d75913413b5a7f8adb50cb3cfa8e1ed07f68ba40624008b51ef9f914c7279a95

Analysis

max time kernel
130s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d75913413b5a7f8adb50cb3cfa8e1ed07f68ba40624008b51ef9f914c7279a95.exe
Size

706KB
MD5

3fb7a1b5076bbb56414310c2c54ddda2
SHA1

052564e8c6b413b839aefc1d66655384cc5d47f6
SHA256

d75913413b5a7f8adb50cb3cfa8e1ed07f68ba40624008b51ef9f914c7279a95
SHA512

f8bbb9f2178e2317f5bf25aea8127faf3601cac775de9672b1e5c411255ced3de39863ada3df837f0b3cfaffddec172bfa7341b7f202ab260da053b339c7e515
SSDEEP

12288:HWiB+txFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:HWiBC8NDFKYmKOF0zr31JwAlcR3QC0O3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
680	alg.exe
3020	elevation_service.exe
4536	elevation_service.exe
1320	maintenanceservice.exe
372	OSE.EXE
3740	DiagnosticsHub.StandardCollector.Service.exe
2268	fxssvc.exe
4760	msdtc.exe
4780	PerceptionSimulationService.exe
4164	perfhost.exe
1488	locator.exe
1036	SensorDataService.exe
2472	snmptrap.exe
3244	spectrum.exe
4924	ssh-agent.exe
3864	TieringEngineService.exe
4160	AgentService.exe
1772	vds.exe
4224	vssvc.exe
1908	wbengine.exe
4288	WmiApSrv.exe
3584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	d75913413b5a7f8adb50cb3cfa8e1ed07f68ba40624008b51ef9f914c7279a95.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d0700a72c98e5a49.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b27abdae1c36da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b8241ae1c36da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f58d00b41c36da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ece1a0ae1c36da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015706cae1c36da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb1a56bf1c36da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000224727ae1c36da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c4765ae1c36da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b5697ae1c36da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3644	d75913413b5a7f8adb50cb3cfa8e1ed07f68ba40624008b51ef9f914c7279a95.exe
Token: SeDebugPrivilege	680	alg.exe
Token: SeDebugPrivilege	680	alg.exe
Token: SeDebugPrivilege	680	alg.exe
Token: SeTakeOwnershipPrivilege	3020	elevation_service.exe
Token: SeAuditPrivilege	2268	fxssvc.exe
Token: SeRestorePrivilege	3864	TieringEngineService.exe
Token: SeManageVolumePrivilege	3864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4160	AgentService.exe
Token: SeBackupPrivilege	4224	vssvc.exe
Token: SeRestorePrivilege	4224	vssvc.exe
Token: SeAuditPrivilege	4224	vssvc.exe
Token: SeBackupPrivilege	1908	wbengine.exe
Token: SeRestorePrivilege	1908	wbengine.exe
Token: SeSecurityPrivilege	1908	wbengine.exe
Token: 33	3584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeDebugPrivilege	3020	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3924	3584	SearchIndexer.exe	133
PID 3584 wrote to memory of 3924	3584	SearchIndexer.exe	133
PID 3584 wrote to memory of 4604	3584	SearchIndexer.exe	134
PID 3584 wrote to memory of 4604	3584	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d75913413b5a7f8adb50cb3cfa8e1ed07f68ba40624008b51ef9f914c7279a95.exe
"C:\Users\Admin\AppData\Local\Temp\d75913413b5a7f8adb50cb3cfa8e1ed07f68ba40624008b51ef9f914c7279a95.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4536

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1320

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2508

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3244

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2980

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3924
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
77a31fd9cead9bb6e02663d3b7c12bce

SHA1
4154effa991a05dbc9c617fe6d8579964ff456f2

SHA256
e9a0fc6b84ef53da5bbdffeddb0440f7ac743d4818744a81d8b919fba9aabb66

SHA512
2ced24d3c4c25a3f1f68552391f44b5ec6e279387d8dcb2b88d43b090a13875e18ff8a51651b413a6a275dc1df9e24b5be9c3424b834cc938abd00c3335060ad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
276KB

MD5
2081a7ed74209ce3b2a85ad5b4a21899

SHA1
cc5e2853e1bcafac52a429d533f67415e38579a5

SHA256
4787f64f623f4427a7dbf28e4b5f35412a33bd1176e2265fa01f809c7a689363

SHA512
946c99ec418f1692c892f7fb75e284a94e9613b6240cf31588bbbe893810c497b17ada591dbbf4a247397c0b138e151e9a5e154c6750080e40fb77ccc51c1206

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
06acc4df8872a6929f2d2a80522e70e3

