0c1355202a3770b6072e0ae372c09672d8ca956414ad65e7f1e8bd00603f045e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c1355202a3770b6072e0ae372c09672d8ca956414ad65e7f1e8bd00603f045e.exe
Size

2.0MB
MD5

696e729e0e69045953fe96ed934c1ec1
SHA1

04b83ff116c53bec63da9601f4711f81507f51bc
SHA256

0c1355202a3770b6072e0ae372c09672d8ca956414ad65e7f1e8bd00603f045e
SHA512

e1a892f0058d7dbbf788442329c6fca373584601f53d4372f6904d588079f40256672d436efafe923b15fc401518699f28c6bde76004d81cedf7148afcea73f7
SSDEEP

24576:Jzs3yG2Rwd14jK42aMQDJoAOM08/85RkptVIJqYatr0zAiX90z/F0jsFB3SQk:ZvRwdG2NcOMjUfkptVxYaB0zj0yjoB2

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3736	alg.exe
4084	elevation_service.exe
2612	elevation_service.exe
1400	maintenanceservice.exe
952	OSE.EXE
1892	DiagnosticsHub.StandardCollector.Service.exe
4848	fxssvc.exe
1432	msdtc.exe
2988	PerceptionSimulationService.exe
408	perfhost.exe
4008	locator.exe
920	SensorDataService.exe
4088	snmptrap.exe
2908	spectrum.exe
3892	ssh-agent.exe
2748	TieringEngineService.exe
4600	AgentService.exe
2348	vds.exe
3464	vssvc.exe
4804	wbengine.exe
4944	WmiApSrv.exe
2916	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	0c1355202a3770b6072e0ae372c09672d8ca956414ad65e7f1e8bd00603f045e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eaef278a2dbdc151.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095a9ca405a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad13d8415a0adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094080b415a0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c1b1e415a0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008732d4405a0adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a93f5405a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000936dcf405a0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4084	elevation_service.exe
4084	elevation_service.exe
4084	elevation_service.exe
4084	elevation_service.exe
4084	elevation_service.exe
4084	elevation_service.exe
4084	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4908	0c1355202a3770b6072e0ae372c09672d8ca956414ad65e7f1e8bd00603f045e.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeTakeOwnershipPrivilege	4084	elevation_service.exe
Token: SeAuditPrivilege	4848	fxssvc.exe
Token: SeRestorePrivilege	2748	TieringEngineService.exe
Token: SeManageVolumePrivilege	2748	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4600	AgentService.exe
Token: SeBackupPrivilege	3464	vssvc.exe
Token: SeRestorePrivilege	3464	vssvc.exe
Token: SeAuditPrivilege	3464	vssvc.exe
Token: SeBackupPrivilege	4804	wbengine.exe
Token: SeRestorePrivilege	4804	wbengine.exe
Token: SeSecurityPrivilege	4804	wbengine.exe
Token: 33	2916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeDebugPrivilege	4084	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 996	2916	SearchIndexer.exe	121
PID 2916 wrote to memory of 996	2916	SearchIndexer.exe	121
PID 2916 wrote to memory of 3204	2916	SearchIndexer.exe	122
PID 2916 wrote to memory of 3204	2916	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0c1355202a3770b6072e0ae372c09672d8ca956414ad65e7f1e8bd00603f045e.exe
"C:\Users\Admin\AppData\Local\Temp\0c1355202a3770b6072e0ae372c09672d8ca956414ad65e7f1e8bd00603f045e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2612

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2996

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1432

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2908

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3748

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9c2de80aa07321d37f0184ca111d1232

SHA1
19c54c35fb541651e98105fda867aed5d8c3b3ac

SHA256
042c8c5bcb88855dad5142f03395769702176865f94f870f01e19873411eea86

SHA512
54ec7779d80306a5432aeee3f34874838cb6ec8aeaae718a25a824ccdf9762561d552c13c33d1fcc5ebe0a07c134d483658c8000b68cb7303286f9971a4c4134

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c50cb8688beb66576c70972e7e318c0f

SHA1
188ac67d7c6564cea04c35ae8eef32b6bc2a9abf

SHA256
55aaef9f4dbd06201ee56fa356c6fb4a9624898546975e4a7f8c8e8675c92381

SHA512
3634dbc98fc7d9e173b1e5580f3907ac56161a5f6cf4ff9831aa63c7ede467a19571bb98cee49ace38b8f9bb88e2247b8b5c308804a1a474599a6cefe6fd6e02

