3902785955b359b6031e265bcb6df2cf88f94dc331c17b86a30fded4508705a5

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3902785955b359b6031e265bcb6df2cf88f94dc331c17b86a30fded4508705a5.exe
Size

706KB
MD5

8b5408adff4e5bc3ba1a93c097fadc24
SHA1

d4fab3cd5bc3bf27b1f9231f346f10f1e973f3de
SHA256

3902785955b359b6031e265bcb6df2cf88f94dc331c17b86a30fded4508705a5
SHA512

9f00d66b1ee857c6f49ea90c20b6cf43a34fe85653ae432c4402f05738c44a14e4d94be7a7db67c049cb5b0ccdfb617b5f734a0c10fbb0075b5e3b2ddc0222dd
SSDEEP

12288:0FiB+t7mfXz7Mbb67QTF4malJQTv5VF6NdY8VJ0KYkekt+M:0FiBFfXPWbg8GmalJuvj0vVJzVecN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4360	alg.exe
564	elevation_service.exe
3232	elevation_service.exe
3292	maintenanceservice.exe
2504	OSE.EXE
1664	DiagnosticsHub.StandardCollector.Service.exe
2200	fxssvc.exe
4176	msdtc.exe
4816	PerceptionSimulationService.exe
4792	perfhost.exe
4204	locator.exe
1940	SensorDataService.exe
1684	snmptrap.exe
672	spectrum.exe
2756	ssh-agent.exe
2868	TieringEngineService.exe
4744	AgentService.exe
3680	vds.exe
1900	vssvc.exe
2360	wbengine.exe
1444	WmiApSrv.exe
3196	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\31b1c347a5bf65ce.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	3902785955b359b6031e265bcb6df2cf88f94dc331c17b86a30fded4508705a5.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108796\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000674b94dcd061da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000b0fed5d061da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e08b7bd5d061da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d3c08ded061da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000155180d5d061da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b26d6d5d061da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aef7c6ded061da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
564	elevation_service.exe
564	elevation_service.exe
564	elevation_service.exe
564	elevation_service.exe
564	elevation_service.exe
564	elevation_service.exe
564	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2728	3902785955b359b6031e265bcb6df2cf88f94dc331c17b86a30fded4508705a5.exe
Token: SeDebugPrivilege	4360	alg.exe
Token: SeDebugPrivilege	4360	alg.exe
Token: SeDebugPrivilege	4360	alg.exe
Token: SeTakeOwnershipPrivilege	564	elevation_service.exe
Token: SeAuditPrivilege	2200	fxssvc.exe
Token: SeRestorePrivilege	2868	TieringEngineService.exe
Token: SeManageVolumePrivilege	2868	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4744	AgentService.exe
Token: SeBackupPrivilege	1900	vssvc.exe
Token: SeRestorePrivilege	1900	vssvc.exe
Token: SeAuditPrivilege	1900	vssvc.exe
Token: SeBackupPrivilege	2360	wbengine.exe
Token: SeRestorePrivilege	2360	wbengine.exe
Token: SeSecurityPrivilege	2360	wbengine.exe
Token: 33	3196	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeDebugPrivilege	564	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2492	3196	SearchIndexer.exe	116
PID 3196 wrote to memory of 2492	3196	SearchIndexer.exe	116
PID 3196 wrote to memory of 1728	3196	SearchIndexer.exe	117
PID 3196 wrote to memory of 1728	3196	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3902785955b359b6031e265bcb6df2cf88f94dc331c17b86a30fded4508705a5.exe
"C:\Users\Admin\AppData\Local\Temp\3902785955b359b6031e265bcb6df2cf88f94dc331c17b86a30fded4508705a5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3240

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4176

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1940

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2188

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
108192df34c1397ed8630b43f7050a45

SHA1
097fc507ad0b2da7b8a29d8bb8258de9fe4c6e57

SHA256
ea849362e17921ae800388ef271051e6c0a81d39f8dc3a384d03cc846cbff851

SHA512
7542cc4f33076424ecb0d252d59c0c66419a8afd47903ae23bdb8337ad752b77fa5ee353bc68aba66ad449ce7fd5bb538813449c9eafa04cb477f6a361762ffa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b387ae04e03a72c1579ef045fc4fcf3d