SHA1
dc4092b657fb79972a4224da98d4c616f3df0b8e

SHA256
21581ae7414dd2f750630fa8d28d91ffbe1909a41e421a08ec0520af193b58ac

SHA512
00be94ab021ba4537a3b813fcaf553c769de3625901b40d947055d211cfbb0d67aa8edc2da9b0efaf83469e551ce130a923076e7023b085083a85affcab226a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
63KB

MD5
a13665897e30d58a68e293d3c9139337

SHA1
00e82aa2f0ec95117625f80248d0114f1a1826f4

SHA256
21dff3c44de48b51c64ba0ff5c04498f16f9023763dd664f1b53c9b2483c568c

SHA512
6b5650d41c85b96e2f03d587dfa7bac3314484e7c3a12658ff2b2ab8ec2d1340c98a36eb6a12d934f70cce7841a06120cb43b12d3e3dc64299c9a1a19da4f95e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
713KB

MD5
e6e3143899469e75d948eb8f384c8e94

SHA1
a07e4c93474beef1523674bdf268f75f4c5f9a4b

SHA256
cf344bb221b7d4ccb4bf38fa20c51c744b170d8bb63970959c6b6fdd5c2b8cba

SHA512
eb6c67ab233761c8f0231f6531f21263db0285b87babe9a62efd8e63cbe687db9309755b70c401f67a35c059a01a1c313a3bc6668aa3ff306d99660a0dbaf9c7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
998KB

MD5
7849befa14ee06a51f8ba5dbe867de38

SHA1
03058ce437f1b1854d61f685234f6e4d1809a451

SHA256
6172a1a7d467d380aa7f0444268ed67e32da06000fc8f6c60a696451af7150c3

SHA512
45c3dc2b5ac82ab76049c53df2af1dbeedd674b97c43b2d4c34fc4669e44f05e8053797528491b7ada4b6597ebb9daf408db216deec442a3df49ebf76c62e4f9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b9ec8f803ac9aad1fda0ee9d883d8dac

SHA1
d1acc1c8bd8e6ff30dd72eeb34d438dd4a246470

SHA256
968bea27acd4273b1102e81f6e986487b897e3f54ceba86ed0c968dd764bc0dc

SHA512
e39169e2dac1a91845a7a63085e216f275884e40ba20c39ab076d7b769f27847b471bee3961ada5637843cf568d80371b227044ea20bd1055bbc36f7b413db1f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
509KB

MD5
31e762671028120f77328334bbe0499b

SHA1
502ddba3ba99cb002e0c2354f2910239c5b54f85

SHA256
d621208b6f64e935ea7531a02b296607a8115190173710ae4df1ddcf11c6714a

SHA512
5d1f46fc0f7cf4b569b0de05cc1c472d816e509660cc18b1b1e56aee5647ebd58ddd82bfb2555450f53bd9a81ff1c287f8036f86b59c534eda38dc283ea6250d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
574KB

MD5
7fb05a1182690888cf1020704e81af4b

SHA1
8cdf1a47f36da6bb121ac04e1c0345275c5d3172

SHA256
357ab1d8679370bb7d39db5c4de46e63b6e6a50fdc69d8c0d92d0a97d529aacf

SHA512
5afab436f22aead6103743401c6b6402ab2221fba94a1a15b7555ecc36ccbd678cab603af74d09b2c472fe8e9fab81fa8c605c65cca64a9236b5e549b667d07a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
820KB

MD5
718bc550046ee853e8100d51d41b18b7

SHA1
d81d7227678bf84d225a6130cde183e4d45151a5

SHA256
c0e7402acf62b0d612c104ee6387ecee4663db9ecbeff61751b9468097bb780f

SHA512
79e47b40ac202c44b6bf6e186653a4e487a287ec2ed6b89e41d7b74440af4f41907c27d3e069c2c1865254f2d5c162fa953d5c4b63c93175db7aea4db2ef739f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
2KB

MD5
6bd1a901ee2ea5594459a5bf70855bbe

SHA1
64d60887eab29088e3fc49a78118a342b71a9c21

SHA256
0323cbcc864b21b4f5e5a6a6803839c114fe9c24f1eb23c127e334d4b1e6788c

SHA512
22f5b6ad610daf393612b19b5750aef796b4994be2b4a9e2c2a0f2e60902ce2d631dc9ae0b8fdb8f2e8ee1dd88c324c9e457b85d75467b3114985e3e11b3781d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
542KB

