679d2a14ce27bcf907b337610280f960849e743691f8d17e7e0acfc7e55f8501

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

679d2a14ce27bcf907b337610280f960849e743691f8d17e7e0acfc7e55f8501.exe
Size

1.3MB
MD5

c92c34f10b0f6a2e88ce4cb865b44adb
SHA1

05192737c449c75210ba056e47a5b917a131daa1
SHA256

679d2a14ce27bcf907b337610280f960849e743691f8d17e7e0acfc7e55f8501
SHA512

357ec3e58fcd0035b3845606b4080c3b472a9ab078b960b7a0e7a82434627edca0bab8d73d02429b3b64b64391605d0af83c68bf57236f279bba444821918478
SSDEEP

12288:c0iB+t/MTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:c0iB3SkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4724	alg.exe
3604	elevation_service.exe
4856	elevation_service.exe
1932	maintenanceservice.exe
224	OSE.EXE
2996	DiagnosticsHub.StandardCollector.Service.exe
4152	fxssvc.exe
1976	msdtc.exe
2080	PerceptionSimulationService.exe
5104	perfhost.exe
1504	locator.exe
1908	SensorDataService.exe
4116	snmptrap.exe
3344	spectrum.exe
232	ssh-agent.exe
4780	TieringEngineService.exe
2972	AgentService.exe
4676	vds.exe
3816	vssvc.exe
1056	wbengine.exe
2952	WmiApSrv.exe
1912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	679d2a14ce27bcf907b337610280f960849e743691f8d17e7e0acfc7e55f8501.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\985754c28ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038bc949b6472da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eaf059b6472da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ad52b9b6472da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000547ed79b6472da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3604	elevation_service.exe
3604	elevation_service.exe
3604	elevation_service.exe
3604	elevation_service.exe
3604	elevation_service.exe
3604	elevation_service.exe
3604	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4116	679d2a14ce27bcf907b337610280f960849e743691f8d17e7e0acfc7e55f8501.exe
Token: SeDebugPrivilege	4724	alg.exe
Token: SeDebugPrivilege	4724	alg.exe
Token: SeDebugPrivilege	4724	alg.exe
Token: SeTakeOwnershipPrivilege	3604	elevation_service.exe
Token: SeAuditPrivilege	4152	fxssvc.exe
Token: SeRestorePrivilege	4780	TieringEngineService.exe
Token: SeManageVolumePrivilege	4780	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2972	AgentService.exe
Token: SeBackupPrivilege	3816	vssvc.exe
Token: SeRestorePrivilege	3816	vssvc.exe
Token: SeAuditPrivilege	3816	vssvc.exe
Token: SeBackupPrivilege	1056	wbengine.exe
Token: SeRestorePrivilege	1056	wbengine.exe
Token: SeSecurityPrivilege	1056	wbengine.exe
Token: 33	1912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeDebugPrivilege	3604	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 5392	1912	SearchIndexer.exe	117
PID 1912 wrote to memory of 5392	1912	SearchIndexer.exe	117
PID 1912 wrote to memory of 3060	1912	SearchIndexer.exe	118
PID 1912 wrote to memory of 3060	1912	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\679d2a14ce27bcf907b337610280f960849e743691f8d17e7e0acfc7e55f8501.exe
"C:\Users\Admin\AppData\Local\Temp\679d2a14ce27bcf907b337610280f960849e743691f8d17e7e0acfc7e55f8501.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4856

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1932

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3344

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5660

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a66e0394fd7458c04cb0a5fdb05eb997

SHA1
844f455e0628d34619be88056dced62bd0275132

SHA256
b482e512e93c14622eb2ce3e3dded2f4c6ac37f0b94cf443643475263ab437e0

SHA512
01113e293a2b5aae74df4d783dd3699ee109d1f5b872ec267dd7a502d0f0b2c320c736988d5754180c16edaaf3d71f4cbbb24bdbcfbe4ff705c83fa6c7fa6a47

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
db5b43ae3e332c7488eb005f60c8bdcf

SHA1
d25658abf983e6a480993bc1aea482df6189f0aa

SHA256
be2a529255d70344cfa6426e554e022decccca87b3c697f4e6dcde41afd0dd54

SHA512
cf9c2e5f87c6497f10dcffc9913619ebe3a22fd7e832f8b1951a235935badac72127e227d8145265cc5a185f9b73edf2a527b329c8a331ac1d0e3a82343c60dc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
603KB

