2268297b3667f81a4c6e47048b9e3636a3e0c95250086edf5b04536241ca3b40

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2268297b3667f81a4c6e47048b9e3636a3e0c95250086edf5b04536241ca3b40.exe
Size

1.6MB
MD5

05ac57900eabe9cc63eb5307f45c7c52
SHA1

b34eee34630c7d2309df010adccb778a4592c1d3
SHA256

2268297b3667f81a4c6e47048b9e3636a3e0c95250086edf5b04536241ca3b40
SHA512

94c8e4a8021b42cf884554976ae38eb0ed482508e98573cb735590622b695dc25c31330f93aac2073ea7431a9ace67b0ca8c752bcbd781949a0804dcc2ce430d
SSDEEP

24576:Xa9BaCks7WE9F5pwg8zmdqQjC60jiHkU:XeaCks7R9L58UqFJjskU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1316	alg.exe
1688	elevation_service.exe
704	elevation_service.exe
1356	maintenanceservice.exe
1448	OSE.EXE
1244	DiagnosticsHub.StandardCollector.Service.exe
1960	fxssvc.exe
4164	msdtc.exe
1924	PerceptionSimulationService.exe
1468	perfhost.exe
5040	locator.exe
556	SensorDataService.exe
2388	snmptrap.exe
4160	spectrum.exe
1536	ssh-agent.exe
208	TieringEngineService.exe
4540	AgentService.exe
2212	vds.exe
1332	vssvc.exe
3936	wbengine.exe
2556	WmiApSrv.exe
4324	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2268297b3667f81a4c6e47048b9e3636a3e0c95250086edf5b04536241ca3b40.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1282a6f16319cddc.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5F218BEF-EA7C-4A5A-8DCD-3014BB946029}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4c2dd4b5352da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9917f4f5352da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adcde54a5352da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002976534b5352da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6a3b14f5352da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbb22f4b5352da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5012	2268297b3667f81a4c6e47048b9e3636a3e0c95250086edf5b04536241ca3b40.exe
Token: SeDebugPrivilege	1316	alg.exe
Token: SeDebugPrivilege	1316	alg.exe
Token: SeDebugPrivilege	1316	alg.exe
Token: SeTakeOwnershipPrivilege	1688	elevation_service.exe
Token: SeAuditPrivilege	1960	fxssvc.exe
Token: SeRestorePrivilege	208	TieringEngineService.exe
Token: SeManageVolumePrivilege	208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4540	AgentService.exe
Token: SeBackupPrivilege	1332	vssvc.exe
Token: SeRestorePrivilege	1332	vssvc.exe
Token: SeAuditPrivilege	1332	vssvc.exe
Token: SeBackupPrivilege	3936	wbengine.exe
Token: SeRestorePrivilege	3936	wbengine.exe
Token: SeSecurityPrivilege	3936	wbengine.exe
Token: 33	4324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeDebugPrivilege	1688	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2816	4324	SearchIndexer.exe	116
PID 4324 wrote to memory of 2816	4324	SearchIndexer.exe	116
PID 4324 wrote to memory of 4620	4324	SearchIndexer.exe	117
PID 4324 wrote to memory of 4620	4324	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2268297b3667f81a4c6e47048b9e3636a3e0c95250086edf5b04536241ca3b40.exe
"C:\Users\Admin\AppData\Local\Temp\2268297b3667f81a4c6e47048b9e3636a3e0c95250086edf5b04536241ca3b40.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:704

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3880

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4164

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4160

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2776

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
725KB

MD5
1dac282ea7b28626eec8d58d7441db97

SHA1
93ce0b8f0d97c7c125edc08786e49474b742d18f

SHA256
0335836fb1af72a74b3927b2c2dd400498de8f0be064222685934a1db1a4c86d

SHA512
dba8f4f1eb4264f8c00501c3b67561f0a522848e646ed55272a7f0a319032dd79b4c21162f2c9359e2ee14a569abc5c9b5f827eba0844eea30fbd0332fc894fc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
2881bd14e280df2364697219ddcc40e9

SHA1
3781532d0ad8cc066be0eb186929238b1b76c0c6

SHA256
005dfc81b2251d3d0c7e74a26fd2b0e8cdb1eb3be4679a7777288789ce34c96d

SHA512
28266aa444a89a2535aae85526ad21f44a5cbd04163800982943874b5da7b4f28f862d59c10307c30cbf77496c1ff63bec0a26f63b0c5013a0880d203a868694