MD5
bf4b294629617cb32bfdf50fa11bc701

SHA1
3d51164d1e778c778a9f60e4a1d452fd94c5fee8

SHA256
eb15b4d3289b8f1f940d47959d2830f0aaf4ddc0f4c5be78af3b07d31113fe08

SHA512
08dcc24ba0f4952b50c4319c53e16c27aea2e9fbe97909abc264df7fd35e1453a6b33c5fdcbb2acafc2610175a10927555163e71b918dd6e567d5a97b21efaa1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
521KB

MD5
2e92ea4e07e0d56441170bb8a3882a9f

SHA1
e8bed2d10d5934edcbf24910528149a1395e968e

SHA256
8f8bf4b1780e6d14c4919c36027bc28cdd1898f4e4a95b2f6e9b8579fbf2deea

SHA512
c94c5d061d419ed18a2a1b627dffe32f3d783801b5afa6068563f4fbaa404623a6790af02c73b9e1ab94c0152bb7d521fb29f015ae34a8b073e9c42427acaa53

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
388a0a38a0dd1a60aafa578ade962c3d

SHA1
f79ab8a6462cd8f580111ab30cc304c3e7f234de

SHA256
fb388ea0a65c96287ffa20d5e6cfb6d2c4e707211104528a53819050ed82a39b

SHA512
0c9d5bf28d52a90f07252c2025ad9c6a86c42952478a473c990e975c7e34ba2f638b9e647b839a4fed1f1c50acaa75f395e94324f237302305694d23dadfbbf7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
157KB

MD5
9ae0294b6a53d6aeee0d57b5baf96f4e

SHA1
2413063fc842e10bbce7f6304e53b4b50a7a31e4

SHA256
c93d346e7d16da77d5c07031261d5231cb80407e1759e4f960a0cf3f38260464

SHA512
a1c26c659639ad104fb9e7a42604f45f190b0d5a3c48e57f8059962f6cae16940bf7798bd51a115645992154b8b4c1f426d6bb89365924198c1e29cf8b6b4cdd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
561KB

MD5
62c5a9385500b5477cd9a5e7fc426951

SHA1
5908cacd3e6317871496ffc21e816861ed1e8ebd

SHA256
ee35a3f8719ebbbd514d0e83340493494b52b517c5704058fd0cd0ff68df1be7

SHA512
cec8429bff87be4760bab4d9544f90342e7a1eecd1c87caee65b6e2c8eff0d99b07cf8f9f9b259095547a0ad6405096a8f47dcae866001718e3ce2247afe3930

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
557KB

MD5
c47de86bfed9a3db4cd168e49c12a65f

SHA1
726eb3807efcf5c223c6211b948fc3a5d897fc8b

SHA256
331ba06d9facf370bc8a70d11f54c376c7d376daf0529ebc2d460ad7a6e1d4b9

SHA512
b9f769eb08e9562a6a0addfc44531e8593d480ea5ed03066cd23337c52709a4d455613594549973d1f126218bfee3264792b0555da3f8448739c8e7b3b0a97b2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
520KB

MD5
aeabc7ffbb81179732a6d97db897e071

SHA1
b9a568dfc182e436c5d13262b2d0f31a1f4fb298

SHA256
7b3da4c02d05fe1357e8248783659ad78c7cdd5a57ea645f86f99e5066c5f01b

SHA512
f502ed757ea749bf0082c756fcb512e9e17e664f3bb7228f8bab6afa946e16ef36eceac8a71facc6f92af1dc7328c9459377dd0245bf57904bc708d50d677b6c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d6e2b56e7a98e5247715d040cdb8869c

SHA1
59c24c15cc411ad19dd6cd661b14d87a83fa2efc

SHA256
f428c89dbd3c7a4288daed427b5c90d584f9b76ad0780a7801bfe69bbb2db8ba

SHA512
2a0e1521b973dc1d5224522a60a334a8cdf197f3c2b5d9ff85e1258a570174d36a0625adc4481ce25c5a4be8cac8af1b32e2b82f31d240fda2660b36ac867aef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
481KB

MD5
b668d04c33376d7facf25521637a0b69

SHA1
3d50816bbfeab836744f07dfe318c7d65c681de6

SHA256
df851da82223f4f280be64293cfb3dff8de301b0f8cd464df44dce64cd908d0a

SHA512
221c1e6931bdace525d9a6e2b4af70725aa1b4a29bc7c071ea4b7d12414cce69eb449a4ef5188ba58d732e8ff1fa2582dfd40de83ffebf0d4c0e716abe02e809

