c26a03b4b44169beaebd8752039e6f56383d82d4f7cedc5e4e165f2443d41626

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c26a03b4b44169beaebd8752039e6f56383d82d4f7cedc5e4e165f2443d41626.exe
Size

1.6MB
MD5

44e2f167f58964c3e72afd1eef693475
SHA1

4488c1e8e796886a0cfde598f1d89a2fa9c763ef
SHA256

c26a03b4b44169beaebd8752039e6f56383d82d4f7cedc5e4e165f2443d41626
SHA512

1017547a0405f614419264fd6bec8f6a13685ce499a32b9ea9a8250d1714a609db66d7ac06a6885295862b6882cbcf0be62d532283037b95e0942652ac668a47
SSDEEP

24576:Q4iB08NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:Qd0gDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1712	alg.exe
2520	elevation_service.exe
2724	elevation_service.exe
4692	maintenanceservice.exe
516	OSE.EXE
2232	DiagnosticsHub.StandardCollector.Service.exe
2464	fxssvc.exe
1956	msdtc.exe
1104	PerceptionSimulationService.exe
5068	perfhost.exe
3164	locator.exe
4648	SensorDataService.exe
4320	snmptrap.exe
3816	spectrum.exe
5072	ssh-agent.exe
1608	TieringEngineService.exe
2472	AgentService.exe
3480	vds.exe
3604	vssvc.exe
3496	wbengine.exe
3272	WmiApSrv.exe
1648	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	c26a03b4b44169beaebd8752039e6f56383d82d4f7cedc5e4e165f2443d41626.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8af4d052205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c00d8b1fe75da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000835289b1fe75da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfb2aab1fe75da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ef186b1fe75da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000838d84b1fe75da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d315adb1fe75da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054f367b1fe75da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb168eb1fe75da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2676	c26a03b4b44169beaebd8752039e6f56383d82d4f7cedc5e4e165f2443d41626.exe
Token: SeDebugPrivilege	1712	alg.exe
Token: SeDebugPrivilege	1712	alg.exe
Token: SeDebugPrivilege	1712	alg.exe
Token: SeTakeOwnershipPrivilege	2520	elevation_service.exe
Token: SeAuditPrivilege	2464	fxssvc.exe
Token: SeRestorePrivilege	1608	TieringEngineService.exe
Token: SeManageVolumePrivilege	1608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2472	AgentService.exe
Token: SeBackupPrivilege	3604	vssvc.exe
Token: SeRestorePrivilege	3604	vssvc.exe
Token: SeAuditPrivilege	3604	vssvc.exe
Token: SeBackupPrivilege	3496	wbengine.exe
Token: SeRestorePrivilege	3496	wbengine.exe
Token: SeSecurityPrivilege	3496	wbengine.exe
Token: 33	1648	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeDebugPrivilege	2520	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 4400	1648	SearchIndexer.exe	128
PID 1648 wrote to memory of 4400	1648	SearchIndexer.exe	128
PID 1648 wrote to memory of 3260	1648	SearchIndexer.exe	129
PID 1648 wrote to memory of 3260	1648	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c26a03b4b44169beaebd8752039e6f56383d82d4f7cedc5e4e165f2443d41626.exe
"C:\Users\Admin\AppData\Local\Temp\c26a03b4b44169beaebd8752039e6f56383d82d4f7cedc5e4e165f2443d41626.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4692

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2384

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1956

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4648

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3816

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.0MB

MD5
f4aab2e919377a4277e845c762db7681

SHA1
9c9caa2532884290c34d421929d7a48450c738bf

SHA256
4180ff1fc3e6a45fdfdf0ff2eefc07d4361c3b054fd6b1039e3f650fa0f9a5b4

SHA512
fd36d1026d9859e78498dde06f0c9dd3d419824f3d7f216e79c7d746fad65f0f77b1b5ae846c9484dd61afbb728454f07dcc1c946f0ec5cc26493b0af76ba090

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
365aa146cdf658685b5f1fdca0e560a8

SHA1
ff9ef101c6cd760c96177f13cd71c3a922df57a8

SHA256
7c7a229642a0fbc7a7c83b67c5928af1008a8c3467606705d545cdb6faf5f458

SHA512
95f93df30ce5df265d7e5560dc6cafe2fd1b5782789507277c19292fdc020e9f3341a031e1f6448f2446101ede4b904d15a034734a9c7ea38a4bc19269f7f7c5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
256KB