SHA1
7c25b6863a5c2294ac8f795cd7a106bec63b5bfb

SHA256
ba832f7ad69de3ddd6c1c5c7426d9c4405d34afac099828520d257478cacd883

SHA512
a2e2d8e20b97fdd4c8ef7962c14e79b01f04704e9a3b46cc3ed036b4dd61c5d0815c02c9417470c8330a8d43746aa19ecd3c3bd48a3c3ff4b445e9e3b64a612f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
baa3064d5c3a6d72d036f31994b83d24

SHA1
3305deebedffa63cd01a86665832981ddcb314c6

SHA256
cd7064e8952856f54df1c8c5377b25fcebc9032a6de2be93815e69ba0c7e1e6a

SHA512
49451d5d1a8d06a533a34c1d251ccb41a1be9a81d9985f6ae756a6cd3ca0341ca1c4a9199773c5161df77548ff00c2e5f48b81c61c9299e1135124d16ae27d60

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c06f9a36d142e213005edb77f7b178b5

SHA1
e5e6c254dcf48d6e3b7966cd211fc2c173a05c93

SHA256
57677abe659f8a2128ad8786f9a5306d7a53592d75ee7c4891c281f5eed81ad3

SHA512
5eed2d7190cf8b7dd75fe7774f3d71a4c0131828e92cb732825b64ffc64149406c32c72ff7c1dfef7b8dd23ef5842d8f788feb621b85dbf50941a5d455e1cb26

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ea8bf98515aae8019f4495328a3c8388

SHA1
3ce7195c0333486a426db45a7733114307e0e4fb

SHA256
a4120f3c139e06542bb56cb01c7cdaa67e4f6964033c99946bc1ca61866a1dc2

SHA512
61a16e6af6f71eb71c05ac79457216c5881e2af48ffd60dc161cd502517bf8cd56de818b238bfb1c45a3d39a6227e9524d587cd4b5e0d0072bcc08c4c3b0be9d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3c313bf7836173ac982f83595d9ebd6e

SHA1
da92e630b6cc354a9188d7088044be670574dbe8

SHA256
79aa61ed51b2e67fa84d2ab17bcc4562341c1e2d4d8c895b0567489ac2c48c67

SHA512
1aa8ca188f77b14aefa5361a23c71536ba02493c9c15207c72f8cae6d16f74c58dc816e0f9062014f8227d33869e9ce7fd862f09b873ef6e2050bc01cfc31f64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fd3da9b1fb4a4d4b20abb738939e55e2

SHA1
1deb52275d193a743fcb29bb9a5337561ca204bf

SHA256
e19f7119a3c0a8e427b6ef24db6f61cbdc3b8c73d5c201a52be05d40596701bd

SHA512
fc5c4a4c55ce02c995ade707f2b46ad1091bac6cac3a1c7c07dbfbcba5ee2aa024bb603c02ca1fe93d037412b17683fb1a27366ac8e02888d237b3c6b6f7a659

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
3.5MB

MD5
48c056efbe0ab851cc295d93f79d7723

SHA1
761b7d7654beee33f7bb2b1789841250fe13ebab

SHA256
98adf374b2eac5feb4fdd6b3466185b6850ea1203b6b14ad51e493b3bf2c7049

SHA512
63463e763461c5b345959b73e1796d290513e621f538f9c08a66be067f66b460ee77b34315c69f243b0d79c9887cc27b63061a25d17ba92b0357d3d68a4b247c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
512KB

MD5
21fd5552d5ffad5a81388161fedbba60

SHA1
e701daa36f577288739b87ef9c9783e05c549c19

SHA256
dcebfb09f963c0f63f27e28d94725a1b290b45ea8cdb2da2dd4761280446fb5f

SHA512
8a1c703e74d17de58b5e51db9fcc530e6be31de81abfc81535ac148965984d64f5fec5f00183653720cbea28c90723212a9b73ceb0791118d33f89df31c350df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
512KB

MD5
e3707c8f1113a5b7ba533244016a87f2

SHA1
4a415bc0fe9aa2b8fa4557201be3f8a36bebd2d0

SHA256
12bc140e4c25c1fcef26b5b7f10ff8dc6bc5827f0a19ae13ceb290ec75201dcc

SHA512
96debe2af0a850a478966080c58d8b6a4be2954d4e3173098d6e294b8bef934a163b87b8c7d9c60ac9874ee6d42f19f69ce61d18270dd2cd0b261a7d5d7ba72d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e1d4525c805d880bc5c2ac912124a625

