01e5d8e6401bebf40bf590a30bd3ded366e3e0d73a361081f7bd6ea36b60b6dd

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3ab02558abe2cb6f8c419183c6d2050N.exe
Size

1.3MB
MD5

a3ab02558abe2cb6f8c419183c6d2050
SHA1

c0840042f215540a838c4a493f5dc214a3610e9f
SHA256

01e5d8e6401bebf40bf590a30bd3ded366e3e0d73a361081f7bd6ea36b60b6dd
SHA512

8280280679450f0b7c145a3fe242b3fa7d6d0f2d3c7e94f6e15e473174f5c55997b115a9cdb47b89ac162b1fbf3ef611bfcac9b529073f3f44cfa311cf4ad611
SSDEEP

24576:23LutmkEz+PAVV/bOInO4Xs2ztR4iegxLHgZpJE4VDdL8S+LbzQkWWbCzLLB+lMz:2butmkO+wROInO4XrztygxLHkJE4VBL1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1224	alg.exe
4040	elevation_service.exe
3232	elevation_service.exe
3400	maintenanceservice.exe
3532	OSE.EXE
2696	DiagnosticsHub.StandardCollector.Service.exe
3108	fxssvc.exe
3952	msdtc.exe
1676	PerceptionSimulationService.exe
3384	perfhost.exe
4120	locator.exe
3500	SensorDataService.exe
4060	snmptrap.exe
3016	spectrum.exe
2632	ssh-agent.exe
2712	TieringEngineService.exe
2212	AgentService.exe
216	vds.exe
1876	vssvc.exe
1912	wbengine.exe
1056	WmiApSrv.exe
3520	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	a3ab02558abe2cb6f8c419183c6d2050N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2f510a276003136b.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bb75ef5e9dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc7882f5e9dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afc5aff5e9dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000973ac5f5e9dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000204ef7f5e9dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000557b63f5e9dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012cb33f5e9dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cac790f5e9dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4040	elevation_service.exe
4040	elevation_service.exe
4040	elevation_service.exe
4040	elevation_service.exe
4040	elevation_service.exe
4040	elevation_service.exe
4040	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2820	a3ab02558abe2cb6f8c419183c6d2050N.exe
Token: SeDebugPrivilege	1224	alg.exe
Token: SeDebugPrivilege	1224	alg.exe
Token: SeDebugPrivilege	1224	alg.exe
Token: SeTakeOwnershipPrivilege	4040	elevation_service.exe
Token: SeAuditPrivilege	3108	fxssvc.exe
Token: SeRestorePrivilege	2712	TieringEngineService.exe
Token: SeManageVolumePrivilege	2712	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2212	AgentService.exe
Token: SeBackupPrivilege	1876	vssvc.exe
Token: SeRestorePrivilege	1876	vssvc.exe
Token: SeAuditPrivilege	1876	vssvc.exe
Token: SeBackupPrivilege	1912	wbengine.exe
Token: SeRestorePrivilege	1912	wbengine.exe
Token: SeSecurityPrivilege	1912	wbengine.exe
Token: 33	3520	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeDebugPrivilege	4040	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 3668	3520	SearchIndexer.exe	131
PID 3520 wrote to memory of 3668	3520	SearchIndexer.exe	131
PID 3520 wrote to memory of 864	3520	SearchIndexer.exe	132
PID 3520 wrote to memory of 864	3520	SearchIndexer.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3ab02558abe2cb6f8c419183c6d2050N.exe
"C:\Users\Admin\AppData\Local\Temp\a3ab02558abe2cb6f8c419183c6d2050N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3032

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3952

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4740

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fcf2c462014a41887bb431cb436626bd

SHA1
36bcf9766746e061a354a568c441a3d02269e99b

SHA256
73f83aad3bc79bd244330d08a43518cd8eb2c6ba4579d8dd5841cc2f39082878

SHA512
994c2b60972abef0933024224c97ed1babe25d03530b3ef89c75e2c6ff799ef25edb94ba4cb3ac8ccb7feef0a7225e7d4276bba7b3d4d2fc38ab8b851d33c18c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
09749352ff0c1c1a4305f834fb135476

