0371fa6bc7a7952f49fbad18d34860b8c9398a8e9eb5802fe532d351478362fd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0371fa6bc7a7952f49fbad18d34860b8c9398a8e9eb5802fe532d351478362fd.exe
Size

1.3MB
MD5

04bb393f88c8d9c0e7261d204a0340ae
SHA1

288032e4abe4acf7a89bb2516b263df8ff03e852
SHA256

0371fa6bc7a7952f49fbad18d34860b8c9398a8e9eb5802fe532d351478362fd
SHA512

dcec90d45df2b8aa35a838f969aa74d20c4eb81130eb7fe9d9f31bd72b2c96ba012dcb7d8b54a09933e01e033a4f68e4b1bead8049e88a5c9c2aa14a5af81fbd
SSDEEP

12288:EE9B+VtUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:EE9BSatr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
212	alg.exe
1480	elevation_service.exe
932	elevation_service.exe
1716	maintenanceservice.exe
4440	OSE.EXE
4348	DiagnosticsHub.StandardCollector.Service.exe
1268	fxssvc.exe
4748	msdtc.exe
2940	PerceptionSimulationService.exe
2580	perfhost.exe
116	locator.exe
552	SensorDataService.exe
3888	snmptrap.exe
468	spectrum.exe
1860	ssh-agent.exe
4324	TieringEngineService.exe
4392	AgentService.exe
3232	vds.exe
3184	vssvc.exe
4920	wbengine.exe
1568	WmiApSrv.exe
3996	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	0371fa6bc7a7952f49fbad18d34860b8c9398a8e9eb5802fe532d351478362fd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7b7a79ae720dbab7.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CEF7DB4F-2246-44A3-A17E-9C5870D211DB}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af8a9d2db4dada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049c4b72db4dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d676a92db4dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d20d422eb4dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d461b52db4dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b59aee2db4dada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f23f82db4dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c0e232eb4dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ffdf02db4dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1480	elevation_service.exe
1480	elevation_service.exe
1480	elevation_service.exe
1480	elevation_service.exe
1480	elevation_service.exe
1480	elevation_service.exe
1480	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4620	0371fa6bc7a7952f49fbad18d34860b8c9398a8e9eb5802fe532d351478362fd.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeTakeOwnershipPrivilege	1480	elevation_service.exe
Token: SeAuditPrivilege	1268	fxssvc.exe
Token: SeRestorePrivilege	4324	TieringEngineService.exe
Token: SeManageVolumePrivilege	4324	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4392	AgentService.exe
Token: SeBackupPrivilege	3184	vssvc.exe
Token: SeRestorePrivilege	3184	vssvc.exe
Token: SeAuditPrivilege	3184	vssvc.exe
Token: SeBackupPrivilege	4920	wbengine.exe
Token: SeRestorePrivilege	4920	wbengine.exe
Token: SeSecurityPrivilege	4920	wbengine.exe
Token: 33	3996	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3996	SearchIndexer.exe
Token: SeDebugPrivilege	1480	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 2348	3996	SearchIndexer.exe	125
PID 3996 wrote to memory of 2348	3996	SearchIndexer.exe	125
PID 3996 wrote to memory of 3660	3996	SearchIndexer.exe	126
PID 3996 wrote to memory of 3660	3996	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0371fa6bc7a7952f49fbad18d34860b8c9398a8e9eb5802fe532d351478362fd.exe
"C:\Users\Admin\AppData\Local\Temp\0371fa6bc7a7952f49fbad18d34860b8c9398a8e9eb5802fe532d351478362fd.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3768

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4748

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:552

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3888

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:560

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2348
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b8eab6f2c528f232d1b3c5d0dcc0b09c

SHA1
2ded69652d5c8c11ee81dbd4122b0df166d8c27b

SHA256
9b1490c6b08ea26fa9cf473625c7f6f05d03298038910ce3e80127370c0f2b4a

SHA512
2aac22c3712f4f1eae02d263644778f8da42a63ad009008d7c55b099171bef9c23ab9966c05e7e6dc5ecb8fd48909ce2249949eaf2ff68ecf27edc2344a27aaf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9a89621ae891e652d62d1b8b1ac53aec

