1243e1d85c80ae7a99531f625125528913f86956c3c630d39b87ad49ad2a8cbe

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1243e1d85c80ae7a99531f625125528913f86956c3c630d39b87ad49ad2a8cbe.exe
Size

716KB
MD5

44da4b8851139fca04cf67abbe9a2449
SHA1

febf59a80f78f13dd7370e35c71ee02f7faa1427
SHA256

1243e1d85c80ae7a99531f625125528913f86956c3c630d39b87ad49ad2a8cbe
SHA512

787fb591d843e615581e7bbf3a482b9f297e83ea198f855bafc6013ff231185ae3e2ef656c6280b55b93745837f79907e9ccb7465c768675f37f554044aa61f1
SSDEEP

12288:o3P/aK2vB+K3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:o/CKAB7Hofe3y1sInB2COzRq8DvFqt

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2304	alg.exe
2344	elevation_service.exe
1936	elevation_service.exe
2296	maintenanceservice.exe
4224	OSE.EXE
4292	DiagnosticsHub.StandardCollector.Service.exe
3720	fxssvc.exe
3172	msdtc.exe
1100	PerceptionSimulationService.exe
3776	perfhost.exe
4832	locator.exe
5028	SensorDataService.exe
1220	snmptrap.exe
4392	spectrum.exe
2108	ssh-agent.exe
4080	TieringEngineService.exe
3480	AgentService.exe
4716	vds.exe
4416	vssvc.exe
3192	wbengine.exe
2800	WmiApSrv.exe
3680	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	1243e1d85c80ae7a99531f625125528913f86956c3c630d39b87ad49ad2a8cbe.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b2639a2512041754.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127765\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C46D29B7-FBFD-4C6D-8549-2E7FD76C9A02}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127765\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a58e91f8387da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1db30208387da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e907bc1f8387da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012c499208387da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4ab02218387da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009abd34218387da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000e6fd208387da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2352	1243e1d85c80ae7a99531f625125528913f86956c3c630d39b87ad49ad2a8cbe.exe
Token: SeDebugPrivilege	2304	alg.exe
Token: SeDebugPrivilege	2304	alg.exe
Token: SeDebugPrivilege	2304	alg.exe
Token: SeTakeOwnershipPrivilege	2344	elevation_service.exe
Token: SeAuditPrivilege	3720	fxssvc.exe
Token: SeRestorePrivilege	4080	TieringEngineService.exe
Token: SeManageVolumePrivilege	4080	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3480	AgentService.exe
Token: SeBackupPrivilege	4416	vssvc.exe
Token: SeRestorePrivilege	4416	vssvc.exe
Token: SeAuditPrivilege	4416	vssvc.exe
Token: SeBackupPrivilege	3192	wbengine.exe
Token: SeRestorePrivilege	3192	wbengine.exe
Token: SeSecurityPrivilege	3192	wbengine.exe
Token: 33	3680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeDebugPrivilege	2344	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4972	3680	SearchIndexer.exe	119
PID 3680 wrote to memory of 4972	3680	SearchIndexer.exe	119
PID 3680 wrote to memory of 4236	3680	SearchIndexer.exe	120
PID 3680 wrote to memory of 4236	3680	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1243e1d85c80ae7a99531f625125528913f86956c3c630d39b87ad49ad2a8cbe.exe
"C:\Users\Admin\AppData\Local\Temp\1243e1d85c80ae7a99531f625125528913f86956c3c630d39b87ad49ad2a8cbe.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2296

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2796

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3172

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4972
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
76c4a9d22f5a776f4feeadad134549f3

SHA1
2a66ab183036639c88505841090485162ca0bd1e

SHA256
efc63ce7951b7505d1f0c6249512fb5a34c779c2d79d1b5e418c1176655fc067

SHA512
412e36f68f83de75ef09a5e8a819e613fa594fc8ff4e53da0a890aa80686adaa8028c44d4f3976fc13cf2f791e9657b7189ff368088a7f5db52ea060f46cf651

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
bdbdc70ab5beec01a08790fe59ded5a7

SHA1
1a7434e515ea7c41fdcfeb2d30ecfb553d88f33a

SHA256
3bf0e2eb35f7d8ef753dec952cfd9cc0cbd61f4d4bb3147a5bef8c7b1bbd070a

SHA512
0fec7a65226efea388a4dda095e6321f0a9d95f2d0addf248949dc8256e1dee0ac59056af8b3950021d2e8a162b87d3bc748b0744f8809a78837a1f87035f035

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3f8fb4b66daff0c257ce87a95e7f5036

SHA1
ea08fb924862fec84698f9d1daa1bc056ce2602b

SHA256
cc670e996fb82a1e9d22b2611628a4f43a1b42a60a962d3ef8c15a8bb17c9447

SHA512
5206ba4be705aa0bf254ea1d046119402d67efeddb936967717cf406c389edeeca56c4a509c3de05c0bf87a8ede960ce000e8f3953b1cf5cbd2b62dca60552ed

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c5af8619c4ba084ad89ce12686dab57b

SHA1
06a5ec60f592477a14783380536753f76b4026f0

SHA256
6a91cfab0786cd4aa83e0280f190ea8456ffd0d9945e351b27325549e388edb3

SHA512
da2c00d6efa70fe33d9969e5ea8edc30d0bf026382aff73d40bf8114c3b43de35222ad979fe5da36d12d97fb1c16d81287ba179bf83889c03be10b8e19a0dde9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a29f0365c27dd028230745967d7e7bd3