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
352KB

MD5
10161cb3931755c7432a4be551702f90

SHA1
72d1ebe51e1b5a1815bde3104aace0bf3a5f4b7a

SHA256
031b85643673cdcf1aa8657fefe6cc374337bab01256a6e0e04598a680f22c23

SHA512
b93f60d3ae162fbd0491ee8fd596e132ae0d3e7a9f5c291572c2d0349ff353941c42c3bbc61531d729acff3e88dc5a4061c77f6c8a7087c93f4cdb5176aa5f59

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
230KB

MD5
ef12017e23a7d05130141514815c1164

SHA1
cdda00e0935df0dc7d5717edde580a4db8fdd0a1

SHA256
1c882d1902e6ff2f17612bc933abb304856335dda3e92cd793c88ee4b3dbb54d

SHA512
c110d1114db11ccfa35796dd47348dc70403a6b2d6a86349fb8c5dbc07079d8ff83a602a1167c9fd52cad61afa39e9edb8b0ef3cad87ffdd74b0f891b9dfc526

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
172KB

MD5
d5c1d5285835f7759019ac60c6f639be

SHA1
3a948defc0df291fb70f3ed0ce32f37930773967

SHA256
4546bc2127286c0db824862aff6ddccc5afd54ca6a08633f2f6cea1c8c5579e0

SHA512
57ee8bbcca5bcf5356519280ab9ae55be74508f3b2cf7fa806697ed21897df0f71b28b6e7686e60fe778688247454fac4901e7c01e7826d9674426d397bacce7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
986KB

MD5
652fd7ccca201509cd308172447c99ab

SHA1
6bef8da17547f1de9f88409aec8a5d10ba0d8929

SHA256
fe56dc15f9e499711c61af4fb8684c9195b580c189257b504e4004b259b89137

SHA512
49a1d277138e3a70c0b121708d9e26977c8e2e420ee9127bda41c3277e49832e5643250e24687696418e55843172f921df517f5d2ae26b624169ccaf64f64de2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
851KB

MD5
ffac3dfe06319f7ecae5adda2c125f2c

SHA1
1ef593408304d5cb24e2353edf221e51cb9c50d2

SHA256
943cc65addf05779d46ebe7cfd961679d4cbd81f4ed003fa66561440516f8477

SHA512
148346fde9d87c6d2ae41154077bf643c81fadfa7f45c13e04f03065423b7ea6ab7dd655fa4f7fcb7e3bca5c7908fc84836e86da8b8c11841880bec5e89bfdb1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
133KB

MD5
c70599f031efe650b30f34d3b108552e

SHA1
1758a588ef8ac178cf093db97b2b79b4a9a05402

SHA256
28bf6e167e6280886ec9430131610380bd1b5fa3da9b10765228573b60d6d18c

SHA512
24ed8af580c27a9af1246fd4b7a40a9dc997d4202cb7cf3de3ad46e25e7898c430f140d74fc6771cbb0342f385bffc184d4c798bc4dcd64e38ca175db0414319

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
820KB

MD5
af135242981ea1b4d5d699bd03437f63

SHA1
9485cdbb15b809f17190ca144e8aebe41525f30c

SHA256
552f43ad4b37632be3c6492bfd3aea8f49bb6cba9fcf714b4c3c6c6060856e49

SHA512
0655452f1edbe263ca3a9a710d43fa9bb75d9c80fbb130e5413119f4ad38d992b27561294d2c263c9a7c34cc9fc18ee75cf427df75d9d03bd4f75a8bc660d666

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
104KB

MD5
823aadbf419280859891d0f917d5d493

SHA1
d1f36aff8257392623b0cbe8be12698619c7a98f

SHA256
f5ffc5d1816b9d0731d94fb6072e0c9b43defd4ed9148f98e01aacb2fa6a1061

SHA512
4167c5602fad173571ac49e5a0b72f1393e5a12bc70d0541bb25e72299c022baa3521a92bcd9ea94a6a17dc8d40a14b3dc71b47e81043687e0209d9151462f0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
264KB

MD5
3ce7f9ed8e27d80163018401232e9f82

SHA1
658761ddba568c91ca28c8170434052b0e365d6f

SHA256
539837251a30136b989ac71573d005dfc85f86a9e60c1c34af015882a35a685b

SHA512
cf6bada2f66d16bd511766b1ac4ff94090390da9ca3419a215a3c2686cf3ca4ca91f16384f7e05554012550851b817009b8490bbffb961d55c0b66c7cedcabdd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
883KB

