c656601f5b3d400890a3ee24dfaa4

SHA256
98b2ef1fc6238821bfb27f4ba047fc8e995b7da9223b2735fe2961844b060841

SHA512
5d0d9c3dd5a551ac0b7f68ccf1c7675c13713d4c5b2a3f5fc3602bf53d73a86f925a28a4347cf74ad7d24c8764ca94239dd4a5bfdc4f315e22fb1ff5a3e2e6ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9abbd9bfeaaebf454663b6c09f0a4be7

SHA1
24f80e591bd2412ba91dca27ae44329c8ab8cf42

SHA256
e8dfec24fa4c8b0ef7c03f1b000d4944de28c013f5741750a24ff68d0bbcd231

SHA512
48e35f8d885f789f71a72cdbfb7ff33c9c9231dcd3f55f2976bd4de87d6379e30b3553350d3bf3476f1bfc25d3d0ba440a38a47e4e024182fa5f5c040ec79efc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
92e272270668d6ba5965d6c78a2910c5

SHA1
bb10b80d08fa4c49a5b2f53b98b36515b2ea148b

SHA256
29f6b109f5c57bb6ff5460c5b00f115dec984ad557566edb7b3dff43aa8c9832

SHA512
88fab5f3c7d4a47753f9da1f035920611bb73e52e5a25705ab6670df71e5251db532cb5b0805804da7bf468632e62d4d010d2f7b2f3299c30ccbb0cc78c698b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8b5789c057376b85b838c48516905f4a

SHA1
ef012368ea497e1c0672c9f292ae42d5f2cb3edd

SHA256
c623bc5e1237081eb960fe81398e88459f94d352bdbb63507ebe42dd459d4ee9

SHA512
01ddb9278fce63402b72f1297602de7e9611a1f2b1d5b148959ee2f563838d2c7ef01679e86ef99aeb23b7d25457bc3a7efb77103d4a871ff068a9ca7c3e9b54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bd2306b06c7d3b382d0c86a6c96daa92

SHA1
8901bb7aefc26d640b3998a97a79817751291629

SHA256
5555860afadee39a50b39f5089c5fa4ee8de573c84413700dd0a11d3e7aa77c4

SHA512
8ea4150537e9317476eb9503011a006839aa3aba55e28f19f1834bfb556839f06065603a320c80b192b32dcf787970c913fb538089c0a9bb2513d25381e652ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d2e85424407c53ee99fb89d4e30c8066

SHA1
8a6dd7e042ba05f44d5d9af47628519ae0f88767

SHA256
d0412d6be32959ada0eb55a8dc1b91769f64c7b3c4a7d5102a56d49dac372892

SHA512
54f9d7ce5edc631dc55180e61b196cd890ddc55f3a91148718f3e0de15662dc2a158cae8836a37b49bd6efa0fad44d2e2d70e913ad2f7688945cb9bbc9c9678e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f868fa8421f48c05ded693d9a196ff0f

SHA1
4b8c63c416b9e77c31dc1fa5d7c916f4c6e2d273

SHA256
8b54229f2e383ad4d6afa458e7911a477fb0f246fbacb5a41fe64ea6e197e6b2

SHA512
6feadc1e2490f7b6a1963cb5c2063374e11bbd71961d1622c89104e57944322b9ef0f945f781be84f738a837a92f49efebf0180a89424a5fe794c87dcef84557

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
90d68b6d41062a7ba7ce93ccc77260b7

SHA1
5622afdc7d292fedfc494189a6227e8a4c3cf99e

SHA256
46dac66bd0758c10e6d6ccc038a290522049dd71643e4408cd403d0f5ade42e7

SHA512
4482e8cc2cc0bdc45ff9bfd9b9054831654bfa137c66cf918631682cb4043119b8e8b27d7e275ced94764bdd8939edeebb51cae4d9759c78f6ff2413c7582803

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6e66b330bc728c7c129fa1c5fadbd81e

SHA1
b6c99f38401aa78334f17121257e145860d99e15

SHA256
b3daa4a31db51afa59d5b71f6d7576401761e39731a2736983682b0874a268a6

SHA512
e2060ce0acd7f610fc35352cf8fb6941e289b565d92150d7346de655fceb57483ee495f0aa3b4179abff45959a3eaf0dab9fb172ab7419fb2829671978e12d89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7125b3bbd92aee929009cbc6b6d47666