SHA1
6bffbc849921465b6d5a6c77a524acf69233ec6e

SHA256
93e47a8141b077dd2474126f6db642b4d7ca1b92df1b4f130c932d5a2d256e57

SHA512
5678f0935945fb79007c05ea6730c7cf550b6d5512d72252ff2e08d4fa00e9b544bb4f204d50cd4c8025393a332fb53750ba3aa710b92dd68ae8d8081d01f290

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b37ef86863afd64195bec7bc7a5c1a02

SHA1
81fb0f1ba0a84fff6a9f765a08a917a33f2ee3be

SHA256
abcf3733961700d691a09b44d9afab197e3aee3164a0184d24f10dc2fed46023

SHA512
da481e5061d381582287250e264780cf18b5ee29ac86500b33d16238fb2687cb1f6f330f9fb605bdae5052026826c5a066058413c7651cce459024c78d0258ee

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f3d13a59ff4cb3e1165fe9e9fcce6ca4

SHA1
624537f62b95175c2616aba35c38f408bc274d90

SHA256
8cda2bb02e5db73e77fa78cfc246fc76318fbc7b3443d0862532c7f5622091c0

SHA512
ed7e8790da15ae34801a76213064d96a1ddf4f2e1981553b59dd6254821101b382561915a7db39928eb40f5dc34e8412b9f5082c4df94383066648923c0b7248

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
087de967770a50c4609907955b98bdd4

SHA1
c117c0217a8ce622cca45aa312f31f2bc45ae2e1

SHA256
94ee540a36b31beb70bdc14c7d60069cfe914ab11457a6e6c26a4b5eb885f2cd

SHA512
a7e915389cff00666c523221903087abbf99348d274f52ca7bcfbe0b33216abfad6685a8b0f10f061b1da026bc59afb6df84f5c2edb2519529808b0ec53dbe82

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
320KB

MD5
06606f11756a1a1f60aceff2a320f903

SHA1
6af8567dee2521344845a01671eedd1ab7f50263

SHA256
88797d89ff8634040a5ae57851e7622cded3aba9e2c7f872aac714ddf50bd722

SHA512
f4a01f9b8441b98063e49a27e7b46ab26921b50d7070242ebb533206596668748260f479271c0721dcf2da91a5037fb0949992328d7e5e0e655320dc96013ee7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
3.6MB

MD5
fdaa2e1daca2432cb3cdf2198ca1479d

SHA1
e53eb15e1324988f4ec2d8214953e5dc2886a0b3

SHA256
69f42d9a748c570d315dc1fda7f344a098c111bda18f6393936cbdb80f3530df

SHA512
3e3846a387e52108120dbee5953afb124186e412615c123610154169cd9b8619b4fc1b4d3f5c4f7a485aad6110fe9425f657cf0c7f9816036392972aa40a51c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
510fcfc8be8a345f6a11ba1f81b864d0

SHA1
2840b662d86104dc93b774d984e28c6c650bd29e

SHA256
c74350099919d56b4d0375e5f5b9fd5704827dd5029be093e9566e50ad321695

SHA512
0efdbdd81f8b2b0b3b1eee1bb3c8d21e2bbf50132fbae58af6a46483b993f5f39b1272422981106781d02e0424601725214238f438696eeaa7ed3dd7c53603ea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.4MB

MD5
d0ea7e2af67119b2e7856cb4711399cb

SHA1
1e1f932e551bd38a18acc8bf4e55325c709ede1e

SHA256
2fc3e48f8fb19580a40835a65d50ef89c343a0a758c01db2db5842faabbef701

SHA512
c7f53614e416c61c1fe5d7fc7d82059163616458f07db0edc0de4fdc94363ce530cdbc134e8e1a418e88fdfcba4bc500aaa9981530b2822b4ee413304b081f2a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ab070c5309ce420f2d65724b53839703

SHA1
485b9dba8d63dafa02c7dd1d75f235a05e5eafd3

SHA256
1f70719d91e56bf3150a2331c804b47e630c755a500c6f943ef540ae9021b92d

SHA512
cd9514b1cedb21bee764d8e530285e75073b4aaf665d80f6fd714134b02c884cf9e13d0b6643d725ad343ed4fe5e6445e70b1d6df646a363ef87cea517b4b4b9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
96771fd7e990073aa6cd4b3d5cf0390d

SHA1
dffba59b127b2e48475b6a88808b244e8e1648a6

SHA256
c0f49ed677ae226618434025bf46f4a34cae5649bc5a0dbe576bb19fdea0f1b7

SHA512
c56fb08fc1ca75b60ba05feeb807d9a18cfe4855b9d8ed558bb740857734e2fed270fa093ffad5de208808519f83bb9f7e255f13b38424e01a157ac29c5a32b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ecf086caf493eb09297bdd8123b7be03