MD5
9d48850e38e8dc067934e03001a88225

SHA1
f3d47f40bd226165094c9141587aa71c6969a0e7

SHA256
3e18554e2e5600a36fcb880bd7795bfc2c6a24bc1b916fb528078ae22b7be097

SHA512
99b8923d6c4f67327103fc9689b19b0fb34faf38291080d55e723e5655770e3a4b1ea25753f101546ac3254316ad642767099ff9c7bab139ebed77790931f110

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
689KB

MD5
fb06e788d735f1bd8ffef82b7df9324d

SHA1
a45f3afe70cb8c78020905fa5b54d36cc916b4d4

SHA256
793b210188884b4b504a93da06a7fc76f3ea582bc52f08472e79f2ac52bb86d9

SHA512
2ded624d51f7a4a447480963fe55f1c7d812ef088dd6e446c419a3017c036f9c0fe300fe6010f062b9dad8ac1b38d1af6bef6cc3b70b7ea5cc0e5289997a1d87

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
106KB

MD5
eae44a2de3899aeb99b203115db5d947

SHA1
0af86196e7629c59dcaded50cf4d8b73bf9b6362

SHA256
cdff7e72230e8fad3c74cda11a35cc1495663b02a15e4033b43c88a6c390bb5a

SHA512
ea00e7a9f80105d67d0c01b173e4f6183953e5a2ae4469f6166358b7e482e84ec51426e70a720d6bba08839b76b74362172de3d9e779441b4d7d65ffaa1861b7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
618KB

MD5
b6879548a1543992f1c34945257ecf26

SHA1
da74c6a80892b249fcf6ae3de9a0d3a713aa10bc

SHA256
5663e3776931b637ecbea83af71bc1fcafe0008b499263454000a1182e9c58b2

SHA512
9e19dfa5c72fbda081118e0bf92b04c1d76bb89b5502d5e235f2419007d03ab9a8e360e78dbe20264cdf7221d854e63df744f8a97b28f23c81ac68b36be8a998

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
628KB

MD5
6eccfd935a410f9b200561f200d97d09

SHA1
79f507d438d906f506b7f837ce8d23139d585251

SHA256
fe6470595aedc612145665e8efba177d2dea7ca133d0285bef043b4741ac2625

SHA512
43d0702420cdd6c754cf179df3ca9d4048fb179c411c814d16d953ab5b129f0c12e794309e36dfed3b44067574880bc7940d0f8574163487a0f2fcba240ccaef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
533KB

MD5
8c6cad4532a07b1bd2c2b197dc495a1f

SHA1
1fb82b354bc086c9505a35b4381054b380ef84c1

SHA256
5c27a41e8184e231347269da35b3690527a6985dd5f938ba7745ac17f19c0538

SHA512
f3764ab55c57147f2dd16c123a1e9d4976d49073710fb1911f86a6b5b2678684e0fce151c80b18e0a90ed4fc11386bc4135c5f18239cba431fa3eb01f0bdcc12

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
541KB

MD5
815fec3c373a2af96fac261e3e3e9bd6

SHA1
1e41fb0a480baace9a02d25572884934b9076848

SHA256
edc9b52f9db0c4118a85bfbc73d03f6783ef6e30e165c324e39adf8f7aa02295

SHA512
af4f5469afd91aa45da528c8601d47144c54731b5baf61cecdf32478a243a71546cc70e9087f70376f399d21642451df93fbe2cc4e0e424a33757ff728df6c63

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
772KB

MD5
f184dd2e9bc9b9e45459043f2b01e57f

SHA1
3d420aac0d11991c18ade39d801fc80a46ddf75c

SHA256
9122d0a2f588e3fb6537b8ddedf065370e04f41375841aa3c93df72be3731b96

SHA512
fadf3922a8ea72d4e1e71d7ba3a19a75c4d4694ae15e8991df12c861793d7a6c15c5296b11ea3b5e390bc47107d5f33203e915fb967bdaeb817a2c8d7e4b3852

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
43KB

MD5
844f6e665f509969f97a93cf9257d69f

SHA1
36f327b859a2fd02830040ed1e8cd0720a6b5b69

SHA256
e6a5b2be258a8921e83ba9c22a97c3de7e7cc62ced709a1f2aeb5dbc69d6536f

SHA512
90db1fc041bdff3494249530a7d4f96ad725fbaad55c0544b7199d13101ab062ea273446e4fddffcdc89273a7fa21dd90ba12c16cdddf20727bc861529efa736

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
555KB

MD5
d6b4ac257a770a95d53ba50663dafeaf

SHA1
e8836f7045121204a92c927f89ab52b67aafc9fc

SHA256
0c5a617fe0ef19fa5a9801624420805bdff594196d205c3815f2c1d2cc60ec1c

SHA512
727c2c82a6f9ee1d31f8de7b8849108e71eb8d6eee5ccacf577ddc4d963fd9de97441a65de20eb32234d23e78bd2373102e65b5dc4713ed000774ff76ea107ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
640KB