MD5
fcfca032e75cc757a9f6d604b6ed1f87

SHA1
705cbdf46e8d43da3ebc0fa6d5af99b9dfc2fec1

SHA256
ef0a6e4bf2ecdbf8456b42a96c4e724cce6b92bf4b2c980f0b2550c0c81a12db

SHA512
b8963226c5c43e521446cc9f06f4e8d60b4af032ada46fcd4c3424db5ecc96f366c58b43a864d535e7f2527a564e9bcd71353d100e6c689e8a66414ec70e5b18

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
799KB

MD5
6bbeb8fd6f39e2d79347689582f8d6a5

SHA1
2b5fde9466b94db78504d0a99c749c26e847c70c

SHA256
0eb331df0658385b34fa2cf5b2d329f754a6c6e47cb39d385674684ae4f716d0

SHA512
196539e090286105bb9d96a041f359b01cf47bbae284a71595a6ca69b7fce21a76b9dc8afca9b8de0de9f336659fd8837d048e5d86cf7bd6cf1927262410bdfe

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1017KB

MD5
7ee81625ad3881c00f696aa0199fa9a8

SHA1
c253bda576157df19e23d78c0c4290620621e313

SHA256
8aecebebb25a98798542fffdeb38d47edc650c50aceacad5bc7ee51f2b81e234

SHA512
002c7838a71edc050029c07f78af0216d8dc563c69646b299b1c9e8905d66b726877e947c50800d10cf6f5fa01062936c589ab44cfe59bf61a2f0f9b585fa530

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
879KB

MD5
76d0af605010c8e3994230def8406428

SHA1
9db8fa99f0fd744ec99d34e141d5d4ff4e925ecd

SHA256
a3a9fb4e132c11e75c7f721ad7a9e9ebf3858a34ac74c1bfe77ade2a1b1cc4aa

SHA512
d8dc706899e2211e8d00d260e4bd8bb1ad32563996a8a9417336230482f44790efd3417748ccf8c60086ea4bf5694e268566529c4fdc6846d4ce893225dea641

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
915KB

MD5
aef2f7d09a97dd21284193ebbce8c742

SHA1
5496a01d2decccb13e8cfc8d3fc2f4900308debd

SHA256
97b96ec969d859a1a7e3c255b417d6c3f067f1ef1ef9a47ea6a6ada6c453acfc

SHA512
cea988aa29bc1f214b65ade2fbd5ceca69247da0fc2a8eabebb346a17a4dc90661e09eb0676e97fe219d91a6d007ea207ade21edc4c999c2e2efa0ca9369ad04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
816KB

MD5
61b5002756a9c47e060f8f33a4fb6ed1

SHA1
cb625dfeafee6263211d4fa2dfcde70c1b6a6836

SHA256
dbb923f3d38368b941d0f81597bdcbf9c4b337bfade4eed5bf232d5aa9277c5a

SHA512
001e43f8bb1cd476faa62e566e2003c3456d6cb63a6d918b55bb2b4e1164fc0471a3a93c132555d76d6e08235802f2b8522dbc530722ae220a3901a1864d9a50

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
897KB

MD5
961ffda70ca2432a17194871deedfa6a

SHA1
5aa08bcf104b88b53806d5f39b9e6d0cdd6b29ce

SHA256
3febca002b1f035e02f059e3c26b30467f3257cf5e9d907c24b589c1cfe8f3af

SHA512
f184dfd225f3d51aae691a37e82add2024e5bafc7b56a798a263d7b136e8ff724311952471c2f4fd60cc82a87bc20fe4dbdf0b8394a5c7972c3a54705937eced

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
809KB

MD5
b6bba1548f8f62b9d2d7ec56d68ec70d

SHA1
24e360c34739e62270227af9977e2ebd89cec066

SHA256
dc6bcbb812cc57f1ae617b0be6cfff6fe3eed0c6e51cb005f5042df7505554dd

SHA512
889d6fc611472037902f41be806b45718fbc594a1c875d03c0fda5edaeea237111d3b0ad53e9010385d8bdac93184404f304093eb5463f78a39c27a1b8b7c9dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
653KB

MD5
df5b2903d6d213254ee6ad0eeb8708f9

SHA1
0316d99997220cb8d524aa125e7c5e9856e3b0fd

SHA256
b3b0dd45dc2d2179a2787b4b9c9d3bdd8cfa3d9c9060a897da4caf2610084246

SHA512
16c0d0b5cb14928bdb2edd8c2e7e30c03c9485ceef98823fae1b35728ba1b45ce22e8ab32dfae3749cb74d83c61fa4e6643062acc703f280ae0098f5a5b46770