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
554KB

MD5
3aff590ea5dcf84e075035a6b5533192

SHA1
0397728b5c652506bbef969b617a89d87546d43a

SHA256
62045e8db6506cc3fa7914bef7e945141c48c8a0d5abb455913d5942db6ba479

SHA512
5ed7f2206ae5a4d45f53f9b9f14c902a9b7566e2c1434bdfc1baeeff2954e98244bb2b0eb226f3872228429b92590af085f3139015461d0a9a5b6649b6eb5ebd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
484KB

MD5
4c37bda4b22aa6633d6eceb47b8d8b8c

SHA1
8f14c5de9970722f7d19ac6a38483f78594000ee

SHA256
b69a29942b881ddeff02d3239bfc52fe768fc80c32e7609805c4fd1a44e564b0

SHA512
1248e8a868133ff8064b43491875772d5d4c97dd7abfbd83c2a588a785ce7faf28e7d36566c1e33abcf2a41f79557a3cfbf0c7380ae6880424440a4ed2ba42e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
440KB

MD5
789fd3f0a7eeb48d04125940fea6abb2

SHA1
faafc22d65a9d358761d93301d413e57063c71bf

SHA256
93d7c9ac04b6074ecae8bd3bdf50c31555752828c6f9e10769d2f0c816902c95

SHA512
88b638b19716368fd7a2a23cf3181523c0ae9590b277918e54e26fc871f977f6c01ddefc96be7eebaa3429876505cb2d97944b85cbdddb33fccdbd86b951c341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
312KB

MD5
abca4955e0a77306da8bdbe02f3a5432

SHA1
c8311631926b8794b10cc4ab576f70fc081e1f94

SHA256
2e8beb5d5ffc78824858ada9cef02b4b6e7b2c2e8c56a2602ec835f675558e3b

SHA512
e97fee178ae446975c6acfe167c02e01390b4c7134ff4aeebbb44d633e372704e134b1b084b63b928efe87edbf8be1ec49215cb2954d1e107c2357280c6266d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
362KB

MD5
55cb2cd518cc6a2a378897015bdbf988

SHA1
761d09b0067a18b1381a7159aed4ae6da52d1cfc

SHA256
76dca9d945b3de4276f7427f5a897a9e6dad5b2d8e925f4dacc881d19f3ccb15

SHA512
69c6a5be14027f69f020594273c00060b0ab87bc09815e858e377482237a52eead0ede2aaf9cd4d35022e7369b089ce94064e4cc027b22ae00e89226d9fd0062

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
436KB

MD5
9b38214930e3a1f98a1c4689ca475a4d

SHA1
d54d1d93f6492869b29ee95de1cb3ed3fc7774d3

SHA256
4394603b5f9528478c1c1efb2ca648e7a066c1d8c077f4d72b1f2036deae02bf

SHA512
1b520acc773d75db8124a5ec0c4653ca9c0dd97211c53dc18143f727a1d4f7e5e7251f6a8858d6d321b6970de9d0d418d6e1eb9e3b584c0795fd834d8462da0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
534KB

MD5
3cacb05d8432e54b160cf72d9fd09070

SHA1
ddaca0da290f03fffb7c7e356a73e3f733990f35

SHA256
5b8a0e8f3c5d9abce3766cf354f1595b7d098ed59de698a3fdca403a686c3bc0

SHA512
ba08b9c519e0f189a056ea9710e73900eea100dfb5ff2d2cb726ef1f34764fca0b343cdca4372f20b9f7947a4580a7ba1f1b1ed83079b4a41442b1bed4266196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
395KB

MD5
c91c529767ba8f706fa364857c8aab18

SHA1
ba96a1d00d59cb670961e55491d12de3322940cd

SHA256
064a67c4a39c9f9fb5907a1a6f76a8ff675483bfd6d1dbff65273595d3487964

SHA512
b1c952c56c73484e0aeb7bb7e415811741cf8b5f05ecbed02b986d5cd41800d11bfdc966509bb7f3900f15cb51abf84a1ff46eb09d5242c7d0b6cf6581b3bb8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
433KB

MD5
e5d3e0b684804b38758295cb37f48f19

SHA1
319733d198483c91cc5e4be9a4ea7a07adb4f772

SHA256
83f91c24c77583a931965632cf7e30aafd58b7e48885bcf1eaf970641d1ae5bc

SHA512
d43763704467a6cae37bf029913747e91c2de0f430e8fbbcd1452b6035b01211b39bc7290e053998930e7260c010928acff97893ae11d17e99ce4e321f80d926

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
195KB

MD5
699d3db98f29fa78ef861ddcfa7b36cd

SHA1
a461445e45c76892e23d6b2716efd658fe1a34dd

SHA256
0d855b39521971412e12bc3a480f1d95e1f182545129b859365bba83d93e0982

SHA512
a44e926d1385f28d40487cf7c9304aea1991c95aa69fc13fe209d5cbeecc7ab8db91cdb6fbd290deb3966b182eb1979ffed5da9cf5a65c0ac0c580c1b2f272f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
275KB

