a3247fe3ecaabd183d04699fba5b67ca05fb71db5c21f6c8c9bbce64e5d23a3a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3247fe3ecaabd183d04699fba5b67ca05fb71db5c21f6c8c9bbce64e5d23a3a.exe
Size

1.3MB
MD5

ebbae19646b810b16d21e4c4d9315895
SHA1

cb5cbc5ab744f92f64a4aca003c6ca4624595189
SHA256

a3247fe3ecaabd183d04699fba5b67ca05fb71db5c21f6c8c9bbce64e5d23a3a
SHA512

578531796f921643b525b0a3d6c899454dc43721ecbe78cab9bd2edcd6122e8b1f1eb7e689083579462c360e850a4c0561a649455e21851da957daec0817c90b
SSDEEP

12288:o09B+VPMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:o09BfSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3096	alg.exe
4820	elevation_service.exe
3884	elevation_service.exe
4204	maintenanceservice.exe
2896	OSE.EXE
2608	DiagnosticsHub.StandardCollector.Service.exe
2132	fxssvc.exe
2808	msdtc.exe
3136	PerceptionSimulationService.exe
1632	perfhost.exe
1576	locator.exe
1804	SensorDataService.exe
3876	snmptrap.exe
2120	spectrum.exe
4844	ssh-agent.exe
2936	TieringEngineService.exe
3732	AgentService.exe
1996	vds.exe
2132	vssvc.exe
4796	wbengine.exe
3264	WmiApSrv.exe
3836	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f390e356c4fd1e7a.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	a3247fe3ecaabd183d04699fba5b67ca05fb71db5c21f6c8c9bbce64e5d23a3a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6bf07c7ea72da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049d058c7ea72da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c50873c7ea72da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000060c35c7ea72da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000570a54c7ea72da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007b7c1c7ea72da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5f740c7ea72da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4820	elevation_service.exe
4820	elevation_service.exe
4820	elevation_service.exe
4820	elevation_service.exe
4820	elevation_service.exe
4820	elevation_service.exe
4820	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2296	a3247fe3ecaabd183d04699fba5b67ca05fb71db5c21f6c8c9bbce64e5d23a3a.exe
Token: SeDebugPrivilege	3096	alg.exe
Token: SeDebugPrivilege	3096	alg.exe
Token: SeDebugPrivilege	3096	alg.exe
Token: SeTakeOwnershipPrivilege	4820	elevation_service.exe
Token: SeAuditPrivilege	2132	fxssvc.exe
Token: SeRestorePrivilege	2936	TieringEngineService.exe
Token: SeManageVolumePrivilege	2936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3732	AgentService.exe
Token: SeBackupPrivilege	2132	vssvc.exe
Token: SeRestorePrivilege	2132	vssvc.exe
Token: SeAuditPrivilege	2132	vssvc.exe
Token: SeBackupPrivilege	4796	wbengine.exe
Token: SeRestorePrivilege	4796	wbengine.exe
Token: SeSecurityPrivilege	4796	wbengine.exe
Token: 33	3836	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeDebugPrivilege	4820	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 5504	3836	SearchIndexer.exe	128
PID 3836 wrote to memory of 5504	3836	SearchIndexer.exe	128
PID 3836 wrote to memory of 5528	3836	SearchIndexer.exe	129
PID 3836 wrote to memory of 5528	3836	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3247fe3ecaabd183d04699fba5b67ca05fb71db5c21f6c8c9bbce64e5d23a3a.exe
"C:\Users\Admin\AppData\Local\Temp\a3247fe3ecaabd183d04699fba5b67ca05fb71db5c21f6c8c9bbce64e5d23a3a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4204

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4788

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2808

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1804

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2120

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
293KB

MD5
52440cc0c4860c769b7424d8b38c055e

SHA1
3424a0a35ed9365544038c8c38469e1c48981814

SHA256
1b11e7fadc07b8fed1786d5c463b15f7cb43e714ab9605c480a13d048b1c4e67

SHA512
fe2000ed4c92da9df227b3f6ee5fc46ae2f42af39933a0d88e10c847081f4973fd4dfac69b1df0481e6819a2cab0c3fdecdc3cc1c8f48e7ea6eeecc78e5cb322

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
729KB

MD5
a6af4ffcd8fbe901bb28124dbf6a4fe8

SHA1
9ef64b44c5fb0e9f5b600bcb4cb619bab5eeca74

SHA256
c20e7ec56369e67862316f073a59af72733c0c43fa43c310aeb5338b824c8e2a

SHA512
c7c31c444d1ae2444946fff04de7a37b750d71b2ecc1213a5188ed51d08d5a4862a4f4384f62069199f3606a17404eda5447792f25dc7d05f374498be85f6cca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
68KB

