04b24bf46d926afcee574593c069360812e77fbc32efd0cdab14658fe7b33c31

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4273526b35f9ea94c433a68ea08f3c90N.exe
Size

1.7MB
MD5

4273526b35f9ea94c433a68ea08f3c90
SHA1

da30ac5c2d1e66ea4bb7ab1124797d60f521f22c
SHA256

04b24bf46d926afcee574593c069360812e77fbc32efd0cdab14658fe7b33c31
SHA512

6caf56e2634e6e78add55b86f03ed9a179d263485394543b003b5ff3e0711625555652d44af09804780db9f17dc4487c77b1bb582970a789dd5ae94bcd669c04
SSDEEP

49152:YZ6zY8/7WDaDvfd5iQ8zoBTdoj9kQ/qoLEw:xzY8zWDaDHiQ8QTdojdqo4w

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5048	alg.exe
2472	elevation_service.exe
4932	elevation_service.exe
548	maintenanceservice.exe
4084	OSE.EXE
2184	DiagnosticsHub.StandardCollector.Service.exe
2240	fxssvc.exe
1020	msdtc.exe
4240	PerceptionSimulationService.exe
1056	perfhost.exe
1708	locator.exe
3440	SensorDataService.exe
2020	snmptrap.exe
4600	spectrum.exe
3924	ssh-agent.exe
4796	TieringEngineService.exe
4608	AgentService.exe
3036	vds.exe
2296	vssvc.exe
2056	wbengine.exe
4760	WmiApSrv.exe
5056	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	4273526b35f9ea94c433a68ea08f3c90N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4273526b35f9ea94c433a68ea08f3c90N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\99d42b1926e8edb0.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be4fc9dbbfffda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e3db6dbbfffda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a9853dcbfffda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000573e97dbbfffda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8554ddbbfffda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000537c54dbbfffda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2472	elevation_service.exe
2472	elevation_service.exe
2472	elevation_service.exe
2472	elevation_service.exe
2472	elevation_service.exe
2472	elevation_service.exe
2472	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4392	4273526b35f9ea94c433a68ea08f3c90N.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeTakeOwnershipPrivilege	2472	elevation_service.exe
Token: SeAuditPrivilege	2240	fxssvc.exe
Token: SeRestorePrivilege	4796	TieringEngineService.exe
Token: SeManageVolumePrivilege	4796	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4608	AgentService.exe
Token: SeBackupPrivilege	2296	vssvc.exe
Token: SeRestorePrivilege	2296	vssvc.exe
Token: SeAuditPrivilege	2296	vssvc.exe
Token: SeBackupPrivilege	2056	wbengine.exe
Token: SeRestorePrivilege	2056	wbengine.exe
Token: SeSecurityPrivilege	2056	wbengine.exe
Token: 33	5056	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeDebugPrivilege	2472	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3544	5056	SearchIndexer.exe	122
PID 5056 wrote to memory of 3544	5056	SearchIndexer.exe	122
PID 5056 wrote to memory of 5028	5056	SearchIndexer.exe	123
PID 5056 wrote to memory of 5028	5056	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4273526b35f9ea94c433a68ea08f3c90N.exe
"C:\Users\Admin\AppData\Local\Temp\4273526b35f9ea94c433a68ea08f3c90N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:548

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4844

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4324

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3544
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1eeaee40c041dc443867001a04b85009

SHA1
8f03645002187e650e44c747ecd779287a66c394

SHA256
e61278f25c5f4ab535959ec601cc0d00517af3a6dde31cbed348a147c2fba868

SHA512
fb70d05c16cf72f1473cb0856e64fab6a8fd608590fd87a67fbf304da7ca9e43b0229e9e1812e83b9010907ea4ae868f0a97828c7621a045ed78aabbeb12b735

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0575ee3c638b8686ba411387e745aa4f

SHA1
830aef9713d4ef90e2d21d0c4e9eaf0f03f46f2e

SHA256
3fe29725e96328a891131d5ff9a0d1495a42bed9c581ea08eea0ca326e5240b0

SHA512
6615281c3e9b0509450e914ef5f3a91071bc5ef23f865dfeab4b872f3b415f76a775f1ba002b552f611c889e9152019ff34e9d9a418f94b5ae9a3fc9af373b56

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ed0b62edcc0bd03447e52a614c9227a1

