a3e9759c88c30d00163802613f734d82cbfece34b2722d53901231695c479528

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e9759c88c30d00163802613f734d82cbfece34b2722d53901231695c479528.exe
Size

1.3MB
MD5

f4210cc507086f11ff455611a8f05420
SHA1

404b5c4e1d9673cbadadb0f096c83a5682cd4fa1
SHA256

a3e9759c88c30d00163802613f734d82cbfece34b2722d53901231695c479528
SHA512

98dde4ca755f1dd616de6d3e2fefa33fd28d76c5085d63176ab7d2e51c0ff10fcdc12586cc43e6840b5e16e0771f55a1a0b654790dddb527e7b5f939f10e9d49
SSDEEP

24576:uE9BGCks7WE9F5pwg8zmdqQjC60jiHkU:u8GCks7R9L58UqFJjskU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1780	alg.exe
4872	elevation_service.exe
3428	elevation_service.exe
4592	maintenanceservice.exe
1424	OSE.EXE
3420	DiagnosticsHub.StandardCollector.Service.exe
4224	fxssvc.exe
4584	msdtc.exe
4916	PerceptionSimulationService.exe
4964	perfhost.exe
1752	locator.exe
3104	SensorDataService.exe
4876	snmptrap.exe
2100	spectrum.exe
4336	ssh-agent.exe
964	TieringEngineService.exe
5092	AgentService.exe
912	vds.exe
3624	vssvc.exe
4744	wbengine.exe
4752	WmiApSrv.exe
4072	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\37823435c4fd1e7a.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	a3e9759c88c30d00163802613f734d82cbfece34b2722d53901231695c479528.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000854e6d2d871da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fc539d3d871da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f7469d3d871da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e103f7d2d871da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004eee21d3d871da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000006175d3d871da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bec8fbd2d871da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4872	elevation_service.exe
4872	elevation_service.exe
4872	elevation_service.exe
4872	elevation_service.exe
4872	elevation_service.exe
4872	elevation_service.exe
4872	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3772	a3e9759c88c30d00163802613f734d82cbfece34b2722d53901231695c479528.exe
Token: SeDebugPrivilege	1780	alg.exe
Token: SeDebugPrivilege	1780	alg.exe
Token: SeDebugPrivilege	1780	alg.exe
Token: SeTakeOwnershipPrivilege	4872	elevation_service.exe
Token: SeAuditPrivilege	4224	fxssvc.exe
Token: SeRestorePrivilege	964	TieringEngineService.exe
Token: SeManageVolumePrivilege	964	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5092	AgentService.exe
Token: SeBackupPrivilege	3624	vssvc.exe
Token: SeRestorePrivilege	3624	vssvc.exe
Token: SeAuditPrivilege	3624	vssvc.exe
Token: SeBackupPrivilege	4744	wbengine.exe
Token: SeRestorePrivilege	4744	wbengine.exe
Token: SeSecurityPrivilege	4744	wbengine.exe
Token: 33	4072	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4072	SearchIndexer.exe
Token: SeDebugPrivilege	4872	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4124	4072	SearchIndexer.exe	130
PID 4072 wrote to memory of 4124	4072	SearchIndexer.exe	130
PID 4072 wrote to memory of 4940	4072	SearchIndexer.exe	131
PID 4072 wrote to memory of 4940	4072	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3e9759c88c30d00163802613f734d82cbfece34b2722d53901231695c479528.exe
"C:\Users\Admin\AppData\Local\Temp\a3e9759c88c30d00163802613f734d82cbfece34b2722d53901231695c479528.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4592

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4584

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3104

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2420

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4124
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
600891e1e9eec2987ae9ac9cdf74ec1c

SHA1
76b9e22a13f35b7e036cf9e2bb8c727688851a73

SHA256
9e1e71d7ec4876700100d44e110380b913bc5eb4d72def6293a8d13fe607db22

SHA512
d0b5524854d2bfc73298ab0bb07c6a66e17431a07502a53d80dbf1b8241b2d16e7a38a3f26d32b24fa4d117e7303106e08599dee6df14a175c5902ea4adc3986

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f9ade726e23cdb88eebb73ffdc0f8c7e

