5f7fc0539ae91bd88cb9e830312faceb8f14c6ce51c1c945c596f0104bf44d7a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f7fc0539ae91bd88cb9e830312faceb8f14c6ce51c1c945c596f0104bf44d7a.exe
Size

1.6MB
MD5

9179f91d6579af6f84e3927ab55b055e
SHA1

5026d786d81afd5431294805be2fd64f1b1e36e5
SHA256

5f7fc0539ae91bd88cb9e830312faceb8f14c6ce51c1c945c596f0104bf44d7a
SHA512

a4b4cc8a1d0b36afa009ff55c818f3276cc7d3948a4efc81b3cf183a6a62b95b9dea8e8eb92f6e19b98dbbde8ac615ad30297f442e9aa5946a4e8ee57b3eaed8
SSDEEP

24576:O49BL8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:OYLgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1436	alg.exe
440	elevation_service.exe
2028	elevation_service.exe
3552	maintenanceservice.exe
1664	OSE.EXE
3560	DiagnosticsHub.StandardCollector.Service.exe
752	fxssvc.exe
3696	msdtc.exe
4464	PerceptionSimulationService.exe
3060	perfhost.exe
2556	locator.exe
4540	SensorDataService.exe
380	snmptrap.exe
1568	spectrum.exe
1540	ssh-agent.exe
4476	TieringEngineService.exe
2616	AgentService.exe
2444	vds.exe
5000	vssvc.exe
3408	wbengine.exe
1336	WmiApSrv.exe
2452	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	5f7fc0539ae91bd88cb9e830312faceb8f14c6ce51c1c945c596f0104bf44d7a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\59b3ad5246f975ab.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb94f81a6073da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6090e1b6073da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e16fd21a6073da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a32f61a6073da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f86b101b6073da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019de821b6073da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
440	elevation_service.exe
440	elevation_service.exe
440	elevation_service.exe
440	elevation_service.exe
440	elevation_service.exe
440	elevation_service.exe
440	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3104	5f7fc0539ae91bd88cb9e830312faceb8f14c6ce51c1c945c596f0104bf44d7a.exe
Token: SeDebugPrivilege	1436	alg.exe
Token: SeDebugPrivilege	1436	alg.exe
Token: SeDebugPrivilege	1436	alg.exe
Token: SeTakeOwnershipPrivilege	440	elevation_service.exe
Token: SeAuditPrivilege	752	fxssvc.exe
Token: SeRestorePrivilege	4476	TieringEngineService.exe
Token: SeManageVolumePrivilege	4476	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2616	AgentService.exe
Token: SeBackupPrivilege	5000	vssvc.exe
Token: SeRestorePrivilege	5000	vssvc.exe
Token: SeAuditPrivilege	5000	vssvc.exe
Token: SeBackupPrivilege	3408	wbengine.exe
Token: SeRestorePrivilege	3408	wbengine.exe
Token: SeSecurityPrivilege	3408	wbengine.exe
Token: 33	2452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeDebugPrivilege	440	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 5436	2452	SearchIndexer.exe	127
PID 2452 wrote to memory of 5436	2452	SearchIndexer.exe	127
PID 2452 wrote to memory of 5460	2452	SearchIndexer.exe	128
PID 2452 wrote to memory of 5460	2452	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5f7fc0539ae91bd88cb9e830312faceb8f14c6ce51c1c945c596f0104bf44d7a.exe
"C:\Users\Admin\AppData\Local\Temp\5f7fc0539ae91bd88cb9e830312faceb8f14c6ce51c1c945c596f0104bf44d7a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3552

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3744

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1568

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5436
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
15KB

MD5
04ceca649e5c279a0c9adcaa84030897

SHA1
53bd843219f79fd2a90d006b2ace512dc1db3680

SHA256
0eabe4e7623d5767d0046a922f81f3ae97923861b91b0e47a84923ec1535ac34

SHA512
858017320104d51a1c88a9555a56c2ad1cb666d34d9217aeb434835b1b75dd8a73bff613db77ce6498bca5693ec6dff1450b8e21280e64550d6b22c3afbec761

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
784KB

MD5
e38b1c065482c028d69ba4b2e63f9088

SHA1
d1dbcb47212644af59a6c330c416bce6c0f9b5f0

SHA256
d789566da2e8cf5174680ecf47a296d02207c717d40be338b997f8c4d80dc579

SHA512
66110ba0905a75db03bf286fba88de0d7c1026ddfd4c0335ac7d5970f00f2ae0b66c1718e21d747ff0c1d6d343b98a149b40aeec3f0750109f65e072f88be61d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
629KB