SHA1
9183b33031df8ee5c3e9173681545880cb24db86

SHA256
269978fdda48bf8cf7d7d533362e4b1bc53ba50dc4fce4d177f917dc0f5ad536

SHA512
f7b4a147053cb99dcbcef8ae37a44c6cecde318ee8bcdd7f2b96b82dc65b4e76eed2b064ee30ff157543f3837424cb1b41eee98be922c229abe2b850f5f4a3ab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d3f654fa8b1981144d20aa1f7d591a93

SHA1
4e5d8746f97c7665845a2ecd3edee277b802dc75

SHA256
0349fcaf7e2d0c2ac00933dcd0001d87cb800d2119c8f57886530e6b921fd815

SHA512
1731525bd7953eed5a606639e46c5d5ef637e3184bfe4ba9c3e2bafa4fd7cb08f4a55d5010044fe64c47fe0d1727929602d36d67526d5e9549a5b1d1a94dc541

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
19fcda2a75afbe68931f707d45be8c30

SHA1
9487e7eb2b238a3e78ddbce4556a189a08ec9b56

SHA256
7b2e40b71acca8fdfaf3e90f046058bd8e90460050d12cc6f3c943b60f7bf6d6

SHA512
551341db14b3d2aa535c6087827edbfc0a3a6b48dbd9a4067d1babe3855697d3c727db581e0c981c16ad2a31f4b9af70a220059a4ece3ca6139d63a7c100a8ae

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e8569d4c3d0ede60eef87b64ca4cfaf8

SHA1
f56429cb986f4e7cd84cf4c88c22d7ed55b99971

SHA256
fa279ac0b889d7b12d0e5d95ed1147f33c39e83a5e26926881d5ebe2f176906e

SHA512
d42538d483ccf60f70439ebd13f935541242fc5ffd594e370912070224280aff02f5e0ab5f964cd14d11099b3edd5a6622bf2a113666a543b6ab610ecee1c705

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
04b38bbfc6379659e20fe08bc00fc783

SHA1
fec5192a4b891847974818063d88bd6f463f18f4

SHA256
b33500c9dcb7a2cdf250308f144a5fb91c0b2275a8c9ba06e91b5f00b6766a50

SHA512
0d3c3683bc82d06cf3dcacfe0cd20f30d184c172becce9de7b1652082ab3eeda2b33da23996e685a5f6b73bd612608c99ecc460619e226eb7687b6cc18a468fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f0b159753addf60e374c533e8f44236c

SHA1
5e5887bd24d205a20c624a3f3b516081e56f56c1

SHA256
26e603093156ad5f006b21a4ae358cb945f1044d16fbad8eb321f825c055b11e

SHA512
0bda39afb8f40cb623494afb08e7552d0ad94d822e83b9ca66e13a73336a542699977dc98accdfbcf88811c5cd5bb1e254ca1dd4d040e6bbf8d2c74d6641642d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9cec0dba64a6bfbe4bae1c93e87e24b8

SHA1
ce4639db39bac7afe23e96cb450dfdbae6d740d3

SHA256
50195b9d2b3a8e583c99d066e4b1d0968cf46714f2e56f70cdaa8371228e297e

SHA512
e73572dd9b13d773ecb59dfe5727eda62d1ac43fcb08e91cedcc2d83934b00890dd1304e0af9aaebd0ec1fc31af263f23283b58b03c871943cbfa1c2ae4a78d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5e9a2c3d411e6abb7ee8ab5402d426bc

SHA1
926b0128d2a392ed90e2741e14419a33b71b5a7d

SHA256
eb4d29f851777c33a627577c6b054e19daa04e3f06b726d025a2f31a12850ea1

SHA512
005ff16269525e5936fb80a7f9071762459908d48b9dcdb9e72a952d8bbca6ec00aff3203017d1affbccf8cbc3a826995fe10030ada10802bddb4b68de88dd6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8206b32d94d4a1aec7b1927490dee8d5

SHA1
f9a1755d36fbeeefcbc4497b0ccaf3f07de650df

SHA256
ff23bbfd2ccd50bcc46da1ee63d03767300fdd489a271b89cbe69f9d31beb843

SHA512
8dc76c71fb2f5876ed22bee35e495dec4142788798c63afe779918bd8324b65609fafff9c3f263eff00bf710398acaea746e9fe7d8b1e9c0a3c3f84b61c254d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c96da7bb2bcd4e2f47943b109b99b1fa

