357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df.exe
Size

1.3MB
MD5

f1d50a03a025126113412edb04baebbb
SHA1

4575ce76e80e4736319737604877174e238e3bc1
SHA256

357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df
SHA512

e7d1c2ba210799e5cba3ee384d12d53c33e4306cddb6b2eebdc3c2db8a13ae03ef0e31f70e98cad7f1876658332a57a00b2ea67245df5c01d5f2629387a7154e
SSDEEP

24576:U3LutmkEz+PAVV/bOInO4Xs2ztR4iegxLHgZpJE4VDdkt/sBlDqgZQd6XKtiMJYv:UbutmkO+wROInO4XrztygxLHkJE4VBe6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
372	alg.exe
2424	elevation_service.exe
1304	elevation_service.exe
1396	maintenanceservice.exe
220	OSE.EXE
800	DiagnosticsHub.StandardCollector.Service.exe
2244	fxssvc.exe
3000	msdtc.exe
1000	PerceptionSimulationService.exe
4988	perfhost.exe
4652	locator.exe
2608	SensorDataService.exe
3228	snmptrap.exe
2304	spectrum.exe
3092	ssh-agent.exe
2292	TieringEngineService.exe
3884	AgentService.exe
1312	vds.exe
2040	vssvc.exe
2024	wbengine.exe
2796	WmiApSrv.exe
2620	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ccde377f5325400b.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F23469F0-29AC-49EF-9260-16E5DB697B1C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b156dded0dd3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e5a9fed0dd3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008246abed0dd3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015b9dfed0dd3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abd276ed0dd3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2e0e6ed0dd3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063bf63ed0dd3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2424	elevation_service.exe
2424	elevation_service.exe
2424	elevation_service.exe
2424	elevation_service.exe
2424	elevation_service.exe
2424	elevation_service.exe
2424	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2356	357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df.exe
Token: SeDebugPrivilege	372	alg.exe
Token: SeDebugPrivilege	372	alg.exe
Token: SeDebugPrivilege	372	alg.exe
Token: SeTakeOwnershipPrivilege	2424	elevation_service.exe
Token: SeAuditPrivilege	2244	fxssvc.exe
Token: SeRestorePrivilege	2292	TieringEngineService.exe
Token: SeManageVolumePrivilege	2292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3884	AgentService.exe
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeBackupPrivilege	2024	wbengine.exe
Token: SeRestorePrivilege	2024	wbengine.exe
Token: SeSecurityPrivilege	2024	wbengine.exe
Token: 33	2620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2620	SearchIndexer.exe
Token: SeDebugPrivilege	2424	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2620 wrote to memory of 2996	2620	SearchIndexer.exe	SearchProtocolHost.exe
PID 2620 wrote to memory of 2996	2620	SearchIndexer.exe	SearchProtocolHost.exe
PID 2620 wrote to memory of 4948	2620	SearchIndexer.exe	SearchFilterHost.exe
PID 2620 wrote to memory of 4948	2620	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df.exe
"C:\Users\Admin\AppData\Local\Temp\357f964fd1518a7b22f1d5c4cec3c89219c0ee22c5f40663f109d327ee93e7df.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1304

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1396

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1400

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2304

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:996

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2996

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cd52e4e05512a048d79d504440a863a2

SHA1
f2724c2b88fe993aada80fa49413181b6ed6d09e

SHA256
f4bd134cd5cf5a58e62abd8fb6d848a4e4076077a1b05d643d971845c9f34d24

SHA512
e0128c0dd487073c14d8b0b7856bf6af46a7088349ce0e27d732ec1e5953fda56f5b622f5eaed8e5b9a0a7290a9ae187c72f9055b8b2b5603044196ee329cf3d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
5a4c171e8a87739e45a8314fe6c3eb56

SHA1
a158f36b630ca0e2e129f49d0d4149cd3fa631e4

SHA256
830424695d43387b96985283bb4911ab8f1b3ef41df932e63a2f6a2c723535a5

SHA512
fb35ff6f4ffadbc3b53f4ff74be22e6b76320849b6a7aa6c5564b35d2fd52cf7a1bcb16df2e795eef9bddc494eb6498cc8abb7c0aea3c6052081b105e11c0c6a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
40acfe54d5014a3c0e8254b305ae0ebe