MD5
350b4df453d4cedcfbd088cbb5e02a00

SHA1
f2dec52a753d7797ba5b20a03fdb207b15dcc420

SHA256
db462e3ff4d31a745939c8a0a34e26c7c0f527921f0e5b8eab8481cc9ddb8a05

SHA512
4e5d085651ab84bfd019582f05d0de2f17d184f4b8d65b0ce3c8983bd2349f1e38d7b32addd385aceb66f69f6c3bc629745e86298068f4001faea8197208cbd3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
719KB

MD5
46e8f2d1b094d86ba460577e2355a439

SHA1
a9b79fa62e1910ba0b236f5b5cd31056bb1cd19f

SHA256
e11ee9b8f13c7876c731807c8c8f2238d36431b7375c57aba92976287bd00c60

SHA512
c5996340d2aa0b9328b123f781baf5212962f0c38b3c07af05cb4427e7961cba7a2e54c3bbafde93f6e27fa43069530927666cb322f7bcf9f0568567d43d7cd9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
689KB

MD5
cdf4d0c4087cad8039b161a40f80f113

SHA1
9b830af8bf1221d516735c5bb795b2e6fdb57ef2

SHA256
8831592d0df898dff2b2e57b5acd48e93d9d6c0b41b12b16b66832201cb53071

SHA512
c1d8816ba4b5cc26468bdb42a6648a720814cca919d0ab2276251d3e64490daddf6f799b6db26b717ed12ec0ca7f55c04467088e997dbbd74ceff20f31a615f1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
704KB

MD5
7b21187262a4f742301472c9c4a67968

SHA1
2ac7e653d2ad776ac764cede99c394309df0dca5

SHA256
b8e94b686747f1a752c91caff8d50af295174d6cd7e685d9d16692d4e0dc2ca0

SHA512
b903a6d32f87f1a00dfb0787d9530fe4cfa0ff65db1404d1148f5d1c31eaf6ab42eeaa400275ab1a4083e6c68af2fc5aa0f3589be099cebc6c9886f1f3ad0bba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
496KB

MD5
00cbb3f347b8f5e224ac8f8d476ddb6c

SHA1
d88df4d858a5dd092d59c2ed0f16a4f3eca15ed1

SHA256
0f85c19b0d6cd1881421aab0b6d13fcbcf0d9370747d279c0b871bd16235e6a4

SHA512
48ae8ac20692a106b3429a87e23ca352307fd051da25ef84b22d8fa4ad2df2f81608e85c92151831cbd08dc07aa6043ad798b57a67cf4a40b5767efa490664cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
720KB

MD5
d96a9dc6fd3cd039cdc751d4e78cf014

SHA1
ed281cdf6d4027e8ec4ebe618df19de66a2508b8

SHA256
f76e22bce43f7c2f49eff2bfa59d6f3f1ebced39bf13e36355fcdccda41e6922

SHA512
1a642635763caeb6854a52627f39f8c381d778794cc91e0b6c204e5c76ec73433a2c1d7e586d47e08cd80d13243d0e5a9f2007a3ff253399c9177237cf21d6aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
740KB

MD5
5d05f24b32f0072fcb1ab488aa7af177

SHA1
78c624c10698ed95346a2aac051b06f0cb2b78cc

SHA256
c4170076ab5e5f18c05a2f4a341719b06c6e436f567ea893d1398d8e88341dc9

SHA512
a6a8a143a83dedddd1a45045157e0a8664ce06b76fef13872f1f1ea456f14f90eec8ac6a5d35846e68fc757c2b448c8e7cb80f40daf6e582ac42247fb5163eb1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
142KB

MD5
304cf38e8f68aa0879858fdec09aa1da

SHA1
a227102f94bf403d95631d8f4acc20adc6db796d

SHA256
170b3d119d54e48115c5696191885f4eff307720ba92774d6bb4fa4d0463f272

SHA512
7327149c96252ce06f47e6a9c5cdbc8a37dcc456cf2c0f03a2f3eb3c56681fb3ab34eeb6c0e64c553d0b4cd88b7f937633af66409123654439dddd047931b7e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
695KB

MD5
378c5faf285a21de19dd1f0740a536e0

SHA1
c7b1a1efbd75f17f90489dc70022c8d951e538c9

SHA256
8b5f6de22e6c86b61318141d49c2b31b9be184c9fa85915e3fc70a8e0453a6fe

SHA512
0b9d3ae3dd40afc6ddf29bd8c2dd1b5e5de3641be02f2a636cdc3c6b57570915d55e1f75c39fa89ee26f71fc6b26d2d51bab633aaf815bbe48e5581d6521593f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
689KB