MD5
81e585e795f1abb82969768042f99756

SHA1
191a69b8542e38c747ffa21a4fbe4080feeba04a

SHA256
76de2817d0186d67a12b7628d9b869007dc6d54437c5ae45aa70eb3b9a060cab

SHA512
3d3dccb9dcb7d1c755a6c87d6b162419136f9b3a9a801cc4beea63d5aeac60eab386e9f861408b49e6155947796cb0485c0a82e81e637e26110f51e25603e922

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
117KB

MD5
14138a9bab3a29994f04b931345239ae

SHA1
363243527d5e0b17533e79dba9cac64b71356831

SHA256
13c6bb2ed7745af3c09ba9bfd64b35decdedce15cb5429666b88621120961bfb

SHA512
e763701b7283f0498dc863d06561c269ab86b4b0537dd53a866abbaf624f3585c026572a258a2257ebdcfaa8c98ae829e91d3d2c45668d0d01ff7d8ad59e91d7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
329KB

MD5
82b786fcfd7df3a6db8fe2362c60c75c

SHA1
5ce4e767ae797b166bae631ca3fa3d4d377b4cef

SHA256
056ad68afc76b38f0d6b26118095d40b31e0cf6c962c04fb88bb2cdf69a67595

SHA512
fe1bd7751d57bcec40d22251baf10711d29b76a5adb1e3db79232c0c1a1f55749340819077824503fd622b7a256b7a93e222f979b3de0fc807954d8daca92a36

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
292KB

MD5
5901530639a21404644a8330c35afc41

SHA1
184568914af6c11e1842c748ac4d180769658b34

SHA256
e9bc27022cd2132f6f6a2b486b4dc6acd8622f48e4844a3e1723e65aa3ba6d6d

SHA512
1aa1f353d73dbd383520e9251204fdfb01100063a83a43e865646057e7489ebc208e662de5127c7b2aca4cf2f391ac65902114340e83fb82aa3c20c6c4f8d6e6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
247KB

MD5
817b5811fafd00c6dcac09ed3b45c700

SHA1
ce2ca70dc819723337db81a5d832a3de3f9937ce

SHA256
6562bc07f8b6cdd7ad2e0e917d8ce767b8a28a01a3fe40d9bd4316d4ecd85b16

SHA512
c3b556e31fbf122043d4eb82fdfad30ffdfb9befe75772c83b5551027db9b85061f4e8129131ac0829e75c7adadd092655c73b0ad0050a9a8d8bbb47053630aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
193KB

MD5
defbf0d3e15e17e6d43cf4852139e92a

SHA1
c6760bf786483e4826c17e7d73762602b17e0c30

SHA256
aab2af0e62af9abd8bc476901e1cf2ada0efa9449a8c7a122800cfebb62836df

SHA512
edb3cb2c286cf6443dc509cf5f3e77babac8e6ee602de9ba42410546eb411bf0aee71da299c0f764ed7bff80c6baecbbc84bf9d39a888c73f475c7bc05e2c30d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
259KB

MD5
3908148dd09e460ac42ec9b8814c75bb

SHA1
54c89017c61f6e93d5855acbd3a4509b82a099b3

SHA256
a696158270a09a4e5c8d404ab7f6ca7fce1eace8321660d05753eb3ced2e3b4e

SHA512
4379f191fd7fac33c81390b8d0a684d3aede3ebf0ef03e285446c83f0d49595a47296e599ba6d51ccbbc24475fa28ae5451fff68fa8d6ff5b5d0bb9ff4ce4414

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
224KB

MD5
032d8aec027cc184db19f529ecacd19e

SHA1
7bf8f84ab39601754192340ba6cdf314328260d1

SHA256
3d8cfc37cddf1747a405ed2182a2c945ca1bd7dc7fba26d09c353d8e9dc38955

SHA512
1708bdaa41d1c83e22e64b3e0f4fd4d0e125d3ed0a7c2d16eb8066ded054d1700c33f1e33c8fa031b591f119d8a10e9cdc327a7674b4249ab61ef79469e58379

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
178KB

MD5
fca201acd0fd0e0866bd289c118c41c1

SHA1
ae63d225264186c03070426187c9de67b39d72db

SHA256
db8bce502a3d672f85d34f503f442a9c9c26275055a5f3413937ea42864eb8a6

SHA512
ac81ed624d77ba13ba1a813be4b00a896c513fab4bdba5d1a34ef387a506c433826856005152bff32cf538bca7e9811ac8e1cbd6c07d5926df1e6cafbdcd2838