SHA1
68f12f2fc6a170185214754881a2a47c1389afbf

SHA256
cf83819d03125923e6e4ff0f44da4771b1fb4794b0a2494aa641faf3fa1be41f

SHA512
45196a1ff2d65abd7b1c20eb6c33d9a288e1ec0e6d25102a6c3f0bdd01cbe0e780cea2f3d4b085a6cfe4575c505e52e8f7dc8ec03d8fb33d0534f3b0336898a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ca603fc521b246003a43366bbe5f87b3

SHA1
9946f4afe658ef5170c4877a19511440c370b8ce

SHA256
4bfeed55ff3d52a3bde7af00491af3f6cbf921dc11fedcc18c7fce5dabf4fe98

SHA512
df1c0bd1de4815bde4bdacf20c2cf5ec6bf11afaca61a1bd9592cec446ef1887a5ff75189636707f13c0be4e5b397a6e0f353b43244b71de1be3566c713aeb80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
edd3a8b94e9a8329955f78fb49fbb8e1

SHA1
01a483ea256123daa3b9a23bd0e049855128025b

SHA256
baf82aba43b46f5bcae572da30b16a28c41589e6c2137a714c0f1940f9d2c873

SHA512
dc048d99778f6def98a603860abf37d3d7073dc1b1e25c3cb30a74e7a20df105de411bb940904d0d0f9d97603447c7bf5045e54ec7d26c47b79519ed5e4790c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
56d12deeaa19fde359a6547fa9a4b442

SHA1
c3b6cde3965e1a90dfb4095e0d0e048d789f7005

SHA256
c0775213b43afb4d23b38b5c64814a85668d8722bb70a5f6478f7e7d05b30d3c

SHA512
822d42acc7bc8977098f3dc2e8edfc24d5b0b803b4f06a9c66c4227e3fe7972d2580f9c80e8e07707e8e21d99e574e3822650843d422769ca7bf69edce7ade65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6d00186f05694bea210702914371b7fb

SHA1
1b465d3371bd9385d8f58b67a60d47a2df64e73c

SHA256
36b7d7a3c42287e9b2fde8803480ec5f1b0987319cc0d7a0f7b8a5af3d264be6

SHA512
c811e5a8a52c4e37080b1c60e7b78e907476ba58c45fb00019a20dffce63b293dbd774f955f45115fa5f26378fee656744995b88ae96fd4cb130c9ce9fc9be92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
84050312672746ff45c2de2b1477de9d

SHA1
93e053e224926b4e99f0d4416f35bf09ce3677ed

SHA256
6bbf1578b1b6d3fb3fb4fd834d2a0e314e851329e519b8db7d03dbb1d2d3d3fa

SHA512
c6b13bd622dd31c0cc91b864b818abd5dc788b1911387bd85547f9d6b0d150bbf2689afd84ff422cec0f3be7b13602008f235115dfc2e2f25f5c43f6faaf2a17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
92e1124c6f06f3dd9d2892506595036a

SHA1
f886d8f6a9adfac0a98fa6b963a76e34eff6a4ae

SHA256
01df8ca0ec197b17245399aa769dc9e10109873b28ad10516464c012b6a4c504

SHA512
8d6ed385c40279db8db4a2dea8f4f970458676d6d7eb4b5b69ffa72c2a94f3ad83cbca437fd4a05f65bd788770494f4f9a62fedc24746386c84a56d7075bf3e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1cf8fc09040924afc1ee9fae6e9c24a7

SHA1
9d69d4267fd19c9c1deb606b96d1c77cc88abadb

SHA256
43d151ad1513d94aae10f11c707d610cc99f1a29512947eb7734f2e24cd85ca9

SHA512
932f6e63f80363787ec31b125e6a7c18bd18ad8ba6c7a516d335b79122a81fcbbe987890d57a899da90dd3eada73f3c25dd45b10fb6d4e0e53f0cef617c50f32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d797244de69c1bbcc4a7b5d6cffaa653

SHA1
1f45362cca14f63de5626dd3687c75a47e66b577

SHA256
e97915b3337b5df7b83515b09ca22ee69ef43cd18143e851873b2673cafc5bf1

SHA512
b59f8bdc22f13ac394b09f478e034bb5d78d903e6505c340b814e0a5777b8a1f7b6c74aa089f757adba4aa9b1ab70cb5a5d5ffead65fccfe6b57fa1bde8ba4d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7d804c9cb33abfdc34946bf9763cbca5