SHA1
5ec11e4218c71a533dcc0996ff3aa1149e71f701

SHA256
874cc0469a834fc653f4b955953dab67c76bf09af35cb846639ef19280360243

SHA512
c1d09f489410f08883f9cd262e64b945a6b2e91951f146a3feef6856a2e7eeecd2c48b44da19177364db5452d86d0a02a75c603f9f7c81b8ef9adaa55a3b2ad0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
eaf5234fdac2463a1e9bfbb275343917

SHA1
261ac0c6890cfdd74b4491706286ae043d66c832

SHA256
9b9bfc304c28530159771113fded74dfbace872754910abc6747b4ce26790d02

SHA512
330398b8e173b92729c5ea8e6bf77aff601b49d56b9023fab63d334db9a9731ab4d76731b966210158194f6d494bd6642267886a7ea28e38c2970689835c5241

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
aa617c63e93e0cc9e725f22c4de8cde5

SHA1
79c6733caaa68a52477e575a4dead5f1e277b30c

SHA256
b98802e16d461f39334498a540f46e2fb000b60dc63a350347895ea343c1f36a

SHA512
0ad40328241208dc71b05715c8c35d28ef65bbdee955d8df830f88319ee3f21e6ca366a95f79c18ce681ff1e7592e338c2f1645b05acabbc6fe5528e1edb755b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
890cee912edecc2c214ec3299a2d7bab

SHA1
3405cf17619734c9a2aae8179df6f13d483e24aa

SHA256
96777a8f6dafda86001bcd59204d579c6bc4458f37afe42119fc2ca765f4813d

SHA512
882ac6db3162141e14d644794795d7baa51c11139d4a2a21b4404108a4b939b47ffa88786b1a28eed2f405621c1ec0dd42efdb378c89f380fa6e228320a414b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
0c20f78fa72ae618a97996dae8ce831f

SHA1
63d4b023839ed0e6317617d447c84e5544ab6745

SHA256
4494569184282be9b65fd19c5c198ab7d1f380043dd022d3f192360d4c64fecf

SHA512
fc1cd69fe506b13eef207da43dc2d0166663f255dcaedc05980972d7bc5fc81d7ef1b97e4bae8011af022846f62bb95ac1673bb6f21f4cc5db056ddb32395fd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9968c8852cc045d279ee6373bb130f6a

SHA1
bc3397393a606a32d2bf5e8f761496d76e5b3cec

SHA256
faaa69d1ce160cd809e2d4509bacab2e9edc68866a17d05f2f17552b6e2a5161

SHA512
3a13c3aba11fa04a6a4d24d3ce1718733350c455922873d6af4e7400c012b9fe038672219fac132104af0030f2aa4bb068ea4c6b71654152ba92905507d3f038

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ac629e1ae8a1b72dc2e2861063d5863e

SHA1
b808591ce9468c89de4e63afc5b4ae6b11a43cc2

SHA256
f845e94abbb8231451434da7bc550e8f4ba96c124b69cda77c8fb27f9ffda4cb

SHA512
29016efdb0322080080853f0f316cb84ec6c3ead38b9279a06e6036a8a9993dfec833842795f024ccb3561a469bcea9628d4c7bfa8ee87f82871455ae026dd21

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
647830328698fb5c2e29ffebb0684883

SHA1
96cf30480b94ffed60d69625e93882d14173123d

SHA256
8a04abbf5c3e13fa65d8dbd64b74fa3b3b614f5ebcf8e76426c4f163209b8e92

SHA512
5a8d4e5da319e8d04f923bee486f0a902b5b753eb2cebaa68410883b4b48a9559226d0f5d018cf06b76b2723301554c82865be5f3d49aa49dcc3fb0c1a7c3c9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9f6fe9248718bce8e68ed98c90e4cad3

SHA1
155813444ca8ebfbb57ca8af0fd8faaa8d50e5f7

SHA256
d75b83f5f6ac98c27813607d68021ec7ced0abc1a4546b056a897fad278c1743

SHA512
04e083bc608332c83b4c0e9b1e1dd87953f31f66b10541be7968302ce94aa5c0793b511d4adb6cdf4e59f538d742e682ab0bff55105762ecb5a7be91f0e23b4b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4e102e5fb5461d74a8e53311d028281e