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
aa1c1eaf9b8b5bf431c1a84d8200a63d

SHA1
2cede5d4a65b8fdc0c8d74aba73b9e8041e1672c

SHA256
04449a2b25bed739fb1d7332433d47c7b3fbf27dae40a03c08113a019931f7dc

SHA512
2f4979ce47722dcf98dd34687edae6610fad116d707a5e5b7c58550b9f04d9aa195fd73fb4258cfe879ec05b337a74db12cd46158e52cf96727a03892e7b711c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ce0eab1a84442c8633d5d9173e09f0e4

SHA1
eb72bf4c308a31932b145d0e27ed0e571a97264c

SHA256
e57f6ebe30f41999d5252071e207e8711f60e41244270ad7717753bb992b8a5e

SHA512
19e3ce0f6c85b9bfedf12e848af752b68b6d86199a11277dab7392325104878170d24a83874c490396ce204eeafd2ee375d07263dc68e66411193d1ee9222a22

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6f4fd6607716e5653a99c6a96d81d090

SHA1
a7c113d481ab6a61fed2010ae03bd1a5f498dd56

SHA256
52e30c445cf1bb034abcbed646c9c3423f44394632afe504ef2bb074fbc7f3f2

SHA512
ffb47c34bec3b86f1e1ed9d14950fb205e4644e547dca8b647b7dabd674cc9a93c0d7431defc964234205392356b586a4fc94b43a97003961ceb58885da98d27

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
aae768e9c459cceec1ba71d9c99b2d2e

SHA1
401e01898a0affe5214a9be0b02cdf2f9855b0b0

SHA256
617b48080b3342459193b90461131bdd5867aff3fe4a04ca4caba9cd9f294732

SHA512
cf976166c2259a7630affb714c47be2f5d2bad19f73d01164e6c71525d21fe09f31cef1a755ddf1f957b8b86cc6a9cf4a34f54ec62c8df8838d2d87832f50831

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b2149ea9449f5e84e4222f3de7c7acfb

SHA1
5ce263ca1567e29b6de913ad6a8562aa1d33040b

SHA256
7203b114d193f1ed3ad1be8497507cfe1f44b64cb4901bfeaca7e03eedcc4fd6

SHA512
e746730ce8d12bbf67123ee7b131d528bcbfb29183042cfcdaa7b6c3de7dbd19f0008895d2de80097d99205fd3f7cc0cc9d6c46c43551a13dbc06b5a1e031d38

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e46efae7e65d9993144a6a6972fc322f

SHA1
4aa92290db1f7edaed35da53bd3264af4b460310

SHA256
23a2b7398c9feda28a2a69114633c067f90e71282604f9b981f06277e7136591

SHA512
09e51be93be6025fc1231f79380d822d6ac207ff7d0fc952bdbfd33010cfdb5d7c04cbb22159ff9cd777502cc254b0fd0e0006f347e8959304987a759e2d1e73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
aacfa15e90a6f6d0f62c72b023bbfcdf

SHA1
464860d9ffd28d0ab43776590ca09710f0f92ba7

SHA256
bd37a00b383eea4868e2a78c555b7c328e86e92c2181db4732a7467bb768d2e7

SHA512
709018a82e7b4571aacfcbcceee8e9a049ef4bb73eae0414ffa488fe7c09953e7d2613ed3ff8cb95f1ea3289a96369a64607e0c5e0a6fa83bb4cf42432a354f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
07c1bfb0bf931875a5ab00ae22e69d1d

SHA1
9efb46e597f7efcabcab1d5eb3a761c5cdc9d80a

SHA256
60fdf774354ff1d1105d65277a5024bb5d792534f10b0825139802d754daeb7d

SHA512
8634751c54badde4c22a04361013410135227da6ca16276e7b49b2c154de49672fb38271f9e662f934a3de7bed04572d73b0d40fb40e273a7d8881cb44c78f33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c95f14998b8403784aa67fed6f8da114

SHA1
1f2c604d55c4239e311304111f7a937f24d86c80

SHA256
0f05301e7cbeb5be6513446e4e4e8d83310c12a795262c463ad7b07e5fbdb572

SHA512
9a222da36e6e1a456e1cfb55ab38af8dba6b57696415b3657053521c8d5982d0be2e6f3761e6569c58e664140afb10c1fcf647f1f19752f8204adb70945974b6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0905a5fa4c938a7c439d4df3052033cd