MD5
a3f07564f4bc2cf191e11eb430d695cb

SHA1
e0f01b0c8449250133c3ef9951b767ce898533f4

SHA256
163963f58739dfcd40212610ceaf4bcdae4846027e0053fe838cdb976fe7a4d4

SHA512
3ab52a3c8333406bb961e4c840ff48f851e3a56caa3c6c1079b6a698d467bc029c887045529eb5b0a5b82d3af787d2ae6db289eae24df7c0ef724fb6a9ee326c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
438KB

MD5
a9aa613be473c91e654144969b93469d

SHA1
fd6230e961daf0a1f273c3ef764c35a768ea99a4

SHA256
ada22dff007e1a607dfef69a2593a92b12a7868ee27e668afef2535f930f8d43

SHA512
0c10f230bf88f6e4a0190975b1f5684f9c146ef9bba66f41a7f306050220115406fefcb9ff281d4d2006e0442aa39f1cfb06b213a548c4ac26935f8811ba2b8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
452KB

MD5
5fca39d4e5a9005eb211f601f53c62b3

SHA1
fa8427ec1e6b00eaecfa20f6fa371a43b12ee8c5

SHA256
e5bfe1cf026e85425f6fdac2d507f679a58d91b22f5ae837a11d1e8e4d83d9c2

SHA512
56c9fa72e8a3e8606c5d0ecf70d82d094054989e3fee4ede0620e3ded1b509149afe3aedab79ec06556fd48b9be0d1892ae744995f45ab0d764369c19eaacc8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
589KB

MD5
0bb9f334b20a57e71817fdfbb8847e88

SHA1
d8bc2606a18a0dfb3c6b91a50f383e097cd14c28

SHA256
10c73dc631913f0d4ed02066f00c2291b9267bc77ae6056526a696822fdb7345

SHA512
d56d7ec5b43b8dbfd430234cb64474fe2e0e21b18065cea44c17290eb13a78a3f499f34c7152dc2cce9f60ce67c94c757ab442229a05aff2d19a06b19b1293f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
641KB

MD5
c7b53187a45eb3d51d4d50fbfbf93c72

SHA1
82323340b364c1f8c0405de34d27c386acde9d21

SHA256
e22b47dde1f977ee9fb65d16781bd9f5cff3186bae1e32bef7c4c7569bbb6a9a

SHA512
84c4c3d6a6518d947365eb4a2f3a04f46262623d77a605c6a660faa59624f828facfdab09cf9f0146dbbe2d022e33053749deb5618eee97c73fe380accd467a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
478KB

MD5
5799694a0819c3c7891e753438bd94de

SHA1
eadb8678bbd1c347e6144896b5d1065e59d3febf

SHA256
aceaa7796d7216a7cf0dc311778e2db25afbd4a1c6cecda2b84fe07b79072e6a

SHA512
19f581a1e679546523c026132a979234c2c326ee75aa61a76898037860fa9f99478ec6d051bfc1028a805f74740a78ca0890df27a45c43aa726bfffbaa8bac4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
751KB

MD5
3371a1d1567ae438aa5a4115f0ca39f8

SHA1
9151e0ae58d70ee5062c472ecd2d3f25d1cdcec5

SHA256
e9c5dd0ea5243b12cddd1bd769a77deb253c59309ef116756e9a1d484e24aa8d

SHA512
fe2b5f53ef81eae3b85a443e7a9736a7fa99ce393641e610579ae7e0281bb453bd41b60deb6763cb12d2a74ad7f9a329c9416ece7244271eceef29b7f1380301

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
242KB

MD5
5882b87b9d312a0ce39f9cf94c5078d5

SHA1
3a9bb53a82680068829b072197f8627c41789b6a

SHA256
db6a3361a449656f93cd861c0558ae37d3ac280658716d5a68f57d00d15a2b8b

SHA512
5e49480bb3fcc79c142cc215789e8f37dc2694a5b5c31f0c4602a9b7ac782b7f55e92cf5b04d63caf4d3bd6119df8d590b15246947b55251c960b7a159049245

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
376KB

MD5
f1295daf188ff949097b6ae931862412

SHA1
09ccce40a03579bb6ad038af8405e4587503073f

SHA256
7983a7748c01686fd48428063f5ba6374b46c401f065ccc19e157d6af935ef5f

SHA512
1fd0bf6ffea6d13359e6e3a9f9a25a0b76a1d2d506f145a966e0184df781d22143a3e06f4eaec4197867525ca8cdf4e8b80a4af16ba20b1408987ed9ac274628