MD5
395ef00f77a7c62dc4eba1bae3b5dc37

SHA1
a18a0a04bff6ff911d928e52458eca8b9313a9f0

SHA256
bb77f17ac44f0861018e0c71b712d65efb0d88483cb410ac6f1348634a76c065

SHA512
3e60df87295c1809de0797a46f5dcf982690a7cfab9fc25484f119e030aa23582f44ac4ebf4f3127c6ab890b1b1117f03395bc1c1c2ae9424cfccdc3cbf8f762

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d45c02dfb4a61d7a13d5785d2390ffdb

SHA1
6329c8dafaa82159bbc5c7663afd62561d479307

SHA256
0b12d417bf7dd8a00f618b913c22095fc07598e8e01c4ce29e38c507ef5ad4b8

SHA512
346ea46068841a57da341e85bd8e8a36219d86ba79d16e7b4fcb6a1964d00a786e735a1acdc1b1915ae16a9e3cdac160b6a734ad0a3b98f6f24700e9135028b4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
697KB

MD5
59be5688c9975a2dc31335ffffad7188

SHA1
724e43da8287eecaa54ee94a8228caace4696f1f

SHA256
6ec5aec75f05c7ebbb8d33af6b6fcc5eb273cf324266aef90196a9a519866887

SHA512
7c6ee5d484ed744af323ac220c166c9f9d688f313ff9cb480efc41f7df0740d08d53132a953652e7ca89cebc66e51cfcebfab2597b6d6ab4b674419981a5cf54

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
28KB

MD5
79b2deaec1f7b647714a2cb24628caca

SHA1
08990f9490e1b317d459104f286d7e79d83fa58f

SHA256
2420039c4e32f3c7f2c11163cdbb873434ee92efd49d125a2e2afae99289f8eb

SHA512
3f189e1180e589e5eb87006f4392c63e1934f426095abbc7c26988c57bbedfa6e141c9dc644428c4b4105c29e42976cb0116563e672925246f401a575048ae60

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
523KB

MD5
c9185f8cd25a2854b6015a25b30c2452

SHA1
a48a527b2b26d85fa7534a29b797d0a1d42cbc01

SHA256
f1cd610bca146040af7f34f966d30e445653219e7f62675f77a838acd6cd627e

SHA512
d2af98b9b321685e9c2d96dc0855d71309ce3908b43aba8d6152c80c91ee3d38e1922eb810896e6441a474c5502f8b88f93de5cb27561423981ff1aef095c98c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
562KB

MD5
4bdcd29de75aa69217cba1330b1b7784

SHA1
37d8f1cfe00cde1413b753ffa533328dc83cff8e

SHA256
a04c2bfc0e0c6bd3327a1b6c10dc75d0dca15cd087d3b8679b2547a8ffa081fe

SHA512
732c4acd6a93f439712fb71aaf45c3f08879ba8de368d4c65e00a7c0fa264cffe17f0658e749ad8e88edfe7b43e24f71dc1aa59176ce9c97325bacdd4d9fbf40

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
514KB

MD5
3f09c6ca91b18a07f1353a9f05057b3c

SHA1
ac59c0504eb448f2006f6b0a5a03c59d4ac26f74

SHA256
482e76ef748de518fd8d842d8b7cd1da9a92afc3f2e595567b4f9a4c1006c208

SHA512
11cd35928fa4726dbc03f101013f2e34f1fcf486461f4ae45b4208f752e31b771776c66c7c8e968425f53632622b16341865d14e95a4005cfea86bc432d2c87f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
556KB

MD5
849f310c71a17e36a2add1dfa95c0fae

SHA1
9bc79aefd37ec688735a11ff79b850bb55844adc

SHA256
8fe11f6a41774ee33c3448bd16a9c9b9b5d0cb3c4091649fc9d661e6d02029ca

SHA512
bad3dce0b6eeb9b58cf41859f3e1eb823ad432917729faf5055c389296a7747e3188cec346a4a5b62da23d8f7f1f9e17408c2a146e063c7786e27d00d9f32f7b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
410KB

MD5
09608bd82a4d142fe7edeeceb2eb2544

SHA1
04e95112dc21b37c4784573526252e0d6c2e0354

SHA256
99c055a181462a6f910ca1869828aee4222c2207b044990c41040bac70a2fe24

SHA512
3f640c188c92d5ab9020d1dc8ca5f687dd666a8c5a8ec8e13057ccbc1c21a85a14a82738e0c1e9d53f540597fac09d609d5359811644bbe6609bbad78f8f12a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
480KB

