f92ac5634e296cda22d3b97348337a665308946002b83c1ced88235a46250e65

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 21:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f92ac5634e296cda22d3b97348337a665308946002b83c1ced88235a46250e65.exe
Size

1.6MB
MD5

8f737a42ed0f61271f47b76a0ec1225b
SHA1

a6f00294a6a4afe3cff22c5a4ae7b8bb3ff2cff4
SHA256

f92ac5634e296cda22d3b97348337a665308946002b83c1ced88235a46250e65
SHA512

3ad23b6cd800584df33e43d4c7ffca5d0ee7786f9791df40ab4697e555ac36de1d5954c87f1801a67d04c9bc8eb9b0d4f03ffc5268cfbb55ddb9e63b34ccbe51
SSDEEP

12288:fB9B+VXEpwfVqIjngMN0s8Jco9QzQ/b+Ka7zPKv2yI1677qasLkVI:fB9BmEpwsQNgcdAFeK+yI47Ga

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1816	alg.exe
3844	elevation_service.exe
4156	elevation_service.exe
4116	maintenanceservice.exe
440	OSE.EXE
3916	DiagnosticsHub.StandardCollector.Service.exe
696	fxssvc.exe
3936	msdtc.exe
2880	PerceptionSimulationService.exe
1188	perfhost.exe
1124	locator.exe
1928	SensorDataService.exe
4576	snmptrap.exe
3136	spectrum.exe
1792	ssh-agent.exe
824	TieringEngineService.exe
4436	AgentService.exe
4464	vds.exe
4980	vssvc.exe
4020	wbengine.exe
4784	WmiApSrv.exe
3588	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9e388cab971c363d.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	f92ac5634e296cda22d3b97348337a665308946002b83c1ced88235a46250e65.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105906\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105906\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105906\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ea922f743d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003384fcf643d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000152038f743d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c18b4f743d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056e9c0f643d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd6b65f743d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1c521f843d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000737bb6f743d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3844	elevation_service.exe
3844	elevation_service.exe
3844	elevation_service.exe
3844	elevation_service.exe
3844	elevation_service.exe
3844	elevation_service.exe
3844	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2832	f92ac5634e296cda22d3b97348337a665308946002b83c1ced88235a46250e65.exe
Token: SeDebugPrivilege	1816	alg.exe
Token: SeDebugPrivilege	1816	alg.exe
Token: SeDebugPrivilege	1816	alg.exe
Token: SeTakeOwnershipPrivilege	3844	elevation_service.exe
Token: SeAuditPrivilege	696	fxssvc.exe
Token: SeRestorePrivilege	824	TieringEngineService.exe
Token: SeManageVolumePrivilege	824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4436	AgentService.exe
Token: SeBackupPrivilege	4980	vssvc.exe
Token: SeRestorePrivilege	4980	vssvc.exe
Token: SeAuditPrivilege	4980	vssvc.exe
Token: SeBackupPrivilege	4020	wbengine.exe
Token: SeRestorePrivilege	4020	wbengine.exe
Token: SeSecurityPrivilege	4020	wbengine.exe
Token: 33	3588	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeDebugPrivilege	3844	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4112	3588	SearchIndexer.exe	111
PID 3588 wrote to memory of 4112	3588	SearchIndexer.exe	111
PID 3588 wrote to memory of 2196	3588	SearchIndexer.exe	112
PID 3588 wrote to memory of 2196	3588	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f92ac5634e296cda22d3b97348337a665308946002b83c1ced88235a46250e65.exe
"C:\Users\Admin\AppData\Local\Temp\f92ac5634e296cda22d3b97348337a665308946002b83c1ced88235a46250e65.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4156

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1636

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1928

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3960

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9e52c408d851fb62971a33c62600558a

SHA1
41b4cfc105e74dce7df2df073bcd373c2e5b807c

SHA256
4fe92025afb7622409fd45846a54b693942fe878ce825c9e6028a15fa96c0513

SHA512
826a66080ddfd076b9eac1045ba219de98c30dc7aa521770a4c144edac1aca9f4f459891b30583fedb8c7a1f535c430537a4e4d8babbe39b106bebe7e5275a8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
2b8db55682651fa950ba8dba4ea987c7