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
440KB

MD5
ee740e1d3acf89117038563c8a9ce605

SHA1
b4fa2a51272e45c9ea64e841b65336c56833622a

SHA256
31461fc4d931bcf2c685932d82bd72626b7d402bb3fc8c257eb380798d491f21

SHA512
219a8da8e1585bb3482af510dae8c1f4d24d276f6e9e1d82966cbc14f28097afa6896314365c40feb5935b33914f2a85ae62bd7acffe2148a88fd7ef464850bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
318KB

MD5
62f7edfabf2b95299fe5a5331ab09ecc

SHA1
3f3861fefd77557d07a429f10426f554152dbc82

SHA256
48b6c9cca09d633368ee8127a088a1d7fd9b40fc310bb9aa50be1b220dedf728

SHA512
7ae4b6355a31ab53d3bc71ba4c820fca4c87efa51659cbef46e280c3e94d8b88ca10d9c3554fa8ef936c0ab69de56ba42dabb430162f19aedc92afe67f60561c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
541KB

MD5
01ed86649c6e1df77d0dc929909e3d50

SHA1
770f1d5f5fd00de8fe0ec984742abc1eb3e9c4d6

SHA256
d596ed75c0987ddfc2e8fac8946d741b6d0c2ecf853175c4428a74a259283d67

SHA512
69a01d94c64f1e7dd7294fa435c4c6f962166d6a2b9948f84b8f88f4802ee057122dc67567ba66b31a8b4b99cf0e5cee9a29e87065c76ae53e1c0163c80c43ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
446KB

MD5
49249bc3a7c93fcb5d211e9413a21672

SHA1
9ef406707ae23f3ae73bd71a4a34ca03f58edb04

SHA256
c65ef787cd67b1f2481dc97f0ed27a2a81a47ed87d87920fe296a76b207ebd84

SHA512
5e11f93bd5a4daa45e2b51ddddee02543cdd71e8e8b633b2893d7449dbc4ad8b264f88164dc9c431b97545d9d0c197fadf34d9806dc8fd2152348cd837506950

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
470KB

MD5
bc218edfca28a417c7e08f630576e8fe

SHA1
bff3d8d2e2a9c3d1877602d461eaadfa422772b4

SHA256
e864e965af23c7b0964b9f7535f42ee99b8854e585beabc0de45d2a11cf30011

SHA512
1e0f6813c939ca8b88eb1d42d1b2de4368960530d110a8889d4e95660d1ee987bad0e8e1e23f61c4185219f3de9a308fe468f41f00d2e6056537619240ee6bd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
371KB

MD5
2313fd217a42aa03cc7771a2fde711f1

SHA1
bbbca2f461cbd520ba56297b88712f98e23fe718

SHA256
27c9a413bbb718a0a4caaace5dd52fb7e6afb41652946be188f89526ca93a2e4

SHA512
072b67cb001e9a6e332c0243d77137badcbf12cf9d1cf35c65e6b574a3acdcddc6fd2aa3291e9cdbf0c3913862e56f8ff1506bb82733dccbe59f5b019c5d508b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
78KB

MD5
52461a05e6118b65f300c279575a63f1

SHA1
48c2c0bfcb1954748c35a1b35a5af102e55aa3d0

SHA256
ae3b8816d6b915b5d7194acba2f6dded35dd75cc7535d1076444c603f8d54065

SHA512
4eed0494b7af6af9419166ed9346a874f316f988a451a8fe13f0a73b6b6fb39f758d98107b60ee5a914bf422062016e0207f1e48c6561c486aad3e4b863a1e67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
42KB

MD5
55003f815091c15ac3b28ef4b4dd5d37

SHA1
d88bde448390a7d60d878892507ebaeb82000341

SHA256
4e3c24954bd759c40c7f787832dfb857171e1e64752b7bd98656f9633ccaf545

SHA512
382080176dfcdfa52844cf7d4478001a062379a213564d6fb9d98830ab6db8b5c82bb53a563c2f6dd2c06492db618f21b0ce86ec17f6d9c5d27776570485b21f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
68KB

MD5
c21a766256ca797a4f938138b53ba3bc

SHA1
972b20bf825df1b50509c5f3197a11652de6fe87

SHA256
f9693d0f482f3f986b940a6ade6f252b7431f48742a052d393c29196e8615bd8

SHA512
b825aac0f869859c81ad6ce2069da11c83129a6ea6010a051ba22050b5f60b88439c4d7bf560d0d277576c3b761a66631e27c69abbec6eb107f603abeb610f89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
40KB