SHA1
d505939d150863874e8f653af72eaf42b79f6912

SHA256
7bd1ccb4f1452997d159b9598a5098fe0144e84c0b49c16b5603903d797f4cc3

SHA512
264e7c6e3039001e8aab0b6e25442f8ddd5ff2f8053c972d76a46e3afdc9eda7a5662ba0500e83bad72189b7341fe23b9e9000f3db67b2ba053dbce5e5a3f28a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d404301e18debf733cd6110aba73ee9e

SHA1
fd12e34307fb9d6c56d6548c54a28c86c7bbc1f7

SHA256
5c150b40901c6884c1fd71c05f90ad67f12c2ffb4a6e3b5fc94cdf521a5e1a60

SHA512
9a8927825eb7915011d6a0bc2f0c4a155f60c2a3c44ee59365c57444df244c631ec24fb4da2ab061a7be91ba95a4787505d9acd3b23bf21d43b23dfb25855889

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
11449d63fec42e62480bb1d59ca120c7

SHA1
f86b2f576494dfdf562bf95a9277f458b43b1296

SHA256
e56d9c24700001ae3b1675387cd6539a49c1fe885d086e3971dbfcda1745101c

SHA512
075de9e3e082410e1bcc381bbc2549d3d6e5345019ac6d7a1aeef606735090aab8abe393c36ccfd6e9a4454317250a30341822bdfe6db045d271ba5093aa4a0f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fd410333aa96cce696e7e4ea6e249d6d

SHA1
3d5edc3ebd6c26d38175ec5c35920dcc9a9c87bb

SHA256
9b7c8d8ef1284d03c7f6f1eabdf1f438386af8529d769e4a7e6ae7aa9cee2d07

SHA512
fa64139c620c1b8f62ce104130702061bbe2f346d1a0692822518369766cac79bf56d9e6f68a229282c51bc018ff508064bd195732831a07bdd618944cf7cb19

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
807605c6958b81c32bc85afa79ec008b

SHA1
d9aca60f7631dc7b1b36650dbe48e3946753c619

SHA256
d019a183eeebd11af413a8ad63c2bd997367fd308df31df7aa3817bac878a14b

SHA512
0026dba0216fd8a45ef01494a133b8d517f087a5fb400dbdd4a3e57c5b680d1335ed17a426fe78a3900226b9e6a256f11298328e0332a30e97b8a584cac3cdc2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
fadb25a59dd8f45676c107ea505de8b0

SHA1
fd5e803f61bf19807031d6edb7c40a9d02fff253

SHA256
9a78e44f2d0691ca8fa84df5a0dfadae0e56228d1b71a6c2c6752d9fa706688f

SHA512
d895ff74cfd38c8820f8d4db8cadf170f2af660f37a3673598ff0965d19a4727cf7800b3a3236594d79e5b57a7f2bc240d6d77d47256564204a4739d17a0d3ba

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
97fe3d6bf2db3ab59765c5195839e044

SHA1
ba9128affcf4e39c2174bd9cf7efaa9c2bfee75e

SHA256
d59eaeb12e50989e600b544eccbcb217af17d5f69460a78172ca6d77565852a1

SHA512
d5f1beb9607eead3378ab0fb962105b8a9d16d5b7283416ab4abc38e7d59da402f1e3fce36300f32e13a39845ef7041c2876f33a41c9d85c419b2262d5ee0531

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
5365bbeddc43d01c2aac320ea2a4cbfa

SHA1
354480a9c0fdf93d479a5ee7dbe7e859500a4165

SHA256
f1fd17fa26b2c81cd2fb13e749e89355a490cd89fcb7d945f2d4dc5f767cdd46

SHA512
23f278841e179cfa540077e5a8bf3c60faf6765273dab32e6662aad6ea2c9c929995ae9f8f09341d3290ca44975c2942ed1a7c45956b2c178912e1271202940a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
d6e11683b6ced73f4ea1df0a76a54fb5

SHA1
6aae2cdf2875acc12c3ef92c66364fe49b35564b

SHA256
5ce917b1e53f0ac1eb7bdce708749dea969f785782ca93745a3bc6af47413013

SHA512
03b46226d8ec5d8f09d9b63abe88d03bb910c99bd5815c37efa545b1626d39786bbae3f745a601a0bdbc5cb76a1d2bd720ebe83aef96dc35ea6851e18d1158d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d6953cabc647f30cc39661d8355ca7b1