SHA1
e2772351fd3d6af21d141608ebccf6ab522b2cfb

SHA256
e0d76b31498825967df8b5b5573a12dece355d9eea8f6383d88ba6d3202162e2

SHA512
df438c5f26cdcb846c57afeb8f2dbf94d3dcba6d3ab897f4d97787163a42c9e2cfc4650603a7911604b4b9eb0f6ef823f6131d79ce97463be36bd299927aca3c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
71792e88a958591c425640db06b32bc4

SHA1
337e33d662858b595c16f2ec6a65574cc85321b7

SHA256
637e45f0bd2a07c4284eb14721ad0294b10d639eb4f1e96e302d87ab68859ca5

SHA512
59905f1dce2149d0758f0259e83c6b4a6e9b375af4e1d5783f576825997d6233fdb09d6a0ab37004295011bde2ac707ca65b14b34901f2fe72b7505968420c1f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e4c3e5b32771450bed3a7729d0493f23

SHA1
868f6a922294df8b4511b990d4386c7d4dc5b0d2

SHA256
5e692173a6c91b2d578e93765e28267a5044b661c0b2fd0ce865ed7295d35d1c

SHA512
52884cd2ad42d7116d14374e5bdc80624bd1b807f76468b40a13283b8ce092a2e9412aee43b5d2e6a928c78c06abbec5e1f1d093eadc8dd6789eb583596b2f6b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
960KB

MD5
45d4d905bbe22974064b9dba70ce19d2

SHA1
49519ad16115a747d39f6d25502be40ef7bff8c2

SHA256
29829ded9c85d971b785e341156899c2db9ee24850a4f8cbbfc658d54f7b8e95

SHA512
ad5bd6d39f0ac06f33840a1224ad64acdb4709c88889c0334fe4e29be2e44907626d59e1f028c6c4c3c5365cafeaf547608fba7c599c67c973e936aed7842f62

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
67719fd0ab01483f4bd23591cdc8c9f6

SHA1
53e707da306326db7026b761f2553b1719e3a4e6

SHA256
5567009c015ce8526d1be2e616407541984de58f8d8df7d1bbb9a4bed6137844

SHA512
5fc15a10b4e0fa5177aa1d5edb0b7a0c158fb5459ec8de565297b0876686123a86f58794e8ba9a75b9b204434d74f8d963395151415e903b404b2abb72057054

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c58054649686851be760d6d3d5a14ed5

SHA1
ca8d0ea2e8b0bf4b00e10ce01832e8147586fc1c

SHA256
124b9583822ec5156b6f8f5024d3cacaa71d311771c2759b23591174197386cc

SHA512
c0b235a56a161ddfd50e3f7eeb590dc86c8673186d64ea12ec62ff51b4a11645e3a5cbfadc278a9b5d31f983be4037381a9a32a30ed5719a893b313c3953aea4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
29e32643e35b3847d3719c2069ae0c59

SHA1
c252080ccdc1e776292fc766ddacdb4d83818165

SHA256
caa4b0c45fe9827e83e593e13b039eef7ffb085cb0043c8823e568bf6de8805d

SHA512
4a0528fe617a505d0fd6df7d52df5017bd78fd63053efea3a2addcb5396b133694df3246a636622c5174467343f143474accd5ad2854b351cc549c234c502a97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4f17955c571c5f455738a681c394408e

SHA1
d01801eb722ac929229a67ba70ff9d39b6ec1333

SHA256
fdd3f89e1f1e49ceace6117d35e44b4bbac180ca0568d557d4f948b6a625e36d

SHA512
19170379522eeddb1c234c31c44985724e4ed542b3ab6dfe038078b021e0bb4f2ef9bc1970c295d35e64ad4bb5492acceab3b27b11b9a1cc5344e5926c59cd07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2aa344a6495e983af7b4e1c0e71224d4

SHA1
6b923010de7b387f621eb8d7cbfb11445738e039

SHA256
8cc187a0f3162059cd7aa0821db8ce513ca7088f8974628f1ac808c4059616bc

SHA512
80df16b76554ba9fea7c941ca194869d576b38e64ac4ae432ee91dc31b7230ddafd1f073c5ef13d3606976c27801499bd1d51408db194ddc66ee1c8db14e6062

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
384KB

MD5
43a6d423461ff60431ca8adcd51df438

SHA1
968a02b1a2b886cb8f704253d08168d33f9a6cdb

SHA256
62701b1c36f8056be2ced8957d57a13013c7a99563eea42cfca143ce34cd9dfc

SHA512
d04343348c63e1c162b985658c424744eb2d01da2f2a34b709ff537b463385d44030384fa8cff772221b80762a0101d5c1241330b13018d1e805d2552ae8d638