MD5
26ba08a503bf2f150eb477783f71f63f

SHA1
041706201a9a60ad694ed0d82e03d8565f91d6ed

SHA256
5581d49fbbbf573626688e7066ef52cff8e3d3fd98ee82e40dd391bf7aa77312

SHA512
d821701a5d306fe08431374ed9d7dca9b39e9933cc8cab3e5936790d2a38bd6f794f14870d994f8bbcab06aa8220993238ab55641e6fdb475736db80d846327b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
747KB

MD5
a4df8112a8d770194c72354d10ccd3a8

SHA1
c23b976238290782cd1f36f785e95c815514debb

SHA256
437635bb46f683da5a2125e252453b178a3a2ffcb401bdb980751b1d7368d76b

SHA512
16259a34fd0c3b587ee943c3447198a8dcdafadda983a863e42e01f555bdf1987feb6d2dd7e695c8b477d1752e7eaf2167d4038fd2be05aadebacd0c3e9e75a9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
67KB

MD5
ec2e1426a3bcfeca6316685ea04b6f1f

SHA1
4d0a7cdc83faf240ecee6aeda313be886b441f68

SHA256
417f08bc70e6fdd3e08d642e7d03057ffcc0ca6eaf979d2568a6558c98c7678d

SHA512
3c4a6098ed6c5f3f9108c2d9f008ac4a0de34d0c6c020f063660e803b6d4da379264f1062ed780b37b4d701405def989d951c49e333f42cfb597dd6908580404

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
203KB

MD5
39031ce8d30244b1eb6aed59b325ff63

SHA1
5e9a6d13e7adc9e14d1af3acbc0e468c7347c0c0

SHA256
363e41fc681f878ba4ab646fc2d976bc8990c7fe33763fed97a892dc2a791a56

SHA512
d8f9e31aa255dc4727b50272b7bb16bebe03900091b922c637657b50c4da4e91c45a302bf06976055048602c75ed382593397724999b1d1cf286833d53b5ec30

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
64KB

MD5
aaf7ea63d874aae147aa131ffa3bad49

SHA1
d66faf0704c3de03a97c5b446fa7ef5ef9d90805

SHA256
628a72e4f97286034414de62b677186bd6965be5d33cccbc1818c5a2adf5ca76

SHA512
7b1278dc220931c6054686638eb4c3e90b5933b78bef5d25714055f089e69e2f2b090d2208ac8cc8ad6567cc70ebaa42c9cf6a0ed3890ac72815bf95948c6181

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
117KB

MD5
4bdc03fdd49086ca899d8d49e645d7f1

SHA1
38695d7184149ede174bc083f4becbdbc9e56034

SHA256
604141e79e7c3fd7b8fa0148dd3d49e294c1192b1a4e70a3e8275483ac9a2487

SHA512
7f8bb3d1e30c7b9ee2ed66b02ee3b050f676cb89ba2df3d2a9f551c6a3e08cd87b274eebc135d8251f7424417aaf056af574867cd4bfcf5bae1820382df46070

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
127KB

MD5
182e392fec968e0387b5fc01cf01885e

SHA1
d9592aa015bdee89092913c3ea49131cf3ed2939

SHA256
b231714ebceaa22c64738ab300370e7e83b1d554f18d4d7566e06f5a2234846c

SHA512
5e493049bbbd9ef525288725c898a7afc9250507743c0e1274a563217592e9e6b2dd4e00c50a568ce0bf1d37255d75c35a4c12765c903b65f775c3a691a7b099

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
16KB

MD5
f4ae38c603ff9ac0862dc008f8f8c4a0

SHA1
7ca3c35fc5b7ff6063d1612d8818f9dfb2712539

SHA256
dd53c8105e3b074f7dc986b9865f39ab5abcb2637f41589a29cdd20a27d20f75

SHA512
483e4294062bc69e7306334456738098360810dafb9f7d46dbbdbeada7be23e5315e4064fbc093bef3fa882c831341589b7fe7cb1ed9d2bbd833b76c50e1464f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1KB

MD5
c2b8fc8310748a7c6ff9f74e81b4ea51

SHA1
98a14af7e87beb8f1fe14a99d8ab15395548661d

SHA256
ab6472bf2cea4875060be36e395f1dbda5315818bf2c8b7a87fdf80c1c638c1f

SHA512
3eccf2534de59449381ba2e3ab30ab61e0d2dfde6bb51134b525d5b15d3d686bdef81db584c436e0dc7e8e3c65a85fd19385a73e4497268d14046198d41ac57b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
517KB