SHA1
5b4597d2b0d51fbf952d7ba156a4e85fdb6be383

SHA256
56dd4b688c61045e6a0a94ced1e0d4cab1675f850556d4f5f0d406108780af1f

SHA512
73098617d3abeb9a50bc75f48cf8714681145d9352499e26093aa26fbe2d05d495d2b72896f098a8307ff0aaa16bf3c24d9a3ca14bb11773a143f298325e2a8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
dc79d8da53d5cf32322d626c5ca22dfb

SHA1
1118f85da1881b82e739bf9c3db673fd4e7d33b6

SHA256
1512867e4c6ace08657fdff88f7fa04ce533aec8644cfc09185d9b6c9912f8e4

SHA512
c128d8a3820be6fd9eb6ce83bb534d4c3a04633b778f860a8fddd7ffb66d7fbb78cd89cec748fb2da5f344aaf1398de9e8c01d719fd4e4e7c8bebf626f09dec5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2a1311f68ce634454fde48136145c099

SHA1
c3ba6fa1f1248d46beaac000d1871a211fbedaeb

SHA256
11dd065c8d97f6b6634d7c9dd6145c01f747a28118a5f352be344ee88ed1ec6e

SHA512
f0299ddbdbd43ca65d45c28d4902a7b65c94a5c1f85ccafc40fd3353f2480891f72f70838d5ce65989a83e4d1d1525b9949daaa2b8d77e85bef2cb5261796432

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
46e6c7459bf6833b87c0376ec00ed01d

SHA1
f81d624a8c496afff679fbab52f941bcc3af694c

SHA256
0eebd6b155410a408ac84427e346c7d73b0034ad7ebf1b36dac4cf7781b41ebb

SHA512
cc3997217c4ec1acb47be69c0b9b59320d90e11fe63f19fde943627c3550eb0a0f072b627fa8f36680d5942afe915fe9f8da009e86b1f80e2d2c7ab7bf8bb1c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
9e2a251930fc8e7329b9bf7e9aa1c323

SHA1
44a1bd300805ae8d8db84bc70113e8152d5ad3bd

SHA256
5fce9b70f11f6b4df6103bfcb8c00989f4d1ed45db245ddde3543c4a2311b391

SHA512
4f69903a3c7d81c0cea275c7e585a31e04c5fdc270608b93a449c7b435290413b5c51b01bb137f811b86b029b6acab394d6a6429eab67519e392f5efb179f193

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
4ae9a591a40aa72536ce55a1566894f8

SHA1
f95ff6c2a4f564ce5c104454da642e2058186170

SHA256
3e335a7c8442728a8269b8daf156812c3c4561a915889bf6202d2a2444b8b188

SHA512
0abf66f541a4d79b365bfc300620d520ac5d5532f3fb6b36d9e2c42217e2fa4c8dab0235246fc79335f04356904e6f558273701704685e18fe33f2a7ac253e2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5b0ec319449f28b6cb6041efcfdb5d88

SHA1
b4785a27c1c5d68e60cf828f4c6aebe0dd9e1d26

SHA256
348f3e80efc66f52b7dd34831c53c997ca500de2f931e5f3c3ae2d8bccdfa9e6

SHA512
94f5e602a5654dd68dd0e8fb86a081cecc6d984792eea655fa5fdf4014ad63f2b258ca908b428b0f2c2d7261a62b5c12d3efd1aaa02e4932ad480e4feb4e3013

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
535d534e64a37f997491f73515f31ddd

SHA1
c8bf9cf119ee2bcc32b3727b6b539c1ee09a422f

SHA256
10642e25cc18e1c71db1cd37cfcf4944b0f0b10e53807a0e7ca0295436d6ef97

SHA512
5c4a612c6cbb5ccc638ca00ff4a8859128f04e09483f851728bc5aac13d8d4bbcf0f0cdcbe1948d6daaeb67120079f067956e3b62322b568d92f2b26ad9aa0be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
98a3c9d3de246b9d7ffb06044a074c2a