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
61ef27328474088e05381da7628b17c2

SHA1
6e08b3c9016d8fb5fcf7e9943e2a61f287aa7cd0

SHA256
add2bda76eb02a3e17970485df25598d007c70dc059fff814253640670757612

SHA512
42e7172deaf4e44c3207030981d329c75a0f0ceb772bffc3240b250706654064bbac124686e2c2b3e1918b32768a3c389568573fff8d4603b275e30c4b91c47e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
33a9e351cbc14fcf2e303898e9c1b259

SHA1
44a4f6280e1e8a9fb7e32cc21b17781dee7fb709

SHA256
87bc4ce5f740b2cc04f90fa78e3a125f0d477ca52a9e814016e6f843b797012f

SHA512
49862fa3e3831340fc327cc60bb72b11b6b0cd2132c5a77b4d6b252c10030f304f10a276db839294a72d9f5d4b562eee715ed639cf3843ce95807f274001286b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f36e0b3116a5f74f3ac89a73cc1df47b

SHA1
1414c12a71c18574c4dabe7bc6adf102ffd187de

SHA256
943ccd11afbbf930936e9729c887bf0ac67f0186a65af0eabdc545b50fca8b3c

SHA512
c38ff64dd4f7b9e1b4ce65a1abc335457e4d42ea77e2f87fa77a858c9e83187ac09faef01a1be26443081b6d2752e916c6741114020730f09edb38705b981c62

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
65526e93cfefdf86a110b326bb363952

SHA1
fcdf32633009237805237f44934427ee8d2da4fa

SHA256
8d7444140d5e493fe8bda1cf434d0123a9a004fff430211fa7b69729efb4f81a

SHA512
0292f027e766a654f897f33ba71337c5b0dc459e53017c47f2bd20244d49023c83e19e96a625e13c84fec94bb92bf6928d9c0cd3817b6725286d9636be69ed54

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
40e13a724d75367c71c2bbcda6844e03

SHA1
a14918e3853f2583c8e4a1f2132b4fb8ec4bbc45

SHA256
c05e1bc3f59c20604468ae029cc4b19c7189f8d46ad5d1c91d5bd89c3d5b2652

SHA512
c65b5d7f5b0226c3936a96a1676591f78123c8b0abd88ac55c5289f1de0e8fcf46e59eb90fdf1c40546ff2359ec8eb1385d985ba2a045ffe7865d9a700d7b586

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f96b17ba4012bee8a4fe9a1a5ae07c88

SHA1
b69794a131d8b4fce40e9f891b1fc264f38327cf

SHA256
fb0b7c64ce5b719e0a115b248bf0908a1bfb19c0bfad7cff3becab160db2f37e

SHA512
739d8126409005dad089e772d801fa121d444b12d358e3959c6653c2e4767c56770fbe898109b3b0a308ce09e85eb46aa507b0abd6a02f713c0cfdf8fdd70fb2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
027a7fdaea4d68b9e0843e1e5df8d427

SHA1
eb12bde18560673c7e849de04ac695b252241165

SHA256
fdb5e46610da07a14fc626f61795a4464a13a3ae59d5a8f5ef4826184b9fc09d

SHA512
cb86e19a4d9a8dc43c1297ddbb8c6ce751c5c67cd0e8946629d7a78b7d6201e6fbc350d94e82b5df054ddea77a936026e6b3db16ab93ec6b15b9de3bf657e778

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
4f4ec31a6b995da04d3eaed92764ce0e

SHA1
3fcf7d75b3493c10eedb201e6e811fd39516e845

SHA256
4b4c2a2b0357db564a764426ba5549c4d363fe48dbb95b5cdacfca5bd85086e6

SHA512
f67805a2d45bbf0c2ea237dfff73523686045f92c01d7af42e0ad4eff5bf9c567396a55894624e95c3f2ca0336d9e690c21b1d02801409aa38f28ad4dae080e6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
3c9f51e7bb721f1be06c34e3ded7c38c

SHA1
671169de0168cb70adefba7e2d5ffa64b09c2323

SHA256
6066a655a646b207a5f338975eda48f41738796963d1b62757cb738ce5cec99e

SHA512
731f08945954b6ec3a15bf901a2a84747afb07a8ed80c5e0307e01beaccffd53f40976807235a219e479ccfb5f221c22bdf21d32e507e50b0bd9651e47779192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ecc316bdf49e5b292469a7fe320fb439