MD5
32e63b9a2a226f2011214136e40a94d6

SHA1
1d917c7d3fa1272b92e40f3845a6d6d3cdb1616f

SHA256
61d08caeb6dcfc82fa28899a2fb0a1fed10b230b84c55ba3a0ac37c06836310a

SHA512
c55625af5738df857574d7260ff7ea1430ae6f2b238ac9bfdb6d805b999f710ac57ccad34372c9c02900d15d44aa5194ae410f051b0ca3245d792e09ce1b42a1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
544KB

MD5
ca732f771bbd48e21acd8d3268d3ad39

SHA1
155f6ed1e16346871d2de50fff6300dab8ec8fd2

SHA256
1f3a535d0ee3ad4bc4abd4b443d0c2e093850c9eea25f0277f5fb0573e842205

SHA512
4ab11c9ceaf80f2f85326aa4523e7d3afac809d83e650f2d649bd03ce6c7aceb65875b6df332fd3fdcda75e06117b9f73a635c3dc663a251496ae250824a3756

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
547KB

MD5
1881b6f9364047e35921d10f0c8b00bb

SHA1
4440491a979d35d16464935d0172daa6087852a0

SHA256
06db4857d19b0b704a887f20c788fa41a6e19d087493c8607110115fde49e990

SHA512
528608bda4ebe78771f296780585b33db571be22612ca87a8192899d34912f29d0b6ee958ccd00dff205d075ec7216a62e65ce6a0955703ecb500ef447d179cb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
35KB

MD5
4aae8a716a15ed2836002f180af62bf1

SHA1
0c77c53f32f40fa083e7b569a97a033313a9d09e

SHA256
4c73d4da70d56f39217dfd0de3cb71efe2ab7d830dd6c2396802cb0d8bd967dc

SHA512
10ecf52b37ce1546d1ba07a64fe3a4250e573349dd6af196fb41cc7b01e62dab5b5278ad58d563a6fd430c698e3ec862d7714bbac3502cf9113eb58c44b1e2af

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
260KB

MD5
0ea83dcb10889699ed993d7b386e281c

SHA1
0ab44b2afa097da60f38175eb5477bd6b66e47ab

SHA256
bc594a1b9c398bb0090472e2e7cd3fb5b66ad47961f05fc5397cd916822b81b3

SHA512
26ddff79741353b5e319b5f21c301a160954f2ac537a8ea0d3afa493369f490d7d8e5ae9ab7be54998543496195a22958948646a89a3f0331be045d981603377

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
411KB

MD5
4f976b5a5efc55b9bbf924766de3c7e1

SHA1
fa0c902d89a42c3e790272f83f5cc4e6d5a37ad0

SHA256
ac3e29b55443a65bd8f5df8b687fd25750828fd4ca74458314e51c8fdda7750a

SHA512
a9fc779172e7d86daecd07373b10ffda0b6f012a12c363481ddfc18c00fdf8a997c657d77b7c86590ddc6bdcac1f8d24d655209c9a57dbac5cc87730fd9f8bab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
201KB

MD5
d737008bb861b6fd47bb9495cfee8a08

SHA1
759e4dba5ffa6427744da505dd34eea65c6e95d4

SHA256
51833c8b8738f1a8f68593605957bd12c9faf25f663645429272f6d04c3650f7

SHA512
319c16bfdbfa62b4b5740865f8a712a19ad79d8b178b035907e6d45e1711a795ae8e37bd537d2fb6c45cc103d774af2091d6069e8b717546da459cf890fdbbdf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
54KB

MD5
a321f639dda2a85e3ece3644ae4c544e

SHA1
7c73ebc2e51f6b8b63f503bd09fb30bdb8a432d9

SHA256
d08e6ed273cb6675452dedfd1c872340fe4fcfca560d5b6e694f4b584b9be26b

SHA512
b7d808a1f35b702c855799873189c1852880580d1d1103359c14dd36ba34d8176f55b155127347d24266593b8fd2bedfa94bdf46595e85a1a686319d700e20a3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
127KB

MD5
fca93ab2d41bfc2a5f60bf05ed240763

SHA1
8df924bd26d57e081d0a3e6184d44d4c5cc208db

SHA256
4cbdde1cdf053c93bec7751a43d3f0e7985778ae90ff76f47b500e7780f33524

SHA512
3e49ef38dd857f50516f157ce964bdae73ec426892225a1709367e34d19862391dce3ab8a4f9f039d9918b53da5d795dac466e3194af21ccf925f4d4c6f61350

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
103KB

MD5
078b5af565e15ea8308b97cd07f55863

SHA1
7edfac7ef49b51ffd0e3ecd201057bffda2c236e

SHA256
c68b560c07460642cffef1683df6df32a272ac8020c6bea608fbaa7ee0be162e

SHA512
3926eae554fa943ab8ebaaea3a4c9b7db39206ac201a020b7ab0c5cecd3f3bfb6749f5ec765e3d9481a6495af314fca1eccd6fd7791d59464a3b9361429f3b41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
92KB