SHA1
7859ef990f236efa2780b04b2896401a833b0db1

SHA256
31c411d32c7c93ae55c1804e933d47a588422bdb27a5c491e5709d71ae38208a

SHA512
592c6f4304791f730d038ecdfbf61ac90f53aa1bebcdca37373515bc06a2596b010ac922fb6c7edc68e3edb991c79beba827fd3ad7f92453e47502bef6122497

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
9cd0747be932b434a6d7be622455d54d

SHA1
648d5bb81d36b2bf8bea2163cee68f0c2a2561fe

SHA256
52c891b559a553d644490a2af508a5030abccbec9902ef5ffc1ae73de4518d0e

SHA512
c394e6d3364121017c903b76ec172b969c0c64a871c13eecbc88b09e2b7de3be4b73f4adff12ab0362b3312823dd273d969605d6e8b43901422ea34abc688f4f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
10fbbb330288e8f523ad62ac28d42fc2

SHA1
68a59de1c04596495b64d0e0dea34908822cd560

SHA256
9510ea72e9fc768fad22b42bf6772ba3a501421c6d2ed0658836b42e8f542fae

SHA512
3209bdeaffa943ad36e1e6046bfc5546fb23cd09d8b728264b338ed81d520ec4f438792c8f2d1fe8f9b86ce0ecbdef23d7c1734dca988f533b3535a056b8108e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
72c2e9fd666ee88fc753591160e7306b

SHA1
fd1197b262eed87200fa843da615052ad570b0dd

SHA256
31cf80037b13c70fc4081b476e9246a5cada7aa0de0346ac748ba313e246ed66

SHA512
7da9d11bff3080d40495b63aa3f4726bab219f331b2e72d591b1cc7a5df920b34414fe68b1c518a4687619882fbd3b048e336232884a869cdd5a9b5ecf6de958

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
02a0d8eea530367bd071f7fba681916e

SHA1
da6b46a6fc7400cf3fd38dc6b163f63762d6781c

SHA256
7084d9b642920a582122007ee4de5d7cb848dbcbc0dabc6b078984316fa8bc16

SHA512
fafb195e000f26970c976303551f52d736e14d2b91319effeb56e273d7b492279467b93aeb1623e5fe5e8cab682557a5a07d158b3e62bbc3b80f6b015c509f54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
6f4fa10f06e2c6fd74e66e2b49fe981e

SHA1
c878bd799f1b0d3f93f28cb40914b15b4c651c0c

SHA256
556e77107d97eb9c981b0ceb02a2fd282f608ae5b616f375fb18ea8125c5a2a9

SHA512
599f6d2331513db993662500605feb25319d13e9eb8dc05df9573a05c2733ee11194ec9ede4f9e9fd9e5120876729eeba08e2fa07642078b1501db2cfaeb1d6f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1844c161b77b180982f00a57c38359c6

SHA1
a8a78bb7d5330bdd8454e9768d89fada4e4a6150

SHA256
74be3b6b685144590d85df3462586e82188f679bb8d884fc9a5d13e1002b533f

SHA512
00b7a5c5b645c062bda84ae89227a0d926a30e986cfed74843745dbe4cf540b4f1709a2a29c075aa07c35eb9c9fb532fc6f611b7c5bdc75a894cf52d84a5d1dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
4229c0204e09689f737399dcb1f26bdb

SHA1
f820d155b0c2dd504ca45a686e8e3dbae3105918

SHA256
4f4d02342fd4a928c6c2faa71c3b1fb87c351f6f8c3d2dfe4d3eb5235ca32b01

SHA512
d0532d289dd7415b43ce06f3e192b2628c4075ff0037f526625c8185de2a9a6dbc9c786d85a69ddd32c0fabbe1ac2822f8eba36d25c097382a5a47e077aa540d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8a4a543a838188b70c2a20ab355ad865

SHA1
9aa555e081f0856b0229293ae871ff5caebfb5cd

SHA256
931b7f5472fa701acdc201b5166114b6d21bc7747aecd5ce211f02d96d17a3d5

SHA512
62208e88d0bf8650b2e0169d864cfab0fec154f0b942c5748f947fe5fce55d72d27a2cace3d9217fdb9288b208dfa33dc95110e96f1e8470261b96efd9ab5366

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dcf27443b3e2c5363fb1c4b42fb173a7

SHA1
373da5e49462b0c613e940402fdb5ead794cf5ee

SHA256
87d94c34a055a397e989e9b2691114e12128fbdfbae71e589e1ceb823b973aad

SHA512
5d9c58316539e228b93564752cb2b63c8155e6f395b5e30cba3c5111badd4cac4e296ab6e8495d92de0e9da65108ccdc148111763577864ebd8b6195c27f0fbd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
102d44336d77e877529a776941f94d47