MD5
6f94dcf77b4f53a2941d14ceb676f201

SHA1
a5a16917472699843b7e8297098091f72e3c8f3e

SHA256
ec32164514dcdf6315323473b089bf1b9aa955e36612df8559d254cba92ff9fd

SHA512
fb253d06aff9aa738c7112d7f75cf2d6c3fb48c532b0ff81503d4e4c1e9711945fbafdb434f67b2198a3443076aa2d190f443555949ecaa298f3aaf0b34f3bba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
64KB

MD5
9e62135a2fa1d26e06d63db8e9200bfe

SHA1
c3fdeda687d3cc78f3b94e1c4f34027f313d6258

SHA256
3d2f2a869586b6f6aba9c528e48b386e64f0c6802c0f1523f8cd194eba033afb

SHA512
5e2a381f5c616698109bd846caae782f6223668821ee043f7df82d6bbd4796e7879bbd834a2fb1f00925083ace0ae80e5f9b00470224391c8efae44d5f385fd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
70KB

MD5
4312ac29d1f36e480283eb39ac8b2fc8

SHA1
7583d8b44e9bf767b10ddf6c29529ae8b16d129f

SHA256
ec8e8e55a5db3960752540e12c743d7ea0be9796d2a02a45d57e29694c2dcc26

SHA512
01f1f4963ba5a06056632ec5f8021eeeaa95e4e6487afe576037e0494a1f3b4cae879304366088435190f42200d29b6616cafeaa6d040167553ca718af0f4377

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
96KB

MD5
e66249d6835f9f3efed723518b82a83b

SHA1
155213f2264f85754cebe25a605eba5cdef7ef5f

SHA256
1a4f8d2bdecf2957dcd93197b39d0aebc38a9a5826403c352698ad50f9fd4dad

SHA512
ac7d7fa943bfac545b4ec56b17da006574f02acff9632784faee3a9153cdb033d22879fc119d4b9397b3a95568f1f072970b3f18d3d42edbd51fa8475083de25

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
391KB

MD5
f9176f185fdd688de4bfd813ca5ca8b1

SHA1
98d6a10191b4fc992bdcfa6adc847d14cd33763c

SHA256
e0daad68712f5f9d98d3a4dc19a86291fc4dd3fff29985c471e544f0a5f720cc

SHA512
5ef23cda34726cbe266dbe55fa2f7dc214d0e96a039d8fa44560d7436c149bb166eff13829d5a5e4f2a4f5dbce04cb7589d30720dd759016d2fc829a5273b499

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ad9d70e405d23e5c110ae36b5734d527

SHA1
41f92b84ff5c528596dba5c1b480c47d86c2c034

SHA256
b379fed5aae623f58b4f0a89f40f65fe9a82a6650cc65fa0da98199690d8b036

SHA512
8001017ff7b9e5259bb0b9c1751b4cec72d663745fd3dc01f9cae0ecd8687f79722d533e449b55adf629d13723321790b6502603e989fbb64ffe90e8b9191e29

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
273KB

MD5
47a4295ee4cdfbca41b14b5d49a3cd46

SHA1
dcb38a904af221f646c8e7644dbb1772dd45e3fa

SHA256
3dd045f03c28ec88e97781b2b19dcc96ad29aa40940d70636d26f66ec5677172

SHA512
dc2b6af84268bb87667903735942a5c7001d4388e11383ce67fcaf85348ff66ed7d51bab39537ddd6dfdb0fbdd5375009dd2134c3488068bba556899cee94330

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
89a24a74f2936bf0646c894cdf48ad34

SHA1
aa81b70865ca9c385e64c862223a43076871f5c7

SHA256
1209b992c389981ed85d463e50674dfd21df3429150cfc56ec3847cac511c6a9

SHA512
f176eb307201bcb185bf0eac7e8b4ff47e6f62de99a8696da72618548797351c9f46b06078aec2cfc7942f171f597295221e82257d0546fa9cfa951580509921

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
238KB

MD5
c0dc1d42ce23e8ee5e598ad10c8c1577

SHA1
eb9d6a514e3ce61c2ca1f8bdb3ca6a3a75a24bb0

SHA256
731b16a8710a7a53af1c10dd9efe117e3e0d8a2311c5d655f0905e878f438a05

SHA512
22b6306770b60f81aed09d7d8cb7b444731ec9278fd1f7b9c190d72120a2cefa6115f2caedbc82fad412ed6030160927f13b5bc63394b3366e02da6024b47874