SHA1
7fb376078386feb4bdbf416233d7a2172d1f210a

SHA256
5cbd289dfcfe6fcd57c029c1ef61cdeb12415593d20daee1284b6c06aef2d138

SHA512
823d410c4a67debd05c708bc0da778790e650cc712caa8570c2789ebafea1d85525a1acf4ceeb9db5410d10a318e0628b3b4108e7d438782370de96e5db3ae4b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
60480c1ceb09bdd450d21bc614a749af

SHA1
2caa4553909be142db9ba0ab540cb90cacf3d9e2

SHA256
668ff4baeb3d283c4fc251a03300cffe2c55f23dab2d887693ac63f47d592eb9

SHA512
b165b527cfcffb77e9f8fa59c893c08b9340d173a7a73f3a7ab05093fa75503e810b0ca4e353f76a267f87f63249313454e05348698c83020b21f5821133ec86

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e70c71c46a3932ee1f6d351a8c3a82d7

SHA1
1baea2ebec172b799f12e6463a8a1184c497e360

SHA256
60ed990471f978c1ce6cb2c3be54fd87cc9434cd7440e3bc82996cb92b69fa8d

SHA512
9e63814aa8570d3311582eb08fd86106efa9debc4a6d1df02664e5a1c89497e1398021c943cc5f78a7482fd76cc7c0f84bee3b1066333e3992553bd61c1e726d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
af515ae93ebd2b48ca7d69a171706a79

SHA1
23397723eb1c0c76a5871b8ab0ef50f2b804e333

SHA256
181b5ee9844339a2c7ff285f60bd196fa7f0129647a27c2b297c02fc05ea76e0

SHA512
2a8f7483622552155dad6cb82639a9b71b9e82943d846633336cb1885c2612bc6fa466f1cf2d0b6a5cac6d37c9240b7571035aed2f9ec32e4c05da19a4a57169

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
222415eb4559df1777d04e61eb132019

SHA1
08ffa06feb084ceaa202f9b568552a658456a131

SHA256
9e8760875a95b82053fb4f173986c265e9f0ccf0c48019499f2f21d92e29cf79

SHA512
2e8f1a796d093eebbda765c5701a9b28f31c65118c8ddd2e15bf2c1e5628eafe8950b8e7931496edd4068de984d5776a96ddf0380145ea5a7775b38c696702de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
94fa0392b6ab4a2f8b1573dfbff92625

SHA1
a4f330accd0eb864c5710e00ccca2bc2c7a682a3

SHA256
b1c3007879e699841db223c4fe9e6ed3dabab01c83822bb3d53542b4b8641f27

SHA512
3d89620c924fb3df0ee56bc5a24dda85ceaf63ec7924fe73ee11a44bc73cb582478c3c88842ffb950767b1242ad2ada25fca806282c53bcbae2335f786e6f870

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
727c5bcd0c9d9e38382a2f9a166c6561

SHA1
7f0b14cdbe8a56ee8962a9b540eacff8ae1a0406

SHA256
491bb89bc150e5ad1b06aa0ea9f5140d3f8218e333fcd9de16314f8ca0bab7e2

SHA512
66bc73fe1394a3c00a8873dce54d7cdddc334e8a114e5a6efa1f5e4780141fa81ad650fc78e7519613b4047a8b4f0381d454151b7e9a2ae2a457a65c0a345a9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
236f431d14ffbc055d132e9ee599301b

SHA1
6fdb722ac5e26a2ec55f8cc286cebbbe41798ee5

SHA256
36b890c57f802b3e4827f84d04b565f024fa0b622dc9b93ba17d9705cea12337

SHA512
5f153d7a3fa90fa5e2eef65586c8e070bb12c490705a35f469c8ad19c55b13e3e69068502665a97a65aad3bd11612fb42c5874ed50b6f8bb52f8d01be69d59ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7ba8cedcdb18cfe8feedcbc9f763862b

SHA1
efbda28e97148a4424d4a212ec7d781662d7723c

SHA256
c859c7d1d100c7d6e7790fefcf940422e4ef6187fa2e7f08cd06f460ddb4d32f

SHA512
4b57e8c327322eee15627d42fa03a5fe9acd60fcd0d27f38897595b2b39779b18727fa7988c1bd0caf6d87839befeebb8bdb4ac4c440aefa50d7589e210e1e45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f6c02de44de6a184caae98c025e2ce9c