SHA1
5f29901ecef1e7b75ccf02303d0b40cea81f8c0a

SHA256
bd1ba4a237576ad4c929591369f2e14fce3363db7582fa8fe80395a794141fba

SHA512
6d912cc8db3175af1ad226b067ae06fffcafd9237ae1bf48a3ac04ce34921202718bbcc85b7b5ab42b5da75364108469f3240fb9468086354a3b47c9943da75a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
6000f0ab0bb7e0edc33d80bd5e0a70c9

SHA1
13b8aa80cc32f00737820fca9bff6d9ddc5172e5

SHA256
c230b57d6d6b23a85cdccabbaea4891591b5a8330d7730f926d45f9e62f0d5e1

SHA512
8981c51a29c80a2e8e0fbb38e62b1e7a6aa8a7b543de5f3585374aa501c1dfeb036aa5c39bdecd13bd946b00fb8721d88add2590eeb18427b31a30541a6b0d92

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
32f35aa10b001d0e54ffef4569aeb0c9

SHA1
3341e2cec3db331a64b6547fe51eafaa8237c352

SHA256
b88460dac027221147505ded872cfdfddc552efe2c936deb89d4e06a34d58028

SHA512
bdf41a44e6128ba1c2c6927014087590631aef25d21a540dffbcbe6e549352ad8b1c8627b769e5c6c3decabe44b12a099fdb5bd4833185b2c6f387a7f3f5b0a0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
088d58f3fc60fa1c8d9e8843eb9afff5

SHA1
0747e365ba70335e09aba41115c30764d3109ac6

SHA256
bc42c56f05e462384a4bf2fae6d0604be2938336c4366c5af04e4977f3016e7e

SHA512
9b8f5b4574c3c554a40e1d9ef84abddda060c90ba18f571437511440e071504713f24981fe8de2d833a10faa27097d62f541ba84e761e6bbbbf3e4f67d05c11b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
7a2ed0609d176c936fc5d679e56b803c

SHA1
fa6b59e3ce3ea1bc7bc2381f0d8bc3cdd1f75d1d

SHA256
a3872030a150e783de647a1e396940bdd13c414a1dee635b7ae8adb7930a26e8

SHA512
dfb9a47ae4d7ffd11b8df000e138ce0e8a13041dcdff967d70d1d8c1a1c86cb9cfdee578b0df9f8420098a944ac94926cc231c3f74e9cbac954cf8b04c42d4ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5ca7f83c44800fae9f75dc3d5b4a0b55

SHA1
ca8702dbfc21e6cd8057435af16e4228998091fa

SHA256
0a57bdcf9b191a9501cdb072c5c9b0cb659371c432d43515660fbabbf2ce7f35

SHA512
22fec650b0cd067c1ee2eceee04f3f142a56207f2d7892f216d8f52855cef65fac8034d1ca675bcb04dea44336badea1901cad2efeccd0be6c11e6c1afacfae9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
513e38b5f47363e52dc4592c32986498

SHA1
7aae8e9f02298621de1b9133cd04e6a2fa0b9f74

SHA256
295ef702b0710dbab0575ceebc027b5ba11eb55d840188839c91bf35aa40a453

SHA512
d0089dc9dc8ffd13629ad671d1326086eddb31d074afecfebd1260cc6e705972b4a12d50f9bc4bb22c2e126aa0692d8c43445aae8577dbc918c412c728955d29

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
4af75334b4858fc67b09b3e7f1248258

SHA1
b2adf393eaa6db01bc7cd4c9f966fe35618a41b3

SHA256
a663a2b81d5acfbc2daf3c17fbb6e121b3c8dd574eee200b337b728aebecc30c

SHA512
674f02aaf56394326cecb185cb8d920df7528ad7eecd78c7df0f4fc0d1cf864f31a8ee0689102cd9c65835b618776f60057c015141b914cf3eb1a66e2819828c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c9417a0fd031404854a62be79e1f36f7

SHA1
976139c55745d442d2f2d0ac3238440be64e9ba9

SHA256
453822f899a24a91a7f03138b25959286c1b84814fd2a7bf20d31982642436f4

SHA512
6bc315d98de20445222ac0ae870c6bf818c9ef4c39719f854e8716d9eb0a84d8647c5d0dfe1165351eebed98cb5fee4f9beac4d74a6703a959fb2ae6561f7af5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
734df48d369e5397556d0f6d1ca199c6