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
116KB

MD5
68e89e091a21676a9659f42f56ddf2db

SHA1
da26ddab226ab5fab7651418a43f6d95dfbaee57

SHA256
6cafdd9a9fb812c59d887569baf0f523b974c9a9c05b1a1da94888c62de434de

SHA512
64ab9aea57d5cc619e8b50382746201b6dd1ec0e43d386a6db0f58c652f19c640cee1f308858fe83543b3fc60f773a334894ed023264b5ce8956f6a5680e63b6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
411KB

MD5
dfe007387d2a62bebefc3968a9898551

SHA1
98baf5eb3eaf473e811c17b1239c2b2f0fc7f436

SHA256
a13f2b3a6d49e97f060a2c7f3ffa0fb17c5fb8929176d9a54f4b247b38476b7f

SHA512
720d5b2c4dc7f3f371850df9cf2535a114d5922b4a853c99f83c1fa35f56729c1aea0e0bc65ffac969472dce1b4ef7bd81ad73693b0622bce7583627befe28c4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
383c8ec6f480ed119ec390a4ca59236b

SHA1
e9288482d7fccfa07e737955ff882973fcf334b8

SHA256
dca72db2695c840528c721b0d62099c0bd2c75235bbaa16281e8408684787339

SHA512
a857a059d0719f57892a514dbc9d08db08f84546ff1c67027a51a8320b5ce9b8d9fad5f1dab1885196e20058de81acf5af09d1cbde4f3b73790036bce624581f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
150KB

MD5
2fc4323abac7633acb4d96e594a2c60e

SHA1
69d04e2c94140054d6c8d86a4465db86571427c1

SHA256
60812b186d7083f9797b769abee62b48404a4739193708304b548e4b286f0833

SHA512
87a8026f23c26b44caf606cdc1ca5eb648b6cf7c9f286bf5cd72ab3d22c9a4317c38cae10cd66ec30cfd2604c3c80ed8147c3a73c76277a0b03f6285285a41f9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
197KB

MD5
cfc3c203646e42c3edeca6ff70c7c576

SHA1
3636ae9d4b3b424bc68bf8ac219d0b0a46719115

SHA256
dadbb1e2cde3835ac39962cba764f9f6fe890f257441a19cf1ad0ae6090e9c31

SHA512
b68a37e92b6824d0321e56d0f6739aa3fc0a2e9e094d7b008aa94192b83de47ea75813aa562ac2f81dcc502762bc6a8272eedfda9ae09d433c0c800ae2bef3cb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
386KB

MD5
b377179a0a6498aa29a2004b25ff593a

SHA1
32564c8830ecad0b7f005efafd605970b1ee207c

SHA256
0c4dc4758f11d3b1ca03bc4446671cdfeea8fc2f0638b3b8a1bcd92c8cb5bbcb

SHA512
7e597cd83dc21dffc7bde988f43c45469febf59207b0a1afbad9a66e29ecf36f6d5d5ae1c1deddf729753882213b3e8718332be73efe9d5c9b888b3ee4ea7465

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
182KB

MD5
bb81258c27a23d3247b5ec2838ba64a3

SHA1
ccaae1e2898a20888babd46a8bf152b8adbe9316

SHA256
5bf8d6e03313509868f92b0f44daf7c5b3bf3f3d1aa7a1df9e69812aed0de807

SHA512
8703fe87d4daabd1a1bd624bba40f5c2aa2cbfd165b99db40268b525b47f5cdfbdfb495e94836e3c024790f84be36640301f40188c6d38acf0370d9868f16dc3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
363KB

MD5
8c75703cdb3dbf56e2869ce9d8a24db2

SHA1
1ebe860bba38aa364d401e20246ef0e74a0e2e9b

SHA256
1e83ed6085bd3f384f1b24728888ddc59264b1c1dae863526312dcd69427d3a7

SHA512
3b343b655b1e3fe168ed30b4b88e1c1cf2182548ebad1c492aea69086efc6010d96fe28c574398d32ef61a0231a88c2aed708d3f860191805c28ebffc5a0456e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
200KB

MD5
32c4ae15fc3c6ffad9c3374e9b218fd1

SHA1
324d3ce42c05ab7f8c199bc12037ad22afe54196

SHA256
9f0dd149a25a048cf7d2b3d1e0a38b37716003ecee669d3e2010cfbf781e1274

SHA512
8f43c37c3c6ce7dd3d578ca22299d51b9db7ce10fb02e93f2be08413c136487061890bce5a39a2c97133620bb922a3ccfb0e7d171993465a97c5224d600e02a7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
326KB

MD5
3599bf96d42642eb87dbf755f5b856ea

SHA1
1c04054bd4527a52a6a7efcbf6d4f4e8669eefd0

SHA256
e8dd724766ed87f472de4f8fa1142baa9ec9753a691da981b2062bb1877c35af

SHA512
df648285346cdaa35103a2db64ec1f50f78066761bc9d70fa9707c7ab2446415efc13ff29177fb4aed478030c2fd90d864b8266fced7f3ede0456c1d607130e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
183KB