MD5
2f4e3d29faf06b95f1602a689abf3c08

SHA1
b61e8d93c4fdd130c20f4a392519a7edc3b0d3dd

SHA256
d4543b0aa5874cf4b9ae627ed7c4d01c1c77a209d289660459c3937d6398d98d

SHA512
78db39aedd10592ab38dd787c297b98600f5020a82a1e3c4d4b208b6471a744aa46cbf5a947afe304ab38de889b5e65086079927e826dd863a12a17f11764bfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
114KB

MD5
0cc3f6dedc765d0c6a5d6197cdf1b3eb

SHA1
f3a324c4d87177c9c1c7c8d89292aba82dd144c1

SHA256
0fccdd01c0c9043cedda7ca74b6cd817a9094437c17804a2e9f3ba6d83f49f27

SHA512
d7890097b47abfebb4418f6e22f55d031b06528344f7bd230e611a7e09a1aa2eb979f3e957d77d2563b993b0cfb8153f9a06d37d1683cb4b1e4b108c33fc6788

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
155KB

MD5
8d9bf214d93bc323c85163b7d48b3267

SHA1
57a19055f44451396db265b1c4fb670cac2a172b

SHA256
08098267b4d8889e7a615a1a3e721fbcdfc90f58607042d54bd325829dc3c8ab

SHA512
450c51c6f07e05d321efb157769b992c1c5c7524f3be8f6f8e9366ec901c9fa3e3248cd658939b6d2b3e520422ade7eca9b165f9548d968baabcdecb40fef5cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
144KB

MD5
36080eff431a7deda185fd3a520cb4e6

SHA1
a2ea48de0d0cfd9195baf873167682278b023951

SHA256
29b78ffaab75d75e379919830b83233bf84c29619081dcfe2bf63cebca7a7b79

SHA512
053a0d1c72003c5f8fa3da2d09b83d6087769bd92fcb535f4a0f9adec1f4e752e0e3d47d9a1dac3924d59d6a21ce47881978db6e7e551f222bc2440c6b79e50d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
145KB

MD5
701c3268b55e54028518526981bf2c71

SHA1
ece4290755129ba2337f2f6e88ffbff3b7448adb

SHA256
f7cb215457eca6d64abade59b588c1a9d750f6db1734e22a1b120cd7a1015433

SHA512
b292506d7fb983e171bb95d04a29711aadb82991af7c76ac70d4fde1e1ed7162353499658dcd5935f7ab0dda69cf96051c904f8bca615ebd154698bb8b46286d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
161KB

MD5
fc5085668cd4fa88b1b12ecc0f8cfca0

SHA1
deb4e5d7c3129c716bf5ff88b2723bad8ca1e611

SHA256
e939d4ff78deb12d612e45055d0a2fb19124e9224aeece80ee2e9330b9dd5953

SHA512
704c43daa8a19b1288caad7ef23adcec37cb74bdcbe0c796f8eb2f9795406b0f46d003f560b9e24ccfbe4d0611421e93ab1a6b3a440e878c62f27b251a8c806c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
55KB

MD5
38dee21865cc240269968a3e62a30d1c

SHA1
da066f44d727a2ddd8b2253b244007dab92af9b4

SHA256
c8fc297f4b6071412e5295a7a05115b5655ffe16b1bd7b63cc33c0725ea86051

SHA512
150b0c123f97678cea39cd3bfe013c2232ada38d659636434130dd3d43cc5b8cc5468c39e7333c484191c107b7d94d66266a1b3773bde1b973477156e0e4ea00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
92KB

MD5
e69f9d966a99e6598b6099d8e97e85d1

SHA1
1f92f50761d95e990af3abee56049328cfef77a3

SHA256
2011f8dd050f1cde9e55ca0c81332a900748638ab7d42d36044302796139e339

SHA512
2d2601b3ee89909af2574e6ae3044805deed3305a3188ef341923fe84d799da4fbdbf0be938842328ca7e8c95aad4585d49d995c36a9d055c60c724fbb28d4f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
108KB

MD5
8049b7cc130d1c7a0b170de6355f681f

SHA1
2d4da930a826d935e6ea1d4d32114be84419666c

SHA256
7d1ff24bcbceed9c0c66cd5ce223d2fae8bf1e4f23b9ba94ae91397fcf9f78ab

SHA512
6d3ec9c09f4228fa701f3cbc12ba1bf8371a95947718b42c679ba2612b2876bd5b2250c2a28547816679f322a21103ec920b096cafb4c639b32af02c7f5956a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
95KB