SHA1
b0368804ce3d11f390ceb3f3ad4eef423b069942

SHA256
f4e6669280f384ad114c58bc26a352ef4f7fd87e53a694475557fd21048cd34c

SHA512
17da270ba619edc877d12a53b447bd7ee91359549909b2f2faee4907f6979eb46fac975ff3627d4aa928bf9cf6cb5b7c4a08920d086087a5efae633beca99d05

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ee9f0d2c1d64c785800b34c2be005cf2

SHA1
559896162b14cfd7f16e2ffc4a5da4497d711abf

SHA256
f5916c9f8c86730711c2d26437ec91ae9386040f7a2c33b2c3e526cb39ce918d

SHA512
8a16a1834cfaecc8a8902cf11ecf4dab28201ae5633e2f5e07f3373f18504041bb465dcaeb4c9abe21806a6c5e551ac1a85eb59a2bf7bf34bed2faa5ae57c660

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
bc76c88f93e18a5824c1ad68fb31e9c2

SHA1
f1867cee04cc1fcfaedd51c1f294b19631ff0244

SHA256
214e3c9c76bc2582acf77d414da8c493a99cf5249dfc53b70650da32d89a02c7

SHA512
3038be8fcae0ebb9823f78e2e44ff696a8852dbde8e4e6db1da01374e5c1c8f3b67c2af220bddf4ab8248e7cb6237fd89fb52d454221fe3b6cb8429d5fb5c03e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b9351cc319dbd6d221aa16cd36bb34ee

SHA1
533449302e8e2c5d8328aab1720dbdc4f9f5a2aa

SHA256
4fb847ec523110134175025a284fcf448ba821d85252d797dcc956529ab43b40

SHA512
ac40da7e809f026455b04dcd88523aad64d9c99307476356469e53bdafe96f385340da23f701d2f503969a0fbc693926e47021f486dc5c2a9bc52b93e5af0ec1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
e1b43e2188a0d5ccc4412bf5392eec27

SHA1
84a87a19dd305ffaa2f90b923b53dc1d584d61b0

SHA256
1f44322c1881f8bdda3213e3f8b8900c63be220b1b1aeb18dc15d8dbe688732e

SHA512
04f65d2b98d5d666173807f289db5daa263c54a4be49012289a2d4fb23eeb24feea06272ecc429b26bdc3b9755f9dc0f7c18358ba414b175bd46950cb3bbf4b0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
348ad1eb5f55b683883eaf3e4cfac77e

SHA1
82aae95242f54d03a1bf3091decf7152030cb5f6

SHA256
f7c2aff2f98fbe5cca3f7044b04904a7fdf6bbe16e3b28463516d8589cc7618b

SHA512
adb8fd19b7f803d35d0d38ea5b9a1e41c22206ba20c321b1e15ae8a959dfd3a6a1b68ce4184607e6df3b7bd50d3a8faf0d4febbd3690aa493a7123fb20f99061

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
7e716d004aaf76c7f8af74aac8b8a50d

SHA1
02deb8396dfdec2853b4b05aadc1e6358278d25c

SHA256
f98ab6af18c9edd26c8dbc155633692f577a201d3bda9ec292b41334ea8f4bfe

SHA512
7cadf01feba7e1d9197da01aaaab71c638cea2f959a8d3b935b2e9931c5cece31631f465dc723736743022f081847d33b23e8f7bdff26682e1293e6f273340b9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
8b5eaf449d35dbe33f8b533c328b2391

SHA1
c00e9bba910d0a2584c3e28ca93dd9463bcdee8a

SHA256
53dc2b092128ee3ae0011f92ac814e3b4af89ab3f52594a79f9713e974a770ed

SHA512
1fd02b0a286d2046f968874273771066019a6609d95cef893494ba387e39a577a1329c2815b7003e3adc0c29c6db6ccdc60871e95b2aab4084b88907e254d849

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6bb6c0229c0f6c357baa6b2305aba9dc

SHA1
ad8a1b8f8782ee65b61196c813a62981a0318faa

SHA256
b56849619295421bdf8a72bac2cdaaac610ae1b0c47ed0ddebe8861ef10d3f5b

SHA512
9a773704b7f4d04e498e862fc49e3f92e8c3a879e96bfebccb6db4fabf17f8638bcb285c2f21f84d60cf9ed5973e90300405b4eed47f483f9bf0e61fb17dd2fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b0e19d420fb340b57e40927b9bd7d951