SHA1
39fd76f9852cc7d811bf36cedc924bac4f11a898

SHA256
e98e8547e2f7395fdd3383d1e5683fd88fc8211e7541c4ccbf7493a18ba5e9df

SHA512
91b19e56284dad12aa3684b6812466abd7a9ddbab49f2f9f6a6a74a2bdbf3b2295b6b59ceb9722567d41f7e1b3514ab0475d02fc5f0c02dbcddeb5d09c2bdc8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
124b86cfea55d5c53c60d411cf44099a

SHA1
afe5d982a16f0d2ac40d29cff5489a140062f6eb

SHA256
588909ba8d6af0367cc6390c25fb29050a7dc427e3fb370e55d1a424baab72f5

SHA512
629fc16d0bce555cd7f20f2522fe34a42c12fa4c45717fd9d7b410c0ca215b7473b649cd144c20c14edcbdef0f9943f4445f8b7fba008ff9d3f5339be9e3f29a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
3bb24c7f4f9576dbeaa09406cf09480a

SHA1
6d24e6fa83cfd45c7fedca5bc9e09b1010d3cdc5

SHA256
b003563cec417f7f8b3f94b27bd1bba55ff1b0e6d7f74d4b74efb3b82fc3efc2

SHA512
ae1f46bfdb3b609f139597614734c2e2618e3d0ec64964fb65de55f0eac1a2972a54c7084b7c3787a2030d25880726c8dcb05a82960485f3790f77a0a3236808

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
715c865e452294d6cd26406bf42b1aea

SHA1
d8ecb1d1c6534f8f8c718f45cee679966ba9570e

SHA256
512a82e7f91f82d6778f849e8f55038f4f7c70c3bef04de58f434421b46d9e77

SHA512
4e1aeaf450632aca87f3a125cbdd19d77c19ae2b1b6b342e4bbfd31c4e451860b47a280007acc36cdb62df3835ec81e04b8c0d37cf4e23cece0bb2bb9102a5ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
574cdf8c945b0e3acba6447fbc21d3e8

SHA1
80bf15d5636a4af947f72c864e8f1b6b6bc56192

SHA256
076f533acd2572a12caaa8ea2393dd356906ce072ebc5980bb06ac72dc175134

SHA512
ddb6825e06b39e6f1b965218be2421fb6c0a570457ea88e4d9668b96c2e31ae6e4b417853907cdd345adacc0147419243a8a00ba7ad55133c91489d1b0ccb8f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
434c994fab6b18158c3e9f4dcadd623d

SHA1
3d12de2dbab72197eda9a5c5a3da9593bff7521a

SHA256
f040ea677eeb06622fd67464e0bf7a9904be43d0f3cba0f244c42c6cb7516537

SHA512
c7ee653581ec5c29a0f6d1202aaac61f4b670427fa0c0a477417b231359abb9b91bcc30a29c00bfcb07dc86627bc7cbc5fcc21e16f5c7350779bcef537cbb2a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
4badcb6ca30726f5e4be9ded51471bea

SHA1
4b9c74365a8fef6650626921000eefa69e3715e9

SHA256
b1cbe933b3334d3a85c71a89f4d4824c466e094eb430d9f0e51380994d26093e

SHA512
1ec841c6835e3cfb2c0e41b68f3c92f6beda6066fb3234f875527212285a166eb0fadafe45dc6bb3f2fb6a95274d69d09bc44cac586ee515412f03edc2c0a0b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
e6be072fae1cf4274454f83b82a42197

SHA1
1f6ccbcc0e6b590042fd451c6e9c9506ae722193

SHA256
52669c3c22ed6129100ae8dafc5be00bf3b25e6828de64fa70ca186ae65db970

SHA512
b505d2f93c3cdb434f24e12898880037f80b124dfba0d9be17d874cb628ad6b7cc999287083cf3fb4bf7cd60f6d472d54bcfa855a059ab2135310735a4e2a8ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
1ce33e044cb4eb720730c8a7336eefc5