MD5
858cf551125a878f10e47bc8569dee8f

SHA1
813c825fb15570872b27c37c348868039789aff2

SHA256
bde6cb795b56143f9bd96bbd4d28b0f2a1de51c406ffbd93b585c89fc09149de

SHA512
afd35978c2a5c9063736333dfec4c732c617454693d33c451658cddcadce34e8e83773e9c1183c0dee019b444b326e5a1f5641186826d869aec902688734805c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
169KB

MD5
f0bccc27f203d25810877c20b88805d8

SHA1
4e16597b9f6f402a55d24e29b0389cd5f9cd7a55

SHA256
ec3a95067dc0567f112a0285622ccaa32a22e18f3f3181cd98a2b0d0777f1ff8

SHA512
4907fa6d017aaf21231ce4cc8b7ece97ebf03ba0d5c80dbfe53776fff287f2d2d5e7a1f578b0a6b5dda921629bb6b38d805b973cc79e426a8f94c88349ba07b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
95KB

MD5
918356c919e6d95e81e5939252e3a575

SHA1
b974a8956cd029ce7f3d5e67e85bc5c3e87fe4bf

SHA256
07e9c36cd5d10294b8580ed7c4bf172125847231e71cce78bac6e3ce921e18f5

SHA512
d744e24d351988238756996aaa27caab89b65ac8a1631961091b01a00a6e705265b5db61fbdb40140431febaa15b0d3b22d94f56ff1ae4f62b5faf9a1fb05f84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
90KB

MD5
e14ba4c2297e2798bc0fdbe9f53c6063

SHA1
2f8e2934b58675d314799adeab33c9e5a549d2a9

SHA256
d0c59f262ff64ab16ff6ff75cc0a358619020557a06f478c1d58d088c17e3de9

SHA512
36b8ce2499a8b2a845aa6657c5a5877af16b6d19c182a571dc99f3e272453c274209b626bc6ee294af052a7b865d86adcedbf0d1b09c164c709d37b3d8621e99

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
654KB

MD5
e9443bb1eb26986b7940cee86d6ac761

SHA1
67bf914541d90e5cbf83c95bc70436c060b0a6ba

SHA256
d1b56b3339dcc9ca61537070de506a742f8385f3ebf1b5817173df14681a995e

SHA512
1772e2d7640e9a2de2ba1443cdca0b854cfa95ca203ab736c1cda64572474bb6345df75844f626ec12c4038a23f7730116f9a4a42d451e198ffd5d4f098c714f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
203KB

MD5
4dfcaf620b7c16977a775d240bcb1a0f

SHA1
91d36c491d1adaeb8470ec0dbcdca3723705814d

SHA256
a0e75005f3d2507c29da3c41755820778cdf0634dd9cafc23021e0dd0c677868

SHA512
91fe783c72356d8c3b4bdd5c719402de95b4448e9039caa77e11cc7d4097121b52076fa31ee65161c2d9227708914bdd94b2be755e6c3fe75bce8a9e7b3a643c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
218KB

MD5
32ff08f85718b6e6270bae206cedd2f4

SHA1
64948f0abe1588349f7565a01d7d63327d5300d2

SHA256
fb50fecfa16e5679924d8b017374d681f88d61b2413b0b9269e86fce001d6d64

SHA512
f80bd50e2ead0e6b8bd815492f9ea37e92adff328dbb3181ecacce137b152ba6cee96e2c46ca131345012db35c7196b6f14bebb89ecce070ab0b40b1de3f1d85

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e2831ad9ca2dde491fe3ff9f8a12db01

SHA1
25fea975748d42697bbec3745c8797ec79f91946

SHA256
e8065795fdcb43dbdb688063c919a3b838a687d08194effa4c10b28e17dcb338

SHA512
05e4ef0d3631aea138a7c75eb6a747e971899a3268d3cd81c456356ac6ab77201ffbecd5a4ba30186b92e4ad8323a250baf438ece3e04f20a6849b71fddaed51

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
631KB

MD5
e6d7cd95a0ee2240d17829175991cc0c

SHA1
e54302307a87e74326c93fcc67a89dbed9cdcd8f

SHA256
58c34d1f3c7481c8e9026337ede045c33687ed39efe678a12f9c3a1f0e236a02

SHA512
0fc028334066baeb5639b1c33ad2205e4e1fbdf52e55cb5472eeec4885f94c7a9d3e2d22b9e7e965fe334d701893091e5f828a6aab1497390d8592cdbb3e2b1a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
225KB