MD5
9c809896cb4335f8869fd3175f2ac627

SHA1
20a1652caf0fe1e3a978b901ad5596eacf7c87c3

SHA256
a2015548a08cc145b4b68dda6977c21d3af2a5a332ea1496a6faeda1c1d13c9b

SHA512
a9488d28db97b969ec17a1f0cbcb37a8e19d637a990a0bc51bb78bb1ea5b7bde0321d16ecb7a06b22ffb08e6db5d4ff7738487634d0d99f0d2a71d6bf478cfe1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
237KB

MD5
661d3463a8d1af5beb03aa9de11d6065

SHA1
509cb568fb6046f9a553a5552271c20e05870a16

SHA256
66b2876f1bcc3f9769b8bd8c3f78daa2872be5d32bbf191ecbc18b5e204644ee

SHA512
5bfce54ba7fa38be1271e1681b99d49b6621aac325a30ee6d2ee3b4b37a8fed700d61a72a3b387dcd72e7c4b6619d90acfd0d1c8c935b7f328ab121c218619ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
289KB

MD5
6b87e1cb98b2550dfa5412e59291de2a

SHA1
029ae9b2c8b6693c0ea83d3faedfbe4c2df7605b

SHA256
f8f7dca98f8d0dee8a905db7f9077961a11f2c65e9e94bce4bcd9920d8879bb8

SHA512
fdf2da328212c37c74b6da10d4bd97afba4dad07fcc69aea95719459947f9fa859b8ebf34052937b21f191a772bdff9cb513759454e52c26a0e77b6644a4bcb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
243KB

MD5
03e24e87e3b16ce8c37dc75eb953b40c

SHA1
d8f74b91dace09750a7eb657e088405ddef62648

SHA256
4c4a0db8884dcef1021cfce11a5382a4301c6b70f30ae5390cbcf212404ebe19

SHA512
4c8bb7e8265cae07dc8ab361cb68792388dfea7caa3dddea48e9785857d72f212ba63e309d1f8cd98de3a729b72ad0efe2d708c6a4ce632d6ab7055fb5a4ec2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
321KB

MD5
82977219eae5cc4bb1fc77c075fbcf07

SHA1
568ef714b393eaa4008cc5b640ab8ece713e6d59

SHA256
395c5e099b43cc3b13af0f36060acc5c7fd29a5d78269e24601b898edb04971f

SHA512
cf83aad7fd4620c936a24a6437fc5270eac53cb5eca9d1712e557af1ae0133a1abf4625cd8ba96c747fc68a6b37d1f86691751c68ecb5cfba9ce855fb5ed683f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
244KB

MD5
bc45e733859c594805de370c9980a61f

SHA1
94a19d25f762940289c31492745bd2f2aefdaf69

SHA256
2d9673443103455552ee1d173eb525eb96cc79e0ded0959c786b10f2521ca4d7

SHA512
23cb81ebb371ce284f61be3f912457017f59a2eb8f2717b501b3acf4dc876db314222c15e2b4141a2720c2d1f97215da5bf5f18cba17aec7a7eac368471c863e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
309KB

MD5
9e8120121fb76270adcfc877055936f2

SHA1
c529674627e2396eeb3c56bd8a8e2df0017d6609

SHA256
fe43618a608b63984ef1ec9ee02fa7c641322945d2e24e9029c97cf50f543f40

SHA512
8352cabbd0a11e8fced6e0cd1b8bdeb0491dcddbe63a3d5403c6f53d9dde831dcd4019ddf51442b5e15e46b25de7ed379eb79a5388759a5615d09ef91b8075d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
349KB

MD5
470d0087acaa015849351a6ec7e744f7

SHA1
0ae99cd9cc2cec824af9940806e895dc5f586a4d

SHA256
3dfa7dc65bcfe38aa2a7c672ac56d1b25ad39faff609e024daa4543aec12502f

SHA512
bebe89bbb2e03bcca8a19186092b3f2089c0ad1603f432a093c383d842ea9393f2f22fa3d8cc63b19370ea49e50faf2a5b2850a80bbf2e1641b170994d479152

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
283KB

MD5
45016ca3ffa51f18eb418038c944761a

SHA1
1ed2f676647a128e5467e26a6a3a2018c5a06bdc

SHA256
2321d60b1f1c996ee21b83a1645c4de9be96ef6a9479089b96ef4ec8a453d942

SHA512
b40510e8854626ff89f0144ea45f043882a6f7a3a02edd15268f0754441c4196c9de9f81935c1f03a1bdd333fd960f256bc02dd86bda9ceb4e1b8cbcbbc28ba5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
149KB