SHA1
94b4c3adf13205d11551d67578123c8667a25f9e

SHA256
b699bbd0e7ec5e3082741edb8b64bc55861a75ecd01a731de2bae12409bb54c1

SHA512
0d3e462b7ff6c5d8659e78987444334ce8d1d76a6210123d5f5763a08904a3c1597ea97606dfb0c36188547781c5e8adab726eaf73c04c26302f5acff18a6f18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
36d0f430b01320d96d948f486dba5abf

SHA1
5ec9500116b683858902351918e07ec59f192188

SHA256
ef635eaf0263459d474aa648b2f91f8f2eea381bf88e4c7dd9a6122d56a3aef1

SHA512
6059b2b3dae50abe4cf01a7f1641f056ce9d7e22ce4143d6b303ceecd49593169bf7300ca43edb376107fc17c8975c5284c41d3a3bcab47ed70719bb83bf770b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
4e37eebdba7105b09335cda0ab09a611

SHA1
f0df4a15377412b6891c556a5bad9682cac6f2da

SHA256
235854ceced60ad7b8685cfe0908ee35b62b7ec3b179f91020ec0516cc72eb66

SHA512
28e8995ddca95958ad40645cefeb0b4c1425799e8259118f2439f6a0e7bacaa97cafc0c3f7f89b4c1fbf7e86a0bdee02d2b7be094d67e2261988e3fe4d0b254f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
37885435ebd0f9ca67d42be76d14891b

SHA1
4ea7f7c4b6b4029a9b28273a00f71384cd391220

SHA256
2ca8b2667b37f11a316ef0367247e8555669556130fddbba0253eaa20c7fe95e

SHA512
e300931b051b678b67351571c0792c96e0377e7e790b5fec54c420055fc43316ae0d075658e084f5b1440bc4a61b34ee8548cb72ebc71bf2b58a83f7327e2695

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
25a38b4307f4fb54b03903491c8b726c

SHA1
49ea1a6f4b539f466871758cda8c09456b6c47ec

SHA256
2e8983bfa4c7c2cab5ffe8a2b2e75deac41de9b7fac246a720d8e1bf2e8490f2

SHA512
169c1943d5ae6c3fcbb2476902f6ca13eb9cea15385186cfe69bcf09c1492617f409649c8c6ee1699e93b525391f98ae35f82c469e919cb0a1a267fa67e4f0dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
36e60eb878028d9d02542f9609531f04

SHA1
60cd146136da7e35684d8447a8c8db19bb994c68

SHA256
df780913139942e3d04e74e6ab8bd6f4413e77df8a0a53be646208e501743a95

SHA512
c525415ac44a3ec6292a298db71e82ad508e79ac6a6c6568abec507e8c1e71449b92271cabbb5551a798d70d773d2c5b476e569229bbf9c3bd9d1506bca41326

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
02861dc34ced3eba313a3e1b4ec3822a

SHA1
d70b6e64be67217e4ebe95ba0a862e2e26772684

SHA256
f67759a1d65f107bc05d3d24cc88f16bc345c526c0f66e835f25534208445cdd

SHA512
a9d8863cf63fe531c5d0000f50bdbeb9ffbeb3a3dc1ff409c991f5ba530d2935eabcd8617dc39e4f1dbc116023399428fac8a17d29705dd40ab86d751aa94891

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
5d19ba5d924477892251ffc6046629e8

SHA1
e55a1ca2430ef501b3a77cb553cfd737054ef9eb

SHA256
f0a5f09296dbef2d9533d8e96ffb1611510f55ab51ac3c493e8acd21ae6db8d8

SHA512
0438e6c76081e46969b59bc5e978ed62327476bc027a9f3d6fa2a57fd6c0adc0d2731200e1b6f6dfbb87822ab3ce77f507dd0cf1c6df4feea75b3cc981d554dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
389a7364f77505aebdd6511007cbe787

SHA1
fe9cd709224408bfc8de0909195eb6fd3bb55c8a

SHA256
44bb342c2b2a415ed94507042abe63f1cefb0967613ebceb0e49cfadafb9513c

SHA512
a051c6a11015ccb813cd03aa9be3de8dda49594ae91b626de3494ac54dcdefa77d647d80e3ec53fff4d0908a5fe278cac0dc6bcf44595a145fbd00ff1ed9f97a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
bed12744720ab8042567e26fe43276e2