MD5
468b9428b4834b7f09ee3b3d4dac639e

SHA1
1af8c537c9c34bb62b17d8ca5c6b8a6e8d008733

SHA256
b5dec3dcd6908e06e340d653fea991c647bf62bad3ca94be3f8b44d17a1d01ab

SHA512
a7c84b4141e43d5f5872b30543368d4d54ebedf4f244eefcf8fe226276e9699130532a836ab996f2c7288a406d30576e6a72369c95d0a269847d60dbca0f8f58

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
236KB

MD5
46e40b088568b821ed3ee2ff53cccd0b

SHA1
3f2274b17724c356df09e6bce34943a4081bcbd2

SHA256
7de3f2caac77fc1b1f09b96ed6169f4e0de2501a77cde99dbb3b588fd1184633

SHA512
cf48dd1ad9da9cc28ad2c3b6fbd9678502d0a59e9010ae92a36a47607888b0ba4e927fcd465c45a6f8a3a85ee9149d6ca09a34186a6a4e40fe5ecd25b2493e9b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
27KB

MD5
e8a278785ceccf8e8c17628093a89318

SHA1
67734c926031310772ec8632c684a42ca44adae8

SHA256
0d82bb766a010c59d56bebcf02b54f1bec4c704fa2d2bb466411dd3f8260e35f

SHA512
cdcf80f0a4d12bf05049d2fcb673811154e720047b365d9744079ffb8d71a69ed64d0413a8301f20d1a75c725755baf1310a88e15ba7fe12e204b8a054d86d5f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
65KB

MD5
3baaae2a060bd374d6a9df05b3d7484b

SHA1
a96b175b99e81dc3ebd64e74ed941119521376d5

SHA256
364262bbd2bac1bf709300b2a593f34af5064f897e0ae4d142c653146cd9155e

SHA512
b181c03af0663d5ed700be22cd8b92366e4a9922078f81f49a76322148f93883ca765089f7eadc1bb377e8e1ad3422fb85362e797a65456b157b073bfe46339a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
63KB

MD5
23c24e021d8b9b59c115def3f394a661

SHA1
8e2a8af971f720e3c76877a0a6ff334dc24885d1

SHA256
e1470fecf4f8b630a771e3bf5ce78c0dab04fdf68a97d1440136b4384171b70b

SHA512
9b3619f2447b3f835a3acc02e69e38fe0fc663c598828a3af1486facf7e1573496ed1e9f1516b5dcc31e03b8d46cf1125076b03d867454d09aa216d4d6e46187

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
204KB

MD5
cfa9699eb94729d047f112827f61dd67

SHA1
f18de90b18af32618ab317c8ef2931c4c3ec3112

SHA256
1136c4388c0d97d3b71c5b674fd9e58dbc5c3ea1c62eaa9055010706b933e503

SHA512
d94ad2bf45867714b2f04ab7be372aab0bdb187d8a460186ea9e6ddc6ee9f7bd9d31f9c7bfa4fd092b55dd843f1204e080efb2c14426611c624201fd25f63a47

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
68KB

MD5
a0575e8af69ba875ac4ec989ffbdda90

SHA1
c6fa5a02572518ae09f7349659dda5f6152f70eb

SHA256
cb2fb70bb82500307d0d42abba7c4ffda78f1a7a01cb9d03fe6ac86d64ccfcb5

SHA512
6938f2d9ec9ea313bd34094464683e77d3f7420b223fb929ac375484de4943ac5b8a042379239ed1ca85432885c69dc623ca30b558f36a3a1ef7f5488e168db2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
11KB

MD5
ef57e892fc5acdbd5590326b7c72dcac

SHA1
ab357234542173e934c45e2632703ac5de6efb62

SHA256
d029035ceaf7a8854288670717e3dd48eeaa92935fe19d7f4669266a7e2e063e

SHA512
7731ea95e6535defc65fea8ece691656e396b652c894a6c11523f9a5c4af5e23b7fe77bcce2dd117b3614a9b8a330e050fdaf78914da69402ed4c61d051b9985

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
242KB

MD5
61f70704d700a4531751af1625a600d4

SHA1
25054893f2e5f8739b679b01645fd4a50f6b54cd

SHA256
2c1e42c00f22741dd091522e25c27c13ff59f30e18dedd8d4a0f8dc8b8f0795f

SHA512
e087a682e7bfb1e0f8d2d3692a983797c3ee20f4074718d5bc8cedfde737432ee777d25f16649a85b2a7a78255307b12cbbe69174d3196b68425d1ffd1928f24

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8971d3769d3b5e8bac76af6bc2d0dd4c