SHA1
e343b2053752a7b8a100f7613ae95873a4471a7e

SHA256
b231f1ec7773024c5224b6df04854495f5bf9fec6b6e76ab41297f881716f1f5

SHA512
265f8a7bf9d7c97fa87dfdba3ea85ba28e5b526de24bbbac37e7ac6f02d8ced9441d562f4d9d15243e29a1c1c0bc634b115f0df6e480ab6c74ba0b9fd3784e42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
cfe72fde2e7516a3c2a71ea1a69dbd18

SHA1
0a2623efd826a726d5e06086f2d182a58c0135d2

SHA256
61837955bb331dc0ddcf4e1def185f1ee3d8e865023ef267aab0613fcdd786ac

SHA512
a37d3993b8727180eefda3198dc90c9aeadc7efe5f3c1819aeb0df113538b4339b8fef708ef80479c076cd11ee5f141e3881277c3200123604ec0153d252de2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5e9eec0fce8080f943aa32abe6b850b2

SHA1
cd9d6d0c30fc9607ee122cdb885346d875c92c97

SHA256
dc7d44430d62408552db20b916087610dbc31ffad66c84afbe1770e7717c617b

SHA512
e75bb9fa9b398318d47c073a2e7d771d69da2ae55f14f146a4535cf01172fee735eaabf752d4e5a5ef88204c9b6ff52c3be490512155bbf0b501207a4749b341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
cc67db376f78f0fad7c7d71033e50a3c

SHA1
5e6f1b706aeb742de3ff878e5a97d3277d8f904c

SHA256
f0354957f752231a599a1f718d97c9d3ee9b91516d89129349e126e4117aacdd

SHA512
0812bead824010f6d41349131ebbedf299edf787abe21e651e718a9b8131ff1faa64936a91b9a10b15b7d8e8dd8bdb02df4946340117eb9abf6b859f61de2df9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
626ea18a50387c8719b3756922c1ae62

SHA1
3388166f27268c35fc77598dc0cace6723f1bc06

SHA256
1a4650098245786e83f244a1e7b6f7015ccd65e6d4e3ce76cb83ba2b8d4e19ee

SHA512
3cfca8db56b7f4a3fc2fcac4f043863f375030804d9c809ea109c17b347ac4e47c9d7ddd983fe26aa8f38c72a90087ff38ea50825a3670a260904ade3de9d6a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6a3c87bd1a951ce86e8927bbb949df48

SHA1
82a988857afa817590c1656d05670de899acbeaf

SHA256
c68dbaa43b814aa1a083ad29cb0fe32f8a2e122e4f2d992d4554eb80a08c3777

SHA512
a52d896aa9788fed265ec7da1e43fe2c422b3cd27d566b031c1746d5095067ff9a7945bcc453eace3b953c61b992931fdfcceb4d514e0084d2cd40c9ffb56102

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d7071a3f5b006348909d82235cee409d

SHA1
371aa26836e2d4bc2f1e1d4cad15601ab2cf2056

SHA256
0e794c785f91599cade7d0c70cde88189a9cf98ebe3279529ae669d04a7f3c6b

SHA512
df9524d9a8639974a7ba080cf4f76974756797763d22866942a1ab122f4e82f5cf972cb64a21156eacc526861d2abb2271097e956a0231b9d5f7dd7fb03e2c7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
dc9e6ca4cc7ba67c3f8240844d6db5dd

SHA1
1f751611dbc1a42106b6c8cf357aa3fcf5118d67

SHA256
b5b5df03aa33158ec96a9ac88c5a1379ea4ea592e169a1cda8bb29e7ed624a8d

SHA512
bace38adac81f322d3198e7f8f2c287c208fd66975b083bb3fd1a17b59b53394ed8aef4a0c89bf9cd4d58349e81214b1bf67e4e44b1abb22cfa6d7507c19b9d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
931e70d745755cbd49732b884584b108

SHA1
5f1569dbb7971e0a3a3a5ac5e5e14aab33b4c6fc

SHA256
9e6a27fcf9855e17cd8aa6ae6e6c6e52ffad38df17a73a29cde0513c456af3b2

SHA512
61b589a647014c143b93e132e0bf46d6ffa050f53193b3856dac625726ab51ead718f4ce7fba5ecae143009ccfdb19b6d290df7cc4ea4f495798fac52e05f8ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
da880bd055f7712252445459169d2043