SHA1
6ce786c780d82135f374b7785d6acdf68094d604

SHA256
93c48a6c4373d57358e25f8732c76658c0abf546f16d36f6ea537d56f7e2a7a3

SHA512
f44de6bb1ea0af22cc14ca848eca059169549f39518dbfd601c45f91f11f703d48766ed1c21bb1f05c2fac05ffcec3a4ba0178009d1f7b86cba2d1db6a37f2a0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ba632ce24e4e7295b63a5374dcd523d6

SHA1
62bbc49d6d40be6c5a7798b64728a6c21641d30d

SHA256
c9146a046fbf894ce80c389e299e74e92fed6a2c0a16bf02bf13a1b04940a979

SHA512
2082ef93a5286c0ddf5c262296258f561b6286dbd300bdd9d1ec6733b6aaac6513253d16a46f1e4d7494ec2c566663fa5bd2a00d45505ef0160f3a97fa83567c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bf6ad9825083487acf8d890603fd7556

SHA1
1c5a00e617d407f4a23f29ffe56b38a6c8240c94

SHA256
d36a2a9d45147253691e2e29570c26598de65fbe81b282bc6c89978fbe30c692

SHA512
62dc64257653b44da87c63a8e70af0270a1e0981e8c4447f6be25a1b5729cca3b9fc5b849adc630dde020dae2c3c6dbb7c9972e7efd0c0bda912ee0b33e2f536

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
543bc8b17a9337b9a6f0c0d5096e64d4

SHA1
28000591cd0250c594e0ddf5cc42be771b843e8b

SHA256
0ff5fa26374f6aef9d17b921c7080cfbe2dc1be841fe5f38451f2a761878a36c

SHA512
abb3cad96c0ad87deb36c1260ea4eaef9caa771c97ab612f81f2c32e87f685ebae90970546931bb5dc3e251bfa38604d4ffa041ca9144a3035d926e9c316506a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2449cf3aefde56a0b585bf40b6629ea4

SHA1
caab23ce1927a0075f89bcb68536cabd378d14eb

SHA256
e0c4d87b582cf5cf583545e7a041728a7d1f4df3ab6506cd2c54d2c2895da5d3

SHA512
add03bae2f1b8f0b4179e38d1f300deebcd79d9761764e257626e0d092aee76497f5ed4a6e66549a17c5d273bb8403d5520756db01e04959ce788a5ce44d8a4f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
43ba2d1fe0e89def50f81cd714d058e1

SHA1
ea4276be66611cda3f756bd2402b2a6488d0a118

SHA256
a35cd59f74cf85207b9dce567dcae88b5eb8731faa4d828d76bfd7b96040d268

SHA512
e69cc062d6930dd8cf6170be429d6a48578e9345f9e2f354fc6e4652ff28daf90cdf403f13fdeb14b2b322d9a8b9d8761d71cbc77eef69cd5050cb71c41d777c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4a24ce5ded3fd904ad21bbb8bce6bd56

SHA1
18c88cc02e5581aedfa1f7a73b42fb3c47be628d

SHA256
52e403ca46b93ee82f36f5292ed68e22e91a4cdba2a198f657f9b0d0ae451ce0

SHA512
26092e64e2a1a641b3b2a651a628b495f835547adda19a0b4492174a53f3a57a30f5ac63c336714c8ce7712c9b5eff94a190fac1277c9a2f8cfdc93f9f769c40

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
a84959eb2bc759ae45253037b62f198c

SHA1
25add077aee866673e03e363622de556e0c19511

SHA256
95565243c83fecfc188f72e7528547ad31c440af4d4979af85e5fef236eb132a

SHA512
00e4da9d9a18d049790e593dcda5a56a402cf3f6b90c51294754c181c6cb382da2d4fce776f0530558d0ce695a202e18312f4fdfe0d071c6dd5c2c323816a51c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
01f14f437dc2320d658172bd0aae5fa3

SHA1
f15412ac20c2784603bcf0f09a48bfe6a5aa77ce

SHA256
9123535692c0019b51a3447ce1ced81062a797ac4ef4e059cb50848fca4abf15

SHA512
26fe5e7155284eee6dd494712cb16989ec8b8670be05d53028722406caffc6f07b0f3b7a93d157cf4fa401ba9a34806a1c9dd9138bfe7d77a7e75dc9c3095c62

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c40cdcb823fc06863d96b13a3381282e