SHA1
885b51fae0a733d6c1b746521c7e8d96d2f020cd

SHA256
3feb733f1d3c368d5e3604e95e9ad1f7cfcb86bb700a30bba1c68dd9888e026d

SHA512
9802a1052da755e04aba03f85d3ef8b609242a246ecd4d29ec7c825b3af039a91431993c69f8b844928d54246755d11b5eba778de93ee277c924ae076524cc89

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
317fcd3b8a95870969df8716a2035013

SHA1
b08397ff3647c31ece5d7bcf5aa735e0dfe6c10e

SHA256
1e74530bc73bcd78288b6d6c3ade3c94671e33761146caf8ee805812b884a8b2

SHA512
429726b7330143c7381296acedbb8f8bfb3998a47c37a6b4ddbecd1f3d616d5a536aae9c1545956655ebcf400c066793887892a62cf34605b3a638b5e1fd618c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0b367346b79dba422f06252909d6bc64

SHA1
75657007da078a9ac62b72e78a48a6e95947046d

SHA256
f6173ae3d53e34cd73bb4b2ed77c59c28fc79158fc11d0b4aedad308c7e6da0f

SHA512
93084fd73ca49da53f54d799fd503d924aa2ea764e3ee03fe17b0db0e536ba5e6b1e080c8149b36161a8a0beba1589edc48ac5812c20575edb8f556464c47376

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5f33514ccc89c08939daa49232e628f7

SHA1
50be1ffaf8a3ce4b8c18c8653b578b871e08fe12

SHA256
1c779cf70e57405dfb3770199882cab991d7b1fb5f481dcf1d0f068bfaa78a71

SHA512
51681e485900340c5e3c6ca0e1a8a8ab479d41719a14479fcab0f878dbe624585095074669c6cb8155a8e730e50c6d0f9897528b659c68e0d6b616ebad1dd51d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5f392ca30db09bf1875247fab08456fc

SHA1
67ad8bcd1971e2a6bb821d8ffeb2113ad165bc9d

SHA256
3af8aec9e20f0f9ab3a961d82a2f9f4a29f6b341561d0fe36a28e54d932c1569

SHA512
89286dd7f38c5f2a8a8c1aee4b3659346ab778a1099ad3fc176ee28848ce820a54afa1e43f320abeee65fa98d572ead1d8d0232152891e5cb8c791a2b012d5ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3ea2736401dd0924577fa37547f33b35

SHA1
70126d51b6226af434f2b95e5909b527e2b82654

SHA256
b7fe2f078ebf85d62d485e59726616a13f6584681fc5c8dd46f0d6b84faf4456

SHA512
f509c6c7425138d7abf56c0580d9ac96bc8cf07874072a6cf29098becb65ca819d8f9d5dc930c0ac8d9982df6786b612ebc4a157e172b2a7da08f67b4805b4e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d34eaab5c11ab2af520ee1660513d472

SHA1
a06888395576d4cb7bf2c64f65047753030014a3

SHA256
89275e170c26a99cbac5684185fba92999845bbb3076606cad2f447d61604304

SHA512
9987867f091fd4ba6c37f4b3fba75c3456a67eab39c4449e6edd00323137a48bc71b5e77a0268075cbad44268b08c7824641e22024192ca2eccff3d24e2da369

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c924a7d28e3b49c064964879a16f048a

SHA1
c42eb481f5e49cca662817bf13e04cef818815c7

SHA256
aa697d8719489e90a3dfc8d2c4200936b3f26aa951d912d062bbaa5f3f5f33eb

SHA512
6ea253179c17ce84b7407fedf4ac1801ee15657a5c8edd2ce70f0b557d901185e5d10de5ab77b4d413b9070c9b30fd2469550bec8b5f03a95e2475054b290a0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
12af4bc6732f3e4fbb89e2af2975ac93

SHA1
2b288f3d872be6c4b1773affdda399358efab255

SHA256
36fbff9f2d2bc74ba77a5ff4fb2ec0084edf28b45e60c05bfe2306b7a89e290c

SHA512
7285c7c8da803ca95413dbe437fac0bfd1fc0efc912901180f5e15b4bea4590769f3a5c6dff00e30d92e8e9ff6535e0f16d1593405be4062931dfb5b6d86b974