SHA1
976f0c2dbc703cc6f18d43d8834eee6def191a83

SHA256
995af8167895927bb5d033c305d48426f2c920f67e8b412f2e71e3d98d855ef7

SHA512
ee50edaffc78861d3fbbbdbbd37f0aed5a72b2f9064f17470a8c0ff838ec82118a9fdc799754e0457b7d139ecae21ae1f9674a33f0d66b9fc4b8f0fb0ea2fd7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
77c0de3cf16951a013825dee9dc93ce6

SHA1
57dc0ded51af0b6fafc53c0e30e6244bfafd72b8

SHA256
62551571ecd2d582612cf95f8c753859cd8f55c6c66504a2ceaf037add3bb4ba

SHA512
8651b04c52d2ab232c70b97fb7073ae252cdcfd3d3ab345089165dff7c63be6aa53e8c1d3032f88730e1a5de8ca903fd08397cae32de593a1a5479af21cad070

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c8269e1bed1f25467dd71cd622437fd0

SHA1
89ea19bdf028efdb63d862eefb6552a2cb6e2c78

SHA256
a63db45be78f3bb6bee3b8b871df3581afc94c6c693eefd469203eb78a8147a7

SHA512
90f98eda14f11687ad6167976454874b321007a0279d7d53ab15d7790d07072a49e2ba42f27805f7e86300c64ea283043ea241835d944fc3193005b3a196ab8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
52b5e89df650fb927ed7d412060c2043

SHA1
b670ed755c07508249410bd3991c63bedc57b013

SHA256
b5c58c973a4f0cbb739b17c8aa26b9cc9e3d475cff5ac8185dd5be806fcc0807

SHA512
9254322759216bc6f6f0d61db952d597ce2220b02e0d714a5861ba8d9f664bc6bd9b50deda94bbb9d9816fd44125f755bf6bddad9aaf8778965f30da5ddb8ff5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3939b779edecb233aa96aaa4e7c29459

SHA1
ba9ef3d765639f332de05c5d0ecff39469b75f81

SHA256
7cca17f15be3768313d7864ad7c1219531d8eff29327bb7d2b00c7d267437fe7

SHA512
6cf3f0b4018619f78024e7e7fe980aa174eb17dce9508cea3ad63691a148efc1c0dcbedccaac62b0d8cc0830756378706808be2824d08326e44f03b22e1070b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
fc3fb864aba0330a2e261b60efedb228

SHA1
99fc66b8885dcd52545e8f24c3d9ff19a09a3757

SHA256
64b951eec313fdb0610043bde8f9585e9803909d69344568411bafc8960f2f94

SHA512
464fdef745d5bcbc0efd615ff7614b7d79c33feb74da45bcccdd9c7f5be33dfa26e4cb4e991b760971d2f2d33d14a7941f2d306916b717f048f62952452ffdb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
192KB

MD5
dd82c84de3fb1dfcbcce967a92ac7e58

SHA1
2bd10aad8c7126524903dca7eceb51f86ae7f8cd

SHA256
61e90750ef65b5ed2f68d9adc07fe624542aafd5ce6b45f0470026c7c6adbc7a

SHA512
ccd520de7dc5e7120a038b0dfcc1bd9354f378a4027bb021d6c14934c1f2acfa8f58044f4155bf621936cd68640f0fdcce3f89ec609d24449e18f02f3914f027

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
192KB

MD5
4164b5a9182c8f184e6d922acfb04f78

SHA1
10dd8112248996163e82a7a3ee1cdf57a798b8a5

SHA256
817ddd3b1dac09324dd7ad25436c5fa80b4b5f55449a49ef90ef0326cd4ad305

SHA512
f0001f32d27e5a52f315234acb8e32020898986b8fdfb060e7d0b7c6979ce89242e68ce4c5cb1acd86ff95494de74477db712d2b6238b28fba64fb5cea9b2f70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
192KB

MD5
432dfcd9f4060079dcb0655fe1eabe10

SHA1
9852ca5b7cea81231d75751d82520f35399e894a

SHA256
fb6e91ca53a1092c60acd714779f7fd261360c0ccbb678ff355e74a63a10694c

SHA512
7c9d3755288d2bcc02fe2c0b990b98a92cc6edc5f354d441bc9a6ae72272f0fff43e03ebcfc4bbcc47e6838ab4df679fdb043adfd6595ff2f465c15fa990652c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
192KB