SHA1
2fdc415286ed3bb6ad7e829a522b419a74d1e2a4

SHA256
8b82d8a066fdd0bdb3e1b8289734c60a7f9ffff6f76233b00d6c674d7de1e6b6

SHA512
d70a4d5f348d134a41ae03a654c437012798e117e0e46de11273bd36c53bffc45a58155c7e39f2b67149d2eb72cf1e482752727080c0b63a7a4c2dc810c14b9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
8161bcc95fa7df8fdcd6b99d6df47cfa

SHA1
c40a95c78939545b72133676f86d7fd0e0b1c746

SHA256
d9dd9aa42e19f22aeb33e5635ddce200a7e5ce3d87253928e93e2aa333e4983b

SHA512
36878cc53b9ea5f2ea5679b0060dc055f3f8a7dd35abb4cc3534dfbbe1b6fe3b284c576f6230ed4d9add5365e857e91812749e4f972c625571bb1f870264c322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
6e4a237cb12c3e20b21c1b8c4ad5915a

SHA1
17334bf8cbfd94f8394244c2c8b87f4ff62a91f0

SHA256
ab3589967f0fbab271c3a99485b8535a5f759e29b3f9d82ff3af9a9439341fb1

SHA512
6e700f90b068c5701583e6b27f6cd84f5da094bdfefbb0843bf8ab7e8fd106125f749a2e6efe20be87dffdec6d4e91d604c0d46e222acf66daf3a73cb3d8fc11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
77738c813a91b5b06d8b91152dd817c1

SHA1
0b36f6e151a7ca23c090d3c12f32a11f475b6161

SHA256
29235add7702b86f6de92426473a9bd60c16e62fe044b113a7149d46daf27a15

SHA512
cb8b4e4d876a5f812dc6cacb7c4953129dcbd9e7f05a54afb683eb2bf54b36b46d1026f19f98d6e0a98587f9c6281d85de5d71773e467d9b8a1380e4be9a3efb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
82767281f1177d24b30f49acd0b23965

SHA1
1fec0480f481bfb371354c0991226daed2984349

SHA256
0131176b59e962d58068b1d1d1eed47a8023487c43c1cead4e1a6d45cf2767d4

SHA512
8eeceeab78535820a03085d4d057ed81e9f9c7502fe34df713c9ed09929e873f1abd1fe559e6713e8028e8699127fcd7d9dd58b0a873e566fab51708247c6196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
3fc42af8652912ae2a4858d4b04e490c

SHA1
79cc5963a33b77369345512fa2366641110a2802

SHA256
a10fe2bb7fae8ed259da7ca89fbb061e094a3a3c6406630ec0cb393fe95ec72c

SHA512
9df17aa0a4480218b690e88888caa6d71e48f7e7d21445dd671fcb108e7388e7b5c87c46c4c885803c6a23d560d63963718d1f22c9863879a9fa2d25b087bfe8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
f4e9a574181dd7c8e6ccf2b69cf5a0e2

SHA1
e2fc7694beeef2e2d3979319d4aee9652a7e4214

SHA256
5b0dac514d72c7227aef8fb6bcfc28923801910b3f91a4aab9e37272e7152d1a

SHA512
c2fac4afe4f0344bb3ffb26d56a42f5f53715038729244d64a01894025999799394f7ea418f88fb59d0fbe0db68b7cd8139284515ad9259492e085a09b95cb42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
48af8783cc9241a9251b2e96c0921b56

SHA1
ffbcf6c94c4835d662bc7bbc7cb281d54ffaf27e

SHA256
409a857cf838635d88b2576139360676eae5ddfc4f13463acea41e32bdece372

SHA512
8d16adf17c9541c14841f254a8729beaca2635d8d53799f5ec2137c55cf0235ff78db330898709579cd0ae0168cc044a8a1832f5ccf909e53cb21ec201c354a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
588d4295c46b977b7c2815457ed704da

SHA1
00308560dddf750b01951cc7f58cbb16cce29734

SHA256
d66745522a86f4957a1a042df281c643c76839cc2b8b793ce2687a962d1b6571

SHA512
d761dd8e9e7133230871015a8a68a66300ad3efe26a2232ea2b1a4478cbc932d94be8d2f97a1bc2888ce98d0d22367040d344c3c0d9503356b586a0541c575c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
3c5427b1e5ad489c9d3bc40f832972d9