SHA1
0165ebc5a31809490698348655a9e4e47fc519df

SHA256
8ab266deab402e31f8adf949c5e8c49bfa1d1564ceed96547dc099af8f109664

SHA512
4233c07608c7ca479b790f5bfdb53ee198c21de23e7fdac0cd4a5466ce1427c60c2fcab540b44bae04ec40b95f0388c185589af03c2d6f3c0728c275ad0354f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
cf402683561aaccaab258344c2d7f2fb

SHA1
5c45b989fb02632a237705ab17498c1ebaf516e1

SHA256
b18ae54f3d2f331eb7be6c04a8156bf671955206a72b93ea011831253000c276

SHA512
8243813533ee708ebfc8c1cf262f0e989aff046c48098701cb9d6db09c5294e905b93426e50169affa55253d90c211cbc1709249edbf5d51991031bc72622f12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3d52d5364a5ba0abc18304d5af82ebe3

SHA1
c18668641551961638e5574e1371de71e6d20bbb

SHA256
ce451dbaf9f4123d46be97b61add94b186b48a73efbe3441c507be90d154e837

SHA512
edaa3bae6e6d1d31acda75e93f5e1b8000060498a089c8c78f573c68b3995d3c4545e19a1e4371224670231cb5bcdd1d020f95903271938343e7622ac4e22cc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
319f15fb97a6ed7963c70f3dbd39185d

SHA1
b1406ac75432766313a449ca0c46456238d1926b

SHA256
cbbeed03ee8a5a3ab21c11cad602011258ae09738e85df212311dcc53d0b4b59

SHA512
e424aad0a75c2fc8261b22243808a23ba3f70b68de11a9c468bdb22c6dc500de9404ff97b71b84a98d78a0e92709f14a2d9ea8ae54dd1a669f32434312955157

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e2fb5f9ad14f5ee483df439e34096fc2

SHA1
b6b11618c0cb4ca781f3674178be10ae766277b2

SHA256
f2bb30fae27e37beb57582bbb203120ecd44e34711f00ca8bc877050d8ababe0

SHA512
e5239a8ebd8dbc66f202aba5b3fb30c1eb6d6ae3e891f42e38d6a1aab3fee2fcaf6891cf059006cbaee244525aecc1e6455331740b6659acfd4f78d034c0c127

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
30d14e84adf0163c22ffd4fb5278c651

SHA1
341735f1e5b660c709523fcf57de5a43b578b30a

SHA256
47c378aafd09f53306b0a7175a69ea4423b561f11fc9a9ce3fc104c8f8fe4628

SHA512
afca0d45eb0992f2c2227dad1021cc9cf4011439943576289f95685fc51ad570b9436a5f6f0042916ab4c144658b45ffd7d775fd226198949730bbe5d3f3af51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1d3ec12dafd299eb40acfaea19f5b0c2

SHA1
ae04124d856c2558f357152e9eaa9163a9cd7acb

SHA256
7dc4d05b35157cf162b710e59dfa89a98deb3c32c46821678f130a3fd0093884

SHA512
669903bfc8a0c314042b2d38954bc92eda6a68409f19c66c04c144be6dce95530fd0024ecdd543ef6ca286eba6fdcc4d1707379bfdaf1328b17b67d7a0c20887

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d9e71d87650446bfd8ec713d4cc4b1be

SHA1
ed5342872ebe155446bcf38ab78de0b27ca6eaf5

SHA256
7e1aeefad88d91d932dba1d2cdf8f5379b87bca075f2b320d4cf9c808eec63d1

SHA512
3ab1bff66412f03fce3fe3bde948ef979f0a6b6563e7ffeaec8da6fe307cf86d2963352341ebb097af6f66b14ab2722b004e795ae5a230af1f56f63e040189f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
52495f19e355eef8b6bf4ff1bc54e5e8

SHA1
4a3f3f868d808441921ed55dbb3ca9892db63832

SHA256
f93bf81afd3032974a6bb11a3dceeca3ed8fd4e1563658aafcef2e4416214771

SHA512
40a67a76591d400e630a5f66f9ac203ce88cada00b684f739579dd34fd2687f8b2c80757e60cb6b4a49494b6aaa949e9e5474ccbf3514afbb31a48579869bb23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
363d693e28f6142298c894fa8846b67b