MD5
77d10d8a218be1bdd7bb3c61d5a76b2d

SHA1
17a1669230e2417e23b17c18fcf65ae77bd7fdb3

SHA256
ec95a6d974ef3d7087cfe38ae39dd103c4fb741c53a6a2f69894a84865d0acc7

SHA512
eb035d2eba134a5e12f74cbb4075687d7ed50af146cdd4f407e73c2a53eecc9b4d97339462788c06a160dc241b44ed0de1a7d903687565ac6a04816e5e2cbf41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
192KB

MD5
ca3e611ab3331c0fadf97cb5c1f51e3c

SHA1
ff41d4ebdc54a1e9dda4eb0d3741c0afdeffbb65

SHA256
d09ab0318a2377dc685a99e39a31b85466274edd117a0c0fd290f97a287921bb

SHA512
14b74dbe3e702ff328db23e25d4032bb9b3f2d971454888fa3a3c2070f0d09a4e6c239c57fa369a93cb969d61bcc56c3e875d8da4d0ea552153150544b089c40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
192KB

MD5
dd8a46889c93ba9e1da4045858a1e0b6

SHA1
6f141619f5e75590069237b88a8f56e9c82c6455

SHA256
605a1c80cdd2b46217bb1db5f47379d78d13eb6123bdcf2563794b0f26a17680

SHA512
ffb8c1826f4639b713e03308624e6d2481b0d1aa97d7a192a8eb763ac1442de29adfa6b4e50594a18cbeb9a38e298cc002ef5ba06b0beb33994d3e3a9dd8b858

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
192KB

MD5
e3e6499e153e11b74b808d28abcce245

SHA1
741bc492b56b14feffa34ac80b0d83f9d7200bb5

SHA256
2adb1516589548963d24a685c74c98da9cdeea1d43a5c71c79f6ec777215782d

SHA512
f499c802e30842938a6b6baa3af9bb1e32821486a691ea32901efdbff6e572f290d0bf8853138df613ecc197a303cef0206b5a0d1313e7516e7924a3f000970e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
30b85560244a3ba8d874746657fa2bf6

SHA1
dc8dfcfc27110e2793b50a6c7462d17287e0d376

SHA256
4df5a9aedd0671645f596b97b7c339442b0b9f12e60a6a7aa06183e5cb28b32e

SHA512
3571386f91cb3352b11a020184ce8873a59fd2ea1a9ee848cd64486ad3cd695f895c8388cbbe403116356e6515e263369c5f9f36cf5f299a24ee3acca2e44e1d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d7644a4fae797e84ff8822bf1c79738d

SHA1
121a29b7028a32c2e8356e65e5bb0b01876f815b

SHA256
fec0d776c4443ffd04674a71d0a0caceb39b33dee36882a0914c0bce38099911

SHA512
80618772e509c57774a4403bc6d740ba99b28e5996f77c8d90f08eb2f6c9331f666a490865c64e4fae7325aa63c56efea026d2a75526d66bfe0b38903dc3dab0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
832KB

MD5
5efb638a0d230397514e66c5ddf283bf

SHA1
45f5b3dad2f88d9b71a9eeb93941812f5cb057bf

SHA256
85004ead48cd8f7f6297832e829499e0a46318263f013f8c2587f99d5d579e84

SHA512
4ce8c5958867dc76d3f60d1c36da8e99240691c7628fa048108c98750650f81d299d6f420055ecf3261b6a93de3eb7c1674a4ed620d6166e483c4d1f468c73ba

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
50ecd8f3d79711bb5f96da0ce09005b8

SHA1
291cdc126d7cd6d9373d51516c39e6a71ec31b3c

SHA256
cc829f1249f5bac58b6f7edbd07de4041d457e4366f809b50452d7585b8f3e94

SHA512
a94aa229ea9e2612ab27c5dfccd12895d67ec34b1793d6fd9a7250ce665f2ecda683e5601b86f6fd169df83ead519bb427854dc11a10b0b826d61e2aa45a3189

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
48fee456432096c3ec9380bb9c5326d2

SHA1
91a26d43d0e8b4e081d92d467067654dc35e1d84

SHA256
df191aaa13924c4b29b8097d1504b4e514f71ede2d55dc1d6bf0cf2179130e6a

SHA512
756e511af8bc2c41d051ae662b19641836e56923a2754e4d2ba871393d1651b810aec28adac6051ab91e0c81fd40fe6520cf5342e182a5bfc8bc37c50d5b1287