SHA1
07ba6ed482d1d719fb313041ad25997dfae07d91

SHA256
4cd2cf355c1628bf6a1acb5b4227e09d1c95e525bf8353e6b3a18f31a06592cb

SHA512
e2accb68bc29e85888556d5887bc429ac6f1bf61065457213ae99cf11a8616fdcea9847b3c0691681e751bfda54ccdc4609299f2903ed2a4ee10a3c0a9548e03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c76f4122300cc6a7fe5015aff7d52fc5

SHA1
d72c9d573a5f34db043fada9b77248d23a436041

SHA256
86b1912b069e14f857c5affd000925a4108bcade904f47237deeb223927c7931

SHA512
cb121803726f5a3bfda7d14bed5136551b954a83f00540c01e6d08f4ed9b467097adb1e73aabd5a0d85fa9318576e3bd7801bf9a0f1f5170d01db8ec7469127a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
cf4d41545545fba88e16e8dd97b32081

SHA1
1e1c0a3b88e9747d98a4ff24784bd64ddc3d6b22

SHA256
e3e32bc00f42feb18667b9d651bf42f0735a326ccd1c4bab03ce256c26bc0af2

SHA512
d21292866335cac3ce7280e04aa0468e70944e3c85a54c85cf8ac1caf02b45afd07a7ab190182cf92a1faf6d332c00b60f71c910319a0e82ef5f8abe02ebf576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
fa729f7e1e713378ad6a222ddfd442a7

SHA1
f70dd8883457150d4c95d4c53500e53345a84d15

SHA256
6bf2ec2e02577548824b12b23293c08209389d586fe0438baf176b81fa86fbb5

SHA512
f4af37860d90a8530678ce2966af644ca5583bfbb6d17ff23ec05845ac136c4bf3e8cb5bfdd01ce4123e939d678307e77541e450699e50256af249877d3a4d89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0471fbf28d0378db31979fa77af4c805

SHA1
a8bf0c82f5d52221ebae8330a756af47d7e1b3cd

SHA256
af6e84c465b0be812b933593ad28b6316c41ed7e76e4dc288119e0205751a421

SHA512
9a1a6d973c1b2d53fc119efeff250fe8b57ff57e8294f267878b0c365605aeb13384486ab1dcdbe07c133d58dd85bdede8c2196ff792cf42935fb129c4c87c83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
72fdb59e18ca02a46f2afbec075908c4

SHA1
2934edadaaa42571b9f6e2c3e887be14777f73ef

SHA256
e5c1dcaf49dadf74adfe79b0fecaf0c546add7b0c43b76440587c316d21621cb

SHA512
828a396dda1ebda87d2c4655b69a410971feecc7ea095ada0bcd7d85d599a739e808507dc9e09b22aa9cdea5f4b96ccaa1660caab7914604eed7cdec90593371

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
50cc99f0206e8272b0ae87077a5b759c

SHA1
2a7692fd58a10ee1ecf51e12b0030485bd811420

SHA256
5565904b857bc92ee0e4cbc8ab0c408cf7e7fe3addde5783e96e88e4aed788fd

SHA512
8ac4c96c13570ecc324378ad6cd87b4fe4d9b75cb13d7710db8a1fccffe86beac61957a776afe10839b8284990dca7992983c18707e2c1735a408feb8a3b09f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
244cea0d963401495ec5365fa72a0ac7

SHA1
c2860e81293ae14433fa4b8fcb0d8c143c6cc6ab

SHA256
496e08e338ed6b1f0e395e57bab912ecf07bd87eb3727eefdc6e5a4671f24e31

SHA512
b0c754397e1d3f0593d1ba2563dc3d3d5584de8e93e4a6107c7e6b173cfbde662b9c4ea17f11015560453d3f798e7ef70be23492d494b32c490445254f4ff8fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
796dba9977cb57f4cf8c87a18dd5aa51

SHA1
83f7bad594f36ee2838109cb663e9d02d6ad50b8

SHA256
007077fde8c0271ff0f2dd738a2779f11464364f4d61a019a8e31a9810e358df

SHA512
35cd24baea652d4a5057bc8cdd6c9aaf92627ca4640208c221cd144ad527a4e70dfbc96846a2219700dbb77c8b3a7aafead1d66b3ab638842f378b8f6a87d54d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
77cae91cc79c3449927bf4a277d4fd80