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
511KB

MD5
f46ee5c4a462cb0797ab41d0d3620780

SHA1
97926960a63165bf5df5c165766a8a4211e4948b

SHA256
300a95c1ea7013c6f563eab65c2dc3ea4b2daa729b60c7eca304ee7fdc3b32bb

SHA512
e4f35ce4ee41ad147665fdd8760edca8e8f069aa23f97dbfd807c79da2910679ccda51c7ad634891dfb81e925052aeb9d89d166b0ff0ba8f5d51fdb74cef1013

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
870b45571610614bac878367d8ba47c2

SHA1
3137ab29c68c1482c325facf9c68e990168946a6

SHA256
a55df976dbe9558a64ea7d201b779715da68fa4077d43acd93b459969229e11a

SHA512
2b12bf4440fdcf14f8a7d26eaf0ba21c8cc20b3ff2ac0e47bd2e819216c7c6f0a19d3536387293c7f4c4cb0145fe11e4d553721713418ab840d8a59db83515b2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
201KB

MD5
8358dd3718cdaee3343f2e5c5d759292

SHA1
caf25676cb9127dcf0ee69ec04c8e4ad75849022

SHA256
b8476ef47f2dd8faa24825bbfba98a98b00ea4d7dc998d16bd15ac424fd9c6ec

SHA512
390c9f299d27af52d797ed90fb1518529887216dc9fa3919b8532df49bfab794b6dbbcecf3c8695c9aad4886f0f362656162b87683a467aa4bfe05403d8996bd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
542KB

MD5
3d11efee9498c953a5ddf245d64b7220

SHA1
2685e314685d4582ed7a7d760db48b6ea2445459

SHA256
1d1236d45454c2cc6ef6a366f7e80530d459a3df6c68b5fb2a0ffa03845d2236

SHA512
f5a79da72177c699dba74a621b969679a5da837d90660a927907b9b10fdfa8ac5636c3051d5caa8d8eb3281213b1e078a826e14cb6784d905c5f9e74c8c6ea47

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
503KB

MD5
c0570e0113e34f6068627fb0a94cbadf

SHA1
fe010f6bd69a262fcfcb9f666820a19c262f4ae4

SHA256
1c06b8ba427ecc42f7d19bd105455bc7f66a2c4dcd7af2da6049fb6386e074fc

SHA512
cde2b8601b44580324c7be2ce1546bff37953cd765af0aa4c1b62ed49919da21a2b2222d75dfb074cbe4c46087bdf93d42d74965b33eb6fb2589e7e0e10ef669

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
840KB

MD5
f4d25ef69e9fada38794de87ed19137d

SHA1
1a5bcf40749d92181bb5da0623caaeb8a9f206e9

SHA256
dbaa481c3ae0c32012be1f3d9beec9c44b72b0b0cebb2299889a4c849b0b376b

SHA512
75cde47a5ec92e7335558cc50c97c4bada3bd203317188ef1bc83e787b2db44a77a5c7972cb56b48778789474e5a3808fea597004e3c4ec3648800043a4427af

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8f525e4a5a81ce259271468ce6b1815d

SHA1
19b6a7f161aac1492a06c2e189ee0275b4701321

SHA256
22652846c56cdd94118c4d12f43966643c5e211c71e2a3c4117f45af0e96fabc

SHA512
69fa4cd00e4dbe0afd53a97973c90678ac7c52541f092ef5e897483ebf2c5c472f394ec2e74f4956af1c7ceeca17366584cba4d622706eb8f063a9a8f77d0aac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
796KB

MD5
ededce5118d95bfc6dca686833c99f65

SHA1
a741a42921996d7e89e462c351b2d812846ed1c4

SHA256
3b4621673a972bb3b7cffcedfc8140b4fd00134d1041fe456f2c26c731d3cb9c

SHA512
c2c183ba3dd399e832bdbfceca20c33b7667c1e4e7d77a85baa5620355c6c21d6fedef107333d63f6def1112f1cd1cdb11d33df6016c753d20f553b8cae246b1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
606KB

MD5
2993afabc5344e39bc7cadbab6e1499b

SHA1
58a420f976ddeb288ced1d33bb6d95f98ac340ac

SHA256
f46469dc28685061cba4cb25d1bc0d8eeb847117da968066ffecf00275e1cf41

SHA512
38962b1655243fb64596015f11a4c9a0eeffc87d504fb84ae204ef9c6e30fa5a7cd877e0ac1c181a82d52ff7524ec23a4c75c8f59a44042652404a05c845bbd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
351KB

MD5
1cd5691031c6488a77d19729c91741c1

SHA1
df3f311640685fb515da96022f8b4d389bec7cf5

SHA256
34dc0a9fbff41fe2855c440dc8f9ecb58a38d0e7a710f783d2e59bdb7c314d05

SHA512
e8bb99ef0af635948ccf07b350b81ebdfdfd89ad683a1b99f3018362cf30015e208c935b57f42fd42dee374c5767cf67c3676cb12cd64f7fc2904b7215968932