MD5
7c8d359d56b778e6d086e3c06f69345b

SHA1
9d4799fb7fbc9cb570a45661b5f3b2b5bcdbaea0

SHA256
dfa516e1197534f7f888fbcd82ac0a7412be5c602aa94543ab0d5f72999995de

SHA512
adf2f5d678c393e73f268540c2cee074f373316b6158c741a54282808325187c6b067e315abfef7009ba289dae85ed7931927c92bad37b084562d6617a8984c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
251KB

MD5
38aa09a05ec20209691102ac4879ad6c

SHA1
1c7892f4aea9136a279f07b8ed2bed8a1ef0b795

SHA256
47351d925461897d04db37c0b1b968798a5dc16d93da920847731b5ad86637a9

SHA512
206153c58dbcd98775372ec8fd94ceb4e6f16b389a931649ff28f7a92572f56df422e70fda6793057cff3d998afe00a0c0f4c88ef87a48a37a245189ad3cb1c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
196KB

MD5
8f6021ed002eab1db8454e656a54e0de

SHA1
a4e65c8c2f100976e16b936050953c92b853f976

SHA256
67b9a6cc2027640bfc17df6791bf0b0c30783f7b2fe795c69284435633dba0fd

SHA512
983d518c2c1421ff509e78e96fef94a2791061905f3a8dc8044af4d3c050d3d86b9b2ba36cd8479327865adba637ec5136033c3783faa0ed304f2c9a9d6fcc17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
364KB

MD5
89b692b8d06e2f6b42e683a860bb2391

SHA1
4ca1c311af0c596d933da5443105607295a09283

SHA256
40d3ba4df3c013d54d0b9199eec28a4471b247c7cae52092cab873d872a23026

SHA512
e7fb3f5e21edfb459254bdf76cd106e28309484042f0cc816c497324724d70e74f67ea500c81f1c2e182ee72cf086ef9c12b22b580edfe7b11d3ca615b434053

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
188KB

MD5
85a838e5a8fdd78c3bdde1a088de019a

SHA1
16312333ba8774f608aca79b95c43bd8f0ac47a5

SHA256
8304f6b0ab3dbb0394ba20644f836d19533be2d9bc40b8fc635e315c49b6f55f

SHA512
05c72ab5afe3a6b2ca5f39dec54f232ada40b9274a153d15c2815cceefd88f477c654bd27b0951f61610dc62f094b8aa0e9a9fedc2d940900f3f97320d502208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
411KB

MD5
0a631e97e02e90d54c5fc58d28fcb800

SHA1
79c77c058c57a1a691512c1fc68e197113eae638

SHA256
f2febf0cef3d36842b462b6751e8dab483b49c7a5599aad9c6edc4a785c44a33

SHA512
58cf9b7894021093cf2eb92bdeb0b1c12c20efddd01609992825df312499e2f7c21eeff1de303910406083aaf8b0dc1abaf1f836785629624927d848691f3ccc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1KB

MD5
20561822fd44fcb5cb1e911ecd8bfec7

SHA1
9220a32a88dff53c6956663330affc8049307904

SHA256
4d024318917c118ca77ec9ae83a38d1e2f8a4816e9e74440b125ae9b7e2c9716

SHA512
cd7d3c82ad1d86085abd3c763d1e5dfb237b7c94aaecca889652e752ebc1b070d8a6d3289e6edccb35aa2c0070559d80e9ac13d61302ec560b631cb275044445

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
156KB

MD5
d145c2ae22f3f144dec8864eb7069d9c

SHA1
6c5f6e44cdc499283229618389190fc785a19aa5

SHA256
29a7bc7e96a408f2a85029837e8e804397bcf33d103f7f480827540f7b27f506

SHA512
9e542b1792bb544c8abcfa548dcc975d3fffad331463e00155e73db147a85f5018ead237d6897357315304ac918c3fed79047d7874071bf01c0e198667ff3cfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
336KB

MD5
4a09c69c7a40f34a644dbc45fcbd908b

SHA1
b7e9839dee3eb10d85b44c21660e20ba4e086ad5

SHA256
f94d91796af528a4151700b8aa1db14d8b504f3d8578a579db7a6979d73b1a16

SHA512
bbb64e983db9fea7ee4739df6955fc61ae53c621ff8dfb15ce669733262323eacf4b9abecf4ce163477844f0168f9a40e6f2c9df1ad2cafd58e75d33e184a5ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
73KB