SHA1
d8c13bbe6433a274630291661b90445a1fd73176

SHA256
f6a2cd1443f33c90ddbbe21e1740478c9c090a9da01ca2956e6a6280a21e5771

SHA512
d39c6da9a315b1154b24e70bfee3a7e359dd38ad4e41a7ad0dc1b25ce730b5c2796aa405d0121b1ae9066bdf3af52f22ae9d765bcd9eca21be956d1466fb30f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c60039e78fecf15c6e60de607d00a688

SHA1
3ef9e5c49e6b2f6567ec1ad72c8158f88de14fd9

SHA256
48a89e53f6ae7030663373ff42a347f875e056aff7bc0b2cb41088509c5c0739

SHA512
c652d8ab7c86b3d0001fc460352f52855d190d07b442f9d750ed7048fcfc2d72d3b0f8f6854fdf9132cbf9ee8d07c3c074c5bbbf784c478c2bf2b79267107ba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a4373233b86469454e3e003365a046ea

SHA1
537790184fbf8723f6bb666029c448bbd26a38ec

SHA256
250588f063a9666750d32978261430cf675b22f74ce26a57abcdc9439d73c0c3

SHA512
9fa6bc4c75c30348ca41b8ba0c5014710de2e24b34ec826893dd5542185a032f8d626c94f04fa10ce060f5d8314adc8f988dd29a50fc15c211fc6e1edf92bb4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c1a183c1972f4261bdc199854e2c52f1

SHA1
895ca0338a4cbe98b2479c80aeb6f16a4439a26a

SHA256
4590b711760b131eb6cf76ac00e39b00d449b3c9aeff5ba840e81788b6e67b22

SHA512
6800745187abb37335464154f104cc44c68159fd2a177b56da0dcae1a080a1901b03ccac9cd6c1a1f3235612075953718258af88bc2b310fae028d998bf228cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
bcd5c598655b423277ea797dea57872c

SHA1
a759c81e3301c69a78f21dcd18fe532ed17aaeb0

SHA256
511e15565dcc6061d2ce2e9ea2a8e94b28a5cb149c5f65b20583ba32365708ef

SHA512
d9bd9f8d2a22575f950cc248ed572e8e0245fa395a9c03ffdaebfdc7f12836e8be44e1400897a749fdffa7582a359744768a617dd5ae07d1ea42d65ad3e5ef06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
9dcc1768f7cb13cd9731b7adc10c6257

SHA1
09bf9123292624b20884ac2e4e298b71dac78563

SHA256
845e1f048933f5dd9cb51fc1f6de63ced15949820a4d7161b914133b47fc39be

SHA512
1ff2558792245ef05d23e31af6518664bcdee45b8eb7a5d5b41ffbab8c3ce469032bd1d916831690b915e05fe2c70049e38afc64381815ece1af36a9acf8c79e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
ebcc24c315ef69f4a62e05beaedea79b

SHA1
40e227d9c6f1cae5c91f3f04a0df0de563a1c220

SHA256
4f8d4400e137e19edaabf858deeebd3eb1af4f5a9af6ac017dcd5f356f2215a1

SHA512
5df13e71b3b2899e7cf41f5d9ba17ea9cccbf2441f54c1135685e692cca56561cc7118cf5996a990ba15b55a8f877e61374f60f60d1fa725abf3e1097968b2e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
a4a860fa2fd866392ae574a08c1049ea

SHA1
de0805c3cf34bc1fa5f74c7276a5e996b2fb8afd

SHA256
78b064b3ec47fbfc4413477e36c3089f4d478072914880b8b3924d70d5593071

SHA512
1c35232a52c692eb2b197d1331d895e0a0c395c6bbf2156a59ef36197bbaf2077f242d198ad6fc2785eaca545c851ae31e985d147f09d62d79d6b21cc548d406

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
359d95cba555d463429c8d69d714d251

SHA1
d72106cb21cb3862e3105abfad10f8b15a33bd9f

SHA256
8bbed5345f9a1c75872a990266cc249256bf33889a4fb6ed575444d3c9ec45e3

SHA512
56a5c378ca3ec32863364dcc8b7666b1d749ed8413d27026ae54adfb591a0d2f4a220858e3990e21c51767d33e3d3712b4fe7db82f0c020104bba216bf4ac9cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
921239b9aa1dc424238b4a0a002d3e50