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
660KB

MD5
68e73706ad67cfc9ad142670bd4bd7bd

SHA1
b25d0a2e89d5b7982c55824a99ff31e783da070a

SHA256
41e3c0eb5ddb5fc220374cb3e8a53612dbc8f8f94c41cafbc49f2e2253e407c7

SHA512
0125ca748d87493225ad172315ef6d80f7b9e2a26ff1c6a47799208c425d44c7ea393c93e0bbc9194297e9b774a44f6ab018cda5b6d7601fdadef23407ba2e7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
566KB

MD5
f2ca2e2eb986787d9c1973000f7cd31a

SHA1
cdea5aead8c8b19ff357702703d3a43585514251

SHA256
6e6f0d48c1de754a196ab9fe40fc5135094fbe2d88db231b024c5524694f6bda

SHA512
a01aa94984dafc1c51a81d8290df30e378a303d45b2825836546e43f901b270785e014cb80ea1c7501f1c889fca6cf6e8f17838c0fa8e781257306487f096d04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
735KB

MD5
c0968b1227a83bebd61b06807e184b3e

SHA1
f8e9aa9530143b7908cca781266d31057f612dce

SHA256
9ab0f32d560e48936140d014862d30ac682633820fa468b77af056dd23f75a8a

SHA512
c74c5f82bf6831266f0b014adf055590bc854e90153c6d2cf78720d0f740db7538cb48a6cd9398c0033b0eec039b16be6de11724c71de8a4b169744b7895eea2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
567KB

MD5
692f3705d054a4e0d6f2f3a0ab85c055

SHA1
217f5e2f4d54b54f6a8922a781d8ae00047e160c

SHA256
1359e0ee366906430d86922e680909c15692f4f7b98606dcec34096be2598425

SHA512
dc9f8770a44f0c94ff56d1ef6d164d67c35db2491c7067d3b8cf2afea0dbf9d3a1cea5c19b69dcca7de0bb03616727428d7811d774d5c639d2f41eb4dce22303

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
576KB

MD5
8e49156da4f89a1d7179b756fb2d80ea

SHA1
5d32f5d6299526023515de010f6136ff9c13e346

SHA256
489e4332c811df6e7f7bac5066911d3e4226eac127c17bee1fcfc22e00fcb1ec

SHA512
54eb9df36c652a8a9880cdfb018df662cefea6b85770502aa902910039f8e31cd5466824086a95b18651c06e88cf7335064372b42b047410b1e7fc99ad0c2858

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
637KB

MD5
4e2b15c85cde938be4fe29248b06be8f

SHA1
4ee86e8fe9dff10a2f1c8a0af47f6336f60275a2

SHA256
b8ec27aaf3d33db4019f8a99b97b45aca758d51cf2859f4fa71f37fe19c39a99

SHA512
73b8d4014b692528c0c8ac3f182722eadc795335684df071819d79a9913d6da84db3ad44be18f24e322fef8a45c1e86e62e429e14ee869db3831009ef8fc80f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
742KB

MD5
0317c82c18f24531ea3cef24f521c591

SHA1
f72344c930333d90c11e0b2cb900624f65cbb4a9

SHA256
ebaf7028e63e4b46efc63b38ff875e4fd7eaa2a71137148d7a181d8c985ae683

SHA512
1d9d7bf4dc0c9ac749d437a496d5e7b9d70eb22a66690cba7aa1d2a8c6f126bc25a579dac21d212338e939918d070b2effc1ecbff66b30db89e85933e1fa752a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
525KB

MD5
1881069d83d3247cadcf365eeee7d4e3

SHA1
58d31ccb8b055b0efe0be53fb232f9aecead45e8

SHA256
b846710ccfb4217a674e2da0818b5728b9643b1179b1687c0e3b782134031b8e

SHA512
b1ab5f914c6743afb133fc4e3f871f1a06cec7d0f841741b2a7baa6e7f920eba9af1ab3dd20d619143d4a808881a416b2bd1f6e3b96c44655b4da790605d3600

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
445KB

MD5
b8f3b6659c1621910cda10417bce9dfe

SHA1
5ef4342b449518e14c46bdc3f67a98bcfe7b3c08

SHA256
a42ca9c18ee30e320ebe8cc529476df5c6517b999fe9eeba93626db90420e743

SHA512
5bb8439c322cd963344301617744332a099e6b7710cb8296d3dae446dce4206e033a79662d00e33e3090e6fde73cc71890937b94242ad2967229fac09f542360