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
83fdfe22d33f4d674af239793920ac69

SHA1
4e210eb7cd9541b115fe2fe55d60ef57d003331f

SHA256
31aba961b4d98d568370e3b0b897da82f7700e81831d285f84e2c6703c6e8ab8

SHA512
6b4384228275fcc02a85d3706998162c241e07c20393e759c138c11a20904660ba74dd9d9b094e4eb3eb5d85c3df5093c2f5169d2639ff8e9c77f0afd1101677

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
674ec263759fccb509369122bcdec1ff

SHA1
6218a6ac3396cc65f76186f97061d9bf1f0834ca

SHA256
84962b8742ab98267aefcdb45510e39a6cf11392032c6ebaab4babd68abc0255

SHA512
886ec69260b0a281db51b92e6967d862af35134da392160b354a019c929ee6c4de0bb71f53a4505040fa96d481ab7d1424956e9297ccc821187e6fbabb54a277

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
56773ec63a0fc784226db832bed4f8e0

SHA1
8b799dee08f86428b24f3bf3603020b95728ed4c

SHA256
f179d0ac896fa89e28d9987a0bdec047f644fdcc5a9263e890cb6cb8cbab5962

SHA512
59463c64464ee505ceb7e60590468c68746b0abdbdea85520f1890cf3cdcd79ec1e7e882fdfef9e97fafa1f5d4cd009f7cf0a2c5f2b1e99858fbf980c2586dc3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ee88465ee6b0d9b7d2c2c52d642026b0

SHA1
79cca3ab50f73d676c1a487183f08c7ed74015d4

SHA256
c7dfd1a3f6bfbd979b1cb781e59c1d0799ba87ccaf15d52baca826922f7cc8a3

SHA512
ec9ed07ecf3bd7a2e3a429852ccd8d1f82d245b65d0ff93a63032ad24e357a5c3ac4ae4efdf143f7c865c6baaa61ea7df00c27de2c4644659f0882848829862a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
81e5e61d76e851e30b3b4ec25705ecb1

SHA1
074cc02d66e18910d0ea614717e68b32380679bc

SHA256
9f973224993c01637c5adca87adea4694667548751165f4a8a696a36eb657e26

SHA512
89447507f56aca8a5b46571c7ae1044d99b78fc739cb24e939f10628a2c22c0919ac0b4dc21917717a1124e29200eb80396bfc3833ce24c7b06821d4b2beb44b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
de14605dc5ecd1c47d775b14970c2a66

SHA1
4584b21726a6cc3309e4c7827b1c3a492295dde7

SHA256
30851c3076c85a8cbdca459f6fc5801b117ba6296a24507480f96e6d3fcf4dd9

SHA512
56051a23e0e49120552f8e7e51c14285d9c8cf69dd7458f9e5c39b804a93eef9252c04dbf63520f925006dbea9bca8f35086c307c44dde8cfdac946a60ae5002

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
fddb245b9313a6b32504343d291b0b1b

SHA1
aacbac9d5847db70a7d15528ccb845b2e7a038fa

SHA256
1be856434f4cd793623b8f4a76f29e09b1bdc52a0b45c81da93522e07feb8c62

SHA512
3c082efc6350450f994e2dca01980203c7e9bee2785cab80b413208728434733bb1df036686366483629774ed3f6678a59919ffb1419f45a035f9e1f952c1ac2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
c800ca43e5a5f1a0206eb5d386601d8c

SHA1
59d9a4de3815cf0dcfba0e4a5bb3c1ac992f0f6b

SHA256
9e5b67f9abff0e062f058bc5bd26200a61b60a53a1079fa306c13bb3b8387291

SHA512
49cf7ec0c21b9f210d027148e6e98e7c5ec682b9145ea1b938c2f0c26f4db50b25900c90c566899df87c43258bf7cb1a94af055a9b179f0009a933adb5334c53

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
50eee85f0d8cadd3c8ae28f84f10bead

SHA1
e9b0977a40146ff89b6950f45ed5da16ab5a5b1f

SHA256
be0bf611aa89b768d79edbf14f71571f9871d9b9f6caf85c5e8817a9576e0720

SHA512
60ea743b2f37f5748b04b2c428151be169f6a442bd7557bb31597594051d9c7e511fc6e4e649d555a0208be3d16a540b9e61ebb1c239faee55f499558fd5fccf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
57f5f534dd4cd6a3d3182df532a74e06