MD5
cadad323f2bdd80fc54cf82a33a2c792

SHA1
74d5bc4568226b5f0d1744a49dd2758f97f85871

SHA256
d7283805ff4914b9be4642a59f5894de3267f0b8503f026a3c764219819f2de8

SHA512
9cbd5f06ce012433bad440f49c14182de6d0495ff5ccf6d73cf770c66933da926b46c8df41ee0857f7e84c8ca6645e5aa21a5f481de57139f81c4ce485a39bd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
510KB

MD5
c9c149201b54f075f935f21285c8b5c4

SHA1
b34cf4faf51770464c0a0a2878b87b088c333b89

SHA256
adf0927036f3ee8d62f81bb027aed1e6c273d68b99527539ff891f007680de3f

SHA512
44ef5418d82125c5b5ee43a478c309adfe41cf7becfc521fd417839e3b045f34d7ab4fc88779e1f0d9350d451c94a8d694852d8d82dba954cae8f019bc1407e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
519KB

MD5
118ff3d32449a0ea1962bb3dc6ec0618

SHA1
7fc1ce3a6766becb68b945be0d3c28295c633de6

SHA256
5a7588eca742609e3872accb5176462ea1deb31863b3c1d1c6674363087860fa

SHA512
3cda1f2aae8390bd42710369538a9602e7dbed276bc7791534db338c7d51809454a9b5a659c42e2c2201a7de384eee942866262ab3e736848e6421c4fe3a8ad8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
632KB

MD5
2049d5e06e5e13b08863cdc9319339fb

SHA1
4110ba3920291f710cbc072b536606174f358685

SHA256
13353d5737406fdc492ba53e43bf1c487d1efd99bd114c1e8e08a770eca5822f

SHA512
91f62af39838bd411d8460577d228003e2ebfb52c360083ad73936f3e0f2cf5264deb0c6ca97437fd795a068073948eca2540c6284953364b4b6e12d00805139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
504KB

MD5
d694936523eaef1c0383734612a3b3fc

SHA1
0c89bbe2914789c2e20170a3673c208d9b4e5d46

SHA256
f6822f8e54cd1c25dbfc0bd4ce7a482c116f1c9b625502ac28a2112c24facadb

SHA512
082800994d5705732dcdf71fd65d657da3d4874e9fc1c0945853fdbeb1cddcf693437b3371fb0b03daf65ce3b74db9673855c68f47d7c0ed2fc1af7d4bc621ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
728KB

MD5
1be05178b0e0476f5287f3755d8ed947

SHA1
215a37e33adc1af183b0f1dab234d63b51ee0729

SHA256
693bd17bca49c9fde097373c7390c4ba74e4265aa68d7f2739eaa72f3ec4f5b9

SHA512
45c1477762659a5d8c17686a096407057950012abc14223b3b287a6ce0c8488dc8b99fe410899e62825effef20a0792efff99c7f59d45372103837c3a7189c6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
720KB

MD5
4047dfe719d0776edfb55a9449a93dfc

SHA1
96e6ad4be9e614e61a4b07b38b620d7dae209c33

SHA256
15392c279ee48d79fa964891c228eb1ef98f54f15160f18235955d0f13f23e84

SHA512
acec6f4c5241f665d4267712bdc966d846e7caff03c61a925d973aa0a1b25a34dd98b389f6917ff19176b96d5f26b4aef9104502fe09bc8a5bbd7fae33ede4a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
436KB

MD5
fbeafdbb384dc21c1c1081797bd14d46

SHA1
7ce1a4e9d01f537d1c278cebf849268eba679589

SHA256
856db868253b689444081eec2d5b46fa6a60157e371ea66722021d17b837aaff

SHA512
8170960deea761350aada778d374cf118f73c55cb603ab7d1c060715fa75b81757a0fa9d3c7d1a11804dacb3c28c21c7833c21cebe83c07150b60c74eafacad4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
701KB

MD5
951cd1c964bdd83a95f46d6f20ddab75

SHA1
e8640745f8a530aa7817b635d7e3f65caf034eaa

SHA256
8b9b4f63a817ddd5902ac3c6e2dd925bc72c8f6a76ca5e3de369754fab14e23f

SHA512
1d6a82a1c31bf972c0b0b123da436aea8874bf467ec84353ca8e6d44fc109204c1dd02191cfb77b505fe51c32327c1676629817609e149d6c0baba8f50a01fef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
521KB

MD5
942b0070150ec83c24720c0f126272db

SHA1
684966f376a3029e303b4141b70a2a97cf16656a

SHA256
7780efdfb0daa0a069de965c00b212ac29754b6507004e1b4f3d579a12bf2f87

SHA512
f6c3654d275d44418d9b5785313ac765d9643b1fb3a57f25d33cf3396dfe733158ffc9830154e3abe0a9d2f9f80b0ad263fb87fa354270e7567d266c3bd9632e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
590KB