MD5
a3ec8a77c475911def7f5a2722852826

SHA1
cbf385bba49c095511e731576a59003cbaa02bcf

SHA256
ff96ea344ebf9745141e98edc020585ea36402565a53d762adcf6a9e42189168

SHA512
e687b551c65c2280bcc6371be0930ffdfd01bce0111ad31cb47d446e3dcf2bd26d4c33081c2bf33b66d7787386fc93b149e67505388c2a326eeab95b79a49b96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
360KB

MD5
db2de3176b06a2438b2ea7dac25f28af

SHA1
c47e41b3ed5b8a124dd766b43b36c2a3513f6d42

SHA256
d699229a6b82ae749d4b90fb6bb7293bc1be15f66e47491c8939c933b8073812

SHA512
1287f1d1695a88af5f2ddcfb4de9532e34d3df925a2d81612099ec43596b8b6285f5c9575f3fe42e6aca50a0c43795edc75fa9a9286ca2135056efc15e554d8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
175KB

MD5
717fb96afeafa287658265ebf1f66125

SHA1
39a12e2132da894490478e35b2c44ba12e7821b0

SHA256
4074fac77eff749d42828cc9c3190adb08a06b02500bf0aed53bf92b94c655e8

SHA512
e9f83fbf5d0031508db0fab4b07456b37957eaf816cdc03145f9c630ff3eda2943b38e8ae7cc4954b9dad3aacce1b78de538c80d9d20f77a094136922ad74fb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
77KB

MD5
ceea5fa59ce64cb8e76e98c3f370512c

SHA1
fc9ab1bdf5d12726c93e09500b27512c0ed91e91

SHA256
744d440ccad8662c7fb31def501192c2da33a5770125809ae653e0132c13c190

SHA512
e517dfcf94e2592da59fa29018a207ce2e65faf984419790dfb117884bd0bce6ce744794e2e5b17c7d8f07d289e64785c50546171b93ea3d7651bdc64e4b1933

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
41KB

MD5
f38bcfc3b95da5a29ec427010c059456

SHA1
b7efbbba7b938e7b3e1c16df51585ea489d24a88

SHA256
116ec7cf8fc206b6cf2a230ef6d921aaa15737a8c98b523dbdcf859137456bb7

SHA512
5c3c80e8cc5ebc16a33850571dcce1cfeb43822f35f0269ec998a32a584b8601fa29ddcb302f4f88f301042004ae134ba292903988900b063b1d9a00c05fcc8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
117KB

MD5
097cd005fe990732ede0a5856e5556dc

SHA1
609e3306d9e0ff7a396cf97e318306d6500fe311

SHA256
3dd904ccf9940f4b60d807abfe4d8d3776b3a33cc651635b3470c03499463222

SHA512
9619d8892c4da9d500bf3fd4f4a7ed6016c95110ee99f897c826628b601c050aa7674ed8ab80a3532884f5b938f6303f50db21b0b419567342568d5b80884dec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
147KB

MD5
f30ec103ee50a85a3151e865d24d9f69

SHA1
7100b2cf0f1c54136e54d2b9b7213e64220983a9

SHA256
f6fdf25863081ab2c9228a85de0e568e9ea73445c9b5a8fd24fc9fe426c604b9

SHA512
da7487ee23018d6421c69fd45902e2d276be0491f0361b63ca885273712a5514e958c097f4432dfd48cad9e7386abd6006118c5433ddb7fd7ce0821e07143c13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
11KB

MD5
a1f4193c2dd9e1db7582eb58e323ded1

SHA1
9d8efa503e9a8ca27a1fae4603beb606ff0e050d

SHA256
f117a161e810e55cf41957d1cb7e6f3a87a940658707d2b6deab5da8f592dd4b

SHA512
0bd92841a020345c4dbc137ff21a0edbe8a201f40b84de154404282a144e0fc0ce68921f71ebcb3d9b2266426086a07bf85177b63ee0cfea437b50e9a8077654

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
64KB

MD5
2bd401f9f6d928a48567a568d666aea1

SHA1
3caee79f93c5bb199a07fb4c1ec6350bce5836b9

SHA256
016c6ed17e179bf707b852c4b2ac099ced890c5945ea1056a3c6042ae7d8ff14

SHA512
b12959f6b4a89668ed981ea466abeebec358f2b21bde4bff29068ae4ad4d37d1ff923b8f3f4c62bbb6a913f4d1c6cd3f0c0a6a68d17c6e07504650fe98f7fc62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
85KB