SHA1
6ba5cc1d25290417470db88f69289a73e65ba86a

SHA256
f21e3d0ea0beebcfad5dfbca014ba026753fcc04f342182dd6e5a0d87b0e4c76

SHA512
fb545876691d3162931ee33c3cee9274f7485674d666b85a909a5c3d00fed589ff6120417a2317282ca2441d5d68042a73e52a6e3952a40e1e12f78b4c11811c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
185344971fa08e1e934316123edc7a75

SHA1
1b02c78354c16c2acb20d3f4be750070dfd8f803

SHA256
6c3a3dcf84aad24c82a228c9bc005130eb574ec9f1c4118ddb96fe55431bae8b

SHA512
a96c51c9ff6cf9eba8bc4353bcd58c058b114199d6253fc8acbd0b553bffed388a0ee72f6305743f0807379ebd8cfda2ce05c0fb4eda98a68d3a5ed374595b3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
88501970b81d59c3f1428830ade7e29c

SHA1
ea2f20cd2c4b954496f65574d09cc5a1bd2ec6b1

SHA256
4adaca515e27cf9047b635cc61710c7d92275a29276f5791334dd31deeccc4fd

SHA512
ee48e2762784a08e29dc064a7ce655e71db580884a0ffba4afdec5d6a6544e6e5a0bbb168bca54827e6270012a619d35ec82d781b74ae4b818c6ee1f0deb4497

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f413b1e7d620b1ba84082b8f238c1bf2

SHA1
915afe5279b8779a840aa6ed54bda986e57c52bd

SHA256
d58b35c9ebaa8a93420fa9ef5e010cec946ac03956b7a8de79b0cc0a6e6447f8

SHA512
55fcd522136626faeaee79dae68f17588b6995241e5c6d8e17d612694198c75d5598b7b98ed965fb031ce432e392ad26f23b190225bad12f473034a2d1918856

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
51ae6e42cdd4dfeb06c697c392c225ba

SHA1
58e454a419148fae6a2ac0e0f8e13cd322e234ff

SHA256
0c9519b04c668cceec52a0d0a13cb12fe2de93060a6b820ecd56bf930e2ced2d

SHA512
4315223156b6488827506341ccbdd355c11a8a815c1529bbd655d3bccd9fe96d7bb983434378039fe5ea7219e2a57ee2fb59ec3cf6a827408b2d4879556fa5d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4ffde8d9837a20ca5cae891ee7f73d46

SHA1
d6ab2f3605bf38de02af9dc0d1613ba1f665b59c

SHA256
21955e8ce9f2a1a8991dc44b08def6f8b2cfe2c538449b1ffa600dc045462d36

SHA512
8b7d7e998653312fc3e73e104ba97a2ef2f30601f0f59ecb6752bdce8189e31d0fdbe715ccc0bb772ea80484e21789e6b6ab3e7807d5e46424b449d3b3b57225

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
704753dd33bcdcfad0be2e15f769dae9

SHA1
80d9db94ea013b2d0b12b30ce21e733c15badd2f

SHA256
edcfe51937111d715dd4bb168743a1e0f836025ef32882e731b868f38e09bb63

SHA512
bfa66d9e101163856c68c250d3f51d35986bf0de264026b109b39d1bc52fb7e72d56a09d6d91c30e121ce6759115be34cb76ee248f4b9f04483650505f4b5ec7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b547964533f78587d874e1ee78a0196b

SHA1
85d821583f0138ec3a0dd60347844a369f09a423

SHA256
f4e752f1fe25cecf60eb0545135fdda6b9fb080f0d59940ee9567f93739d5cdc

SHA512
800629ee97f62adea15bc46203506a6d822554cbb3e7b13b7f8d0e674f3c8faefe9f8dea77efda5837e4492bc45efb99c24c118f0043587a378871d12cd74ec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
38c6b42e51f4fca6561331de388fe2f2