SHA1
ae139196a3189e111b6b173699720e85601dd32f

SHA256
ece81d4f89b48632ea2b5916bdd5439cde4a177c40d3e1bfc27780d2d52bc69c

SHA512
f16e1f64f9438d9b3fe3811df3b698cd5a7bce7930919916f36e2878473c328c0cd38e01e7315fce07092516e0e3681fe9e329f2a05d19b5f0c3068d3e500135

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4bc8df3c67b647f9df8c935b66c92aa4

SHA1
ecd69764b07330a1ceac0d1aaae5ce17e40d7523

SHA256
b2697da83267a63607e3f7b94c114aa3e13e5f03a2af3f3cc2939efa59c812b5

SHA512
20101c71652958e4a6ac3da23421cea3f929932aa438864df946a5ef2be7a4783aae6009a6789c446bbf6647fe7734af414b16b39dcb0d4616202a6d15ec32d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
68474e5adbfca914a05d63532d146bbf

SHA1
befb7fe0ec8a7de7cc42e9f0b662a7f1c9b062a3

SHA256
203884a60999849d49c5eb3ea2100f436c96012d70022b9f4f5ef4a399168811

SHA512
1af125c74d601b35420a35ee78910c39a594b837cc49903ddbc225a182bb38ba71b2fc3f765326f708232dc74569b55acbde8e95fd84936347eee00cee34727d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
56d91692c6cdfd4bbcc7d69dfb6bfc3d

SHA1
944995c23df39ba6b6dd62c6108fb25eb29ab7fa

SHA256
6baa9fec146f7aaa85b976da573fdbe11e7b0f995a77e136359fe71f9ebe2f04

SHA512
3c85d15e9a47cdd234921d6a539ceee92bf2b7283f573dff02dafb9b6a8f99b9a96648207ef335502425e6dc0e7a96998ff2e4204878840de2adcdb79415d7b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
c791e21055f2bc1632127872027ea541

SHA1
ded83966497c3c4e5ceb482f463d1f5fd9f38e51

SHA256
42978278914a6f9b4dda1fb6eccc6e81c0ae8a740e4596665844f55fc8564067

SHA512
418b1b6032d4dce9e7aab44ae1b7b0b4eabc7ad3489038a8e47ce9ad85af2f2ea1e95a94d2992f246ed654a919b914dfb0893e6af5a05bc979f4257fa30dc7f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
5c59f98f6c446e5695ce04ff02d71402

SHA1
7047d646191693dd286bda4d09902711f51e6d94

SHA256
16e2447265027d218de53231cd6928a20c49e200d72d8e1478c2cddfcbe05c6d

SHA512
a7056a8bc5dce54198c415886f78f7dfb13bd6ff31b537ddb9ed68761eb6ca5b832919535706368c478d4e2fe989b0d0de33b106bff379596ac58136b2d77de0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
e75684f232f872c6a3dada103456d160

SHA1
47570204b857c9e765d963e3b7ab3b184749c2c8

SHA256
90e5171c3a61f4927ae9ff71bc4fcd2eef37c05381f3bc4a6ba9008316f250f6

SHA512
33a9bc6a641ccad7713ae94edbf97a59f1c2711e7b3dce45265c6fd14ff7d6d95b0f400da8a71ee54e612f565bf53b3cdedac83e221028a14478a3419f33a47e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
bdddbffdcce55bb3f071153bdc03c38c

SHA1
1c036a2d0e644cb6596a6c11960c7c4b4b15e60f

SHA256
6f60dd42f1773fb9ac4c8b7fc4a6666f85ca4953025a06410b1762af203fa6c7

SHA512
5551c0dee23ebe36e7193075d8ae21e4171e46167265442e531ada953221de76d7b9a998167481c6f3c0d9818ac2d08b85094809778889b7905bab856cfa1570

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
eeb2219f7b1dd07b15acafdc1487b92d

SHA1
372139b8509117e6482713652a4f43f1dcec0ffb

SHA256
cc303dfc7ba46af1172a7a35dbb9bad64fef3e77ee1942388352142cd662b550

SHA512
97b880da2c995fb36559de7469ddfa220fa7ef4cfa4ef4c6696376cf93acb336ab3524018e05ba9dcf191e373b816809b8a3bd389c5417b6be716f669207680c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7af997106e868402a1ea0ca6e2847096

SHA1
4712766bb22571a2d9824bfe10a2c6ae645f49aa

SHA256
4cdad7ea848b807d7d89ce74b6d55f7cacaa59adb0cd0f8051359f99d4e5add8

SHA512
b59f9156085c298ad57588cff92b91e623faee5790bedaad9201f9fd4d940d212c07f3bbd6fc22e1be7d4fdbba37d33a4c41a515eb99aab6e4a7cd541d574ce6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ec346444d98a6086ba23a7d5cfc0ae08