Download Submit
C:\Windows\System32\Locator.exe

Filesize
709KB

MD5
c4586997a19286414481122c1f6b3ff9

SHA1
092e00391f89cb50fc7c859902d4c0d5ff1fedd2

SHA256
1591515b2f298a5391f2f68591b3a4127a6f8e2caa76380e1119d6c86375de40

SHA512
06c47443f35099debe282d87195dcb2e4e7575d79b15ae994cdd1c954f64e9bd75d03acc2859663d24a1ca6711c4ed1c62ab6494b85b0cbe18bfba1084279e44

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
19KB

MD5
df07c65c19017437e41bce139d4ad748

SHA1
af99f89bc248b8bf98729af15659b58fe437ef76

SHA256
dfbe6019145a5bc3a61b7b478263188d807a80f2527eed802852514fda1179b9

SHA512
0bad0a283c702157c2c03bea8bc24b82b7ce8264d4b73f47ed6270abf3899711ad7617313d1b9e0b7f7fbfa59ea625fe30b36a4faa6cd4a6b89436b0e7a4a35b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
81KB

MD5
4338cebb969135cbf5ce8250acb03d18

SHA1
1ddc37a8bde851c946d4a484b97009230a516028

SHA256
6213406a6843649ee2768210b069c586d9ea1b71004aa8885b1eb10c1423ac47

SHA512
787da6f7e40bbbe2cfcd1bff14a5032add1fa11bcab1ad656670eb3e76738ed8954e462a5f8731aa2ec9651b975fd9b44a0fd291d70d7e5924481ec619946306

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.1MB

MD5
522f23bd23b505ae05458dd7a180338f

SHA1
963c66cd9a58a362f30137ad8d83d38f04a99b31

SHA256
1284939ce92197607df60ae810c235c05eba7ad82baf95a8611c4d04f9ef6901

SHA512
30cc5e7d1337fb172ed9a55bdbfa838be681e0490e8e4204088b019c4cdd679bb981c6f5ead9bc668c6a1432d6f0fa88c84b1dd0f22ac04dae0bfe6cafb15d7c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
235KB

MD5
28daa15bfd6193d517cbaccbeab32298

SHA1
86e715ec2cf8a8c3cc15d0608fdf624ca129c21c

SHA256
be144a1190b2d78f9cf26037ba29a504333e6facee8ed124c3ae3b764ca947ac

SHA512
8be10aaea36dcb332ef72fa3193b632d35e6d7aa133f84b34360bd1d79c2d91474a0c8b4c84804e9e0e1d8bad7086adde125c97c8c6a2625b1e0ed2fe6a924df

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
397KB

MD5
98809faf38e203767ee4e73abca22046

SHA1
9523e0d21e5748f0c4ef5d988422f88315217abb

SHA256
44b34ec1effb6d2a0eb07cac3d0a30d73276a461b5ab8fc7467f3250930d02d3

SHA512
7fa936875813fdd381cdc39d9eb0ee5dcdd6a2520c2045ae240e1d55c298ad8642646cdf8ea9635ba8e08dafa86f95c64a1eac7e1e1eb6af41a1f8a48687154b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
239KB

MD5
295a8be824fe79b8ebd781f3e279395c

SHA1
1651aa8a2915d0b530521c3674cd215f5d00c39a

SHA256
68d906cac544b2057a34994d992bb4bdfb2fe4e62043a368334492241cbafeae

SHA512
e1fe42c06f8c0593a97fdeb2ee53d82aa26a6da9f1c61c6342f9924784920a3ee791a0f597a17eaaf98084cc1b5aac3848880c19fdec98702879af811f06ba34

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
447KB

MD5
fe28fff0f743f294d1c8d03c4a2ae3f7

SHA1
bec1128baca180c19732eccecdd07faac771af43

SHA256
a91349b66317d8c374d81c71885212b347220b923c4321dcc083fbc355e47b18

SHA512
79323d95ebe667d85d0a32c6f5436768f00f02e82286906200370b4d33784de4d2ec2f0a4732f84851c29a78b5b62769b186ef1908353dc0290dc0566c42daec

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
599KB

MD5
3c44d8719480c11263862438a534dd9c

SHA1
e8405c73c1979761dcff054100f724a254113ae0

SHA256
c75bc59075a85a87acccc2ba105f34a393b7aa8dd6fc1b603efb68a75401e6bc

SHA512
b17b1b269a506b9f7b15c147825efd176114436899f7552c3885a8f9b6e7131ab546c75d9c9d5783b394e890baed02fe07956560bdeca9fca29efa2b74cf53e5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
6f6eccdcf6464886bd232a4e353725d8