SHA1
b083ba109269e90d24ba7591b95c455c63faf575

SHA256
a5d87de1e0101f38cad33c224d453bd2ca97845ac4a3bc3ec02e09485326b4ce

SHA512
720cd313037505bc93199d511faac9807b772524dcef5e4ef0bdc1b8b06eb0e3dcd6c247c2870c6649787d00756b0e6f0cfe1161c566e401e7a1789019b8c26f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f204b068a08f8057de2794013bed81e6

SHA1
fb9752d4877724d5b5e8a27aafc6868bb6bcbe14

SHA256
47f5b13b9926dd4e3afcb3c872aa00b559b090f63aabbeda0253a9f9ed0ae2b2

SHA512
87555e6462c73b43bb1331d71797a50f6db2954d52cc60e7766d29fe1c916a1f2a847bb96d3be209fedb922b6723189005889669bd6486e1a115e15a8b460606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
fcc861e2503bc1814f3c3399305ae966

SHA1
98199fa4c9c4c3ee86d663b19b125b47300ecdad

SHA256
002acf16007fcc813e2408b65eb98e2dbd87e47e1b78609819b4a0b217e04c3f

SHA512
5afad8f5cb45bba97bcd2251bf2eeb7ad25a2a6a8cfc4d652db300317a0afd8c2bc172786ca2a5a2a15d360a15245b9f44142f144224f95b0380e90b071b5e50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
80bf5c3e8aa334b11a1f47984a662edc

SHA1
83216d385df371757b08cba2b40a530deb067125

SHA256
9013ba61e62800de64a5b490cfba01679d2f66914b0f005d17621fcb46f8ce0a

SHA512
965448c17f559ae6fa2fabcafe834f5fa02447427efd1af3baf0a052a436aaa0a8a2e51f19086d99ae8e9285adc1cc21e1979b8cb114d26498488d014093e2c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
655fa1571e9712a8e5fac423c3900bfc

SHA1
cfe1a9612f84979f118a6c999e8072370e221582

SHA256
f6063a67a4d519e428a17f27e158a8c6ba14b95212d378c94ca3c6799f1eca67

SHA512
6f389cfdb840a3472006b0c9cd24bf9f73406d2da4ab0af0134c76945907c8f98ce28e734d7a83b2149f01113d41cb9a5ff87d1553eabceb115f03625cc447d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
70e756e6a7c0d42def664b360691cab1

SHA1
d1209578bd4024ad458c404510c2597093aa2182

SHA256
36cbd9210cfc61dcb762fbfb1ca153844883c8947a2abc1bfdd49d3d3872724e

SHA512
0ad3517eeb000a2c5a44f3e7353dc8a1d366ab73fad6b46c0ebb8977050b32f95e59d756e64a6b9b5040faf8082ebe6ecf64f71fcf0a9e69455759929c63af92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
dea6bee11d34e801f122b663a6e532c2

SHA1
95caf8584f96e72c7c2ee4e8d4697cd1fde3b60f

SHA256
2f42d493b1da479381e1028a3216ac3b883f0f2567aa5bbb57760a3817d9fedd

SHA512
3589732bc9a6734f7b4ad78b860d0b31e9ea2d02b44a6559d6bd3ec670d1cbd239cc68a3043259b8fe539e3914c60e2861a89a379fe414838a7de3e3e8d44de7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
31be92e75791416aba922c84c9f33655

SHA1
c8e624b123da23baaaa91b9a1e2e997328aa058b

SHA256
706ece9b1a0b3ac8e66d7a2e2f673dd9e8cee192a7939fb76e7ad9001cf57ef8

SHA512
4931e0b16949497f3ef5dc90ec454109319af9e7232f734263cd08f681d4a44b3b7d5fdb5aa92f4c0977a438b82cd251d88f2cb0ad230afa7bb61121523d5ad3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
004532a95124603b38b5369e251ad7ef

SHA1
a22c3047f831243c0261f346896156f899830049

SHA256
181094263c6752fa77e9bfbcb43202dc171e0f61886cb85ce9207a913c4ae9ce

SHA512
34702c173926b034fb2ea5c3bbe10dba145d409940aa083c6292ecc128682a461a01bdf336f031b725b63e4a66a0564642ae7fa171dabf1c0f96f249f4ada9b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
74ce83579329cae8a3bb296875d3bfe1