MD5
6464b4aaa66458001ec3b8c055fccfc9

SHA1
251ab3a299c5efe94cd0a2c1c8218a0437fc0afb

SHA256
503eaeed13b608c2786789fdaa3b5a89261e23d5dfbd67b14ec446472d0cc5c9

SHA512
6ee87604706de1d2174e8fa7d53641da17c8fd84bdd73c3f36f6abbd4a7268c33a08028ca5b5dc24569bbe46892d24f96e24ba9c45402b5ef413a23982974cc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
640KB

MD5
a84b2d1539dd1319e64d0e81ddb63275

SHA1
e2895d84042804588fbe00c8e277bdfcb0c30fcb

SHA256
abda97cc6f6de28a264f8137370015c796f2b25f5c4af8a30523e9d3592273bf

SHA512
9433c89809df4e14498df32482548d320abac072afbfb1d2a5a6e9b3347537d7edf2210ec2fcb1e3c8592e7692a6494a21d2f79c4b2e6d792961876e4e29c547

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
684KB

MD5
f4214deeaf0753c0628fb12e658ae124

SHA1
a24f002548e4b9fe6a8f739aec7bf5915e381111

SHA256
8d173add40ea364a46368bbbae3b102e04a227b02b5386467043406b13e64f57

SHA512
1d3b7b8276e94b34a5ca1097022383964dfe0b7e4e30b61dc62d62f59486dbaa3f195b0092319ca0864949b8960cc06bd882691f87cfc3dbda98548d434fa0b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
754KB

MD5
a2b9ead063abf503128562bc7296329a

SHA1
11e409aa2e88e08949f5c31dfef08648de811da7

SHA256
ce88d60ce39528c985565e12089a7a635ac8e8e2a3d14e3d35cc8fa80af60437

SHA512
a2507d9f81605f951c44732599a2ae8c8a276f09a543722a9492e22b665369650c8482e777104199618a13c83663084be12bcc56a6eaaecb623045c93efce4fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
498KB

MD5
b3e34861023f8e4a249426a09beefc2e

SHA1
80133794e7538fd065cad5d8683516765522fdb5

SHA256
c24de994246b734f01897bc40e0e89bc0f1bdd844cc88edca1ba741c57f6f787

SHA512
24993077bb6fa4961735bcff5771849dacea9cd63cc34755ef733ef092376786cf93026eb3250015101537a03b31387a34adb9eeab13df0f7dce823501174ea8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
529KB

MD5
a93a9ffbdc9b5525d63de495ba4840f5

SHA1
15b1eeaf3c96705a087e6073acb973a933446500

SHA256
f621a930efce2ac1a97689605f5292e9f3273a8a60fca7909694306a6b73f490

SHA512
0fe20f8addee6cacd0da85a41652ac059948c89875f60688ab4a3348e47c926dc89f688e6819660502d52c58299ef1f69f5b9c20b6197f4115bd11b43174e459

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
397KB

MD5
9a0d41b2bf976a36dd4f5ac0a011b31c

SHA1
9165e56ac4ec1f1efa864b4c082e6b28269d1bf9

SHA256
d9fbbed20c9a4d7e52a69ced76e3a1585d20e81c6db4484b297570328fd11b5b

SHA512
b75b1cceaa0625bf87b77ddc531c8de3a24afce55fc5f6c4166cbec44e870cbc3ad1c9ec5a1b1b5299471f19dcc1294ba949efd45e413179e9e6770d28c2bcaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1KB

MD5
ea70ada94cb78600ae5a799304ce44e1

SHA1
98ed44925c532b95740e8ef53b8069dd46419d9b

SHA256
65d02a844f295137e97e555917851404b2a9671748078e4ec6309bae9efdb51a

SHA512
4028a31ec150dd8c7907079b21c6d1271d20f0d18972daf5e66ed0194e63385c42c39451ad9d2b635a478f5bd2ea8b5116ae4d3b81e3f9559aade130efbc8a66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
68KB

MD5
f8398e937d4ccdb18b0f6cccaf8a96d6

SHA1
dc7fa9ee01d95fbd765f9ef880d05f2c0bb7b4a3

SHA256
ede04646a69c2f14a9fc45b1ef5a48d893665acaaed9e25cd83bdd0b9330d662

SHA512
69ac9239d2be9e7204e2e51e1a349a3e2b0b87a6992fcc6a2894a552d8a6277f00be299cfe6513232c6878450854340080febed4d65504ad3843733a4c325a90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
25KB