MD5
24f179d10439b268d1b824808acf5cfb

SHA1
1d9e1c51362ac7f0b6168d780ac246598a171dfb

SHA256
982f2d88af7aeef5203ba9106287a13e244f33181da17dfeffbcd5021ecb6f1e

SHA512
29bed26135b5689b73f020141806fbdc9157744e501f2de511b3c95f6fc1adcfc4e423b0089705de771648299141faffef40d239d84818ab541dc78704c63301

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1KB

MD5
2ddd5ae89c08712fd8a9bc523bf055c1

SHA1
7259d1f70aa836162cea07d18914645b302d4d50

SHA256
cb57b3cfed93f45f92df2e7535163ceaa4d22af8dd605c4553935d11c751e5be

SHA512
e3c0df8bd951f684d9b970ca7ac41b4bd304eae426ad77aa848dff29271b537c24db63da0084ad839fda87b1f91246735d56d36352f3266c08609c124afe754f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
92KB

MD5
f922fd9e76be4b647b1a012c5555ffdc

SHA1
85056ea3aa691471b0e193f0a7951a8e11d92695

SHA256
fd6fa1a79312b61d93afb4c97e6d97a8cd8f02befc94623cfae5237e70b4b81f

SHA512
cdaa6662d8b8e0099bdf840a86e562172f00d3be17c9d84163a5127c499b7522fb8a61f44e7a6bbabd0cd1a45097f5021381cd65f0a1d90a8750dfc3953c0fd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
94KB

MD5
ad1adc684d3dbcd4772956e5d10ead6c

SHA1
a212baf0ca4ee298bd4cb9bc4ad0dc17159f8c38

SHA256
fbe8520899e38dc8db723f16a46a224aa47d4ee6d815376c7a84b93d323470fb

SHA512
2798c5caee52c8518f3b60f1cd62029c9ea3b57a5673f86d18c616c02dd67b3352b2045a2f207399844777ee15c81817c79f385c23af680e176bf2a757cdf601

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
410KB

MD5
f4bc51abc0bde12b18317fca634d1206

SHA1
4496bbe41e40f40d24a7b8848406d8f010f7c8b6

SHA256
49c15d91e0935ca5b28be80dc9ba9be5942084c2eb56617d22c3d4e7df560a70

SHA512
fb1bcb4c843fcaffaca4b7471533c709637e35d46374e7a18d9491a5844496c35f1d4ab3a22c6ff7d14cfdac786b59ea1d2f464d536bac24299faa54a6a17e12

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
421KB

MD5
3d47d3d6dcf161917cc4c9399f0c08ba

SHA1
bb1822aa3448094a58f00ae6ac2709bb4c12af42

SHA256
aea6d6f722e3b7cfa2f7176ad11d1108af6385aae4a36f831b6a143f32e71a95

SHA512
e883863e079005436a91956def5e4092b754cd109108f32509a1268ba1339fa9e3f8b9c5c950d587dfae1bbdfde1ff2cb7e90080a6b7d22b1a4a63cab08a1bfe

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
440KB

MD5
cbdb9e415e3be79d63d1fbb6876229a0

SHA1
b04fae0a38e9eb4cff334343b4c0ee4192611d7e

SHA256
4e70716663f8d20cd205075d58b0062d7f514f8882ba1ae4229f21252002f1a4

SHA512
3e9140db80ad0073d8f240abc0ac34d25561652ebc26bf3933e2097cac24a54a8381ad25c79b081e0b2964e7de885791f9d6e86cb004959d13525ae4e264e9dc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
7db88d3dea12be0cb011c3a8f184adb9

SHA1
8fde2a8703e95d1e08ebdae90bdc983f6c711546

SHA256
dda650a5aef7c3bc1e2bd230a193b32559dca1fb88df8f21c0a163eda4590824

SHA512
9343a4e995ae44667a2ba07cb6a10410abe1505a32f81a9baba641b236ed767077fe804ce1df1d3df706bed0fdbbc7a11cd508d6b12e149c4a9eebb45a792364

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.1MB

MD5
9c0a4d1ced2abd886dff3f46c9b31028

SHA1
c77056370327030c9d553f864255ee58744f05ae

SHA256
f02c29524d314de604f3a68c16b7e659e78a17b5337a1315230eb489677de97d

SHA512
2999a9a9f0ff2458ff155388c4ecd8cc7334989aea2f8609ac8c535e4e790288e8bbe7f219efa3d8bee3e2dde076876ea5aa9d6a48bd25434ffdef92657450b4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
285KB

MD5
809ceaa7e4d8ca140605272129e88ae7

SHA1
a43a835af35dbc822018768f96507b133073846b

SHA256
5d8579de97d5317cd2cde9d370e0d4597cafb4eacd3d9539f206360bd933a09a

SHA512
9649f84a1b1f313f3980c7420df6b85f3e42c578b83f781f60963ee294270b5cb132c4312f19dcb42f3aff25edea2ea6e81b92a22fa16d5f93a81958925f15dd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
595KB