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
825e217a335997804cfd24c903a19caa

SHA1
7e0b497a3e71ac2d7ed8e1cd8ca9aa68130eb9f1

SHA256
d26cfc424d612b6842a214cf37df86052a9977f4925f74451cd2b32dd878fcdc

SHA512
503de7eecb24f0599354df5f2361452ad000e6481393830d73b373e2daec691f1a7d450ab969718cc736b4d734e653aa6b3bf0e2412bb1a3e8193aaa18722049

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
227857aa50719b78ffd1b9519891dd26

SHA1
e2f9f489f7f7d37c6ae16908c671d2884f534c4f

SHA256
0fd3b04743f11af8567d058e64872c3f7b479347118df765e494e8ebef9db946

SHA512
bc49eacf57edd316934d8bd5c608e5e1ed4fecefef24cf8634b97320c9fdc6f50bf40e699be589e1460ed031121489205432271e44c9de53f5a7c9557bc1e654

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d3ba992beb281c74cdff87c9ea7440c1

SHA1
4695a090f870cf36023448965503233db3c659c9

SHA256
47f06c8ef35d45160a4ef2d476b1f3c0f5d91bdf4ee4eb4409841ec1ab4d856d

SHA512
87446fec6a642e9f2f6596a03bacaea8eef760242e79764804aa5f12ce5f51e4ad6fc5c8415848f0640ea193959af984082a00914ed1e6cbe995ed392bb3bdef

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9e9e1b8da8106778333f17e630dbd7a4

SHA1
5d386fd2153b731177160d29ee3073296500917a

SHA256
97b87783d0eea1fe8917e6424f1f4513d35cf7e50f0704e307ea2883e288deb8

SHA512
bad89d703ebe82fe7df14b3a90c8ce6caad955cde65eaf8799560723829e9000573dbfe7d4e3067d361e154f159ede96757bfd636e790d114e37df5e765fd541

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
89892c682180e4d4feb1921c29c38d59

SHA1
7a212a70c903a1272d9c199949b98053b380492a

SHA256
36457ce2eefd4037ad01873c27a3e90fe886c8dec779510fb44dcfd606e330cb

SHA512
20a202dbbf943a78c8e8cdb98efd8a0b799e3cd043f3e18933bd7c5db6ddf85555cfa83c6eac65c06e94b31dd9c7a5fb0f7dd69b703dc0a31e0c12087f42958c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
11802b7b8f2c4270f0a27017e35f74c7

SHA1
5257a4120420a98f2e9c01b5709ffa9ce44a2a2f

SHA256
b398a68788a50538271b9958d49ac5f61965455949f77a6a4873c0b9b5ea85a5

SHA512
3a3d33f0b0ba98c8b574a5c8d2b429fbca9b89b7f380ecfbe32d84de66daaa5eacc33a7c1e62890199a9f0f447689182e163e0488d43c106428764aeb04ee5b9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7aa52dff5b1e00d25c018ac6ec9defa8

SHA1
fd86b5023d2a6fb6c8a7f24980f931a4e73f9a62

SHA256
91b9463c45f970153452deae49c536372af6944a3c37bb050b9aed0ca9d85a61

SHA512
a366e552cffc3e1db119ff8b5146f3d9292dcab98cb15cda0cdbb2c3a7be91e914ad4ee70889601d993a5becbf4b211d98a73f5ea177cf13862533d3a95a3f15

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fe8d05ddd5885d6e6a78853ea2fa6dcd

SHA1
2a9f3cc6b401aa820956069e0f4da4e7f0991189

SHA256
4c4d07938191d892b2f02293ed3a794954ad4424fe742fb4e86f5dce89e3520d

SHA512
09070bc243a5f75b937afeebc5f92f6b7227fcee1beef7a0e818dd26aa840bc015e0731bd34a673fbc977d100d578e80ae56713e03cf06952e7f017788469b0f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9c3acae7edc34f280a63e1c7cba61bd9

SHA1
47c99156f45b1d23f421c7d31073c2d3ea761e68

SHA256
67cb091cae91e4938965b0ebc1c63ab432f8c30140bd4f66a8bb5a7ccc928251

SHA512
facf7635a8cb6b0d3e604a040f0180b1526a37e5da2db93f3e585729d8865367bc169eab5c22af127c166095b0c996a9806b4aff2ea5e1ceaf4e2fc17ab65212