SHA1
c5a7adbe3fcb9680c348e6dc144cccf91afdf18f

SHA256
2526073d5d4f3074dc7abb0853bcfa1695500cf6bad01f7957fe28fa6d669c80

SHA512
77d7ad8666d7106b1e521018546aafb248f93cb6acde942085e8147484edc0771f40467b33d7e20a45af5783857dcc0f586e0a1aca0364ab880a27483f46be66

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
223KB

MD5
92508dd92b74f0d1daf587e8040457ab

SHA1
5fd8bb8470b16d9382c33f8bf6bbe7fa5dd19594

SHA256
fe29b58dbafae8e15be488b9cf5c65655f558704fe3f08dd5e58032e86b2491a

SHA512
305ee598c687b8e52795023f48c8350a964b9633b1812b04072372b6a2b36a81be2a6d738774c89e340e2fe6e37e0e54089a30fa5b4a10c6a751b788ee56b55e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
185KB

MD5
f24f26c6163f3d5e564bc24f71c7ce0a

SHA1
b8f01e1272f2c5b8f9fd5099ce6eb492f0019a22

SHA256
53a0f3b66ab6486baae8466360a5f1479b66de8ca301f1fc85fdbeacae807198

SHA512
a08465fbf42d885df2f8c967d309ce06918eb3157eb2f63c64287743e64203d7b4c75860cecab4107fee7ce65e75c55545d3ac6d76cbc8a33f1c329694d715ab

Download Submit
C:\Windows\System32\vds.exe

Filesize
92KB

MD5
b78788a90de05d0b5f0f3664f5d73314

SHA1
a4e1d2c5617ad2e7b0e3b8afc939b10fe517f3af

SHA256
e4701b26f3a648c508913e44f8493c05e594cac27f1a0010d0ef798ae814a994

SHA512
a2dcf0b90eb533062e4e5afdfb34c8362563ea333fbd69bfee1fecf8e9eff59a6766acffd4d85aa3e04b09d56631ffac0dccca9563479bb818e963c10036a5fc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
135KB

MD5
cb81db0d233f76a10dfdbfbabab6726e

SHA1
c99b83e87f57b13cf7ea0a40dd433602efb2bd57

SHA256
8d0d818bfe94f87940d7593b92552a93739b9f3ea352dd02db6efaa008416bd0

SHA512
3fe8e78a0197f782db8092c0773fc520ceaa78ee39fbcf7798d0557e1db515267b5775611c67b6a2556f5743489cba8ff6a946f76a20289c47f0319e0f309bb1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
161KB

MD5
ba4b29281aa0b8fa97354f13027ec0c7

SHA1
a3b5405e433a2a1475481fdaa25643e5b29c2545

SHA256
0e7cf35bcfba99701a0b508aef65a6aca1d4b1d8ddc7cd8ee8bf3e76b7dd2d43

SHA512
8a7dc88a24de35eb772e36bd5cd63bf69b4bad3524f3883a576d7092506639fa437d5ae16bb4e1d195eb70040f4a38473e745af4f09551ff91baa49308d1767a

Download Submit
C:\odt\office2016setup.exe

Filesize
838KB

MD5
cec158c70a767ab2f8a460663690d589

SHA1
982b12c71fbcb94d08707f778b3f45e352c00fcb

SHA256
211231420db2c9097797a9cef40b63e19fb7c025e0efcf156970838b6bcda33f

SHA512
72cc08edaca4134e3646ecd71c469fa76e661f6b6f6096852f4df7e60bc8cab8fb4b8a916b91c5ca6a367f396f9fd70b445214a3b9fb195eec22bd56d009df9a

Download Submit
memory/372-74-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/372-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/372-66-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/372-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/372-73-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/680-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/680-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/680-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/680-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/680-141-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1036-334-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1036-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1036-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1320-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1320-50-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/1320-58-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/1320-62-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/1320-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1488-322-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1488-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1488-313-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1772-418-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1772-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1772-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1908-444-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1908-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2268-263-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2268-271-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2268-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2268-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2268-257-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2472-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2472-340-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2472-348-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3020-35-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3020-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3020-29-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3020-232-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3244-361-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3244-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3244-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3584-469-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3584-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3644-19-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3644-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3644-7-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/3644-6-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/3644-1-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/3740-246-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3740-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3740-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3740-312-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3864-388-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3864-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3864-381-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4160-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4160-406-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4160-401-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4160-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4164-309-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/4164-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4164-301-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4224-431-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4224-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4288-457-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4288-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4536-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4536-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4536-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4536-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4760-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4760-282-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/4760-273-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4780-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4780-294-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4780-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4924-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4924-366-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4924-375-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download