MD5
c1f146ffa25ce4a324626e195fddbd0e

SHA1
a81e65adbe44cb3672930b7f06c5842fc30cf698

SHA256
6d8eb0f2154bc3521fc5b8e8ee0a7712556b84aa419259ba8d970ff41c022c74

SHA512
2679c5d8318c65c4179a8e9518188b3a03e94ce1ca9eb0d28973b08ea7b91fb78ae4900cb9d1292aa565eb4deaf73fb4a5521c5d407611ad8c85a35eb075db44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
188KB

MD5
776f8f53163b9fb6c8f9fd49f4bb87c2

SHA1
bd6023fb5d60e40967bb087a9c94ed4b21b1a539

SHA256
b1d72f19e860c1458b468fa9e9ec21f12e837da9e23df901c558a2073399d3c6

SHA512
46bf92db36c224a2cc99bac6a76ebf16e22251458d466746a5f515a71e4f2dc43c91da85b7b177cb48eca379c3b76f006beba8172d26f95af090d187c33329ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
411KB

MD5
cbde31e596e97aa19b1d09644019bd61

SHA1
4005f321ca1ae86daa00cd2f5716b61455c53761

SHA256
3ce05dcfbe7e1ac8831fe1789a13b79e4761f21526ce1c68742d201c8dd5a575

SHA512
5d3b92f68dce58b8e741a74a2aa61d5935a9d5ca56497d8a3df3e88b5acfb8e357c102186e47e67716f6b3b4041164e8a49929cb388f633c80a3153a434a8268

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
92KB

MD5
4af75904e260728366897ccd0d83dfe5

SHA1
5d586b5c95fb5018f681a5e27465527eba1b305c

SHA256
9555df3eff3dd6c55bc9a22c9c677e4bf875d406dabf1673655719b9f0e4a52d

SHA512
30254fa04e59c85dc0eb53cf3c7a2fbdb6de8e8bef84bcff930e0d609099f1f4de2100b157ae2732cf1ce52c12f1cdce57e9d95d7a208f8f4d953045d5264b9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
182KB

MD5
061ce9a9c60c240874673e1dec4a7a1f

SHA1
d5bf52257913c14b81b65070bff2148e3d300fc3

SHA256
5c5422f68892e7aa76adcce34ea48a9b65e47a3aa860567740e0f328171f8eea

SHA512
c85bcbe78d98a474e2b2aa48d136d4321816ffe40ced61d816a4aacc9f7bb688145647cfa6e436973ec346a1cd57d5cd0c8f74bb56090840a0ac0fdbdb298517

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.0MB

MD5
b3a9017279648e1b3a739e06f168ba0d

SHA1
f1aaaeb4c698c399f96d29a9ae527eab3d152536

SHA256
f5bab95950dce4ffe16008a01960e31424e129308eb6d895ee65f2868aa82e93

SHA512
a4508d7663539ba47b7ca928740f8175c92a18697c2bcad526c5f5d5a1c17355bb72d7647f179179beb0c41c4ced131b383080d2024a2a18c2875c628d2e6eb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
81KB

MD5
1ce7d514f88ef1c43e0b99dcbf35fce3

SHA1
e02cef74f03216f171f3e8bfe5b62b4a3bf26eec

SHA256
1f2a0f52f61ab3e9ca4182d4a228a1ba5c62584c30761955b0bd3b3132da813e

SHA512
1768cffeff5cb71205273245df5e9090f09dd0e10e6471076b73c6a41f3f0ba97100a00cfcee48146c4f97c5fbc3c9a4ba80d8632424967423197f5dcaba8541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
100KB

MD5
ba4ef23c0f3b228bd1d33f16718cc0d3

SHA1
264c48ab9bf9cf653f43c40c7cf6fee13dc049d0

SHA256
4736ecf95ed5a4de3fa7b2151b8212afaca29a430f72cd56fd8da577da137e32

SHA512
05f3c78532bc58e3e55b04cb41cb75de5ed452f6f5f2732a5b83876fac9b0fc4bd4c818b64f19a88c64b65b556c26e3b8373e7a0e1ffd0584f956bde89667f44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
92KB

MD5
3fb75a2add852eaa9f4822a4875573ad

SHA1
7f663877f50eca81b34dfb51b2dbf7a02fe00377

SHA256
268c0e44410547d3de80d3f2bbd3497373926aeb1fba92c372e9234cb30b3a0a

SHA512
9298b5b355d889e5c7e01e5d1185aeca5c697fd3352e6ab4c0db297a805c9ead74d47afccd84363db50326608099a0d4eaa06cce2bfb52bd5156141e01fd6ab3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
218KB