SHA1
e4f4cc7bb9a8afc65763b2f501bdf99fb9920fae

SHA256
15c999c9d7376e2d81d940e22e8b00f992d854fddff33d2909d5f535ece02269

SHA512
59e77af6639931f12cee02bf1b1317244fe6c2d2e9de87a0971bdb33f941707eb8d68aed2f5f5aafab2166cb7387e9b58e1c583e6f2410f239e8e4df84786220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
e4c28cdb0ba611877356af84b36e7869

SHA1
3c47f8019c213e839b0db0d38a07bc936f638170

SHA256
7e5d82bc5b05d170e226c97cb25545f0488b585ec477e3025d0ad1f460602026

SHA512
45a12e56cc54923eee263f9d70bcc7b742ca56e49c3fe02b1774b738222a535d4d1fa450a877d7c787b362bddd3ae2a279176b0aefd816a37fd32cea8b51c5a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
2939d56f3e228c4021a089f31b76a764

SHA1
594b8f7243ba415fab01c623a9ee557020945a8a

SHA256
2a58e1ed217dc05993a60b3c2775e007ad150957df4015d0355737f13677b50d

SHA512
a52039064d7a5c7f076f1bd06139c652a6af7f88aeba5687cf3ae402c564b03569a6e7834ae36bbec42a2150b5e025e7ed45c242cfcadb72e25710c4fccf3b1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
8a1dc5fd37ab243775f9bccd8a9dc541

SHA1
4e01b7c317e3a80acdd8e2dec8c1ada135d67673

SHA256
075b3c54d758678441a1e040a9064aebfef134d820788a857f696a2df9f07fcd

SHA512
7670a567ee77754f191da6a7d03dcce46f151abb08b05bfd8f727c444265069ad0acb00b2a627d342920c8dfb4afcff1011d8ac5ad8acd8bba73d1ac761bf70d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
82e88b09d9d380d57d60edc2785ff745

SHA1
788fa2e1ae0bb18939fd0d8f600203bc3eab84d4

SHA256
85a4e5a7b60779a2c744430a34915a82c65622b9fe1693d118fe1afc201350b7

SHA512
ad95f878161c3a74ccc0858c4dcb7f3dbb52dd9309fe7becd72fea5eadaed215f437ddf7c483b38ca02ee721cd046533c27c4d4eb424b26eb2423a6318f4888f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
11f9439b93e3ceae8d53da62c32201f6

SHA1
e0a6474bcd00a6cbf34c487b797fdf8cb32f2f91

SHA256
51a01addd3dca47462fcf918565b448beeb2963396c747721eaefa643d9f8991

SHA512
b401c5dfd9337e7eb6b863c9a09f70fd30d341814022af9ea85d29b45630608ffbab735599603cc85b3d4eff9a2240c91857eafdf7718c33009c16677123e208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f275fa6b932026515ae778f6152df8de

SHA1
a8355ede94c6890e8a4e1f49900d90bc0cfc93db

SHA256
5d724a20c1c26d59be78ef27b6c2db9421acbcf535633fdc55f05971af84815d

SHA512
67f6dccaf57140375ebe28e42f63c649c4e821cb104701fb4d1c80f88a00429b2e87e6049cdc9644681a8b0751ffde0650145e543478e7f0ffb0a3ef4e9650df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
192KB

MD5
5039ff74d637190806cc33d12e369b7d

SHA1
de39637b3ecf3d2cc62dc9e94dba4b5be7b1d14c

SHA256
2164e6223a40d53bb6397ae8b2ca372d7d82cc7dc6f4fba2523294c6ebd069a8

SHA512
6a40412fa64e2cf3efce9e32f8181bdd01e7d742419afb577de276828baa3f2f743671d5da95c924724dcf854315b38e704fc5c08848fa56214144601f73b67c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
192KB

MD5
e761ed12a168c4e52dd8df94f7b7d074

SHA1
b3f0662f791551b9f267ac55bbf210527f1f3d85

SHA256
32491f8f93a49676d67bb8cbd69aab29ce02cf30b5512a195dcb92663ee8705a

SHA512
38a263dae1efbe15649da5aabed890dea26cb0ca4a8fc83d0889a68fbf368ac5ab41141e73423a336a4ff36674b9d6c6d227ad267b60f2b46e91752fab59f131