SHA1
86ce03e08fcfb2c38b79530c04c65fca3e2a97d2

SHA256
8a7db5d40a6c5a8cddbca208b269d5e559303c9f71c1f8b700c0c93e7ac989f9

SHA512
a17a13919593c9a9ab9af570a226c6867819f1662028eef5899e81d49f8a917f67e545f9152aacabeeffe3caec5f5c21f3a6aef42a95d578bb2d3d017bb9cd04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
1508beec6b4762f9e36e8ae02c224031

SHA1
cf327614103ef8a06f820817b657ee108aee38be

SHA256
81a06d03d6c1288d40b018915194f66f93fcf97afb87a5cf102d7e3c2a085dad

SHA512
8e0229c8d3ae9f196756faebdab2c29d707887b029234bcbe35557b2f5518405e7f84e6109de9137a59b20bb949ee2497de85b4154448f6277b4bb267f58d52c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
f8ca5a3ce56eefc44c25cd965a871620

SHA1
3a1b0a0edca7618a451078952316ecd85ae35bb8

SHA256
b1d1b3a9483497628331c4290f0b025a0910b4ff1a422f39c29aaa7916413403

SHA512
2ad003ca10e441adb856382df25bb98e785efad37ac38c789c9f7a1e314e48198d00e08394ffcf24fa08d9ce24263fc85c3422f129c7c3010265b2d83a63db44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
b180a1ff18e79755f2c4916110f25609

SHA1
482f638678fc5474810bd3c3c1e45f4121075616

SHA256
67010b251acaba68d667fd651d5467cd864c7fc3e4c3ceeb87601aeafb1095a8

SHA512
c8c8ee04f947700b156e19b3aa72f2896dcaf474a70e2896ee2f7ac1f59ebad0bfefdf472d625c1a1a0839bec61d14ca4e696e3b944892338ad0884e872d8241

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
e1d08d9a70962b8deee30ac65abc4ec7

SHA1
07e9f7c3c000840698cc33ebc19cdcdbcd06966c

SHA256
2a9137f79f2537bb2a7ef488d81b0729b1c201ab95a6c6fa0ab005c8381c9f41

SHA512
b6cc2f65ce0e03633f768a99cf77cb95b2a2d3f296bbadb0325156406a402fd34c291504259fe8e6d657debbe2efd5ef9709a79d35284d2b64138d7e77dd9bc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
2807afba767c1941084363a147e1ef0c

SHA1
8a2e1c34788bcf3bc69cfe86b445c6eda5653949

SHA256
4fcee6cbcc517d80974da01a05107519803a477fd5ca0d79e0d98edaffcad0f7

SHA512
4a229cb9856dc663b14f4224348bc9892e78a858fd89b811d64c02ff4c707a351aaf64f67b58269ba8a0276637ee6f5a35a403c7fd90312b14c8d69d126f568d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2e902949a9efb068e595bc260420514d

SHA1
6e42993edb543380d1de164808f4787d2c1111c0

SHA256
29bfa806aedd26691e9371381343ccbb1a0e82918a0eeb0e4b5b8601018b693d

SHA512
2fc84f62ec54c29386e8dd4f73ef9a1bb6def995a2d7112307cb78ff85472e1a739ddc7129b81b1b0ed78c601df89ddc0ac143cc43100e6989a8725d3ea1a2a9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
798b96bd5b72ddaaab1297f0d2f7349a

SHA1
bd70d833fbf8efe1abc32f58700884608f7aa7c8

SHA256
f6011d0cf58670ebce4875098cce7f6e10040a8dc9f5e36ec0f3859fe6d044f4

SHA512
21f785c6f479cf98e0e9b1d246e527d676219e37741fa59b1a8fb27925085e06fcb5c7a626506b80ddc40e8a9da4939f183c0a3c1a18c6b22d04668cd083bc82

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bec1be0884df670e442eb70581473cbd

SHA1
ba362471aa89396c407cfcc9d8f95d560c781f20

SHA256
35b91838d6fb82093f9c2dfc3466bd1113693906ed2387cb4d3ec86c0372dda7

SHA512
70bacf49a8cd58fc1748c52223782197d4f6028581731d03a28cf1d13efb5beeac5e32b9415424c2ba65fbb54ec16f7e18e6a06bb97574045c4baeb4e1452d45

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9535dd104e2233a18c673f588985a9f0