SHA1
37484c8644ed27e1c4e77e7f1bee52b58050abb7

SHA256
c4d7cad52e88ca3b5a61d7270f9214659f46a878985dfee694efd4cd39498e45

SHA512
9f3dedb6e4857b128f45098cdde4ca90d2707cf01c84910d6fc770974066c65f3c7624629de6d962f667121cee7061c25920648f1f8c253c58b17349514e9ac2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c44b83f3bf20ed9b455e5dd2f5a07445

SHA1
8b4ae2c2990492c45eb25b7fecfa5c5b7b7787b8

SHA256
7148b540503a340cb581406d3166936c77c9dcde264d6fbbfe289e1bfdea3873

SHA512
f36595e1e8333208dd181916f40fc9c78911aadab6b600d733d1c730201851d2ae248a0eeb7e9d3edd15e5ff87eec436b55c047e36742496fba263829dff0cb1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
adda2e0866ba8a21f278b17bb62a69c6

SHA1
79d10f162f3b6bc396f3a64d835c9e371e666400

SHA256
2ba92401f004c3c2a35216a2d7ff4c054ea643b5a37c982e8601703c2f143f02

SHA512
1c9a80d00df713418005427d7f9cc9339b9a07852453e4f207d582c2b17e9886427b48c6d006d4d26cf967d5328e9ac4e4ea8cedf5084b9242c923036063e511

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
31199c05c0ec3b5de3fc88ecfd0b2eec

SHA1
ae4f297f5b592a0ab7891d713a35112957ad403f

SHA256
ef475f74709680335ad7bd2ded1e8120c06cc993fbf089f7d60618600e75cc50

SHA512
4ba076e3b226365b6f378f29bde4296d807e54b5fab8f7e70266311a6aeae351d695800982c4773d3a5d7da009473bf9f5464ea6e656d27a4c0c3b627016214a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
07aaead20d1d0748f6a6a9dc650f516b

SHA1
9a740a9df1dab4bf361c34ca6dcc48580d21d6b9

SHA256
e713aeb96b0818eb4d81094249e4a491d0a36c52720a55c111c7fb486eeb60e0

SHA512
14b60348ec3db96df08254039ef505dc55ef881d7cac9e9145b6fb1d37cae122b0b2edc72347b4ce4b15ecdde86fcdc7da5f0c9856b6a5477b8d249a1bd0e03a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
e7be3d913781565d392b6f8dc6bd64b9

SHA1
afb8729930817fadf14e326dfb3957f69aa8bacd

SHA256
64766918707a053793422fb49b24835facb5789c27c4f1215b5ec9c4df8d6bd8

SHA512
bcda4b7bb178fd21d2f9c9059cae3bbc7bfda8869f67991e991d357e3da192103f64b2cf099b52009b248de12721e023b34a6508468ceb7709ae505268ee84f1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
321bd2fb7e476b4a3a7caa04ea16b192

SHA1
c88b2a3f8ce0fa5e42757e8d17336f4fa73de06e

SHA256
a8174ca08a6ed103e3d925aa021abfc050e26bc5c69d251fcead481ec4b4d150

SHA512
454638fc71cd07e0920bd9693c41fc5beab1a8e37d20200cc575b2c5e55967903b4b1dc2ecc6af2dab74d9e41873e9c4c214f8d08d127d552c0d4d53ddb1e9d1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
d51775e998ace88bdfb4dea44a05a09b

SHA1
12dc83afed9aaac23625d8966560026cd82447fb

SHA256
db2ca6e1710881aedab652a8d220c8fd328336761795239dca9dcbb5c7a9caba

SHA512
004bfe6eba082cce0f409da2df44aafba77bd4701a8c4c9b057c39666c6eb861ee7ef545523a1a74a69bbe0cd5f1b29843256090ec10f0b8dedbccc048808b7c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
742628ec14e498b498dc2cca6de3365f

SHA1
6de2e4deeddffbbcdc98bad2d05989be7a6ee7af

SHA256
f5c962fda086e9737226bae2bee871ea43c6221403c684fd4901c7f8561884e9

SHA512
3ac1bef7d15ea6a02381161f59e9aaeb6cd43793a28526af898d371d6057ee52f3068e0f100bfe401a9e015c1004a81f903d0974cc97985a295ce7429ed8668f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
392cf44ebdc246b4373355836292cfeb