SHA1
80a6ff8cce2a87b348ff9807016ea3e59665a1fc

SHA256
3f66bb9fc2362885d9dd5673550e90a29ad6f1c3a3e80891c0fb1581a19d6e6c

SHA512
77b76b69533fcbf1e067950293bd5bab8a51896b83207a79a9a458336e8476d27831795fd2d720de8aedb518b4f72d3c081247df01971f6261f1349929e54a11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
89cb930a77fbbced0e221cb80772f603

SHA1
c27a063fd2d90aa854168fd8ebf20334fc6beed4

SHA256
07f2a7849baf032e09a507a00dacd66cc9a248292b39d5e3e2a18b5f10c7d85e

SHA512
75229f4be7b3b730f42370492a2f6dbd06d69edbf90febe518f8931bc9090256dd0856569e45f4ca4739b336a5fc8eb4f2bc73514a942e5eae3348536f515aef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
ba6b04918fbd64c85a49ef1770eb75c9

SHA1
0731abf5300232620a9f36f79579f3a36ac79f7d

SHA256
95a52f036e9c9bf86e0f830c9ec5b99528637ff30e2730d3548ae3d956027efa

SHA512
df5f228ee3b9b57f3c38a83661812ef70c858bc9e5a3841b6ec53dfed8e2af84b05e116d1ea0037a6a14809c9c8bf6515a2964ad8e4e84589382a570331ed4ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
9673d9897b9015ba92b34e98230d0e50

SHA1
bbe3776c0fb7a0bd96e45b1369affb54cecb18cf

SHA256
4ab8cb10af79f534d9573fe95ebb1ef18a3eb84b2e02adece1a02947d804c7ea

SHA512
a21bbe426305b590ea0182bdddd4bffdffccf4a1929440d0b2d11cb3518446d8abe847cb2707b6f51b76070f72d1aaecdc6453e5b289a21299dc155db773b011

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
57a36d4d1fef31485e1624ca542abd65

SHA1
9af2980cd4a37fa6d1d8230641cd037df54ec4a1

SHA256
e72de40e53f78efb2b45723be0cd7d66db3a229351fcb48ce16068c66eee7a3a

SHA512
c978a44f355a8c11fe2b0225b9b673dd69fea85c1a46c230462bbf01a08c3cd9d66f89451ff8810d2b6f226fe2102b6997fc95007885af038ffbd1214a334e11

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9cd778cec6c281111d92fe26e5070047

SHA1
a167126ea27d76994a8d8d03e6f50dab486486e9

SHA256
d6c4b8bf4693bc9cbd242055e098bb7ade6818acc0b8d39cb7f762ca4fc74b46

SHA512
85af01ed0cd154883d0d3dbcbca07bfb5f0746f714e67ba60f85951d2495cf2001735fc0611e5072ff5719fabe05d94b269ba81a1ddddd4e42871570df919a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log

Filesize
1KB

MD5
766b865a3d18c1dc134e698dbf6509ba

SHA1
99e603ad335377c9e8130edd8a4b8b221d17ccb2

SHA256
f18c41e63c44ee84b6c7c76b1a26f65556a8bab048bf9a762568acad6f751f96

SHA512
88ec74e245ccd18fd177c80878bc6e8176c6bb04975568abb5ec02b35069643275967c1ff391f7c3fa2a8ce9c2a18560a2fca93e94cc21ac43126cb3ca50cdd4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
688f8671cc63c06abe323b36e867c592

SHA1
35e37dc8d7e74dd7da18c4adfacd08fb2f8d98a7

SHA256
39a4ba2fdaf490f9743aab4109b62949468a5369c30c062bbc9713ba5e10c7bd

SHA512
4d289b6a6a64e899d9852b4324604168480b5b46cbaeaf681a7ddcc79d9462884938c5b56a23884b094191745f02b77dc8876e5db8c39489b1d166a10f573f0b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
381bda6865cb6f8173d01e8c803f6be7

SHA1
2cd08552b3143292038c25800052ce44957e17ca

SHA256
f9d3d3ba324344b2caabfe3dae5c1562f08ed45662aa2cc9ac58348655b97824

SHA512
80a6050eafe66b2b14eaff6484328ad06ef6328954a903e3ad1ef12480bf66d51f47dad4f533b16b5e43cdb3b7a0f03e00ceff068ccd3f109a08ff306138b720