SHA1
88ab3fe671dbb0a14f0b13cd45681bbd10b3e03b

SHA256
d354ce49d147044485acc73997d366adfe98b63aec1674094c131e3b97c5ad8f

SHA512
4f6b11313cc28861db09604b874a38f1c80337ce24c3ea2b39308fc536e2074e729f36eedfca14b74ac3b00252164464b1ab80ee6b41be857bd62807e6de85ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
fd7c2bd7bf6fa734b064f7d5b2eefb76

SHA1
65eea90668101bd917667cc17b2dca80fcc541eb

SHA256
0f6e0ea7344f415a3a58ed9094f51c5df80e1ccea15b14e96c8f9944df80110c

SHA512
0b003920aff33ae2ffbabac153d80a1b0ff49d9116c9bb0c06bd2bc5979541c8b06570f109d23f96b79cdc41958b5926e4b34d80c479da26f13516400946efb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
c43e4627bff925732db3eeb9328551a7

SHA1
0e93a740027f625aa0e2eaef9b01f75d1ae605ff

SHA256
e3784eb755a68d0a1ca83334cab67e01a839fca48c59d5cc10b8510eaa1290cd

SHA512
dc9a021e286a05fd04c16fd83b5b06c8d7f6366dc46c443e244145e59ca0b709d5321d2fd614f165c3286e7a0de06039f6c00091ac166db5a620d872ac37eea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
7fe464fa5b6313742d0a482ed5d905e7

SHA1
0e29e07a00b71b251cd5c63a7b2aac9a68c51ff2

SHA256
70c01409f9d1814cf058fa82c34af99be8536ac8e4b65d868b4232f9181777d5

SHA512
2bae7a5357b1cf57fd276c66ab282bc63965952894836ff6e301ade09f35c57855905ed76f345ae51a01c27c1b6e79310bea14867b63184821066cce7588e317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
d32b60ae8c11ca24a83766ac06d37605

SHA1
3091183288c678dc12bbfdbd9562527569590fba

SHA256
294d302ffb580348f86ebe0c85accd31aa36577a728bcc7b9c6fba9890e521cb

SHA512
e83df5a7707906b5f2852597a3f72a2ce34ccb35f745ab6b469fa13c8b0d7febe4833d7932419be287f2a95fab079ab610d0b796f0e525dfa43b63d9a3336047

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
442cbf6c155b8e4d0edf056d2178d5ca

SHA1
2ba382fbbdfd79e8f73fd8e19502a3e9b1e9266e

SHA256
d52b3e03ae5a184573ffdda539eaa81913fc71b85e234b2af5277a3749141112

SHA512
c0b54b2039cf2c546ad0ef0be0f5a0b72702d387a5f0bf11588c1ef75d7ba9499697a6962ee2a7bed2076aace40029ea3b399ddb167cf71e103db1d182c1b89c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d8f721587d74e47ea137553db4a8951b

SHA1
2de03df0745281d7e5d9f8c688de97b5c633acf2

SHA256
1f407daaa60c36692a385e5d1c70302b2cf71f64e10e36e8b1fe6ed47a4cfc2d

SHA512
c2132cfff1ce23d83e0196202174b58b57525767983d83e46ffdf903d29448e105aabc91351c7fa0ac823a87b74e7794c97dfa24a6b0597bb4e8053d5ae0b127

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b4b4858235a3596aa0119007e888cb95

SHA1
2350f21ac945051a0646c8b7220dfb47240cb32c

SHA256
e766e1c2f72f44756fa493543166cd90b344cac99db5193a1d85dc6b50f8bb80

SHA512
7e0bcca45d7062d31b63497939a2b93f8cd6a971d3ebb0a0728fb398682c1c55ad06fc2c50f423ea4db557e29b578c4b82d5ee9a66d84fad72dff170c26d3854

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
0c25160e2bcca672b5b030db2b50b9be

SHA1
b5858ab648e95d9de2559cf68d85f07e2cdfce1d

SHA256
61e47a2037c97e39dea66b90d726950d1c92c68e61be7a3b95a2c106eabe1705

SHA512
4d92aacfa33624756405abda91211c9bab9b9e773273683c76dff5c0f5c4e9d2cb813bc613b52776f1358b0c9856486f16231f545268c17aae98670d3f616f13

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
643bc7e12bdf41741232a2df704bba29