SHA1
86ef74b25c4ce24dc3247af847764fd862bf3e5b

SHA256
ac78f9e32378d047f95b6ad1339a1c5c9abf343ce03a238c5e09f1058302c017

SHA512
2ea53f3cac6e14a2dbe4c7e47bc2d550ca7b4239516aa17f6e61c9779afaffeab59768054477b60ed937b32cfd665cebb0e4b5bc853a6bdcdd760336cbf30ffc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d43ee46c61ef3f9c9044d4af5cabde0b

SHA1
348d5ea974d467c63cd24259ed174efec8530d90

SHA256
a0911a9b3637eefe4e07ed7c146343ea40de36a5badb2931d0668aa374ace16a

SHA512
e9d7ccafd9d3ac5f797bc35b5b37cbc94140a2aa5e7ffefb4a9d9e543afbb6fd3f6064fef06562f9fef16b9f554499cf6f95c45da0e806c842ffc1547c9d75fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
33c37a83446796a004fc05f106a56175

SHA1
af6e3d928158c693e90fb3d8ea69cee8c773e731

SHA256
fe0a49685d46453242dc7e12c90fbc94d470cacb8a8bb7f9c5d2ddfa2c15b60d

SHA512
ec80801e332009197e841457593f3923a3b04110671227ad7bf1ad709060027c7450ff5e0ee288d6ad3aed5fc7ebe472c0768825129bf9e79ee11cfa43321a05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ecea17e7435bdd05341311d907f5a453

SHA1
c7b7daf9868a7bd3269d35f5156d5a033bda03fb

SHA256
ba8af357651b89981cbdb448e88aa20e4c41bfea12036bf87c5d6999b0b1a78b

SHA512
1640fe00f3e4b4903a5f0304ee5beed5c3f468c5f259d55ff1082edfeca1980ea437d103aa60998beda2002d68c815285ccc2285de17cd4ccdb9ff80d7a3cf6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8d923c16200efcf73bfe7696ddda8bad

SHA1
c4be44b8197f0dfb2ac1b74ad052f2e4a29566ac

SHA256
d7b415c4a821625b9494b5458e6218564edda30f9676bd77c14c0ad5ad709e1e

SHA512
fee52592707d88842d9dea791fb8795e7a46ec513ea1939782b64ecd82aad71a4143f2b9466a004e82169d5bafdb32ff9f179465d66debda1c251dd2bf618bc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
fdaf2c49e0df7cd093d4b4b0268013fd

SHA1
d716c8e34b1c422b26a6902c57a965211da22be3

SHA256
a21782c72c38e5a3d634e5590a8df8ce89fba28b54b8a703c01e965d9c7531e3

SHA512
64dc8ae3ceefe48695e648008bcb4bf09503f17ce4a22f69f945c76118e68b6023470b53530824ddd8356c7fe5bab5a34e6821efcb987419f79de7a78c19b845

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4bcaafdf1798ffac46bd591ed4b8030d

SHA1
4ca1e2482bbd8f789f972bc0324268825e761f70

SHA256
a8e0902732951309e911c505064bbabf7d5aa04fc24a641e9569994e5ef64c87

SHA512
4800d3bd861138007df7f100451eed7eb9e5cbe0b4fa0e1b56eb2def4ef3352719c03b12fc67764e92ebdc118dacbed19577a730bd5341d7ed1cfec19ba38c7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
237d706be8942ee43d2aae6a81b10d15

SHA1
dbc9d28d4fa21b3213d7eb10abf642c8c89e4ee5

SHA256
440ae8a10e898b220bda560489286a16ea40370bb3f057243d738ac9aa882c59

SHA512
330231d0c0290213de96b8a7fa1ca532509a35c5118499e5194ab79ab67987a4e16d59b74d455a3bb57f82c5be77c12f74d8956d76d2d6268dcd008bebb9ea8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
aa46eaa3e9794f26a04f2e420c670808

SHA1
f725be411ea83898c780f7fc30f7c47c5b4a8204

SHA256
b0c9afb7924f429048f3151b50d198f2d0dd10bda8701025216a8380c333b4b6

SHA512
a0f8e09685841c0fc62ebb1acf47ec229eecba8fabb24d796e45b69edd5e17879b17927e58bf07e72d2e8c1cb0ce2b62916f3fd41c3d2964e12d8cd5eff1f7b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
41b54f864531d9b5216a8508958ada4d