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
58e9515f2002ef14143d074978906907

SHA1
2b7bed5b4343f2d554c0c3127d0c603695062975

SHA256
dbaf1c786fcfcb1d89c958233cb223cbc599acc82b2afd8c12249846bc982172

SHA512
8e466b97606baf74b3e2093ce93b746b64491aacc42102d2d81c26aa742924dc27f98b2df8901c05419ebe93ca5cf0d24ec647f2798a86925634c2405b112044

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bd5fe9e0e20627a5778e1047e0e29620

SHA1
601fcdf77b8e9b57091409d6063d0418b8d25b6c

SHA256
50b6bee30fdf642ffd3857f30e06fd38c6d6b963604c247cd6cde38857a226c6

SHA512
705971a5b73a499338215986e0bf08882573f3cf00077509ad4f706a45b6eaa8cd4dad300803112e680a02996fc0136ddb68c14efee7c4b08d70fe8cc10d3618

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5cc3674d9a2879467130646629699be4

SHA1
f48e3a57f8ca754220789f978e811ebc3061bb4d

SHA256
7b8f676955fbe986e8d96ce48dbc9a97d2e7dfec7b6599179ae567f2d08b0859

SHA512
f79892aec653f94cab7996bfba27a13c7c1e1013e7ce34d22102b883189df619b87bf1d9d0e27f756dcc3760bd5b985ccd713c637933101c95fbbb2b78214ed0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6a91da8c2ba37c2584a08d95111bb8f6

SHA1
64df2e55c29cc02f41b8fb1fd9294b352bda99f5

SHA256
a86cbfc97e36926673d776d5544459d9ac187a6b56019dae60758d9073432556

SHA512
894bbc94d317e32a29be5e34c2ae3aa2e6e5c894edbf8c6c8a226ca79f3f35bb00ce6276c8d0d136380055b73e486c003cbc188fd6c00263ee69308c8f1b5594

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
35f206c9d28b666aae160554b5927bc6

SHA1
418350651756c02293c7392e68a170ab11c88006

SHA256
84ae16a3e0c2b2f8aa49b24f3db6fa435e8b1487ed3a4f8f4333471f6004345e

SHA512
046750d142c0f794f9b023430113cac305f034b3e7ce8797c4ea73636bb939fff09b00f138a860494092784f4d4837521ab2785d445cae7acf74f173a46a0c2b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
155013238ab1fd01c20b6922d63be93b

SHA1
0e6d8957a79c7c04723a60e2db6abbf76f3d831c

SHA256
2c2bd2b98986c116bbc4227dc0b379817cfb22df9b982b9affb4cec5246df20e

SHA512
e968c946f77ceb5fc371d76712e343037b05927df1d2dd6675470828fed4fabb2700eab2916480ff700cbee80da0d93ebf7121916132f432be5d470d6300c5bc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dcda41b3ab32dcfdc0a90b69a68de807

SHA1
e97a10f4be8230eb320c533cd646509402230ded

SHA256
91104ae4d8cb84581a880b7a3171a473c72e6e3810f5c0e93d643f7ab55cefa1

SHA512
27ef41d4febd1b330d6a2e1cdec73f24889050db7fcf1b08c82f98fa5fd382362b5405890b5427366653cd5a54b69935395d6d95af351a53791174fcee51a191

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d4a3b1f15ccd7d55a0ab907bc46e994d

SHA1
5a2bc141a55c9db9a5ed5c9ce9ca201b167a156c

SHA256
04916bf425ec526eccc80dec148a9f443d2abb0ad5d34554c2df8f6ca65205d5

SHA512
e5b0da18496f030a165cc365b18bae26218c9a32845c6b124cbfe26c133f93fbb2d19d8be37037ba1c826723ae7d6750f401edf571ef708e86b10be041be751f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a6f4a46acab0b77aef0302f98ac72a83

SHA1
b50c0d78e71a962633b800618f9921468a2af305

SHA256
6d1b61ebbbd14fd1417dc1df1997b72f044acf5db1459c0617b10de63c280ef9

SHA512
b9737a4e6db6a84f76e57bba09c81a55efc69b0fcc01f8e22f918a9aa44f83aad64baf764e32a38b9effce7a9f2c801633c5a46dceadc5a1e2f9468b9c298428