MD5
0829f0ff032410cda9285861e8fc45cd

SHA1
28e36fa4bfd9d97330e20edb5809adbf8c5a6bc0

SHA256
c280e9ac851761c1fc82c984d8f2b4e5c5150e23319f6c001f14af7571a61b86

SHA512
3c83556bd351dda355706183b9033e9aeeeae313b8c7df71f8ef46e8355d10320bb6d9990e6f1afae72f23335bcd314c07f3a2ef327b024bc4a6a032ab0e6d73

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
561KB

MD5
2209aa757ab7c04abee589deb558940b

SHA1
fc32343ed88fb5fbbed6c62ddc44fd88e4b1b088

SHA256
1f4ca3cf91d966901ba16186ae93a9cdf30e067bc6fb7bdee33d4ff51c667dde

SHA512
2528a97fd4d0eb070b988605aadc8334af7c1e2a5d1e2a5f09f37178026966a4ae777a17d29432b6727d6fd94eda6d59e10e9fd42c78b0f512d3a071f6c1eb14

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
790KB

MD5
82d0a1eb569639c19a774f70ad525b0a

SHA1
f0b5fae71f0e8b8c1b0181cf69b34bcb2f0bcd05

SHA256
2b79752e6c6eb30dcd670d4e74627650074d6f1e106e1eea7e3ec40c4906d519

SHA512
b4281f709100c7e8869fad11df9936d81cbcfbfdc109b22520291a9344b0bfb76955f27f3b0f058ac66ee2cc495d19a36f54c9324d177746328c12046ac67e37

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
105KB

MD5
1abd8b6baa282f272b02ce3c63d17a3c

SHA1
a63c158f7286479e51069db095873885b4fab598

SHA256
ea5d571a6c658751e9d82f4869498df034a07d80d6b5acba94015aade9484dd6

SHA512
279986e1110df35dbfe7c8dc68213cec798d283cff59468238fc193a166b573ec8bd855d0b1526b5321fd4a5bb4a45a0928f5965fba05210f0fe00b907219a50

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
253KB

MD5
8cb677523edc136896fd093b7f6cae92

SHA1
7a23c5f394d60c6754b5c0db5949be195cd0165e

SHA256
ccaa638631750c66a4ed1d89fcf0080f8a2f8641bfb8da66b4b2521fb8f883a6

SHA512
692ed2ac26d6cde71da8b5dc0b14f7172fd1b7b2c76287b5a5544aca13d2e452ca569ff587447d07eca37126b0abe97f334f80500e715dccd5dd03ac957efe4f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
496KB

MD5
4e2b4a90f5edcddc9d40b4f6aee3a74f

SHA1
47f7b3891cf5b0668eab00241956f6f3b243206c

SHA256
91f0293c2eee6d0e0058abf7793c163f8766fcfc82db47d8cdaec7789953722e

SHA512
5700ad46bb57dd17f76921bb123fa69dc71ecf433a216637f5985993c887d7a356588c778d0d6a488f1908c17aafdf5f640f85ad96d4d08e41602bb4749646c2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
369KB

MD5
5763be0e3100300cbecbd67e9f85ec04

SHA1
55e97ef19a6e991aed38466b406b5b357557a4d7

SHA256
529432632c6a36f16e6aa57acf62ea9e6c12f079badb9cb27033cb532d1362d2

SHA512
a9a426e77a30747ec9af316559bf14b45039448dc0bd8841034c34d04601361dd4af83a1425a2291d258b48b90c70c6ade2711ce91789d3371560f330611e6c2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
97KB

MD5
9d86cccb822d73b0f7512de7653652f0

SHA1
02ddbf7cdf6cf3eb83e87186a2dcd2c95acfef96

SHA256
e2bc517dd9f336778f5e4dbce3305ecfa765a9aa44d57093c70bea638406f24c

SHA512
1e4b31748f966a2c9cf192b64453df51334244c28610b4eb6db26fc0f9f394ac51a37de786ef84bef9779be6a807d29074fd825f9171c9f0a837b56ac4f1bf4c

Download Submit
C:\Windows\System32\alg.exe

Filesize
777KB

MD5
708e9ab750f4ff3e2160df75768f68e4

SHA1
2a053bda3895cf8a10e53bcf919afee1e2552fb8

SHA256
9203eb9d583e68c589fb3dc19861e292548504b2ceffee67d392f28db4b27564

SHA512
275d337d6df30b6fb496ed7487c234763ac790b0e52f25a646ec6ed396a536abed9bee042dd5dc40f83aef4b4baf1e9b72fcd2f0d433c48c7bf433892ea4e7cf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
764KB