SHA1
089c651e3c0c8b02ea196dc50d71185c5410598f

SHA256
9c8aa1f2a71fe636d6630944b410b945a7b236b410afb1d9e14624fd7cfc8eee

SHA512
c5ca60aba58df939512d3d09f33c4b11a3d84495b58dccf3b85f3f8f9b0a5bdd6848a4ded26afe279c11e3883b30e489fcc748dd75d94be6d03ff12f6fa1c9fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
bfd09fdbd65023860ed87a12d91f29d5

SHA1
172a7218edec9bf04cb77c4a0543fc25eae37f71

SHA256
63bae448e1296427e65fcaa6a2a8839e95c6ac60f56e2cd176c5b29af7dcd7ed

SHA512
b5813d231fe35a41e585a43affcef4cbb18afd842f57273f5c38d27c8a175def84d7c2b10667f03aa266974a5aa465e34c866d0097ea067710d0aa3df1237d88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
2a0120bfde2533a59dcd76f26eca9965

SHA1
a060f1ee4d1210394445b89b419f4b0208067cfe

SHA256
55779663d47613ccd4f4f70fc6e4d98e7bb6bfd3f8d35fdfae8d72fc1ee86800

SHA512
fd770cae6608baab0626cf7a36cead87a4e150111ccf85fa05e5a05fa7ef3c63d067ae40035a8982109915354fdc3e848b3d251f3d830b902ff6e021cb5a2a43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
fc21a46193b5fcd39b201331300ebd6d

SHA1
cec059a2d58cfda908a471844a77461f98f65ad6

SHA256
87be08ef57bf7a906fe3c9dbe11c43cba2ff4b8fcafd18969547540283db7785

SHA512
22d779f35a237854709580a9ff6d5c97f75dce3f8c84cfd8e8f90c37063f9557e4fff3d8c9e2805e2feccc3b4eb4d62032839abe6669e147a54f7e58451350d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
7fbc7f4f18a85e4af3d284f7fff01d38

SHA1
97b42188b3b2b1d5ea7b29e7c1090be4c52ca244

SHA256
9ff45db0bcfa307a7a6f5c602d6cc141afae2e48c5e7b1b230827de2460c02d8

SHA512
037b63fb4f975e1ca0ffda0ff9ba6e937b6e44e00669f19a1475b45bae422291de0b53d9c68b170bf5eee95830267b5a9e973a784049ec5837f8864882bf633b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.5MB

MD5
86acba3422f94c2f50e48ed2b26e5081

SHA1
ffa67c46cbc0e073ed04c5c9fc07684718a08b45

SHA256
c761906da40c40d5cce2d419705d1ec17304f1da18fb1467bc1ab10b8b89d0c9

SHA512
5deada6a8faf561ee47df6bc3b2ee46995578f8a73043e0a1c18cf3afd62cc70661f83f12438ddd8847bf34b374f4e3d90e3d6b018c13e0b64cbd8c325228b0f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
803cd6577cdcf0c7db7fcca5c42560c7

SHA1
62354963ff00267b921b4bf5754c3c043a486577

SHA256
fb9f9107b286bff81de7905eeea8f157d334dfb26567ab96e7f2b98ac4047e22

SHA512
f98a49e8ca46c9195c7e9caec1bf2decf5091c9a78098bcfc6f4c1b14d8e57555f0296eba0753004e4c6f87d7d91fb91d782a42cada318332413b5c942e5fe70

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
4fa7f64dd8c1bdb7a98f84c69c535071

SHA1
b465ca7575c25cdad7b7a69a5a56d514b27b18b9

SHA256
4cceada98e955be21ee1ccf8bd85d8a5d4fe9f07bc55850e70a8418d1efc5028

SHA512
4f66f384629c6b056781d7c0df99b17594fd2b4a61c6b39034a7e499dc77dea74880561d0de299c4fd179d2758b926fb823a5a50e13f01e9f881296fcb8ef08a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
091a03d6f01361794fe39edf3148b501

SHA1
06b0af08b187e6f6c35a2546191169c78fc530bc

SHA256
e078a836ffe10129cc4120159b4fc8ee01106c64b7becfcc0a2f5aebb11adc81

SHA512
eaad215aa680e74aa54ed679e4cd69170823348bf139014677e63d04fe4a918ee669c29a16f1f8703bbf211627ac9fa0745d8ae7d652482d3aa79de76d14ad64

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
dd8de6f9648cbb1467b188654340c922