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
532KB

MD5
cca700a9ce183e77fdc63983006336a4

SHA1
b36d24cc1dce6006736d5be360728ea92e9bd932

SHA256
4d1448fcbdcd5054edf3b8778e7534dff0fa820ed8397c85d9f0a140d0824b7f

SHA512
c5f8722d31f0f44077e73bee289678a16727d996fbc2bc5c213e62e17aebaeb542c82beaba116c256fa62dce79d0a0f3147c2629815bac3148bb3a43d7fe3554

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
590KB

MD5
f2d50581691d788b214e8b2ce92cc0d6

SHA1
6e83e80041db7728c25eac82cd99bcd72530b127

SHA256
97660b2b832ec1869bdd506edc582397ab00dee351b25ace0eb7f1097027dd09

SHA512
217d8331cfda2250784342c66e2bfcfa6e690c5789152ae49784de021c5e88b94df0b1bfc8f0e699bfeffb7ba3481cfa18ed65026a6923eefd125e7f7bf703db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
686KB

MD5
0a88d86a44d059c1e7e5361a2ee675bc

SHA1
ba8b49f55fee27d2d7749a774560f1ac57d3c3bd

SHA256
c057b824dbcae01bc800382fd561aa84085c000d43b8bcd2c54f4049f87a275e

SHA512
831b6b93145d72f7012baaa7a9f890259d9c8a6bf3b24b8fd5a5067df309665f41cf8bb5a174e7727326efec2ca7e9aac126b38b0673f523399080d1a295dc04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
170KB

MD5
142d60a120f496d41d21da0894d4a554

SHA1
b55390603fb321514763b2c5c9a52d54de8ce0a3

SHA256
33fd652cb933888d4b073a3f9f8694c849459517b9d0610b1d3483ac3550d212

SHA512
9b91a999db59b1933a2ad88f9b2eb90f1d0eac21dc5a5854fa257e673da11f923f0efd7f97638ade82fa381bdace6edd1572db89cc641ccdfff178c81db4e51e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
121KB

MD5
698f6edd0023a48a933331f2a091f92c

SHA1
64ba36c3197c41917090c4cc209f1eb3b355a62e

SHA256
b8fc9f3161f7419390d6a0f75971a745d6eabe6ba7fce9a56a018f8cb0e1e9be

SHA512
c8abb256043813406601018cc7ba8670d934df5e417b5ecea609df02d2aef5c95cc2e178419a78ea2eabb4bc0fbc808c65fc45131f4cfb0e4316254b385cc221

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
251KB

MD5
c3f98cc334930fcf811b17f2287d6f89

SHA1
ad3b417fd28428e223ec3e9af456bc715a58e4e6

SHA256
a39fea347b7d1975986621d143399c72b65c8ceae35e0fbaf432e68a1e934372

SHA512
d18e16e8a40bedfc367628b4133cd32a0431bc262b90a54552f1dc49396f2b859740d7b80b6f073548e58bf4062e5e94a24cfb1874d045d512217f83ffcbc339

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
157KB

MD5
4f02ce92601072428b51720702569024

SHA1
50422c8eb0a7e817513480ab35d8114e92fc4df7

SHA256
f988335a2d73b43310851d83e11c9e6f5df610430c04d5aa5319801f2152172d

SHA512
e459564097d6bae92781cdefa13131dab9af46a6e7ac769d559a568ad18acc9c3aebcce09a679e667fb0c26ecef57a480624677415298fc275f849949edbe1c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
122KB

MD5
5177fea7e4e977d3e6997670adbbad13

SHA1
0c399f78ce7498083f9ea802ca1267117a7905bd

SHA256
e5dd64dff955a272c9dab99007749614fe7b16f19533eae83b3fa0f9cccb8288

SHA512
38b79b3d4da886793cfe85072b1abe52d3f3bca55e8de01e7229691f71cfd89da1cd7d6abd244943a10e3d1d798f9905a7a187d8ce9edb2f37a59cccd477d430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
182KB

MD5
159561660a2ee8edb54df82caee18efa

SHA1
c5380ab80afd60222cce582c38c3767b3cf5d16b

SHA256
2d211c6853c1d51ea2f5ba055ddbfdfe288d5a22858c50e1912c236090a88bae

SHA512
cd5df6971d131bd1f78841ed0ef0405574fc0602b15336d2c16afda7194801c51b6cb96573ef8a00ebee4ef7ac4fa2ccfd16b3844bad5fd220f3f493c7066d49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
179KB