SHA1
132c801456a617d626f1be14670fc8a4cafc328b

SHA256
054edf3a4c122a368811b83c0b2ddca5f6d95a030cb655631f942f47d1b04caa

SHA512
ecbf2a425e7fcb1041c36fcaf12eeaa4245ee36a93f95f1c3a0317d627086af64ef9272d7b33fac891edc04bdeb49e28091f6b7112ddf4029ee21a09b5c99cd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
2291e0bd74276264483811e1410e2119

SHA1
bc05c70c7eb108aeb309988e3de315fd618e05a8

SHA256
a892cbde17d2d5c673df4bb2817d8261a528494e64e806f93df661832c7d7e22

SHA512
53d5aa60db5df37bc5e47ed8781a4c337744c4cbb1a5b47d3d882fa50d73d4e74db7536e56c7b7ef6b328ac82a3f122c2e3a16667cca4ad7a7431f651ed26132

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
c1f684bfa5e44829cdc0b4f0284f225c

SHA1
256d8d8ccdf5c047f27d9255131c1eab52239e4a

SHA256
44f4977d101688db1554f8af824bb844f1d7f5da4c2cd834720d65d908d8c192

SHA512
45097a4e5a6a6067dbdea16e67afaadfb8889babf2748710f01bca2f703dae1ad8c2598c2871f453c6adeb5b21e90fb3c728a602bf785da1ebfd67519e648700

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
045a93392fce41c95f7f3d59670fa35f

SHA1
f2e4c69b98bc5947e3d1ea076e378bc2afb831fc

SHA256
c1b14a868570083e1191dcd50ff06de3fa1b0be754909699252a1f0c562debba

SHA512
73772db9df4fb5b8e75368b87b1aec1897d41ab8084133a6b676d6321199689120f0ed28d850b87a34eb9c77e2d5c9382edb855b8f12e93f6197a345c0582e62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
6473ba0ba8e0acab4afc86353223b196

SHA1
e7ea429a6465fe2744dbd14ccf0464c88516dca2

SHA256
712fae8c4bec4e714a862ea67c7c5d6c297b54c59befaa893c5260d378e2de62

SHA512
b9cdda8890aee0f115527e95eaef832435181e60f354a2860d4d58e1c60b16079936beb73783b3e5f1da49b02185b9cdcd4f7f8d5fab7e7b3b807dddaccc9bc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
1218d8958332f9ce282d74d4535173a3

SHA1
9d28e7e34279f3223171015da6977cf390ca0e19

SHA256
53910632db7dec62706b463ef8863863d9184a43c51826b34c1b244402a696ac

SHA512
dc8370c670c5062b3fbc37d27413041b3563c4fe793998a916df1493f58af838fecf541126324c9a69dea24087c8678e845f6c8069de588c1b206152ee42af81

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
66580e207d4c7ea27ebe794049857d86

SHA1
addb5e9a28d50bb0df6d410260250b8d08baae43

SHA256
6cfb4c44adb905f8fec24bae474448f61cc0b55fe918cef3a64922e67fdf3cda

SHA512
ca267a4f316baff2c0f34376ad82efa13c51aa1d8ad1f53e6355b1abc418efdd7a60afb82aa5d8e451d30b55fc9310121e1e9993c337295c344676c1b133c63d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
114bafd61d1752cd3b2c19f2e5fc1655

SHA1
a1da0f69302b07520dfc70e1d617b5f8d715c09f

SHA256
d80555a15a6eee4ca3f65466d82b58184bad2ea6f505cb2a38177ee5b7c08fcf

SHA512
47316c0aa8d4fe3c42e18563d6b16881dc53e4090a03c8dbb50bcd8fc22a088931bca503d7c5373d8d2ebba03376620d904030c3650f32d412ebd6c6aa657489

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
578c69575af4878affbeed46e11c5734

SHA1
5bf441a1d70ba13a8bfc3e62bc7ed46788d2ba5a

SHA256
6c9b5cd490081bcb3f620af4fba5916f52d218f8ccdca12b5bb24c050143f55e

SHA512
c107ef3a87aeac5cd7e1f22fdba5f39b163874ae01ba2c009000880d5e0f25b12c73deb899e2b63e0fbe394091cdf585b7f1549847ab3382623d1d7600347ef2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
618955c481b25eed6c7395340afb8b73