MD5
18deb6639605df9713eb9a63d47fdda9

SHA1
5dcf57046d6586d2a2fe42aa215e1996ef8b96bb

SHA256
da562b9f7d3aab53600ea1a5ccf8302f842f2e71d7037ed3c25c67fadd85af5d

SHA512
ebfcec07bd4bb5e53797ecc2425471fb0a11e1597bc4f7fc546dd9c281c8ad66601a7f6e558b80c3da761f5bda2586f44ccc1114545dd3c20a2b696f9e5123e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
33KB

MD5
660c71b4777aabc0dc7f88f122435e55

SHA1
4bd48bf0a1cb7cfea3f62e72a4cfa64b95b705e9

SHA256
8117d3f4183351e5153e7ebfd111b3cb1d7e3ac745b2c4800278831aed0f79f4

SHA512
340ef40c713407a5f1a9d33395059a16fbbbff7d6d29fb0a2f12ae05be55e59f39590ad28de9f3d67ae0995854201fac48b4bf7522d14c5719f933dc763a6138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
48KB

MD5
8662931674b8d3c515bbd963446520ca

SHA1
5536239d63d4139c411875705ec7cbec6f0b36f2

SHA256
66adbd59c9a1b1b1bbee75f41ed3b9c577bbe570552c00c47c4451b10a68ddab

SHA512
8a35daa7c397d2948122bc37cc1c1aca8f7e27e526164a804aa3d2f123ebd339adab552ba41fa67494caf62bfb4e0d732a4a5203da08a2a49e498bf89090509e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
92KB

MD5
b2f82e518b1656c9d9cfd27351c0c746

SHA1
626ef46cc6309caa67e64fb669e4be4a0e795d00

SHA256
75610afee416e15199838799ba717c11531432fa5700cefb764418abc3e41fe4

SHA512
00e806b8f60ce633eebf6175a075f0a1c0398f25d9aedefdff12ff4861c460df8dd51771bc717aaa806e939d0e6cb7d082979fe849747ee321be57ff2ff78eec

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
197KB

MD5
8341d66956006cdb805cf4fde8066c71

SHA1
08153b270ca20c2b8291ee6f617b7c028351ee92

SHA256
03cd6fedd75df323cc0ac065c2cbbbd341f7ef49bab2bebb647f12f12cecc871

SHA512
a86209575dfdcf78cb21b50f72e03e7e5133c130060cabec1cfaa52dce85276b64a85e31adbce582792f974a8bf878affcfb7cf6d5a90794751b6af3ab7ab6ba

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1019KB

MD5
9b08784f636655f64f95d3caba30f4e7

SHA1
61dce1cb9bda32ce8dc3f3e2f1e2683cf1be0a60

SHA256
15dc3c6a63013bd7a4e19a7e2e6112ec111a6d99552f6464cd207174a9dd35a6

SHA512
5b38a1f760c9076a84d0ba41f46d93743d577a17d59a81f3b775ee78c899b879ae2488f6d0be3c810bffaaeb09b259ea2d182ef534cd68469da60343ce5ac5be

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
92KB

MD5
636022bffd2c321e6503ebef9f1e2b11

SHA1
cc47311d5ffc3a169b4282454f20de22a146e2e7

SHA256
e9574faf4fec1c4d06db0610e3f7c816db680f9984a2bbc83d80b110817d4d65

SHA512
aa5b38c2bf7ff85249d3bd8067d3735ebc58ec94cf8ffe31960535470e4810d8acb4d6f5e328fd35b1ed897ad7b3166bee845d29258b85c98241b543babebe65

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.0MB

MD5
9c43364cbbde08148881be37abe9cae8

SHA1
3ea65711e84beb58910540ce3a198345c9d1a896

SHA256
22990174a760cb780c64242b27ac145cfe4c2e9a1802814b0612e23c576e6f3e

SHA512
3504459876e9939512aa3c159e42dadef80450f0a392eae1be9c1f88b6da0005508c176ca95e854115545b0114c526942422c14c9b1f2770ba59c188b1abffab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
740KB

MD5
8b33189758921c20351e30cef4fe0e1f

SHA1
bd295beb08d24c7fa9e67451c516217a6c6b1a4e

SHA256
64f250cb7047f16ddb8f395d4942a066c47214d1e39fa5beb68de8663dda6ae2

SHA512
7c96a92c760c98ca4ebfffe3954909e79d332070279b108fc28e35eeab43923da81f750c71d135c9802be10d02fe2256c8d29e09c2efbc27815ac10c922dc215