MD5
363a0327b5b0faf317bdd7f717758b80

SHA1
884aeb666ee997a64053028108e5a7f68d1e3b74

SHA256
7b2b9ba30d8d07156487cefa20c5665dc4bd761b2ec025abd2b0939c8a822c4d

SHA512
7356437060fc7f9dacac6d0a1ff31734895e339dab4047ac398d608eebe57e0ed8aaca5119f9c60072c0b146ac3406b378587bae5f83bf24ec5c2724c2c91b1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
235KB

MD5
3286136ba3ec1ca0e69585aad570f675

SHA1
0fdc7c2b5dbb5e8ebcf7509dedae6aae489b790a

SHA256
85da9006908a41c83abae3147017eebc646fab28dae53eb7fd3bab01881f4e83

SHA512
7b51973fb239df57855e0977e96c40b1a6ca6595d2e700bc2a90c0158bf01a18a2db5603ce40e34ac375992dde583795841b61d7b8f14c43e1571d021607b404

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
242KB

MD5
e5d05b7d99a690a30257c7043197a46e

SHA1
f5fa6f4439712680f009c689506a44fac8a0a7d6

SHA256
8b7d171fc48fb670bcd7d7c5452309a5068ac00df0eb7fc670db308d89b21212

SHA512
ad522b67376715a8210d1d92a58269ae58d9a4dc53d92783626b942d5bd32baf7510976d871951b6a3ad318ebbc8d513bcb2718b734a725f2bf014cdc439d052

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
935KB

MD5
6659fb68a2767cdaa0845fdf9f9d82b8

SHA1
afc3f49209cb85c048f681a50e34ae81165fe9ba

SHA256
4ed77416db3772d72b13c170f74e7a1b8d4d2b04b1c4e723f1c482f711f66e1a

SHA512
2aaa71a3789e8145e7af865e1e557bea11862dabb4a62105c6bd71a8a5c136c4d8067d74f4df939d7262ebc7a626babd9c6fa0816cb4e1b4a6e498bf7f9652c8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
561KB

MD5
c58430bc357240633feffb7c34f04d84

SHA1
994ebd2bbff6e4c1cf59b5e350d1a3279bc6db35

SHA256
c014db84f57f5f6fca0354ec8782832a05b4d72bda42cfdcf51f942ac7353867

SHA512
a985255eadd2adcfb8e2f654108a6fbb9ae337e374fd7e2fe16cf997758b721c1110872b38780256b9d44f7770371de04afd025f73a812fc21798eb8989a082c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
325KB

MD5
377f7112e1213aed84244bd5d822f799

SHA1
861e9e4e7adc2b1e94f06bcc4cdaaa756a4dab44

SHA256
403936cd4ac2f61ac3366770a828ef9947ee444411cd35236a3307756ab52b39

SHA512
a7ac3f8305d7b37531b241a89e6b046f8149ef05e7aabc243a3c9057e6f0f409adb2301f8fcc72bf452178009dd03f3eab707e79c73487c747958a51e0cd7f6f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
04f52289192d8f721621411097171a03

SHA1
eca555934b1d0b24def366dc2bfe0daedcb850b8

SHA256
4b9d3aeaa5e9237dbc5fa71a5aceccdadee84323973364ddde75aea33f0f3d1e

SHA512
906fb23787b8fa5bc13a02a5b5b244e82d8685a76881e23cdbf8c138722c88e0aa7b2c3b99febc22287bd29ca3a10c29a692c2541c2ef79be3368b21292913ec

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7feff87c7fdf49cace3623862177f9d7

SHA1
825967797dde2e9fdd6ddec0c560d4bb76e996a1

SHA256
27bf1ab2ff0226c7db1ee7371bc4197981fc786aca1311b785c632b8a30b3ec8

SHA512
301562acc325c2eb5c30b225c23b379d3a4cfc4065225150234288219bb76e80266537e0cdd554d487809ba77daef117851a26ba07e41653a4cb7c387c45b1ce

Download Submit
C:\Windows\System32\Locator.exe

Filesize
322KB

MD5
266d76aed82ef7e02226b88d331c7696

SHA1
a0ef02eafe7eee2e3206b147de48a61c2b44be85

SHA256
c846faae41f41ee9c604ec477d940fd97bfc28fb2b87a29b61e8012af465b215

SHA512
62eb024101abf1975cc03c0a0d4e1bfdb9ced012aa750f1d53503488cb20032b741ce0e3868db2beee01e423ae027247fa78a892df32789672602e7bafc64cb2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
929KB