MD5
e4a46979084d373b889f8983398c13d8

SHA1
444eddcb04df2f8ac8e3d098412746a9299d5e92

SHA256
c4cd606a8e33022265494b9f04adf6a6da5627c05a05da95551d0372807e0e46

SHA512
21640eed9bfd22588da58c9fb7f4f46b3d08d1b025c99aeab0d2c01873bc699e2f0f8a7518b17f2b7a9b6f3530fcfdea207a8a117f18761e20f7b44feef633ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
38KB

MD5
d1ba859beb60b994addf94192c5c523d

SHA1
63bbdd74576b322f55b4f1bc3f6fc07a34ada478

SHA256
e8e471415e248d996e1670295e0964a603a24b09a813f485b1329c3563fcec4c

SHA512
39198edb0710ccd2547e79e60895ed56752d4f439b679bf0fa61f77284af22ae49704e28a78617cde73e3baa3e7d5eed32a1404321f14e37163b2fae6107a4a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
64KB

MD5
c754e2d306881829890b9afe2a0e66bd

SHA1
ee6c7760a91ee2d372b393ca3a4b7aed793a7f75

SHA256
9bc555fd0940bab1f68a0b0d224ee89a19960e0a14135328dd32b70397281fb9

SHA512
010b299047c1cb05c8101142da086547cf7f4445ee0935a175d8e8989426aa6676be3e21eff5dccddb502140edfceb727cf09fb2833dcb8bc2b3f541f04e8916

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
512KB

MD5
232449252a9d601f2b4e18c974036346

SHA1
343180a3594b043c57ddf51c00b46c6dec8e382a

SHA256
8ba3b8f47807973c7aef9e5ba039d7c497f2a18d6c954d8b74ca05721f92efe1

SHA512
a410c275f3cd5c7b17268a089af36104fda054ee414e8d92e428ce3094741f4cd8e71166346832783c5c2c825217cc3fc6297e2e26d9e30c4a75813bfa8507ee

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
697KB

MD5
f67d7ac54d0f049730db8611e90ee068

SHA1
64156c59863fc3d6dc901f3ebba6083bd6c7da72

SHA256
5e7333989b65ea2efa0eba5a360962037a1fd1c5d7999443c86989a7b74b9b68

SHA512
af0e2a895dd0072b0740152909a6d51a7ff7ca6415f9ae3b4ba579599ecd7bac8bcf675cce9c4c8c6990c8ab62524282609aee906dc0dc4ff5b9da94fdaec7c9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
819KB

MD5
540b205401c9cd73b81aa75cbad14b6f

SHA1
f3788e7d52e409aa0e5f3b8fa16edce2510f30cd

SHA256
c5ba06d75c61421fa3aa43a01ee49843d4725e81ec6e041a889e919454a9bd74

SHA512
6a134a2551d813e7e730280d97a26f96a923979e3d472e34e196ccbd61e474c3898f0580538337850c3c0cd20d810ac5ac3c4c472bbc3d360fcb0336df85f018

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
843KB

MD5
0a4262d8aa225392271700030d08843f

SHA1
3897ae753dc8eac2d4832becfce922a0b9d963aa

SHA256
ee0add7c213e7e0223b65898be55f43326c4bc06ccdf5bf067ed35eea33e245e

SHA512
ac4f028a1c3f9787665373c21e0fbeaab84554baa4c22562912d95cb6ff2f75df88ad48e19521a96abf2f7e9f16c5aecaac8531144ae15375fe5876908a0421e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0d6af6362db772290db5937b92527a79

SHA1
2bdf5656f329504f0a6b39262fdb2cf64a7f9a18

SHA256
2bda19254d8d840b985527527e587345a31d23aa24e1450611517ce0fe577a2f

SHA512
359ef662878dec8983981e7f41873af633856c848a6fd2a0efcc9e1b781ccd53e6d6fc7d79955650018d2c63675493aeb2f48f779fdf082b7694f3cf2c4a0e0d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
341KB

MD5
dc7171c467a81fe723d107dc45eb5b1f

SHA1
c3f4f2b404ad54438d3595d9ceacba569a851a17

SHA256
757506a95ae3e63b30efb26f12c6d3d556d83708e6888a2d3771068f20f6b84e

SHA512
0938aac19d3dddb5b88179b19558b5d9ef16e0b71732516105edb4811ee689772f7ec3fb12f436b1cbf74f447c67483efd59b36b79171003af5d106f7be97ee3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
181KB