Download Submit
C:\Windows\System32\Locator.exe

Filesize
435KB

MD5
3fd68d9ae574e4d75d4d20f6734b028f

SHA1
8a33e9c4e655e73e9b7b3cdbc8a7afc689bd213d

SHA256
25a2a025402c7a64fc59a5b80eac11441e4c8b47967629b3db1bb679c92fc54d

SHA512
eb527fdf3b6f4d9d13e6dd210b85f273f2860af9463cfc2a3efe80d56dde3b80fc93a15bca92e9dc7c4e79cdff4e1bb9d2e6aa04cdc1b8cfe5dacf6cd11e7b73

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
521KB

MD5
360a5d14b704c913c4bbb41e58b606b8

SHA1
edb4accfaaf2c42bd6c3a7a2c7c287dc1f945560

SHA256
09d7981cdd621721a35186dc44fe17edf1005b9aeeef9c6fa741cbd5aded5802

SHA512
e0e5ef7e9d358a5b866d5112142ca5c0288c411b7c8f059319ce261ddb9d51680611cbf8815c146a7abc54771d28813b49d3092039c71ff77b031127ee831a9d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
392KB

MD5
3c3da918aaf23dcb8d39d153c1b57a88

SHA1
0ae96befbc7c8b88ebd9367c5523a64e654b5770

SHA256
e3a1bc89841a26e905d989e1a272745d2c840c99c3564d25df3636366954f320

SHA512
e21b0574e978d30fc34117f2bd703967257fb40d8c58d5b64e8b8185685519cb5e9a54bfd43d4bd9bf711faa4478188174ad7f6a42f14d30c96c931f1cdec557

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
830KB

MD5
5181b3ead5390e22f09d9c729b70a14b

SHA1
8f61f955f7d40e76b7c27f33288efa0b4cb5cf7b

SHA256
8c1cace13a60aea83a1413cbac3e5c378de2bcacc255547df218e7ab2c972024

SHA512
3e9a55f5551ab12d8131095ee4cc8289df767d6a9b02d5c62148ed21867e7217c5a705277841a2beb5b89951118d2e7d2a64095c2ba8f97e0dce79b55c805776

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1KB

MD5
eed30d3a087cfb5f11a3ea151b92b80b

SHA1
d529c842fc34c2419e6ce835601b027c1d923a69

SHA256
998ca291e6d9ba853ea462a1e452d6f5b15a1f0ef2f4b58f12bf5f4194eedb63

SHA512
d4855607873a9355f28f7526004a332dff6b7ab58f124a2a76177cf94ca2d86fe506d69e42a9d58d47d364e14279517b5e10f740145f2b8c61380bbfe2a0be9a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
285KB

MD5
0c5a2aca9d56f0d02d7282fec44d9dfd

SHA1
24d8418594d8c570689962f681f7ebb5d3e79e04

SHA256
5796e8fa7ca9680c7d91957c455acfd9f89261608c9cea0cafe4e587c53cb4c2

SHA512
c994b0d9d5e7f8d0cfdb1ace814e95fdd56b62bf42efca7420eb36f76b2a1b45bbd9a8dc12d0ca305503e711e77cea61836928a55320bf4589886dd892f36776

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
29KB

MD5
9adc1d24023c591e8afac201970e2b90

SHA1
18a1ca60b584784f246b7a8b10c9812791c61921

SHA256
ce6247c88be244dc46fd5c6d63083bb8adb006e6b6d1b83d54dd367ded0b2f34

SHA512
3246f13d556cae0977c91fc9355944edbe78ee1f2304655afbb8145f3de2396e5d67580ca6b62e3d746a8a17fedb2a227f1a18e426ece58f787cb9caf4591748

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
143KB

MD5
4eab502a4be08b79a90afce0658f8e3a

SHA1
7e92f8ac23081c0d8371f67b8b4f7d652132fdce

SHA256
e2bbbf703bd73d900e9da2f5e337ef731cb7d87788623f4657ba622c3d0a1407

SHA512
138a9aa8abf874d64428f853f5e1ba2061e8f500037ce7eb3e86ec03aaf63daf5f16f9f2ea196993638f11e9c60db6f1b1ab6a4171a2a936a802cc3a56a06526

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
383KB

MD5
e84da9b4ead3cee8b9c857068e7f3133

SHA1
dfef31faa7be6e1b1a5ac2301a003d0f3badcc72

SHA256
efbc3dfa03fa3ef6d85a663aa162afcd42b65c91d1cb611339fbe5ebf81e5f3c

SHA512
31ca65c5af2af4e8fd81f85f963b51c456c1f6c076c60971d9c0eb3ad32ed68cae5cfa62db48bbd2f31bc5a8cea22cf88003f6b64b63e6b08ef87b3b457ffe4a