SHA1
61242d4f1b871cd9cfa614d7d30eb8caed903bc7

SHA256
08a0d428c43e6c9d7b3174199a32215f514a49a253b840ffb914089a45dcf9cb

SHA512
a8ba08fbb42c7e9a68863f219e39f01337583b66232f3e1ca8041f3e76d8237b4b1a19bfe393db4b581ceeb85a8e1eaab3cb714a1b7692b5be835b0df0c1ca2a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7cf403b793e1a8499d93fd6972d22156

SHA1
b840febae6f51b5a892848cbdf2b0176881742ee

SHA256
660418c06d2b2a1158a05c84d7b4c6af8a78403cae4220067e0ea012f0fdb797

SHA512
1737051dc19384835be5b7cea13344891e1ad79c9576495013ec53ac6f120f1debd7e115923c272e171f7077529b4f0f860d5f5c3a2cbf1f261a31a0034b97ca

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
3ddc03341c8e0f52a4bd5824e57dcbee

SHA1
cd319765a9682e54ebbd37f1f4fc60c693d153ba

SHA256
672d910204ff242ef9bca9b03314e3eb08d61c2cb3fcd04e6b5cc1893fb1a87a

SHA512
75cccc1609cec75deac3e93f186ad97eca9031a2f7bc6ce7e46370644fe3f09be3c2b65f53c9ddd6d3c3266530c86259b687eb34a5667f69f6572dd7f2821bb8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
a8e3c717937dc6acf669867dd7b096b5

SHA1
35de8c5cba748b57c3b85f95dd129c5df0ec1ddc

SHA256
86fa70d2850cd18a96e4765ff7b1e8ec147328e3eeca9db42b047900dab53cd6

SHA512
f0cc176c79857ab03f041b843faed934b4fc75d1895e03851050e6e81b32d691999544cea1498066c53edaf3b17393642bb7cbada24ad642ba2ef0c9927a0d64

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
1ad66f3b7b0c941552a0a0c3e7b194f7

SHA1
c61436f3eaf301f776dc4a5ccbf7a0a67be600f0

SHA256
6ee0f41bbf4e585c1ef4d08411d44a2849c8202de9fc222b899ce7720aa192f1

SHA512
662abc2d2bcf784eaee460a43033226081b17e0bbca51ce5be1b589caf1028844da9eb487ebbb74bb3262f0e7074192c953960dc0376877abf60da0b61e2cbda

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1e8556b551e44775722f08e894ca9a7b

SHA1
6d0ae3c5f66114a540b8603940dc4f0c75388864

SHA256
a54de1ec866a1cc74c91ad41d49cbf0979ccd79f1a62e704f9651bc55816ca58

SHA512
3bae4c7b36d68ce3837f1289d836afef59ff5f244f36a942daec8f70181e339425c709ff6e4c77872072b440007b3c221494bd8ef868b1386172077a744000bd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
aa40b5fb4258df06f3e7c873dc61f103

SHA1
e1d32ca94e925d571eaf038c74504e43606ba316

SHA256
826ff0e44284bac7c1781037b424cd475a730949c7ca9bd0d9911c03691faced

SHA512
af3bd92f6fbec95b2ff0c20441d588ab3d38f33d0296304e0012529296394794a79e4fcabf3d017f48ee064ebe90c1cc36e750bf0df511c82378fbcca6e77e62

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a30af145968874737c00f310b9ef7738

SHA1
9992d95f1c1a87aac9513060cfccbc7424136718

SHA256
7acb0fb886faae76f59e0c15f92512b7e65e6f0348525f271aa6e5301b1590de

SHA512
971eaaffb3ee5f937fdd0053f6da25f8b753501a8776162167f4ec24e39672355ccaa25a8977a1c8d1dc7ebd46cd9645ce2859ca259698558a77ccba8a44dd0b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
e74d4276811518f6cfe58cd7fcf34a4c

SHA1
5920fb4b0acaf308bdaa297a2279c90280efda37

SHA256
90ad9558c49a087b67eff21178d4e7375429a938747074a9e1ccaa086ef78adb

SHA512
c5144e0d4bd0d509f8dfa2e0aa2dece7180ab65630430182bbe6ccbb6f4784b01b2ebc7517fcb9c384c44c8006227854a83ede873577e3aa299eff25cbad9d91

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
99e09bf30247d9e5488f51bd8f4cb2df