SHA1
0a5d8e1832cd3e32735212f4136e523cd88b8667

SHA256
c60136bcb71f176aae80dc8783c273f9d266c29333a5f7c7c6892790783e03a8

SHA512
b0c9ba347237f346abccc74a8f11df3b726400b3be051565300b8504751d5a38793afbc4643621fdef4d00f94ecae2f29738d6491cb582fae9fb5488c8087808

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d0dc17b60c910942d7eb811f6191b4dc

SHA1
204a1a9b02be0a78659d93ee6451217725a54d4d

SHA256
12d463c0887e1b62b9a54d8c47ac6d529d7d8d88f0b9cd5d40aabc002f34d435

SHA512
fd01b7622a8e0a2be84139de27ca5dc6a6838da446c688000051d93b2ace4afe55b515902aad29ae013c3552302c4646adcf6469e8b50c428c52e159c32bf7be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c6e4a091776f3eff6c9a54a369a97ccb

SHA1
36ce8ba077210b1648a000ed48c840d5d8ff7bb0

SHA256
8d8dd84444dcf152d0ff1beb3b213471e48e7140a2c9983a4ab53bd0ce1bc0ff

SHA512
452002073c970c3f3e9c3256ca8a9ca0cc6be37261160b61f9bb881e85cacd725a44e89ae4608ad7cfac44a6a07c72e1b5727eb409f52ba7a9e2bdede61f1a80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f18c36734a1030c861515b48c5691096

SHA1
998b812609631bbd0de2121bb17ef85d4e11af4c

SHA256
41afd8e066f66edb3ae2e0270379aecec84a66e6823f49cb3add805f555a1c3d

SHA512
1ee85a03526f1bba31b6a80a614215d019c5576e25610fba593fe0dc551907ef3176b8bac4a7666d3364e82ba57a7680a6e538ea87f12013af198ecde2916154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e8067b4c717659ad5ca92729a058b574

SHA1
8cd2321dfcddd11e4a35e21efbc5e3f1bafa794b

SHA256
88e20a5253055622afb88866d23808047debc0607c98a2dbfe6a2f676aa37b9d

SHA512
b07c11c68b623058da1ef23d11ffac2eb542c4429d459198b4eed14cd0779cbb4453ea8240231c408a91bd18dea33083e10ba5caf4c21f62adfa23eb0f73a345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
cea62da350948e5e882624a7f566674c

SHA1
0946a1d3d302035fa9f674557678586a13541f98

SHA256
962ac9d96b84134ff04d4d0147d6dd360718d4d47ac9e23c5e5431dc921ce3dd

SHA512
c6bdb73397d3d5664f21251d84922f73c6ab2fc4ec4dba6d601cadaa19baa2d1abc2a9e10c4365f69b751f7186903ef0ea47b4d4cd7e64791f3dcfdace08480c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
82406c65c9708574ddb1984c09119544

SHA1
41d2870356f6256b6b4f32ce31a1a8096e1dd9f6

SHA256
6e28479d18b8757cb518911cc72b5d970d9d9d2ed6ec192a01f8547740160d09

SHA512
eef71f887452d105af271569a3e2a1953b68819612f9705f029839ff25f2a70efb8228a518d8d7a7f2f1bcd5629344bd8df65fbca3c9712433602b27eaa3dae3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
00f3caeee04a4586b26a8b3166d8370a

SHA1
9cb9c27a619dfbd5922f32d37321f047ea4a79aa

SHA256
0fa26dafc7b3416b3c411219e2b297a52a61bea571e31f265eff62e2e6e91aa3

SHA512
f1f67dc115a454e4b9adb0f481df464e5342248f648f3fff71ef79abecc2080f5b746756b498de14aaa35736113206d6079f6f5227a5d902798311689ae3b6b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
1e6027270c164d669e02c4b56d8b1e4c

SHA1
32445aabf21b892a9f6b425dba34674f79342f74

SHA256
17841352c00155401a4df90a684c8a853955ba0d5a2fc4c5e9d4c474d04dc9f5

SHA512
662df1d9aab12e8c6573f3e87117f8a8f25e7365be337626c4c8b977246a083d489b4d376aaf2c056a6bf73e7b251798ea0be5f841a34bcebfcc22b8650c2b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ab615c422e1589fc3719b16542c63aa7