Download Submit
C:\Windows\System32\alg.exe

Filesize
56KB

MD5
76a668aff2010d720729dffaf52b6707

SHA1
628911c44911cf54a80addd49708b0cfeed5d12b

SHA256
01266432b4144bbeae808f12a5ae7dc2b0e2d77deed07179e5ec77077900925d

SHA512
1b0825a4f965e133c2a5920aede427fcaffdd1061cbe6035e1a38b26929e6d960fb2288ac5fd7552c1ddb8165d3fb6a81fe78e5d8abac6a1b7a96710a254523d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.1MB

MD5
1a9014cc26c4c03e038bf14805e25409

SHA1
fffa59c2e97aad8c27b47093ee32d16b89d88e88

SHA256
640fd46e8584848161f127e851b1332d56a21fb6616a22cdc28bdb25f265ed31

SHA512
80090853d030c438ce30c2902dea6d8468aa851a1dfebf19a033a9a8e78cbf8fdc31a21d626ae90100000eea349e339695e21795b56975b61b6729e3a85f8d7a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
89KB

MD5
c31c9104b01b70f506b4e55a91a55248

SHA1
80a21c4e3c3dbe6b87e83a8374b53a18ecdbd1ef

SHA256
81f54f87b403b46521f8b7f692883f7dc2e7d078908cbc2d222d4176ea532688

SHA512
e9899663be49bb3e5444d470166537120ebfa2cd65ea072a62e897cd465999395c42c24d634847306cd678d0c70acdf9d160eb54585fe8adcca908f986f30e07

Download Submit
C:\Windows\System32\vds.exe

Filesize
607KB

MD5
ea6febb7a69eff8bc05c399282386671

SHA1
4ff8dd845017ca6706040bf688f3b97faa97827d

SHA256
2f827d515ad5caa988fbd45673107684e862a721a81efb0c9b4aeb1bd62520f1

SHA512
8f2565859e990da617f69603ea0ee87fa3b687f5146b796dcdbe92427befab07865f7636301e3a665c6f95b989ce5daa3300204e6a694eb5bddb7d917eb53f25

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
252KB

MD5
31334f223a3377492791ca2a383edaa2

SHA1
180ae6c477e585a4f23dc4c171bcb08c1b569011

SHA256
03570691024f848c2eeaf3f714c8e208b1ffb7e8a620f5fefe1e9f830e8002e9

SHA512
5163091abcde0b8440e420193adf717f6cca295fc634d16f620a6b2e4f28ed3eb8594f21c6d4f363030b898e9076cbc475ffd10a9649f4ba894bbd4abdd0a3df

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
188KB

MD5
f062afdc52bb220fb5d3936a97e40075

SHA1
155e648363c39048c1bfa64bec016a9a2a462139

SHA256
8ae1ae9ee84f405585dad4c3a248cdf656b94d788ef0f26f4e4e0b0e5317097f

SHA512
2af1ca24ac4b11c12d0225ccf0d4f915a8297bb1ccbb9109412ffa39bfa2d96eb22e09fed30069b068e3879003f26ca68f99d0daa1a5a5a027d6ca0c0bc50e2c

Download Submit
C:\odt\office2016setup.exe

Filesize
295KB

MD5
bd0428ec45703e6685d81c006c77b256

SHA1
4fc78a0ee21b636289a307d95f2e499a285b50bc

SHA256
0b3dc9cda47873bbe28fd6bf73207261dd75944c961188d86bf93ffadbd42315

SHA512
0188c37b4bdeef341371f510fbcd57a9b69ffa12b54aa109abf9faf21a9e568be3e750b9e49fddb784c9da0ade958c7ecb79472b73843abebc35955d74940f7f

Download Submit
memory/380-407-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/380-346-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/380-339-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/440-28-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/440-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/440-34-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/440-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/752-271-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/752-255-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/752-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/752-264-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/752-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1336-448-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1336-456-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1436-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1436-15-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1436-227-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1436-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1436-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1540-366-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1540-372-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1540-433-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1568-429-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1568-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1568-359-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1568-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1664-238-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1664-65-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1664-72-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1664-64-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2028-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2028-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2028-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2028-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2444-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2444-552-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2444-417-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2452-469-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2452-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2556-376-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2556-319-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2556-313-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2616-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2616-404-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2616-398-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2616-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-299-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3060-307-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3060-364-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3104-12-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3104-6-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/3104-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3104-1-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/3408-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3408-443-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3552-51-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3552-59-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3552-67-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3552-56-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3552-49-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3560-311-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3560-244-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3560-243-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3560-250-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3696-336-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3696-280-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3696-269-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4464-296-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4464-287-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4464-349-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4476-446-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4476-386-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4476-378-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4540-332-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4540-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5000-431-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/5000-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5460-553-0x000001B9B6AE0000-0x000001B9B6AF0000-memory.dmp

Filesize
64KB

Download