SHA1
7c9b20c5577c0fe220dd5588110d38e117025c35

SHA256
fdc4fa0165e8ff425df10dca9099deb70023ba91be2a293c3fffffbc730fc428

SHA512
bcae38eb07718cfbeded2cc11a3b8d253037df8ce30575feeeb9443148eb3fb259a1b992992709cb0fd4dd5b5fd93ba2658ae74b16adae46ab64c74390665f4f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9888925da806dbbced4acc7773177116

SHA1
68b3d8ee7583eed84dd0e221d5da322b662a24cf

SHA256
4ea0560d33c924e352845aa7478f59ce5a50c14dc3996491ef974557241cc6fe

SHA512
2e201b31283aa9923c1dac9072bdc9c5b84e533382d3bc4e017f4d0808b10a811fd703b920f4d3c6b37edb87372296b90ac480bfc731ebe115a1931470914370

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ab88335f0099649f01b6ce3397d97714

SHA1
7a0b9cda159e2a3d1c9362415448398dcbb0b965

SHA256
265695013d4ba6911ba1508bb09dc74d374df8ac6ce1889f22b7d7577f46944a

SHA512
253e0b5f41f160758f46a0a579f5bc3893aebafb462efe39247812401aa5bcaca54ede12e390944c702e97321d6537d36ed3a67490b61537df714c11beb803a0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d159873d5e39b22e0fdd7efe68df4f65

SHA1
3ba4c7cdc1a4ca9660c00564f054bea08ab182fe

SHA256
d2d374ab6cbe80b4f68aa5e008d3065fa0badc91ab981035fd05450c0edad777

SHA512
90ee85bf1cc4656c88251271619a15b276c90739a173ebd40e3a1248bf0760d1a5ab95f799077fc2ef2a29cdce1a0bed89741f873e4a7b073cf2e006c976c129

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a9bdb7d45f1123518af4d2f23b78cb9f

SHA1
fff9af2667179a8c0eac3baa1f377e7341b2a251

SHA256
4de5ec678089321da3b6d626f688d9cd77c6dcd2736f0a7069be4e2c36451714

SHA512
adb5690a3a245e2cdcc52dce1ce5a732682204b6d6a5ba237aef1ba647048373a017e598b3f3b254bd949aedfbb9427a3f0b1c059cdb97a261d0021c750ce40b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
51bf1cfa7d47b7013a1a2c9269f08f15

SHA1
d252639cf76c6f30989b64e6a798f7c19d5b2c05

SHA256
5ca2ae612fde461bb12e5deeb810f3b5b216999f47dcf4f7c79a29ee87d19fdf

SHA512
33fa979ada0216e685609da6b1845c22f5e9e875f38d0e7bf6366063899df614bd4c139c925e8e2bab3333a06450feda649c13c274fceeee3bf83a68e9662033

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dbb622777e37588bf72e4f16b108759e

SHA1
83b2739b4bc7ad7c580ffef4b5f7ef5688851795

SHA256
23d8bf170cf3cd398f63bd1f8af54472183f466a74b6ce893d40107853665a44

SHA512
451f25a60bdd4e60d8b1610b49246de3f8e65daa17e78423270ee67b3b98bd9ede42f394561d2e0cb42a59d18c6d727fbfbfa058f9b057d7df7a3663496fd79f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
611b36955afe2f3cb53ef149a5be9adb

SHA1
941750110c8c0c4e5632008fad9579abdcc2e22c

SHA256
ecda4c106cc82d9639960f40bef102a9737313d7cc45dbfc2eb8c2128becee52

SHA512
0b7e0218c86883556f4878f3b3857b6130b92ee5d0363cb0cd87f48f9bfb6496a9565a449dbc072354287dd93c90bbeac393b873cee834eb5cd09b0c47a014b8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
537f3d9ead82ce794db10b40a06a9318

SHA1
5289bd76d1cb76d1fcf8d2d829c7a1338502b940

SHA256
3f4b786413c5f413e7afd38c7fc0fd1466c6d6b39ab1dcb22e3efa384eaed8f0

SHA512
53603ecfbf5c9351e6b3815ac323eb37a85ddaabee53c6bb68bed7537b94af0f7fccc73ec4c0b5520bfaa64a275a4cf91ae43a51eb112d7b0673a37442d39ae3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bde064e5706870146edb42d231e98f0e