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
192KB

MD5
a240ace8f1ed370f8b8987bb13ba8edb

SHA1
5ffec5376caa7a1840a70e512e612c7999a8d019

SHA256
b41744968324066cba979e6be2c8c3eb03e78815bad53e96d9b23c7fd99010a8

SHA512
6d13102094a8930d92a7f040bb0633a06fcac315e9fdc1c7a869faa02cb7b9e1c2abdf4b5099f554090e4c1d309443984fcbfc8bf34f59579bb878d2b7df80e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
192KB

MD5
07cd0fe6c916815984b6dac90c5cabfa

SHA1
ee8d937c10a4070107e806067c80429bb51e3698

SHA256
bfd9ba781e31cbb1f7c77464a481c7e5aba9cf00dec359ae96dff7f86bb1525c

SHA512
26a7a354d92e9b3cc0e3b23a7b772b065a1dd1e7168f4350601d3d73b0578213b47220c7043fae04f13eaf38f9f69ea5b3bbc243efae19245a7c815a12863e55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
256KB

MD5
314f9d3bee8e9aeb777d963309b50d95

SHA1
0d1618bb72098f3f15488b43f351854e2c59d390

SHA256
b8755ecc4a579e7c066811aab775c89f4c6b238facd21cac073ddf8ad5cc935c

SHA512
e523add6c32e657bd74af7cdb8ec027c9e41045d9a109260524eb27b8b591ca251ea03bd8a31d675bc59811686e720515f1561d738904424db86eb4b010281b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
256KB

MD5
6a1749f958c4e508eba5fc15dd074c99

SHA1
8b2bf7582f8c8ac2ffce43f9c1e276eff71dbb90

SHA256
d1dcda42cadb1dd9221cbf41ad167309303fc5aaa58f5c8a736d0901c06acf58

SHA512
4d84d23b79487c6010bcc3a0cc87faaeda655ef357b0a3d52d3002acd5ec4ac1812db42a89907ac789cc6d297a13c54483c7afc342408cedb28343ec4be11609

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
55aefe2baec039542e0537c219077d48

SHA1
aeed1396dcc4918c42522b0470abdc58c1739d4e

SHA256
901fa7251cff22a54057f5fe459ebfc3eed7c3d75565011bd8f03b09fee3353a

SHA512
600f16ccc24801252b27eec4e2224610709cb68663f2018deb68a816333cf8ff4c0161eb6b5d5ec5857dd0593c8d1969dd8388e595f068a5c9a9fe81bb3314d1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
722159832f90ba3ebfb187ded4bf29f8

SHA1
1847091d9d4896f087643da52b92ba0782100e56

SHA256
7466fade281abf0505c86aed39fabf8b17c14a0c8899c4aa5faf1e027f8790d0

SHA512
d2eded7f0f7b770d50894e9be6d9f2fbfa4b0f3fcab56f8a3dfdd385bdae612e611e05ceb2839a8c51048b452cd43cdba3fb629a6bad9ce3f3b31edd419d0944

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
70691085347b43648f0ca846b8dd8f52

SHA1
85c831d1ab8f8840f1b7715114873b36e30855b7

SHA256
285277b60f0dc90a827af01e48ea5cae2ebc510c9d312dbb3dc02056862eeaa2

SHA512
fb6b24c3618f23d299d320ae7a8478ff8fa29935fb5ded5bb3e578447d2da48e7a4fe44b15c54b1d0ac0b43aed3227eef21d6b7b2302fbfa4efd8976552f5715

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0c771fbe0f9fffa1d80707428cac9ce8

SHA1
1d898821dac78a4dc2386b319f1c564feddc4999

SHA256
52d697856664dba2d7589cc598300861512d7bf2f2c55a3d52563035dec8e829

SHA512
296192eef5c2a619f7e19a1311b576d427d11707f6127d53c3ece6f20ac42ccf11cec6ae4289a4472331174e8dcb4033711c3691b9f04ce9f54fe8f91af2efce

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6bfce310492e736c61470533aa8fe72c

SHA1
afb4b34f3948ff1f35220831add24b135dbfe5a3

SHA256
6d7718933322ca267e8351faa9c004ce2fcaf49207b45f5df772b3f79410b716

SHA512
16598c6ec9fa71cfa569095f5b281172edfea7a6b3fb02118cc6a1c07b57e91bf75722324ea8b70d5ec9a99d56b681418c3c6b6fa4c1b79ee5c8dd156ec05762