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
569e3af35422f58e7e41d0ecbc866e07

SHA1
445ff97ca43cf69762021c32ab1387f8a48df657

SHA256
db55701384811a003cda25c25325b4f616d350dd1d4831bc630292dd48657812

SHA512
ac39ec4b30734f4bcabb27c639202b7bf8eb7dc9248367c6a41bed0d7b50068e1f39294e67525b5af7f14f0ef9d689dc9d3d0d88506bba17ff4ce1171cf0556d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8738496adecf6b9963e40590c23b1d7e

SHA1
dd74f6a01be305b8762856e549fdf482c18404c1

SHA256
ca6b7b808eee33ac4677943e9f441131ed1a44869b75eb34e6fec3406608cb96

SHA512
2e808f5fc85463a2872a4d89e07fce14d14354a76210426ad439959b50cf187b54c5d2305437a2a1961d7ee86a2d2ec4807ad4f8dc372f35834fe0ec0afdd5c4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b6222c62e7314b1ae7d7e52528119b23

SHA1
4ed7dcd82080446a1383ca3330a1d6789cccdeee

SHA256
310ee9d6442ca195514445e8aa346fc42a14ff27099f21c9d505d9d5975c5129

SHA512
1781177745b3f8d653d3855826afdfefa578d10ba44c445176a41aaaa733b9b6cd63188d9a7cfae52d0a085d395afc5e74731c86c385e1529ea413b1845b1e3a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6666375d68d3e35a2ec07630986fa6ea

SHA1
66fd0b2c2a02cf27957dcc697ea36ca0c94fe76f

SHA256
f0101fad63a123decbd1bcc091d51a6f776a732cc7f0fb06b515697c24955cfb

SHA512
5768e41da035e838e4354e34e5f965a13a7e9a33262994d613e8e71f66d49eea167e48252112382f33629337f36f392b4e6125b7de3919c8873b8d946a838f64

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9310c8e416da6a9271dec4b01d06b21d

SHA1
4d386c4278d755f3fc7e1c96bd99b764ce0f5ca4

SHA256
1c510be86295018a5e3551a524d9954f03f1c04df53e842e115cf1cd3c8daef5

SHA512
f283b7fb4095634f46b6c889e6013f5f7284790358804bd76b26087d4478d7066916e6340839a2198531d2c2af0fe58cd3beffeccee17346fa3f11bdd9f1c7fe

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
5c795b37c55a03915df7e7f8826f539a

SHA1
a8a0f4b69a36494092a1eaa8adc71a52f038722f

SHA256
5f6634a65b51bad54c7c16fa08171cf71a384223e0e18dc5aa35195e519a9cd3

SHA512
1603ae64ed930d288b3c91e3edc841634789dcb211e891c396788dc5a44a212b5eeb179d8698ac9fb2e70d30bfe4dc9e79e2868a9624b0ae0a864eeae756766e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a85136e77170d871d4d6f992227f22ee

SHA1
f05c2958fcb71f0d07449336b76b5b5e953f43ab

SHA256
5e2f9407f789d649483deeb5b495675f71a907afa7315ac7737e8229152023c7

SHA512
483526f7e35243a03e709a15c301041334a872b3537af6c0d077f3cb9a25e57a7ab8b1d42c83e688e2fdc15884bc7c71dfdf3b0fd6ee37f5883887f13c106da0

Download Submit
memory/408-302-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/408-419-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/920-444-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/920-633-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/920-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/952-243-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/952-77-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/952-83-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/952-76-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1400-62-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1400-74-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1400-72-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1400-68-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1400-61-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1432-395-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1432-276-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1892-369-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1892-257-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1892-251-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1892-250-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2348-630-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2348-396-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2612-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2612-242-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2612-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2612-57-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2748-370-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2748-549-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2908-531-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2908-346-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2916-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2916-639-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2988-288-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2988-407-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3464-408-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3464-634-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3736-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3736-236-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3736-31-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3736-30-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3892-532-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3892-358-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4008-312-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4008-431-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4084-39-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4084-38-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4084-45-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4084-241-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4088-528-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4088-335-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4600-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4600-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4804-637-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4804-420-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4848-261-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4848-262-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4848-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4908-35-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4908-1-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4908-14-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4908-0-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-638-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4944-432-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download