MD5
aa2b54e4538edf863a69c55dbbd83a02

SHA1
3e286c7fef63d9d6532ba4eb905546fef0384cef

SHA256
6d8d3ebf6bae8c70d683a53664554a78b3ea995334ddcbd317be5233ce2bb927

SHA512
0a6b62abae232b4bdb75d9307cb4b77b5137cc66eece1a881e65b2d972b2f9e56d5016e0b46b1a1ad00fea9ef1e0bb7c27d1c1a4c8df9e504c6de8c14546f7ba

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.3MB

MD5
b46da0ce2bd7c91c3c2e0f5b9eb8410c

SHA1
834355efcb6e853c5d70e86697fb9abaf6d88659

SHA256
0eea6106d2616364101a9a0255c61dc3245af0cc77c4052712677ff0f876e525

SHA512
ad3ad150dc3004b9fed2d918f76f0bd5ae26700b46860bd9cdab18b02a657625d893e53c1b1cbb99e8e2e3d6e7c0010ed77abb6c2d3be1530bac9adee1a28682

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
765KB

MD5
9c046270a5dd4d183f09872b1e506a55

SHA1
5e748ad898447ae63335c067507955236c635115

SHA256
b115ef86e6c1a836d6eb23dfe9eb4b3c1583fc76f98f056a75d4d207d0509691

SHA512
e460e6ef924ec8bfd15004b76c02cccd78e257ccc531f872537c09763dcb0cf16a068a0ccb4a30b79f0f23535aed8c7e21389a6fa1dd448c930fd43e2293f9db

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
495KB

MD5
f6a5d94f6ada16eba6be636439344c7a

SHA1
15d0e0003f450de755af8f6b9fdfe6a148f8cbd6

SHA256
18ed03c24d7253f746bb14bd5d33d029cdc6fba85b2478c23631b6da7f775cc2

SHA512
197f3deb6217d68a894af7f3d8411d91fd4f29cfca3fe00ecbb374063ac6ee4c67cbe1c4803bbd87888f05125e2a0e4c87ca7607333acd8417b75c2e08a8c8d7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
47KB

MD5
ccdc153c37c1a13632d1df97211e952b

SHA1
f0269c03f96b039fca1592cf1521ef274289f073

SHA256
a921a874d8bbdcc78e2f272d19f19bcdeb8b3a629cbcdfa71499a89cfeba56ab

SHA512
03ba4cf8fbafd1ca3c30c3e654a8d4cf4951bbaeb72729c40e19cd6f76aa85769416673646b5b273a8ad4e6b1f3f8b9e5b3ca41442002ec000ded4a3b01a342f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.1MB

MD5
5567f355afc218072ae300cf3b2a16f5

SHA1
68d38fb5272ac788e5f6e2451046edb48332b010

SHA256
c518d9b9e4d13d81f2763e1088252252a807e9a018196c1fe4056c459be4ff40

SHA512
287a5b7261db8312c835143f01257899141b3a3300c6c82bb7268927c202b0c1910305ca4c5f6090936b342cd3c87b51560dc6cff26dfa260e2172563e801ab6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
734KB

MD5
dee2b5590759f314f1f7bad88bfdce61

SHA1
cfc1a33b3100f82f6671692ca53a5fdc2b658689

SHA256
35e459970849c646a62b5b479f4ee03f44244367a288c4e82b32235f04933920

SHA512
e2decf690898dc1e74f2677b5430d1f82575a6be354c7c4bf0b61762e7c32fa27442040331b5cf4f0c6d0e78bca20c2a13044371baad5a977a18e8b6c7860bf7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.0MB

MD5
c7a26b8ad4e638d3073441385290df3b

SHA1
965fcfcd2a7cb3dcc1656094b124473a08b5a15d

SHA256
398afa2d70257e9b922ec18deea11a24bba076122cc3a81cb55571864ea5602d

SHA512
8c39d3cc1864eb67ca6f719a8f46155cb2d2c0acaf9205890be74275ab08d29cf13c4e40995f907a8dc1e98b69e26ab3b5846450ebdc641c4581364d5f6172af

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
a02c5625ed9c7c5ffe431119b9d81759

SHA1
6ae056c7a8d5983ca01c77f84f672ad5e20e89b5

SHA256
319260393989bf89160f6bd2b19bf92b6d0316fc39e8094a06cee4d16536290b

SHA512
727d71667c66b7a98e369a03041db29992789503c7e9bdd9a2132f30a133a9e32322d30af8f972d301be423d838756d7ccf394e218638a02321fea99189248b8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
e6930136053ab131d5bfd5d1836a32bf

SHA1
08939d331ae62c91e4469f14a4541d787e3608e9

SHA256
2f3ec2516f695915df9ed5b3228a84acadb97097e64b7a654dc416c715c57d78

SHA512
75f0b0539fd6697db3a28a78270359408ffcd82c61e30e98633c7f37d02e11a8c6d97ba7d6a8b22ac53cea56eb7f49905d9eb1853d5dc95a7896848c52035902