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4693110493ba38dd4e4d777272d9a96d

SHA1
95b2f7528920d938effad055c97a34be4c2a7a7e

SHA256
f597f22b2e373c9551735ac4b1067c2a27628566cf6bf77ab39361c00699187f

SHA512
fde8f92a968b37fcea2467e96e4beacd1ad6fe037390b2c6b767dd6c58a6b83a7ceeeae63ab7bc3491ccfc3462cce5c823da235d48c8ad45eda617077348caaf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
436bb9caf544689b2049776b9610014f

SHA1
59438fa88acc84b1f52ba1fd8dd01cb65ed064bd

SHA256
e451a59f708dfcb1764aca8aee8a3ee9c8d38cf58184f2874b3d9c46730e1f53

SHA512
d995602621ea40ede10a98a445f1e8345352f017c51a64ab664e5b478f752c623b96e2f50ca885da68967f5707e1256a26485e5e9842731bbd64090dd2c0ea58

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3540530db8e7261549c0d74ddc82f9bb

SHA1
92bc7e822c345aa9b4cffe4a0f53d4c1c236f762

SHA256
65a8fd6c0b339507c5de77498b96d536e0ab8b795f0d319e2643b245f01dd697

SHA512
24bd71a26aca07c1a23450b9bb401178e41d47c3c0284e8f502613d41d8505f84ed56862abd5ed370d1ada31d5ecc1a89b176fc9863a886923047148db540a00

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
25ea92c0c4edd6976044957451e4559c

SHA1
a6379538668b6c7d1027945d9ed60f81b0e4c190

SHA256
5585d57c5168cf23a0dad7fc815a3fbe57ac9f7407d49972d8ac21528517d2ef

SHA512
7b3681ab079077fb2ad8a50d0e03aeb0ed3f82b718da101e3b559e081494d3ea3d8837ed8e69d19b68b9fd4bf68870d96906c8c244596685cfc3b9960b65e703

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.2MB

MD5
686359901150588574e5d6a0650b4a78

SHA1
038fa0b3121ac894e670a0b3f934b1b856e74744

SHA256
8df27b15185ec681298550a0a55d303fbf4030a26dfe5981c9418feca59abe78

SHA512
25b8a054f5ebcf4cd7c45b1088d19edad5adc9b27c168771e8db7cb9d7639dfe3120b29f4e371b1140db2b407ed841b31e4543588fc2a2365bdb8e4faffdf99c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9589b7f6002cd8d08400016b9dc79a72

SHA1
e9dec95fc6d9ec33b369d26d8104d3862e5c6c2c

SHA256
7b40820ea080ae73e86f3cf227a4070c48779befe4f708f35f5fe5a9d00a0d54

SHA512
13399364cafedc35e72c2cf0f9b0ae77bdccec779b75dd22eb5fcfd26d8f99a6dc96d587746cd24a088d2d6d3a6bc85d2f3232af5c94d4354125b76f10644be6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8da7d89f7d20cddba9c0b8d2e39c0b60

SHA1
7997e3a9a5c9003533b7bd6b2ce5b71dc85a5411

SHA256
b89ca6d57593900c61fffec039a442952c63ae1542a816370cd2a6d94e7e16ee

SHA512
5932442b36ddbb4183cdbde3d5abf76c0842f1161d02b38c0b6baa6ae352a39806cd530fe3c49abf86851736797261c4ca70d8f13437f7a495401b56bfdfe16b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e0acf8c896c31c9f87bb3f86958a7012

SHA1
09b1dacc60c18370a54d2a4d8469f3b1f87f1126

SHA256
388b030780d5dd317753fc5581fd05161bfc6f4075c2e55fa22c37c9b7c383f8

SHA512
ffc9688ec07ac556e858966d60a5a35eb4da561a16623635cf7adba597a43904073159782b1986e1f50213a49a702f219a014fd3ea56158ea245a98ec78b5a09

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
49b2a01e793d733bf110dc8750cbd4b3

SHA1
9be9d07125ef865ce4efe452c749a78a7f7ee1ca

SHA256
4efae04e13aa7d11dac9b1ca60ac436a6a4ebccb12e83446d1391f2060ec2d90

SHA512
b02eba9b282907665b3af492e0aec0601d14e6d5d13c1502da5c5630f1e27346ca6795f2ee3877d904f3e8e7a1b6ee4d4793ef1d4e06a61c5c989390e3b29fb5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
af4387364f68c7b69d232bd7d93f87c7