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1b5ef939691d3c452dfd746e4890c052

SHA1
b6393d49ca0d2c53f9a1a68e90628b2e19afbf09

SHA256
4a190793cf863b8ac39f3c04be6d0b0d7dff2a8875b5a5947d13d8b722fbb039

SHA512
6b901433db474dab146926366fa9c41b5c9ce479034b7a707f14ea2113462f7ebbcc9a4f6eb9a848cb51ab3d3a93d7c4bef42fb9c0219df74f63436105c5df61

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
549KB

MD5
12497de6cef4b6e1916362051fb3135b

SHA1
3a19624ab6b9b6295b869091a8f8295517d3e6c9

SHA256
d1414541c54b85064c22a050ae3730e68b560b18956cdcc630799f9fab285c81

SHA512
48ff05f6a28e8706a5a1fcc79c92edd2af34c134ab2309a4dd325c79ce67646a13cbf6345f4736bf25583768e01219a00f97230feef275daae30ad4e9bba9c0b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c5b9d76ddde254130892b8e28855e70e

SHA1
ec53357a31437e961e29ac66aac5cd366586ba62

SHA256
31de0a9786921d27f807f4d60a67bd2a5bdc8972de9baebbfd2f8ff55cc0c732

SHA512
267760e72a072bb9aa48e71c6dc8226a0aaaf54a9abd820a3d9284a3a3c393917e6cc6e6196aa6672920027686e5d6385f87db3e41b960145bfd74c1a6d3417d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4187e48b833069795c18059e939abb57

SHA1
3e49ab5474ab8b6fc6c53e49591931bc5fbe3f01

SHA256
c6af7d601e42318b6d0a6e6a6b7d57ce4138f986cfb00e38d13206d4f2971a8e

SHA512
3229f1c5405ac20342a59d91984cf7a6c07c86a2a439aeeeb3ab2532fe52105997a843f26f61e3183b5303599093332fd8c163dbb7b4baf1d8fd8acbdf2652c8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7b22adab3faf4dc33c693b9b79f2bdb8

SHA1
4fd996667cedeb0127289145e530e39a55b29671

SHA256
6b93f9d75c3df8ec0fd81fb559c5a5066f548a2ad8dd94d0d2e23e76b85c4cc3

SHA512
dfa2ace48f24c051ae576211c596f7d00882686d83f21b7041007b65bb1b21b2447ca9d2e3264279c1628932e95dfa1eec4fe3a2cb63a014e56d980f469df767

Download Submit
C:\odt\office2016setup.exe

Filesize
576KB

MD5
f07bb02d210a7eec3b2d8ceff1ac4d6b

SHA1
33a99280dcb88871ce037f10fed39b6b45d95e1c

SHA256
772f0d0bdd8d80f0708da702424f38ce383519c2ae2ad3c90e9d48d61cda8aae

SHA512
939de45a8dfc5c82b3db9652cb523a9caa7902c0aa60d050ef7542b554368c2202f7dddffba0822e6613dff27bedf1451943b23fa4dd6b960dd8343c9db99605

Download Submit
memory/564-28-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/564-36-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/564-35-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/564-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/564-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/672-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/672-359-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/672-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1444-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1444-457-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1664-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1664-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1664-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1664-251-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1684-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1684-346-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1684-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1900-431-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1900-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1940-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1940-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1940-332-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2200-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2200-264-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2200-270-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2200-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2200-256-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2360-443-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2360-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2504-66-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2504-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2504-73-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2504-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2728-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2728-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2728-7-0x0000000000AC0000-0x0000000000B26000-memory.dmp

Filesize
408KB

Download
memory/2728-6-0x0000000000AC0000-0x0000000000B26000-memory.dmp

Filesize
408KB

Download
memory/2728-1-0x0000000000AC0000-0x0000000000B26000-memory.dmp

Filesize
408KB

Download
memory/2756-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2756-375-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2756-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2868-455-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2868-386-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2868-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2868-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3196-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3196-471-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/3232-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3232-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3232-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3292-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3292-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3292-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3292-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3292-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3680-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3680-418-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4176-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4176-281-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4176-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4204-321-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4204-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4204-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4360-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4360-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4360-195-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4360-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4744-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4744-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4744-400-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4744-406-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4792-374-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/4792-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4792-306-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/4792-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4816-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4816-297-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4816-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download