SHA1
de5dbd078d3d9fa6a1f5a8b0409acbcd8c944c01

SHA256
8687de1f396aead4114d0afd0c8bbafbc791a6727e4482d89ae83cef3b6394d3

SHA512
276ec6d5e16ede240ce5d54634579977c0c0860f0efe945932b252df7db5a0f30fd4b17d434ceb7abc41fc58787d8454280b46c8a8f912efe937fd9e78ec58a3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fff445c0d67fb149f1135943894da76c

SHA1
69d58215f2059b543328806b2564b6159b4393db

SHA256
01180f336830767549219d14416ee1fa6af0f9b9fee7e4d28bfc82f40858b584

SHA512
c59d6851680b4b8a3da56abf3f6c204e66648c3ce91c37a40ca5ae6cb5ff7be38cdaa3e8a5f03ffaf4efa887ef169b953e61fd0ad72cf60d9450f250acf71364

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4151485c26cbbf496a0475cc114bad57

SHA1
74a34e99070ca25f349d4a8e347f114fdb2c6b90

SHA256
86d21aee46d070a9ec45fa7571a1b59795dfbe4f940da62f71459741d2ae2776

SHA512
1db4a47dcffa0e6cf42262ffc9208156c6a660c8f9b3a3f97b4f6787594dfa469b70ccc2efe3a400f994fa1b1ea19ec6de320a7d8792ba4c53cdb305d5c0a528

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a325815f10d0bf9981a2282d07977a2d

SHA1
72f0d610250bd7bc77f55269bf64be8cf552f4e5

SHA256
2e16a78857e1921e5cb6a6db786767f91355f0c12a132912cdec93ef08ca2312

SHA512
09b026893f088a4900f81c4bc08a6a8c7a60d1bb4d7661475fc5e57e462401a98e7356258d2beff655095b18aafe546c7792e03ce81a8093b633c758c1c5d30a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
82251a1b17001658d40a2180d1748da8

SHA1
af9538accbe11d37dea9bdbc241171a4948150d4

SHA256
620bb7276d9fd90b3bdf555461157843cb45c89a14955c272ad07818286ed4bb

SHA512
2a064b7fcf1ab66a17ab9b3b5401ab93d29adce10c5bffaecebe4f11f7310d3db0620b0df0d9b4f852f1393503277474d2f97540a4d7f37c8fe393b0fe8b8310

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0dbd3c2c930808df60f1cbc898fc778f

SHA1
752747b1ed40f047deedfd164f846c290f8544f7

SHA256
20441c2fdb00bc0be11da593131c40bed72afa7ae591ed731cff41e7af6961b5

SHA512
09875920b17322b1173469bbb136a0b6753b0e1e08262f4a143cd5282911701ce017d9e7f07b313cc777c5a1dd8446c8afc53a11b0e78c00b6b17111361d5dd1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f77ddbdf21ff1b3a60d5c30e48b3100c

SHA1
a3112cf03947155f90210c9af90a862d6366033c

SHA256
13edac8e077ad2e229ec5267e21f24f8fe44d234a54a159ea0d361d6dd400bb3

SHA512
b6bd20ff7ac81127f7e9b6bfae09e059cb030ddae269f9589eab171f1343f4d5eabb686f385765e00f212811780f6dd7f0bd6618e09dab438b87a2dbb63cd2d3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6da9ced0455ac1dc4727660697d6ed10

SHA1
4e4d48dc7c64b7a1d6159d927423147e677b7968

SHA256
21ad2d606216dd87977fa37cc7e4bf18eed55eb0379b3f58be9a98b9c9767157

SHA512
e906362b7f422a2901a4a8f904dcb315f8093323a5418f81c3888ec1232a57c2f823d7e2b6def9644d1cd70a09a37015c4719cdb3f6be682c4161089f72f264f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
4c97c813112672342977abb35e1f5bb0

SHA1
fce719943e0d02d91d4ac568159eca9e20ad198d

SHA256
ea588a02b31df6784fdb24e07c679dcc87ee16b551e228b730b59577b7a605c0

SHA512
31ef2ce95cc5e4a642bdcb39a8b142ad298b7327a15f9cb9fe86944c0545beb2ea8afe6e7bd5a79d3d4fd06383a8c7022e42b786a7c2b6ad409717fb359119f8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
da3b760f4f3fe02c7c4073be52005cc5