SHA1
73b2a729c2c2480de6f37495ec2c3717b3864bc3

SHA256
e7fa96e80d31056a324fe4bc8990986b637fbc4a97313f04999ae663e41f2755

SHA512
321fb04456df82e2aa1c3141fb879a58b18d72b8a338fe3e90b81ddc4a35ec3f3bde935a706174b9372f40dfefa2d2b4df741754751133f050d62ca91d2cf479

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9679a87104c9418bacdb8a48d81ee951

SHA1
089c0f5fc86dbc2c77721a3a52d4f2ee0bce5711

SHA256
3b36a572fb4eeaaa22625bad15e5b302952150f38efd1b6f2c0c7a2fd8713612

SHA512
8c456d4f827051a9aeb93fcddb3de6adcbb2c56230d4b3a08fc1ac1e3f0a4738150595059cb584c65b8eac46ade04b93d173621e20c6674a84b3ae26ab7a0742

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1a6c7675a4dce00b82300c84e3296b49

SHA1
ee731893f7cdaa2b72dc962bd167dd5ce5b8e576

SHA256
6f4dcf42167cb511f456193403b8cc562d990f0835266808f9998435de7a9c52

SHA512
087164dd1b1d7f0c8be92c69bf6ced6e00e29a541218ad22409b6e6098307326a21e32ed871c2b842ad68123d5165ad274b831462a235bf4f7c345d53be6dd4a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0313703e64d375955d62df0e30bd2232

SHA1
2c424281cb16081d0bc462686e8e465f3252c128

SHA256
affc921d51d9303fc56541eba44079043b7c4c86164f6910e465b5f45acd4880

SHA512
2c1d5c4df0065e94ef768586f58f97fae48a5a52b86d02d781cac9e936cb41222da20589402394fa35049c89104269683150953492c4d34a1d9c07c41ab69250

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4843ebdadbb0d75baa77d004b9edeebb

SHA1
17e92865fa4733862103fdeb739444fd0a07e669

SHA256
998cacd51ea47e47c790ce2af70d81a2044c72fef8595e106cad6b1e18badc16

SHA512
b983f83bd31c3a73577ba4010ec51e9e735345e9ea39a49b06a22f85376cf34397e0616c997e65226d0942c030377d8f4cebc43918334fb137ae6066007f205b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e67eb78eabccf75e92181b75719f4eb2

SHA1
f99d4d9d3aca3bb5c8bc133ba8f7b9c7f194e49d

SHA256
ab862b48bea88542eac41316e13cdabfdfadc20acabe3e1882c7ca4412bb5772

SHA512
1959debe4ee11e36fd554d64d3a07cd597f4526c0d0ac642431ad7afaa275575a45512fc1289e427ad307ed1766bba8a47672908f75149cde99bad6d69ceb667

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7adc7b6dd0762e84d543700fcdcf8f5f

SHA1
75bf5951508ea9720d22ab991521e7559ef336a5

SHA256
04b2d0ead0b3f4792f172f6c374221635986073550903713267188af143da91a

SHA512
b2b32d0f5152ef5145da4b87f2040d0bc5a300900cff6cd130734bbf21104c3429bc487974cb5c7d60f678ddf585ff420215cacfe9e0119baf14dfc48d3d3936

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cca3fc5b3d3b112ae78b5ee6a64f30f0

SHA1
1cf96d42f3ee79ee276d981c43e8c57c0e886640

SHA256
a11b6122c8b2623cb74802c64d3c837e83d38a0ace69ec59a856b030195c5704

SHA512
897f999f5760368019e4cb8c9879f4d8932a8002ef18c41b57a911d5dc99aad5c00cbef44b9e899eb070feeeecb583e053641444a5ab849f5a3bfba71758230d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
13745309964d128efa135668716f7795

SHA1
4e9c738b99928f17513ea95c1726bff96f4bbfb1

SHA256
00f828649327ca297adedb036eaa579fcdc6155065fb3af866f7412b63fb62b4

SHA512
5cd7911a0a4ec5cc767a5fcdcd3cb9a76556c2f93013ff12c8ff2b8a7d90df7dd0255ecb28c4348540e4df0e3501f544763058e5661fd0d16f7cbe796ddc8dfa

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2b4c76af54ff778d5d50b98c527f2618