MD5
c02d1a757bc08b98a49ee6d1d370c6c2

SHA1
5dd5872bf08f65547ee4b92503f229da73d60ab3

SHA256
57133ec7c05ee06c2356e0c0ccfd718e3d0b025664c48423b2ed2ef154b8b719

SHA512
04b00990b30ac6e7eee755ec3436d11fa591ed672be3240ff4fee366664e5243ea017e80612bd7a4bd8745b9d3ed879d365ae528f53c62698ae8bb226e05e190

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
118KB

MD5
18ea1f44888e0b68246acea0b355b3b5

SHA1
ac200071385f548d8e759b707de3cb51e163ed20

SHA256
d2f7d030c316cf1b885e7b7637680970264c17da5ae6a1a14877133e9447cfa3

SHA512
ec97e7d5ed107907689d76cfd373f32a9c0a4f83cb7621a58be43e1b1d36fb86d3b4034cbb93fdaca275834eff00fd0fa3cd3424632c75528547cb4345bae3cf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
542KB

MD5
07a9b634692c4dc07ebe058af200d1e3

SHA1
5343a93b30458b44aa611663c6cee3318420c524

SHA256
4a62904c52ae93c46e049a4aadef58e3bf153dc8e37a4eb8ce814a02c4df8f33

SHA512
b403ffc8b9c42f7199bf33af7faec19e4e54f330444f322c5515aef83bd501e011c2b7c9e04807a4e5750c9ed2aa9131c63daab8dae1cf90f3f2dfaaa79f88ff

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
180KB

MD5
5d740c9a3ea3b8740e1563f501d85c9b

SHA1
483f8ec3db2623a511081b91de802b50f4aad4f5

SHA256
5c088c5c358e1ba65e07a73dbc93cc1f2c94bdffc54ae8fef0b886b40b748ed8

SHA512
960b0ba1eeb6e855e37772f01e8d538b3a263df09a20795e48026d0973abc24385e2429389124f51b202b4435ae1b381c07cd4ef1ba4665e8e25be68d3da093f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
237KB

MD5
50927aa0d9f9d6fcbc6d734ff10c401f

SHA1
a40bcdcd51f5df5650b27c824996661ab62dfa74

SHA256
d1e59237e3a7fe6e64ddf467f9125e5050f8eebdd27037dfac10de1c3f60b3b0

SHA512
66ae53cccd568b113fd105bbb5cce871459270f6d9d1469761c4a1e716c65bfddbcb24990068d71b43b6926a63c52df2608ad7511d28f0e39c7a88ffdf5137a0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
328KB

MD5
cbc4c52caed8b26a81a713b9c5d91f90

SHA1
a7bd1dd2b4e4abc9f0c713ed3766d38649a83da8

SHA256
3019c034906cff00bbdf9712b90f38dff38cad81a897288365ef642969f8024a

SHA512
d48016c83a38f1c521029ed74e41be8dda1d2841d7d60240afd70358d930c0ba0821daa034e087a9555b6de473ebf0321df878fac0ddbe794db5c5182c87f13b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
26KB

MD5
ed4a1d85c46b8b3a283200bfa9ff9376

SHA1
782b54765acb8bb8baff3b56a2298064bcf7d3d0

SHA256
9e6aa834d47f10a66a5d6dbe5ffaf9320c55309b9b4d8385e20ac12ff0786735

SHA512
fbd9455b9da5a72fdfb7dc54f4d291509d65b09f1b32f89b8b454ace3b73d42829e9a89d9f90f2e5c0c8c5b1a77f84609f9d6bf183e0db6c71ad8c1acab203db

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
583KB

MD5
4aba4984b0b74e20b2d5eab52e27ad1e

SHA1
fdf1f3fa2b5b03dc87b5d1c0f057808a8f14a8d0

SHA256
cc6c225ebfb984440a5924e2ea54a5da741e2c5d6e4ff1e5375e117ab06f41d0

SHA512
dfd6ceadeb4f189893b4f6021ee4cdf4729964f9681626c7ae95d549e3d03002b03fea8763832349cc0463db7b8bb462d635e88bb8a602112757830d1c11d51d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
b637a07cead70a4a698f86a3113029a9

SHA1
100235429f0ec15337cf3169964eabc8346da027

SHA256
ec2eb3eca5c805ebab3c3ee8a727e6f9f1accd1acfb269ac04b86ca87caab4f2

SHA512
97fbd5bbab3a9649ca2ab06add29c810e17805cc76ccd66947b3c3c443081ee902c66bcc58c7c697a05fdd8812d71155cf45d229b0b85820975b9132be37693b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.0MB