SHA1
8bcad5701d74d734afa0250289bdf95b1c51b44f

SHA256
de4e032e929ea6c625dca3b08076c99d05ab6be8c0274e22be75545d3f9b6d1d

SHA512
0b2cc3c949d27f1055704426e450f32cb0fe469858f812d86e3a8415afb591b227c0f64895922b1d7ac3712877fb64571f33314bb8c50c350f80276f03ce3224

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7cea6f2ea7f0979bf2f96e992c3b29be

SHA1
b5e29894e045545a853f8ab7200e73b7f4cdc40d

SHA256
a684533bd63f47fe3aadd5a0e6f5f6288fb9719e12a6946f800b91574886ab87

SHA512
ccfa7c48dd3820acf65a55e2745dad8f8bb5c3a8443d94e831e7c2b8ccb949c844485984e00453ecba6af2f57c36f3799463827d9fb77a84ac300483ce2ab6d1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5a91e38148e1975e86e54343322a08c2

SHA1
6042e4050bac575826bf28471780ffff32a4ac56

SHA256
07cbda22c6a422d790136c15d95e969c7d0430e4ac98fe2cd14e76a473c2fc68

SHA512
9f1c8ba85eb906cf62c23f0b6dbec99dd39569aa3b0da03e52bd464890904bc8547c428afd9dd9d3cbf2b4fba51e8196a7b864b561bc4c9c47cbcf59c3ed24ed

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
1a107b8bdf6cab35247259eac75258cb

SHA1
b0795fb5c28701ac93c14c58e9454ec4481b0dd6

SHA256
037e9c4e7cb7989a81ab5d58eb37bc9a3231d79b00e1337ba698574663696f6b

SHA512
07faa10365638c5b0c251d9f721f09383427acc838af38e586efea2590c0778ddfee153f5364c4d65eed9486f0574d6306019c60a9fd5e67ccc1adb67b08c075

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
eb70bc19f6f4b4e184ab7ec745adeb28

SHA1
6de178ea0e9502ee1f6d21e14f8544b5e5b396ed

SHA256
d85bc8c06b131f31e4a6d0ed832d642682ea7c3d74edb8d95291aaf690e3ae29

SHA512
495e7e9aaa83d51f564d732c1e67ec5aaff65fba45293b6660d72aa05be40c9b214786c0e0126a6046bc631d6105c4403373af3e77d674560f474fa49da6d258

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b4662ca9a84b25664d9b29783622a6f9

SHA1
b1c829c2b065bfd18316719411ca468bdf84d40f

SHA256
fbe5b32234f9aa4e885390cbf5fd1e948af547261e2d5c79057d3d7fce4d22c3

SHA512
ce46f7b21702185dc55168dbf9a75f94b62b22f22dc21a6ff1d82b3e496cbada24390e60dea903cc5032a13b0378b3ccd0c1303bfe8b855aa6778e80c0eaeebc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1b7e308edc16b30cd3396235e3ba4177

SHA1
71e7c9e40dd5edd7063c3e95b777e0abb6334457

SHA256
ba55ed98e92eb02be43a19cda08b6bc64e383e492048e487e408224a1f4471e0

SHA512
6aee3e1570c2ce154b990ed2c877e110e46b209b5ad222066f7eab6909e7382ddf7eb7c1c5c3f37cacacae2f0664d358fefd3fad35c7aafd16a48d22052f1cf1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8a38b61f334837352546886b9aa624b9

SHA1
d401cdf8a69bc271349c315f8bd76ecf01be9e95

SHA256
a9a668c47bde887ba4eed72948c1940fdc1f35e7b0df3efa365338d8f4e3ae5b

SHA512
e9dedb963b90dbd6019d1f55478031c3df80cbca076d5a6981e7a3b91a21701b260d2ce783ee786944082c03b3dce9cdb9aced29a580a7ef5f150fb9a450711c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3024f0eaafcb795112bd8c0602b47765

SHA1
e4175125ff91c3efddfd9254727d7f72e3109996

SHA256
2e0ca0013f2de9bc2ff0078d2790e9d8327ed510b1907a6e8cb4efcc3a352c29

SHA512
da927b2f3f680fbd4a1d5809f5d69510e48c793e59190367c5ac6b764ef10a8e4edbe8d3e95d4d945e77dd070b7285e918b59df3f52c3250e0cffce2f9374d63

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
aeb3ee7d35e7528168a6279a98b5199f