SHA1
89696c43774156e1033670bcf7332b147d3bff62

SHA256
5acfb5f6aa00245f9cd00d9ec64b69a1425bb7e7dd91ad7b424ada80c70d1b32

SHA512
cb5914ea26b3cc3635f50226c4fa9681be1178f0a8654149ebb9d28d2d1bf0bf9742eac1a7ec57f0cd83ab25f230d762431cefbe56201e8b7a706aa491ec4e02

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
173995f901e0225cb13e0b20a762ce35

SHA1
797a68c5115f205dc956444bf3d2a027441645b4

SHA256
3d9a4c00afe995aac342b6891e1620c7d9772c225c5105df3a9329d7204623de

SHA512
755ef2773f37b379334c339c987c5611f5ed76929e01925cbceaff59d75f75ba6429403c4f8bc96271a1f300c9b37dd13d13e0e561b977f311ddad3d1a061738

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
39ed2b50cb3b699a36cf429a0e5589da

SHA1
994529327bdb532338550d85bcb80cd930afd8d2

SHA256
4c616d7339842226cd945c9a3515a7b5f8501f877950a080e1cbec0201677b79

SHA512
d61195ceaad2c29bcf8b27ec3249cfd2944caf5b7dbcaf898de4339f26c5ff5b030172f3fed1845235b18fc6efd2e329cdcae0be50005e0f1716eea542db40d0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
2c759895291997d1e7fc7ff244702a5c

SHA1
cb666a76d5dd9dd374c8fe835daad9b9694442e3

SHA256
7ed9972aac48f9a338a6b0af7f3e6c698c581382c900a9debafb8411345f0262

SHA512
b24faddb7650fe6a4f4efe1a79621711ce81a7c545ca5918eb029f46bacc47b1a0e70cc1d004b7c4a21a892f1b7ac72e203ebe40b917ee7914907dbc4267cc09

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
946abc22091515ef94f14133e0b4d8e2

SHA1
7e6080bd4f0d286db603625b895baf35c139fb6a

SHA256
94bd09e1cf65586acfda73fc7e3f1e963b2f6470f61d28b7f9051d76fb6763cd

SHA512
bb781c5c79d7fc3bd3a1d4153c2448dad8856a7529a1ad61524dcdafd2bf1bbc8b36084add54e74f57049d4e947ec3d498f09f86ba26df2daa7b8be9894e5cc6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
5bc09260be5a3498178ab0e849c66548

SHA1
fbf5fe516af2014cf9bc42048350bdb274dd0128

SHA256
46b938e8055bb5b9038bff9c1b558e16f7aa7ba2de0950598f9d9bfd7029bc0d

SHA512
3d5b17f6a4dca346d2052d89cf81e340d05d0f9a56e36cc2b332b32b48c29076d528ef4b143e0e946ea7106fb953a72a66d8a5179b932c80527f2d8a442425bf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2f934ca16b8feb9a390095c771085c70

SHA1
7f811268d3a036361d31ea2da0f58a0ca371d54a

SHA256
a6959cbff9d2fc41edca9fac87d1dd36f63343ee7294e5f091caa72022703940

SHA512
15b4edbf34028b2e2a105d2e347b8b90a500e84821d97cee690a9f4864d2046b0d477b4635624b560329dc94660d77afd100540b7ab7ee4994b96be746d9ad5f

Download Submit
memory/440-235-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/440-62-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/440-69-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/440-70-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/696-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/696-252-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/696-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/824-563-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/824-368-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/1124-421-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1124-302-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1188-409-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1188-292-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1792-356-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1792-562-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1816-23-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1816-230-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1816-24-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1816-15-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1928-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1928-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1928-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2832-0-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/2832-6-0x0000000002440000-0x00000000024A6000-memory.dmp

Filesize
408KB

Download
memory/2832-7-0x0000000002440000-0x00000000024A6000-memory.dmp

Filesize
408KB

Download
memory/2832-14-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/2832-2-0x0000000002440000-0x00000000024A6000-memory.dmp

Filesize
408KB

Download
memory/2880-278-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/2880-397-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/3136-545-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3136-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-435-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3588-570-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3844-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3844-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3844-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3844-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3916-367-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3916-241-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3916-247-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3916-240-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3936-385-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3936-263-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4020-410-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4020-568-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4116-57-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4116-59-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4116-51-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4116-72-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4116-74-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4156-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4156-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4156-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4156-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4436-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4436-371-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4464-566-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4464-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4576-523-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/4576-333-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/4784-569-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4784-430-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4980-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4980-567-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download