SHA1
5caccfe682f8266f8735e995efdb429088754f81

SHA256
ca9a31f43073297a30777acb55eccef1756aa45ac8327c3c050b445460d6cb1c

SHA512
045401ba6e93cc579cf7f18738fc3f35c21f8852f3fecf7c67fbf740bafd822697ef29f2903afd4604a8eeab3e8e1e369daf85ac1d2653279363f7da21d31b37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d26a63f408ed420174d869bfa6b9df17

SHA1
543fe9199aa8390bb48feff6eabd057001f154a8

SHA256
dc26f475833451c69851460d9ee93e540124c9c42045039a60b39d27dd4f5707

SHA512
5faef89fc4f0c9ca48b4adcd28d033f0795774e4a932f0083dce16ab5e741526b1079491a51f2d8fbdd3c299cdff449c461c0f26d4b30ed23dd623cd06b2c111

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
2258d07bd7e393fa192770ee33f2d441

SHA1
ce5cf9110467927c624ec432f2fceec773ae802e

SHA256
62679f59c9b4fb335760e584aa2c55f9884f990191b8731eaf6a2a8e4587c388

SHA512
88a0a6742621614e907ccce48edecbb83281aa1418e33909674081c28ac5cc96bd7c53e17cc2b3a4d1f469d7bfa7fe3c1260f8dd9194cb7d4a80883a323e08ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
73f33c53d279b48c73b3553f418eae18

SHA1
6139bc2a2b83ae2ca633072142c961fb490f877b

SHA256
f1ca3ec2951e7eeada4fe4719cb590dcf67f3a483e2215b3715caa0486c0dcd5

SHA512
0927b6082cc50470163e8d3857ea940d0a0ad602055558fe6061cab611c8b4bf1664596c0b5a5ca2c4e9ecfa4881368e86e6d16f83b63a04aa609f6f3c06f3cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
ecf2bd3fa87f34e4bf081da63a039a32

SHA1
6d282509e4d505af61724e32144f671145d82ef8

SHA256
b6ebc408003f092637b303220d4a7019d96372e05b2c4d09fd7bf6fe2bc8f1c7

SHA512
067c18b3bfc639ddde76b4ac1f90df05db0f51a84aa13ee8ff077c651e70cb1201ba909f5a0bdf991accf231b82f3af713cf1c2b7cd920cea8c2ae7505415c28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1bd499b128203839b3907f6e867eaa22

SHA1
c7c266f57533f8b7d4e8ea8342c50aa702ce701c

SHA256
abe2c02105c41f5ff55dfa66e317fb0dd170688e085ce44d90f1ea2872864b5c

SHA512
7abe8125754c5ebf7d2d54602d17429052a52a4768a392e8dfa5b6194bd61541243b8af7c2f01b7d7f005e5fb7c8dc617fea112a3c3d9fc06b55e5c754c16163

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
693d46af93f8c2c3b02d353a003d54a3

SHA1
4be57aec6620eba0dc19257ef52cd732081a93fd

SHA256
713094f12e7f31b2e2cac4d7661c8b25bc6f6c54abfaf0d2a6c715b5e6439347

SHA512
b006fec3988e12cec5aab4370d5034cbdcd4262e3eab6d4c175ef5db8270c1dbef29a0efa42da5294d515a4c4ad7e8e6302077da1a7ea3312a1a360cbc935877

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
5a51ca1f9314fe50a3d16c347af2441b

SHA1
b7df9b3929bb1625a65ea68505d79725701e484b

SHA256
ba6a5bb014de966859bbfbe97f18ae53913d315e154eea2c4ab6051f5b769dad

SHA512
aaa42ff5d5ebd2c80c42cc62ff56f48143a91a8014c9ae87001ba21c38a8f00c0bcd2d556ab9b14c2c7b2cb004a08af40a2663cda0beb198b5eb6d3b79246b2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
146937824a0326a31666ecbc0c02384e

SHA1
e031c441c2f52ef83ddb66f73610105c2d6d8dae

SHA256
79a204394876240ede7e387ab540a6f7b95fd5389cad6575c885cab1bcb2ab25

SHA512
ca5cc7f658decc4064064065538cbca7b4bd14be0e20059c149331be7e8092675a2dabf85c100304a39fb2312d4c93e85f70a4d880446ce5e68e3c0fab0bc4f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
e4f99cad0d5086641b8a64c90f90e007