SHA1
1385f2e96987b24497eda3efe1d2937820a41a7e

SHA256
e9b76a431f2cc4dee5e69c60d16a83a7dd41de141633ae52686204a9af7f2d33

SHA512
2adf473e4ea1d8adae9858a5ee50d165520eb2aafc157c39aba3454e766a6ca476eccee6fbdb0705d09b8335dcdc7b08794a03e263821f4ecf600b0340e77003

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6ad1a5cf0408436746ba5fa1879b76fd

SHA1
8f4ab91827ffd7d85df36bb8cae267eade435490

SHA256
70858d303bcbbbc39fd32b1b4c56da62304e92217e4d20381189ed38e6b82c25

SHA512
3fba23d1d10d38a9ff39781d77b61245d9efe040f8b8b43a155eaa6ce74607b2d890cc31cc8b23d60c7e2edf5e63183ecac2415cbb2fe1b89f6e5b3999cabf99

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3a579e1fbabe0d899670258fdf604711

SHA1
c4f43c8ea2141a3fc297acc00f0b47022f72d233

SHA256
856de1ff0712111ad48e7e0e900395ccdf5bd7b5c319de654de8b7a89e5dd20e

SHA512
65f81412c96c0ca648cea82fbef5112576dfd094c236c9ebc0904c56220a737c885f28c38563cf6831c0cb4ded074691c65376c79a28ce1cfdb3abc56e37e5bd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
998b34df6f2f1908ddee7981e6e0eed8

SHA1
7b9a91adb3a62df316f4d88319c81368f1564130

SHA256
31bca16da99408623721098fd1e0d40573f4f2d963ec850d3f0f60fd913980ae

SHA512
ef38ebba357d590ec46f4d1f7be7e01a705a3df7b8bc360789a736ba80b2c089e63c8465932f84b3e54678bba069db0c4b455f3926153af5fc70820b4eec9439

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2c5eed89c4b4e93a419620c59c3a107a

SHA1
7191762428158398aa477e1c9ad85208445dd47c

SHA256
0fc26fcfb2db39ff3de8d0729bc5412ed71cb7819a393e88749833731c932140

SHA512
a30fa66a0b85d98cb864b8c389809df557f6983486e0f393a1660c8ce9f08761daeb249966c5a9f85b147af3c98d8a8f3abd5cc2117ee4a29de011f7eabfc3a3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
686b6084fd5eff58fd00164d3cfaf664

SHA1
e64a1def71e1761e2e6d0ed341b843637033b12c

SHA256
06aa68f2340d273eb6bce7561c3fa92eb7bc3036316c7a877f44d5476c14cd03

SHA512
23cebd65b9cfeb90784d18fdbc9ec90cbe822f1b670a1e81dfe273e30f8da64568be19bb70916d34cf51c16ab726562928661ede1c52cae77adc319ed15b1f39

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4c038b19e6ae4bfb817dd7bba46b5f96

SHA1
14acbafa9a955e51ef6e0598bf7fb7c8a414bafd

SHA256
27a2f5ea75d2492bfd938b562031d693b41279b5963b58532946988c7d2ec1da

SHA512
1495155aaa4593fe3304fbb4e12416a76c98f1d55ac19cb2e373109e892187ae14c51506e3484f845c49dacf05a3bc16f9adfc770face74cf25ab95af3777d00

Download Submit
memory/216-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/216-662-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1056-666-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1056-433-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1224-15-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1224-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1224-25-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1224-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1224-24-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1676-399-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1676-281-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1876-408-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1876-663-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1912-664-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1912-418-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2212-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2212-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2632-351-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2632-657-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2696-249-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2696-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2696-251-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2712-362-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2712-658-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2820-6-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/2820-0-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/2820-2-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/2820-8-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/2820-27-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/3016-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3016-653-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3108-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3108-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3108-255-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3232-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3232-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3232-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3384-411-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3384-295-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3400-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3400-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3400-61-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3400-55-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3400-64-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3500-656-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3500-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3500-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3520-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3520-668-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3532-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3532-76-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3532-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3532-70-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3952-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3952-387-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4040-39-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4040-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4040-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4040-31-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4060-540-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4060-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4120-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4120-431-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download