MD5
11ad61f13a0663f1d84347631a639b64

SHA1
a3b24a67e4792320262fbb0354b917941fc418d1

SHA256
ca6719b10ec9b346e825f1614babf775a841217656a0c3c9e0bb46131c7645e9

SHA512
34e39545115bbc0d0d017969561e02e6a19844c8499647369d7aac2c3ba4776c913e54d617a2594c740f6d36d9465e8a651bc106ec799e2127ea07f97ad3ffc5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
272KB

MD5
dfd78219021a4e2402df4bb72598c982

SHA1
3132951577566251af72ca6cc926d767f5abbb7c

SHA256
c1b3cf0fbfe4d22f291ed1c2a561aba80919799996d71f6bc2122b989ac1f683

SHA512
0774ee784a0a4862d32aa191170dce575199705fbdc5784f6cce1e2e31d510695c9a52c01c269cf3e8022599a461b5f28296c7bed90f5a5fa897ef8c1f95fbd5

Download Submit
C:\Windows\System32\vds.exe

Filesize
505KB

MD5
a4ee82eb794d542ccd6eb9bf306da09c

SHA1
a5c38895929824ad840ddfecee2629de0395d5d7

SHA256
9d0010c869411722d7cc59c3952e1ca60d8f61dfd35caafd4d511a64ece59b47

SHA512
50061428ee52f269cf2a32f69cab20da6279b408b94676f72fea0d8e320815eaa4c8d6ad81ea1c2fb88c32d864f0295cf374c8544165f36d248f31e2a8ea92c8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
274KB

MD5
cd8cb5970407c8db1d0562bcd03c4f10

SHA1
d7a85ec24f2936d126a5b94b8936123e70f84ffc

SHA256
83c50177785801097e94c535c1ec8ff9b75ebe3a5dd2ad4f8e60891e7552063c

SHA512
e2f17407a70c4d692f2eda268dab5bfe7f7836db2b577004b5d8f672454aa70c2ad5430339ce14dd445b5daebd3f5fff05328c0b045c4d68567ea1e1ef0d652d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
402KB

MD5
be87b4478dfab206cf52e413099b84a6

SHA1
eda2422fea329924ae3e07209516ee44bf9f74e8

SHA256
d6eb59b5fdb34aa2643404f8eb8374fa0aec25aadde81b7e441d01b8cc8fd6ab

SHA512
faaf1f961ea336f9e87535ba7272ba6fdd2be0c2c12d1af927158a518faedb8d09ad890332879cfe2045c1381f28f66e58e419d6bc4ddc4d4a09bac61471acfd

Download Submit
C:\odt\office2016setup.exe

Filesize
757KB

MD5
ea2a541ae7815627ee02d56f0064fb50

SHA1
f1b24803ee3983784ae74eaaafc20e31f9635f10

SHA256
fb606ad8a07b031c158607b8c92130170a1248fb5b4d364e3cdb003b109e4501

SHA512
ab42052fe5a25638192a3226fba0ea9f9413cab9945d873fa757d258f0cdc37607806ea899b35cecd5b9df670a26758e5ade662b1709520a724ff7725cf0a70a

Download Submit
memory/224-237-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/224-64-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/224-63-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/224-71-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/232-365-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/232-374-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/232-432-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1056-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1056-442-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1504-377-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1504-312-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1504-319-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1908-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1908-331-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1908-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1912-466-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1912-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1932-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1932-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1932-61-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1932-48-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1932-49-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1976-270-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1976-279-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1976-336-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2080-357-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2080-286-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2080-349-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2080-294-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2952-447-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2952-455-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2972-403-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2972-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2972-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2996-249-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2996-242-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2996-309-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2996-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3060-552-0x00000147ADF70000-0x00000147ADF80000-memory.dmp

Filesize
64KB

Download
memory/3060-553-0x00000147ADF80000-0x00000147ADF90000-memory.dmp

Filesize
64KB

Download
memory/3344-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3344-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3344-359-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3604-26-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3604-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3604-33-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3604-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3816-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3816-429-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4116-406-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4116-338-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4116-346-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4116-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4116-17-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4116-6-0x0000000002390000-0x00000000023F6000-memory.dmp

Filesize
408KB

Download
memory/4116-1-0x0000000002390000-0x00000000023F6000-memory.dmp

Filesize
408KB

Download
memory/4152-261-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4152-268-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4152-254-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4152-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4152-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4676-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4676-550-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4676-416-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4724-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4724-11-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4724-226-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4724-21-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4780-387-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4780-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4780-379-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4856-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4856-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4856-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4856-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5104-371-0x0000000000880000-0x00000000008E6000-memory.dmp

Filesize
408KB

Download
memory/5104-299-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/5104-304-0x0000000000880000-0x00000000008E6000-memory.dmp

Filesize
408KB

Download
memory/5104-363-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download