SHA1
9a774342baf42ddb4bc87104d4a895ada41e3a56

SHA256
06922bc54ad99da356b1b54184667b10950303e57bd67b465542a8a40ec3520f

SHA512
44c3996ed4a3960a61e47bdcf953e010954509a558f5dc9899883c7df3c7f486f3f7ca89b089b89cd75b7969a3c880d8652a56e20df6e4818d7ebfedceec5750

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
ee8bf3c1241f3b60ab5af1a868362fe8

SHA1
37a2314c0986fbf5a4f966efd6a9fb4b19efbc66

SHA256
521522c79e38a8d5d64f953ba75ff7c5d4a82612190fd33d2f188390662b1bff

SHA512
b10fce7bb42e2d6206f3b9b906ef75fa9b0892e0bfc67e033f449a5586770a2278d0166c1d33bcaa9603a18158abf481211737fad1a3fc4a08844bccc6cc9f7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
1376e2e7e1fd7d160c9baae2ffe31dae

SHA1
caeaf5c1494a4e37235253509ab73b415ac45ba7

SHA256
e3b4d168c256370951c2d185dcbd27365b99a833004802364b7382f5162b3462

SHA512
c9f487618f7406ae6db5fabda537c4364634be21ea9c141069cdfccea469748bd2b0a73226da9fc9ae588b7022a5a4e4601ccdc93c8d88cd9c09c6dacf099148

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
361aaac9f1c0e5e745f554c461dcbf9a

SHA1
0b08788b318c7888469b1d36846eda652efc0f51

SHA256
6b391aae47b6a5b10346a04682b723c63615a81112396f0a2740a137e902477d

SHA512
0bd75f941f82137f9ab6d73e98f36cf31bdbd4366210f0dd3732cc46688ccce6bc331de9c173755ff890e9789e3952612f384900acba01bf93ec017aaec2a53b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
6f28f0458b3142656590e48e3e6f44cc

SHA1
d0666ca765662c2b9305251f858d42bccb10b685

SHA256
fc6f50ab48250eb5f7ff0cf0fa8022cbf802f681664a9fb85a178bc9fef4116f

SHA512
8d540c5ef3f326e4ac3416c04bb7a8f2aa4e39a9358083105dba46801bbea0a1f483aae46c966f0f161c5d7a38152394e8f4a0133d88eeb0e0a12388a72f2bf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
4631d4f8be05bf342ded9db7bf973942

SHA1
2a83b14fb7b654a02f37dd344973713c4a36fba3

SHA256
a25cfa684908ec18f0d2648361c42fc5fc5314c02b3babbee9020c4f58be6395

SHA512
29264c3b9df8fa25daa75486962bb76ceca5f7a75c207af1f593dcdb39ce349c2ceb21001e9fac122f72131c33617ce9c1ffd7b1e500812ceed6eb02e9046bff

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
42f3d2e2589e6b080703e001bc56f38e

SHA1
7a7f66c0dd5ae08db4868c818205427800f92e47

SHA256
80294f12863f2fab7adef8b446695e4d95360609c566333d52177caed099c666

SHA512
133c9e6f92d8743bae6bdae9c4e7eeaff13f4e0b3ae1eeb8c29bc9628b7b99e502ec469a9bf4750e1d8920c165132e931d447947a76ce3e4a00065a5418cd146

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c6a16806811a86d234a0d4df853a647c

SHA1
1a85fb1fb61c103118a385b5c3e377814ae53d9f

SHA256
b405cb3f2189823c91ab8c0db8f62289b74e83be66baafce92de927669696f43

SHA512
8f674ed0574cd6c60f6bcafd9515a5e6c2ed03f6654827647a2f5cbb2a2d15e155afbd015849ada9b69898c8b2f09da54dd750d7698043b1de12d2db917a464b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
12f50df09d56cd19e0c6db2dcd961fe2

SHA1
891b3444f28f3c67636196605df5371e4a95d020

SHA256
4731b18b2e620a73e024bac2fca6fba338a00b3fd0bf747f0f27c3b15cede70b

SHA512
10e07edb956e6350bded1d4698f0c25af2451fe0eba9215b467987b1ddc2523bc060f335fff2777a54445a8c7ef864b1c4a829899e8a7fc170f6da93fa9ea30a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
e406eafed7e58853196ff8fcf55cf9b0