SHA1
4b232145354c801f5a9773e18bfebf960383c90b

SHA256
170c8c0d6cc05fa9d459be8363cd7df6d07a5d8e51043a41e6ee3bdbf7b26ef0

SHA512
85def8d20ac50ceb6a13c5874fbc3032bb1b69eef28c8ca55118fb433d6d43c1513ef766d33806c28474be4a0c5da0eab4d08c710f300e0f6f111074d0eb3cbf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
53311bc8a3911415b80d10236874625c

SHA1
97065111c3765848fe206c9adab0d693c94a8351

SHA256
76f06987a65d3217470c8080c16b77f19f6e3610f56b28ec22a7e134c8d4c1c2

SHA512
5873cf1247c0f06acba26383dc1eb0a406eb176f18a6fe13a6f5de6be26fae7dea4b4db3c4d756d5aa3a31173af8dce3a883add74159064d196e68e88b339574

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
59e44452fcc6eb6d39955232403a5e24

SHA1
c23b841246eb4a0ed63f31e86d21f3607ef2b725

SHA256
0e3619fcdb884df5356de31e37965957c791008f3b6934548393def91495ed5c

SHA512
a876c0f3e79f85025294a4ca92227e87c30ee4acfba138f004d428433c9c96a64e616c5fb25562a32f04448593365e0e3ae096037d4b29c96c6bf5d9a580869c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
13209e3655cd47ab244563991be747e3

SHA1
e2b4ba0a64b2972d1d27649b29747578fd3dd8e0

SHA256
639fba1deb19d07d31459395a36dfe997ada084ca0512c0e1b45b9a5faa76279

SHA512
7e8e064430688cc6829694bdb7a166edf5aaf1a14f0be484ac7dad13a5ad82abfeeaa92ca4a1185256e52fc170c415961cf35c79004a53d22c58b2be5dee9589

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c93d61c2054a31af663ac96c435d5e5

SHA1
cb15525c3aacd452ac7d1a9456d5553a58fe91aa

SHA256
999eb1d72c5fcaba72cc06b44cfb4147c08149ccc5eb39ece29232230e1e4cc6

SHA512
d4ae10e7053c9cd9e693838f48e689e5fd8b6697708f491c84e2e9d169735f785a766e8b383393a30862212dd77452bb7467b15d6898c413a46d23ee3f5a414f

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
eabcb52dfac6622954b979debab28c0a

SHA1
bc054c1fa81365d1f9fad5efc25c4628e7139c3d

SHA256
e94f18dad5b005f10f003a7972238ffc3171e64f014adfb4069cfe96364b9437

SHA512
f90a7f04d1554e6b4a348be80144adfe43c712497e1df835254d4b2ddaf96e0f8c7b2cee710ba8b9684361a0996d1592f77acfdd7f9aac976348078246d42bcd

Download Submit
memory/912-409-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/912-542-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/912-400-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/964-371-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/964-438-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/964-378-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1424-72-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1424-238-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1424-66-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1424-65-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1752-369-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1752-312-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1752-302-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1780-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1780-15-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1780-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1780-227-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2100-351-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2100-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2100-412-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3104-324-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3104-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3104-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3420-311-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3420-244-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3420-250-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3420-243-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3428-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3428-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3428-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3428-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3624-413-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3624-421-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3772-1-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/3772-17-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/3772-6-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/3772-0-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/3772-7-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/4072-452-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4072-465-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4224-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4224-263-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4224-272-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4224-255-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4224-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4336-425-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4336-366-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4336-357-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4584-337-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4584-269-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4584-279-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4592-64-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4592-60-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4592-57-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4592-52-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4592-50-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4744-434-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4744-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4752-447-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4752-441-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4872-34-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4872-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4872-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4872-27-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4876-329-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4876-399-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4876-338-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4916-350-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4916-295-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4916-284-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4916-354-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4940-557-0x00000206E6880000-0x00000206E6890000-memory.dmp

Filesize
64KB

Download
memory/4940-558-0x00000206E6890000-0x00000206E68A0000-memory.dmp

Filesize
64KB

Download
memory/4964-299-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4964-364-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5092-398-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5092-396-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5092-391-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5092-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download