MD5
2fc73e8348d10873e3f305c18bd34d87

SHA1
5fcbc89ba6efb9812e7418aa0ceb21c458076561

SHA256
32c8adb0fdfa3c29dd6ca70debae481d70b5adca4595ccd0defabe1b39a2f6e1

SHA512
1f020c11ca56edb6021bd3c53b4eb9331831d10096398df0ff12c9e7c527c63408bf9fdfba4a7ba5df49e5462cbd5457bb88533c0ed0451f075a109500cd17e4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
70KB

MD5
cd43d8971f2ed0c00ea633bc557f5ab8

SHA1
20f4f3a6c8d3f51cf570dd366cb2a985e6bdaf5b

SHA256
ec88c24256af4259fc06774d5e3ded73777eecb3099b9bf6bb748f3156743101

SHA512
ae192a54c54030ced1bb803d8cd889e54b0925b8ef14b15a106d3df165d2c8045441f4bce8c5261f1532252e45874f09d2a8ef7be1962926e37004fbf9c1daa2

Download Submit
C:\Windows\System32\vds.exe

Filesize
57KB

MD5
3968d2b41302eb0caee26b6928e8999f

SHA1
629d6de63603e16855f8d0bd7008499b3f0a7c87

SHA256
851cb5994ca8930256dc74966898bd2de86fecb73cd707e5fe0713be904b5cbe

SHA512
0add016bedf910b13de2b7685d1ef9489354a1e3c3ccf3c9f693b926289091df0e11aa15a1ecfb79a0f767571d65b5cbce1ba18ea1e072167a89d72bff763d24

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
285KB

MD5
63d1f413884ca87e97afdf6e2705f9fe

SHA1
ea59d6ccc4aeecaf4627b0bf8cf8fcbf661a14a2

SHA256
6d5811da0086198d5749763e836bce54bf5637967bb2f6846a4389529dca9a4d

SHA512
dac3de04d3d44029c57bda7f8c4af6c06f5ec2b438eb7b3689df8db94f8aea28e8273ff647a3235ee06f9f7d01597323e65faa973cecc83bc7f657620e4320c6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
49KB

MD5
404514dcad1c383c7b2c6292f0ac7a59

SHA1
51e15b83f4471dd532f21d139c216c5f442b90fd

SHA256
6de06ef6ab8358ed07f3c603ec6309779bcbd0903618c50c6cb1ca6882b60b05

SHA512
3d747cac253576aa13eb14704a1be5e12e39f08892a4354da9e6218e5077f43c22664286fa9ff7faf0f7aef0fd3413fbf16148acf112e616fe422cd13ed2bc84

Download Submit
C:\odt\office2016setup.exe

Filesize
144KB

MD5
cf4918456b8e316f9646423b44c5b3de

SHA1
b6db032baee02be3044b73656e8c01715727fa1c

SHA256
b9ee00f43efa94056e5f6298e141637db6a06784c69dfbc033643ea106a111fc

SHA512
d8183f2dbf6c2fd9b1238e1f45a11e1feb04f1999aa6c65b17cb59fbc062f8f060f92bd95d8a111e1089bba59d7409dbbff10faf42400bd65d8defafb0045207

Download Submit
memory/1576-378-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1576-321-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1576-313-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1632-308-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/1632-365-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1632-301-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1804-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1804-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1804-333-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/1996-418-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/1996-554-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1996-411-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2120-360-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2120-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2120-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2132-270-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2132-264-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2132-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2132-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2132-430-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2132-256-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2132-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2296-17-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-6-0x0000000000810000-0x0000000000876000-memory.dmp

Filesize
408KB

Download
memory/2296-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-1-0x0000000000810000-0x0000000000876000-memory.dmp

Filesize
408KB

Download
memory/2608-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2608-245-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2608-251-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2608-311-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2808-338-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2808-272-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2808-281-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2896-239-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2896-66-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2896-73-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2896-67-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2936-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2936-380-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2936-387-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3096-21-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3096-13-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3096-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3096-209-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3136-297-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3136-350-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3136-289-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3264-455-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3264-449-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3732-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3732-405-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3732-399-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3732-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3836-469-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3836-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3876-407-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3876-340-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3876-346-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3884-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3884-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3884-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3884-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3884-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4204-64-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4204-61-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4204-50-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4204-58-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4204-51-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4796-443-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4796-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4820-26-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4820-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4820-27-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4820-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4844-373-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4844-434-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4844-367-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5528-555-0x000001E494A30000-0x000001E494A40000-memory.dmp

Filesize
64KB

Download