SHA1
c29ca0280fce5351e54266ab4e63b3e1b9e9da0c

SHA256
477885924f89ab0153f29f210aafdc90b69a4407fb96fb1c3d1f3dbd5f4a42bf

SHA512
2fb3b2fe8f2ea370b7429a7ec8192bd9193bf55d8593c5a1d61f16e553f2a3210c54e7149ebd84b6d837e137f94aca3cad783647dc264dc06df7bc2b95afd70d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f07bd99b58cf3a63ae0ae7037a0a1643

SHA1
995578d4b8a05b4e3df7c0926acd7ab9d59b2c88

SHA256
34ade2e5be8e09d454ae58dcd64782e9a65aa478d7d5ca4b0e98bffca651602e

SHA512
9a64a0b7a0036b22002da9ef54a74ea8e45a693da21f38fd0476b191f29ee31f8a07e94615745d940e9c8e5a3320c4af48fe7a3c6c0dcc0ed0fec307a4ec457a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
fa8b0e250fb5bb905337ca86d4de13d3

SHA1
c8de305995ff24b2344430b34af06402bbf1ba78

SHA256
0440aeb741d40221b23a7a4305bccb4e253f1ba61b8621bebfe1fd9512be756c

SHA512
7a1d6b3e8c43612c2a8d73fc2880cf064d9351bfd05235198944d18adf705f95c8d91346189cadec8e2e672db89bd421c612563bbc4fbdc9750df0cd9a6b2202

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
d73cb84e39ea21368b35d2d216485063

SHA1
642f74870ac4a22ba7f99bdc515ac28fe0c0bf24

SHA256
045a222eebcb25da455d22dffa6e0b610ffd5eb8fc6f993742e9d5b44384dec9

SHA512
488038f9375142434d32eaa1ac431baff14b0f0924fcfcb503ea4d8f3a803d50f6912457fa03ee1e00424c0bf0b2d416dd924a171b5f86cc42e032634cff5443

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bc87ad49d31a7069283f86fac133d99a

SHA1
b4835782cd49ba2c0b094f0df69e74b4f69f17e6

SHA256
e92c8e0548f962e03abff1f930ba0a65140ff64312c03e158f43e8cf6f6cd433

SHA512
f6f28d1dce235f44b3de346c9c3c281e26e976f23c8a1be5a18a79f50163542f37ac227150514ca35887f7ccc412c56123eeb57af0e616adc7d0f3490e2f474f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c973c379a9dd6d18ea1fed450c38ee9e

SHA1
577507bf74f64e78f57b8355f8979c75e4deb369

SHA256
acf28a7cbe04df6da0420fd14876ee92467ba6f6b3f681ad43de8c51cab52128

SHA512
30c7451b2c1f58720045fba3e177675f92d8f6692d939dc5f109eeb30e4d677bcb334b17ae818b78cfc1de1a69329af7c7435b31c3a9218c824c73f72e92dc1e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0309420093a2ec5e197de4262dc904a5

SHA1
7e65c9ec741658feddd1a0dafdec048b3666eb08

SHA256
a22a2c42e72fff8648155317126da9af8ab643fd403ad51349f00dab3d37e359

SHA512
b391398a3d1893c3f23e22fcb695f24fa3fb22bb8dbe4476c17b655c85bde3a944cdc19a4513233120f96f8fc7fdae06e0e65f8977e2b8e85969b1c743ab5c95

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b2955c036fd02b7d49fd2026e38e9714

SHA1
1d4cac76e112314c562328cd9c61ca5b16beb9af

SHA256
ccb0a28e6a5643ecbf7424101a6e61ea8edde0a1998a8ad0355b44ece277f138

SHA512
db4e3756e98b5ebfe97be956e14ec34c826647c09a5428845da7a65961b094ddaa5bd40b6032eb7783f8a6d393c2a646f1de111ff3cdab6820e289e435f63616

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
773d63fcd30e780e5f960bdf46c6151c

SHA1
d22063e55618e881e11e30beb7efc554d468e2e8

SHA256
fc91e4476ed6723754609a422569b0227d036fc9286550825ea7ed507cea134b

SHA512
ff8998f65dd71e87a0285ffd4eea30fd5aadf0bb66471f4f7d40a0141631bb1ce336fb6ce3a7c0ea94ced20fefeddccee9eed336b523b4a6eda78c23494fa016