SHA1
1aa29a92a5a762a15d97734a433e60597dab4b4a

SHA256
dea696591c7a1af020af64f6f5f58c45aad54fb4d0b55ffddb2b4a26370acc1f

SHA512
f8093cf87931518c4c927cecb2f6241661d3cddefc3fa0d66945c93ce2bf6796ee707a3943516b62703edee82d91ad57060e241e2adb904451b4651eeabc361a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7ccb2488e4e4ce5735e310fc08f107fb

SHA1
f4292871b8a3ade880541aa3e65f855f6d34c6c2

SHA256
519a1be4e578c93025184cf3805916968ed35090ffb8cb10f191cff12053910b

SHA512
ed07b3ed727629f7972ac7e3bb053b3b181aeec4a900f46d699b6a89b94bb8e34fd6ee359699ca08a3e54bd45f2dc950d0e5b8e3d0ff035bd786f52652666378

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c8922afa1b2e6cba1c3c7836e4f72b3b

SHA1
ff0c9e4bef27bcaa7123639874f79f8a07f3a172

SHA256
7c31bb9f88e38f66f7a6b52b552839703aa572b90c4dad85c6ed97d6a2e5c0af

SHA512
25d9a9e8fe87c9add3e78ed966983e8b0f611aadfa99716c32ce7a42470998af5e715f00931f86854dde1a1dbcf39393b37a74041917b630905c649257325632

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ad34d33e73f080e1bcea785f7ac558fc

SHA1
d2971763804e6babd742c9f550a1f3d712b0ca73

SHA256
77cea18551f6c928d579a7b26f6b0ce704400c81a5f842da60e971b58df0481e

SHA512
39e39431382c0ad49e43c152407ab97a01286525aeb8e1ba19aa6edce1ab7d11bae35ef0eab2893781408623958ec55a0094f5136cd49eb1adc0e8cd4ca2a985

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b5cbd71fad361e0822c76bddf800eebf

SHA1
383776c674807a6d3355599d48e1c1d04a7fadb3

SHA256
c983ec760c130056f5604cb40f6af020e40cd50ad5a2d7a07a204c7e065d0d82

SHA512
1a23ec8239d8392a56c992f9ac691606fb759ec0bd4254c092b195a2f06c0cc9995252f8c443bc80c70859dddcf43552c3428cd30341a2a7226e702b26dd5f5e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
041411b548d77764958ff4862eb128f4

SHA1
5a1cd89cb5756fe4594d88025e470e9e6f91f7b0

SHA256
95bfb46a013d4a2ce1d0c221df52805c646d2d816e3be20df959c3d02174269a

SHA512
e26b6ae8e082700f4b4b4dc60365ff534852045a9d8de926cc810435b4aa0142ae68faad2420bc848b4e0603a3b9f195aa51647216cc6158f600993a12e2f033

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1e5f529ef810b53ee99bc4cab401f1df

SHA1
fad231da2b04b0ae2d486c48873e9a4655366110

SHA256
238880ad41050198b0e6f82c49ac1673cbeb8c23610f99afd8409cda647894ee

SHA512
04be8ae92380f36745349c41c0a71903b047a2dbb2c8437214b729415098dff8830759d2e532f9953c59f1daa09fe49eeb90efdc60b9d3da884db8eccc37750b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
363d82d08399fa8c651643adc9aa7289

SHA1
bff4c96aa6f2968536da5d55b5320b98a6610d31

SHA256
57a4477fcf4c8d31f6e57ec76f1669d03afcb226143aec0a61931e191ea79a52

SHA512
c0e40d54212c4c138cd7be99fa8b8c0e831b9fb7d1dcba4e618291a244f698a761fc4d321602646a14c8bd06732ff52ea4e89297d9ad8e0b1e4e3470dc3525fb

Download Submit
memory/672-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/672-536-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1036-421-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1036-547-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1120-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1120-549-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1276-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1276-251-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1276-263-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1420-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1420-370-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1452-227-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1452-22-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1452-14-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1452-21-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1452-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1640-546-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1640-409-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1996-384-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1996-265-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2084-396-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2084-280-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2104-231-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2104-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2104-28-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2104-34-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2152-51-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2152-57-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2152-50-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2152-63-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2152-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2224-358-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2224-246-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2224-241-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2224-239-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2372-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2372-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2372-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2372-232-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2624-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2624-539-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2624-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3056-347-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3056-540-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3248-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3248-1-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/3248-6-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/3248-12-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3288-544-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3288-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3632-408-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3632-291-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3772-420-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3772-301-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4132-70-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4132-64-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4132-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4360-519-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4360-324-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4420-359-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4420-541-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4984-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4984-545-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download