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
cb4e03d08d09e98ea276bec486b49c8f

SHA1
8fa1f4e6a368908c6df01e41880f8ade197fd08e

SHA256
b80ac2ec1b5523f8121f428c06b3cec7b67ec92d168f32cc15405d4680ad3f13

SHA512
d736f44e2965522cc176a0c5806b5d7bb9fe8eb0e7d4e2b029b92e5691f2c85d76493d8b293ffc820415b94f6a5ec2be6e49d9f04790a8845b77b48239772c0f

Download Submit
C:\Windows\System32\vds.exe

Filesize
443KB

MD5
946705d31f06e000b7edb16b80dd0d4a

SHA1
b89a5c543d5112148ff4050d21e7c847a9c5d9b3

SHA256
63f8c942959f468adb0ab6deae114f68475424d93e2770142eff489728e180a4

SHA512
9c276696a83e80ef440d6125f9f66bc8e9888f974d2807ecd9779760202961690ae5fb52aa6df4c991cd0c59aaf8c5d811a93215ad0960a6b25b6ada818d8a50

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
538KB

MD5
459d685c86f4e6621b6e2c2ed48bb0e7

SHA1
43764ecee30baedef7ebd1ac584d7d8e3417f7f3

SHA256
4943c62514839bafa01f2a6af333b0e7dc7228f2adaa89129336bdc377f3ca7c

SHA512
d12c364313a8f4b0ede0e623e460a0a8a7e9791e15a9f35493029623f0d1fe6052565c3fd50616ad36c2dc5b58d45ee4d1aa22cc7f26709b7bf9959924cbab37

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
708KB

MD5
a590afadebac4191f32e7baa7f04a144

SHA1
0a5977675a9c279bc81e79de40746436eb2f2004

SHA256
b0a9ccbd5d063191f4a0c603ebc3831079357052fa739c9dfc2f37dbf1c00034

SHA512
135dedb17df6bda22a1877b5a7f7477a32c9be628b3d9ac2a0de22ac485bc0282ccef7ebe2a45b12572b2102017f77d3ab05e8e65b5455dd5689c3073f484429

Download Submit
C:\odt\office2016setup.exe

Filesize
291KB

MD5
8cb7f685aa2210aeee393f778163fc73

SHA1
90905307463ee556a05fa0dc1faa836d0e3963ca

SHA256
c577253a162259c5e89c85666cf0ca6c336a8d29649a9c494707aafc5c4404d1

SHA512
f888891997b5bcaa2e8ef6e5f9dc5fd10d3c584fcb9cdf2725e8888ff32aa1f8b82297c0b6bc6c0317131218844d92c92898536e24e4b1442d93027ff3d84739

Download Submit
memory/516-237-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/516-63-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/516-64-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/516-71-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/516-70-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1104-284-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1104-295-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1104-348-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1608-444-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1608-377-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1608-385-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1648-457-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1648-466-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1712-14-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1712-15-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1712-226-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1712-21-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1956-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1956-278-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1956-336-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2232-249-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2232-309-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2232-243-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2232-242-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2464-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2464-254-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2464-262-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2464-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2464-269-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2472-398-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2472-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2472-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2520-26-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2520-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2520-33-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2520-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2676-12-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2676-6-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2676-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2676-1-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2724-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2724-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2724-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2724-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3164-375-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3164-311-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3164-319-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3260-561-0x000001FEBB660000-0x000001FEBB670000-memory.dmp

Filesize
64KB

Download
memory/3260-548-0x000001FEBB660000-0x000001FEBB670000-memory.dmp

Filesize
64KB

Download
memory/3260-549-0x000001FEBB670000-0x000001FEBB680000-memory.dmp

Filesize
64KB

Download
memory/3272-452-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3272-446-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3480-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3480-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3480-413-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3496-439-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3496-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3604-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3604-560-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3604-427-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3816-417-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3816-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3816-358-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4320-338-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4320-345-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4320-405-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4648-331-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4648-388-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4648-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-55-0x0000000002A90000-0x0000000002AF0000-memory.dmp

Filesize
384KB

Download
memory/4692-48-0x0000000002A90000-0x0000000002AF0000-memory.dmp

Filesize
384KB

Download
memory/4692-51-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4692-58-0x0000000002A90000-0x0000000002AF0000-memory.dmp

Filesize
384KB

Download
memory/4692-61-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/5068-299-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5068-305-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/5068-362-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5072-365-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5072-372-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/5072-430-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download