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e80db325bac08fe0cd77d00ac809bdec

SHA1
bc54cb74ecc6573ef36b593fe52daa3ac93e8371

SHA256
fcfc3df8280bdee021b103599239b869966922f3a1015ee72c9b4873805f20f9

SHA512
e3b92ae2edf323e07a6f418dc032a462f01176c2addc190a51780683d0cb25acc1239eb7dbb7682178b00c0e471d759bd40d60739b2cbb70963b25380cd95edd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
69db74eb22cd4b1c636e2f72d7c50c15

SHA1
82925c282c3c7de285bd0a0be98d8c9f0bc70483

SHA256
b01d00bf2e41f593c1f0b3c550001c3ea541d66ef34fb522c2331c18fd3534c5

SHA512
1e6b96040ff58c12d4c7527bf558a08190529709429805817fb71539b8be2e4770aa732a260aa4bb7513a0b1f3e57d8392e3a4789c8ed7c36e862076ab833726

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
173cde6e2cb52c6f83bd6cf3d1c38520

SHA1
fe6b98e7ba007b4a3152ad0b721b406fcd518113

SHA256
0f83b072e8cac19098ac9bf00c6ca4993d23aaa5d7ec1860596004d55e9fb9f6

SHA512
610da740aaee491ee5eec582cb3e9d44618bb0e1e0ab29367a53f06ea78f7f0c696b5b9b333bc9654dc2d3fd4d76bb434cfb65ae90d00256d7ad466e47f3b5c1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1bc84bdd529e8f2d8f0adfa727eb9612

SHA1
6245b343695e2093516bac32ecb752302d201133

SHA256
08386dda41a87aa05127b998b71bd0f770d250e473af9fd7cedbe8ec35438804

SHA512
92eec70652a9dd9ccb61ca078bd5b4353dba1ce2938f93b0624ff96c0e9370569a9a6846d8c83d3de21ffbeee8c790c8f5b673e491b292fd855f96050a25321f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
740cb7daae3363b6705dd491c107ffb3

SHA1
a56704ff58591345c021f061412b14cdc1197fa2

SHA256
37691225f261597be23dc7d2d47285fc4cea0b6690507a8bfff296ae46758f6c

SHA512
4bac3d3f4cd3cc9b355b784ef8db56ff7b0b1b3e28b9af7409d4f0872bfc2b2779ba3c628061715be25e442de821087af828aa1f94823f4e2a6b0165492d65fe

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
be5de6550e9a0398fce3da3024253214

SHA1
f15108230c53d395cd6e7efe12135b6a52e839ff

SHA256
44bb9c4d2930941fcb1a38d0d894ddcc1b6f42ec81f9093aee3aab6589096173

SHA512
1d0f8ce3787641da9ea4574fcd5c93fa3180c9cc20dc1c55d6457df2818024066bb61e12c3f63369b0266007ed354dac0bf8df0251e15aeec2ce90e2b83da987

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0e08271c485473c2798ee58487a912fc

SHA1
ff1440a453749d7db27b14c8a142491c01e28dbb

SHA256
82dc9f973c2413f25b3d9fde99fbc3a2f3687698e0c735fc05b76ac377b5c1b6

SHA512
9eb5f24fb6d3e4d0e5e213ebac885d9597b06a03aa2b59fe8dd25c12e94895eab8810329e0dc7b9842f0c7aa4e14d810e81840f01d13123c03e19ddc7bf2a32d

Download Submit
memory/116-294-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/116-412-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/212-230-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/212-15-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/212-21-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/212-22-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/212-14-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/468-581-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/468-328-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/552-305-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/552-425-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/552-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/932-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/932-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/932-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/932-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1268-263-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1268-250-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/1268-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1480-231-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1480-27-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1480-33-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1480-35-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1568-413-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1568-589-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1716-57-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1716-63-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1716-61-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1716-51-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1716-50-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1860-340-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1860-582-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2580-400-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2580-291-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2940-388-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2940-277-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/3184-389-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3184-587-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3232-586-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3232-377-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3888-317-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3888-545-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3996-432-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3996-590-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4324-358-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4324-583-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4348-351-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4348-246-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4348-240-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4348-239-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4392-363-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4392-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4440-65-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4440-78-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4440-71-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4620-12-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4620-6-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/4620-0-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4620-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/4748-274-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4920-588-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4920-409-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download