SHA1
108dc879b003e713595f9b9d312e8b9241a2598c

SHA256
ff27dcafee2880c8581eb589f2645906181adcad4f69786cbe3c2c92f64c0e2b

SHA512
cd617230ea496483a8127badef559aa50ca65b6f3c29ca6cd135fedda8462b8759a15c44b05745c034c9cd9a0b8a99efed43e5c1ebc1a5bc26799bd9f4144345

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c4d3e173c760ae764643da9ab814d9d8

SHA1
b036761f819b530b8d7200bcac255e47a1bd39c4

SHA256
813cd323c8f1b6cf87bb36cc6ebca2214b44abb605b15f5432bb922d4fb25c32

SHA512
dd7b2ba83a2f86201308bc84f05e2b250e647c0555239be74700d15643e11206feae24af9b7e1572153e0a7c2d7da84bff6739d9a98918417b0848b8a48257b3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
300bc9f0bc20c2882a76bb8f0240b5a9

SHA1
40e4d94dd2fe3c101b37f6170ae29228f36c8882

SHA256
1f35870feee5ffa6ca1b1f2a4d98161253a22ae711614ede4ea16732c9cd82ba

SHA512
ea4d682042870580c0a8a22f6d298e30c30f2d60f768c9a98385b5942275d45c151be27cb0f45e230934e12f7103105e6d034b33250e07e453bef9ae6111e31e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
43368989520e92da3ef8e1d7a4f2619a

SHA1
decb438d6cca6bfc170f79bdccfbe367abc0f1ef

SHA256
7f44389e356fb8033ce7dbea8705580681f016eb9f0a9f1bc6e0ec8127769320

SHA512
3fa2d1e1ccf7fea827771268bcf169b6538c749b16f9d31411d4978b127ebcf14645d337dc114a00f651126ce42e09330368513c51cab9a269f292b388a8f12a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
0d94bb3c4f26085d371fd3af2e4e2327

SHA1
2748c510208f8ba76c1faaa3029d682c56de528e

SHA256
9289c64348a588701a41b59d54baa964a2c7dbf3ee48ff996b5263b92272d2df

SHA512
35812695bb0ead573c4bd3fa3430a449b44beccebd0b17e8eb48765273e58f8d53ce495c7c65152f7bebe9783f515f9a27a044d7bcf42f7c9ae23b20ffb1781c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
75fe99e23e73e73d37ffa93ca96254fb

SHA1
411693a3f2c65a19cad72e84571c18cb4101ec07

SHA256
e32374929b422b34d29e67e425a52ea9bc2699f553cd8df82ad6a72cab9c73d7

SHA512
6b58793d356e7580d9f17016b91ad3a733846dbcbc682952638d7fd91830180f643892f565e4f156c1af0f699d18322137965ee6cc9da833e418a0e9dd1f80f3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ad2270ae57c77b197b3d04a101875f75

SHA1
7a120229d0cd7b65029fa8dc27d7b7c842af6725

SHA256
43c72d693b3bace48a4b7601c3f22ab4ab1d7987ef4435a25e8f34c685bbc000

SHA512
6b77a0ff8843724101f15de4ee51b40b48a382f468641f39e0b5a43c292eece86045904c20e0c8688ad00bc331b5cb41191183295ba5380dfa6f90ade0e5adb7

Download Submit
memory/548-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/548-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/548-52-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/548-64-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1020-385-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1020-263-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1056-409-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1056-292-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1708-421-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1708-307-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2020-517-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2020-332-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2056-624-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2056-410-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2184-247-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2184-359-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2184-241-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2184-240-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2240-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2240-252-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2240-276-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2296-620-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2296-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2472-38-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2472-74-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2472-32-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2472-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3036-619-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3036-386-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3440-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3440-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3440-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3924-347-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3924-521-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4084-234-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4084-75-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4084-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4084-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4240-278-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4240-397-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4392-26-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4392-1-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4392-0-0x0000000140000000-0x00000001401AC000-memory.dmp

Filesize
1.7MB

Download
memory/4392-7-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4392-30-0x0000000140000000-0x00000001401AC000-memory.dmp

Filesize
1.7MB

Download
memory/4600-518-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4600-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4608-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4608-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4760-625-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4760-422-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4796-360-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4796-522-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4932-76-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4932-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4932-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5048-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5048-232-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5048-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5048-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5056-443-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5056-626-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download