SHA1
9f6fc9a20a06d07c752eea2d9755ee97516b7cf1

SHA256
428266785b7798496eb2e0c46a7814c86fdda6dfb7704f6db1906f5d8b90c14a

SHA512
8bad339da78c8651baddf9fa567a23201e6b3c6636b64704c95d0e38e85e105df3eb387d7a49e9bb2ad43362356100132695298490aa0fa273f03e852c12fd96

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fcfe900fd304101252259d33626da56e

SHA1
5423a21ebf9095952b6172349b3459582c23e506

SHA256
2fcbeb1a1f4905d1f819c44ec3f077c1267999aa5c8c93f0ba04191b55a913cc

SHA512
77296f5ee5e310a658f37af176461d2ae431c02aabf8bfd59dceebbcc9e03726af4c87a79aaa7a2e7596c17bb71741c33eb048efd23b75c114fd6894bc84a1b7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
712a7073f40272f7cf29c013f35f99e7

SHA1
95040aaca5b0f916d463ed257f41a588ca42f329

SHA256
545045a219786673e70931bdda7bb74f4f16bed6723b3ddfef17859d1bc0537a

SHA512
b2156c631588feb09231462daca2f5872c8c3682c658c04c0a27cde6c3554d22bdc599770d04dbf0bbafb6951c5214ed2ebf36f50d8f7dade7eff0be5a699412

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
78dfd3bfae99e432320849b7a9fe225c

SHA1
8dbe0c2fc00210e32b39092279b6c330327704c8

SHA256
f8da2271c29af6401ac4f76856f0cadcfa52fe6e5f5a057be6ae253eacf6cb60

SHA512
ff18170f3dbfcc3040585bddc1b0807a68a2e2abefd3a2915ff06d00d2d7cf4100560e36e26de0876e77101c9e15a0f41df96d710b3819bf30bd15dd9ad92aef

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
142fa886cd246e73028498c3669538fd

SHA1
fe9b2d4dac1e739a6057d7efefc1533b23e5c916

SHA256
6b77263dfb146c9bff977269ff7d29adf768e4ecc0941e25699cca7dca14d298

SHA512
3c75f5afcff88093bfa2aeb2e676b1742c05cbf599d1e257e48f69c18527a55dbc254f4eda87c5c9134d0b71d9809aaca458dfcdd9468145bceb0e4e888ffdc0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1085e0a24a30718e4260e511b99c45e9

SHA1
e4132d6403909cff6c577419abb36021200134d0

SHA256
7d8b57f059621995b32ef0ddc4189d926a6d25ee7a18e2801522458bee5f4b73

SHA512
373dab07dd0a5e965198b6f9d0912eabae92d45d248a9819527dc10c016e0c9ca373d791042f96bf921f80ff527bab86298152489d93eaeba648e5e33e18d3a2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ba8a8923ec873efec6d2c5efe17d2629

SHA1
5fd188268e9f3f65213897570451b272bbaf518f

SHA256
1e579d43c7d6665f97519c30cdec01abfcf6127d1aad1fa4808f24b2888339ad

SHA512
3c47f20b1c4dc78c09c53405f6d19dbcd0fda04a7c67a60b33d70af89a6ff8f61a0052bdd7c72ac6e299cdad23876b45d271ab6883cc05f4bcd4924634cbaf5e

Download Submit
memory/220-68-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/220-74-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/220-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/372-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/372-18-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/372-26-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/372-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/372-232-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/800-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/800-249-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/800-242-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/800-361-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1000-398-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1000-279-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1304-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1304-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1304-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1304-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1312-387-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1312-695-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1396-54-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1396-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1396-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1396-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1396-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2024-411-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2024-697-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2040-399-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2040-696-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2244-253-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2244-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2244-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2292-369-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2292-692-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2304-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2304-690-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2356-0-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/2356-1-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2356-8-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2356-17-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/2424-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2424-32-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2424-31-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2424-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2608-625-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2608-443-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2608-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2620-700-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2620-444-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2796-423-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2796-698-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3000-386-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3000-264-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3092-691-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3092-350-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3228-527-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3228-326-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3884-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3884-372-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4652-309-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4652-422-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4988-293-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4988-410-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download