SHA1
e02af36f86249348f058696de45ecfce0fc13c9d

SHA256
22a24b80e005ab66670939f8174dc765d83b1b9149b6c060f56c385d8fe59bf5

SHA512
0a4729658a5d23ae5b6a6dc2df76be426833ffca6fe5a6bcd2109f4c6eca67bdf1bf9edf0ca0bc423e50559875163cd08a6c7f8d15b5c092301b20931b006f98

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
00ce960c8fe62ad1759c9eb9b63603a4

SHA1
6ba9b7e50c0d79312d1cc8f165d8331ad0b35700

SHA256
1c77997139a18294d73c0fce1b12e31cc348f6d36b5c4a8e5f159d10ab64421c

SHA512
b680c065a93279166d042fd467a840030e75b2bb0797d29c06bdc039a41a9b0fe3fdc4f7e7090a8a95b4d0fbd8b1f8b38561cbe1a9df0664e758e3a6b20bb445

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
465KB

MD5
7ac8f7555a6eebfdb9ab602187264db6

SHA1
74b77768b7cc814f233cf189311ff644c7ea2a6d

SHA256
63a918fdef695be55b07d230306ca0990ecb202ac0017bc88b2ea92f17408b17

SHA512
2218cf682660ba9214c85dd6f65255b7828ca06d01bd54a08681793cb22709e11f877b0b391e77b4fd80b38fd7e52930c282770c9847ee377dd20af60c354fcf

Download Submit
C:\Windows\System32\vds.exe

Filesize
155KB

MD5
529c8d7908d8bad4bcf57da85c87d93f

SHA1
c4a227c8586c6a7b081e414c2a2a87126aa6883e

SHA256
183e360bf0986cd8a43057bccfea0f53833646e487904cef9e73395538929e83

SHA512
f9c2b071a4534acb3b97863ad2d4a94c9931c45e52f3397b3104c7faef99a08d90ab52326339545b89aa4d7a5f1a1de9995f9a6458b4efb8d1d06465aa7078ac

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
443KB

MD5
4082f7e555a7ecb668a3a6d8af83c9d7

SHA1
7f27b87a84148fae509e4d09cfe55716ddfdf792

SHA256
5511c58eab9c5b70fccf78e97ae15187a20f273d382488c83e44bfb860841467

SHA512
57923827d3559b2f113b28f660e5d72a2a0de7861c686aeb76956b3bd1113ae3c8b95f0caf5827976f9527efba790a473630f6ab45a8e79f21425eb22240a5db

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
368KB

MD5
9651dcfb496e7b821346fb333386940a

SHA1
1a014b7a879464b98cf7ef130a1e53e13b34ca11

SHA256
f007e55bec7afa3528822657813be0a7be16376241e82d487169e304e161dc30

SHA512
6ce119532b30864b0cde87049c0e0868e461fe42f625509e05b85ee30111bb7401f4b2d2aaf5d60697f354a2d5f92d84dddc9182967a09685176a577668189b8

Download Submit
C:\odt\office2016setup.exe

Filesize
185KB

MD5
6622bcd216fb4b33e59a90de9be9f627

SHA1
d0121d24c047504fdcb40e69dd56659e93d4bb00

SHA256
98db7d130fae52132b0f75429370df732d99138c429984ecda65ec0781d4c9c3

SHA512
ebec82111835230ed98dcb8ded68b7934f887db4435e947d37384de9f04bc14f6b72e849d66596d810b450c731ae8b12629b07fff7a07d178397f1722d626a26

Download Submit
memory/208-373-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/208-440-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/208-380-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/556-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/556-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/556-327-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/704-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/704-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/704-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/704-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1244-253-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1244-252-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1244-314-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1244-245-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1244-247-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1316-16-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1316-15-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1316-23-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1316-158-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1332-424-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1332-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1356-52-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1356-62-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1356-59-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1356-65-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1356-51-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1448-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1448-68-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1448-67-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1448-238-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1468-302-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1468-367-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1536-427-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1536-358-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1536-369-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1688-29-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1688-35-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1688-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1688-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1924-352-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1924-291-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1924-299-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1960-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1960-272-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1960-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1960-266-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1960-258-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2212-411-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2212-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2212-540-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2388-331-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2388-341-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2388-401-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2556-452-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2556-442-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3936-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3936-437-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4160-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4160-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4160-354-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4164-275-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4164-282-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4164-340-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4324-463-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4324-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4540-394-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4540-399-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4540-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4540-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5012-14-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/5012-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/5012-7-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/5012-6-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/5012-1-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/5040-371-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5040-315-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5040-305-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download