SHA1
b84547934c8af7e93127b38dfce32255ff23cb0a

SHA256
b31d4d5697c4582aa539054cf3597ec88355d3601be37cf17d841af4509c3a7b

SHA512
1d31d945f6dc579300b2e42960a6bf1907318744b769ff9acd043e1a6643677512300c58495dc8310991a71de0b48434149b677e28d715c31c8fb948f492a7f3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6e3ec0be8df4737d7ca0f0f41f916543

SHA1
0dcb65d135f32b10fb07f73cae68f90cf6000b0a

SHA256
a63558a99fb046d96b9c21ca563d44a4616c866c0bc51d804e9f54786e8926e9

SHA512
accef3ae2ed8816d595f7fe3e3d2820738d08dc6a128c6cab598fcc485f9f8ff30cfc06fdcfdb08514725722d3a32f2c723ef00cabfbe531bd86e8efa4763ab2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9106a55b52791c2e0909f8799ee59c05

SHA1
e7da5070deb21b4ae6e5488deb3c33a9ae2f66ad

SHA256
b7f4be4bf14f8fb5732f17fd57a55cf979d5f03fab0d01d3abf10cb1e56d47ac

SHA512
c9c0d2e84c15878d442db5baab88d4ad421e5b6839889b953a985607e0d8ee5863afc7a4d650c5db88d5959ebb3b3ba5402d800d9acba41b7276bef13733f40c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4eea490cca9773ab44bed2c9a5a78eb5

SHA1
42da8a7d2140df8cd006c51833858ff8f6ca00d4

SHA256
c3384558e1b0e9ed2e31e3da27e7b81c171b5126d7dc374a22fc55de1be07198

SHA512
dcada154f249fe5a4e1fc98bd5faa9a0275f9239bc18de22e08c7f1cb6980ca76fe4f96289de21126847c2755f0bc547125c0421d6e8a82ae40773b22f676fa7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9968e32652d044bac095584cee213451

SHA1
4b15b2e533cb24781601df6707ff67fb21dc1fb5

SHA256
2db28d181bd56229f2ffecc802581f5ccbd57b5c8329eeff9f57ca9f6c92105f

SHA512
db230d0c825f41f978fbaa2f1ad5f3fd06acab9f52b9084744f8b0983ccc7164dd4a060f649a4bdf13cf87613dc5e6f50fb21686d6f6b5671f6306b2412c45a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6fa4eb7c01778e97c32a6242ff7e7f86

SHA1
91355cd2598f202e8f839dc1a122a43f3fab661a

SHA256
286cdd0d2475e0257c85249d63a6df18aabaaebca751c5a2421f81b7002ef1ef

SHA512
8f0fd6fe6f0771ecccee2223e5d7f23140f058d5e8596b4c32f2b6f74dc0e68235f26f099a2730e9ef7b4be61812a240d82b03aeeb1b3e5a5793b682153b3307

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
04a88ac092f823dfe29bf8de7c03ec10

SHA1
31768326ea95eaae92b5ef52948cd59133911899

SHA256
6b321ad793a3b4ecf047326080ae341abe4ab7c63bc85ca611833356fb595e1a

SHA512
68586edef0744c77f21a6c63b02a2386fee81a250f9c1e7db237a539edd1eb8a91e419b6ddde77bd3fed1e7846c5ad63678e9767d4cd2ac5f6cdc77741df79d1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7b934d9fb571dd059551509a8b8c2de4

SHA1
fbc7b5a69d596033331a15c4387c0fcbf718e30a

SHA256
21028bdb199ca98436d7de2ac0fd073895cd11813b818df2a3fc52081a0e65e2

SHA512
7511cbbd19654cc1b023f4f05e676cd97b9ed6942b8d3ab2a9c0f73172d9fab573b9cd40a36862a3bdc8cfd46b0189d0a4244afb4498ff1786d28bb686694a3c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b7180c0d1bbc956fc2e93032fd2776d3

SHA1
ea5d7286b0b454b3da7fc92d081b240283bad4cd

SHA256
0dfc7cfa1269d8d2e742bc73aed9dcd187170f15fb6c34a53c8b6aa14ca0f68f

SHA512
e7f09a95f70b58839db09cd3fee7ee1d35c6d2d6f4f623124476a6e18c60dbbb798677cf415b4c1adb249626bba46e07e26d7b48a3bbbf33db16a87094132d5a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8be62fdaa56f3c8f71ca9c67c5363385

SHA1
2816624adc71bf0b949554938f8b5594e5d4af71

SHA256
9975288b19f6c8fad3b881b484c3e099cf2d6cf9c3c4e24d4907da693ad18ba7

SHA512
ba1add9c69efeb86d6c08cc8d1b1b7062d5dfc7c54f43e0cff783cb5c84f86ad477f6b80f9c1857103d21545277d2aeb0ef9c8f73efc7a9c796d2f198925c8b9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
4870dd48ee98aa044702c71e5dddbe90

SHA1
1ca5cde384c3d318561c0b537d199727da111d23

SHA256
7587af59872268b6193a50fc2d34b74313e84e173388626de215355dd04c3329

SHA512
e1e58cd4011d9aba270e93d56ddd58463f430df5560c73cc65c8d03e1069d956100a7ae646ce2dc46931fab849b634cea9ec8fdde8c86449b942580c42d46fad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a6e964c1c22986d8899596f3a0769216

SHA1
6182f252c9103d64f0af51069e9baec0dbbc878f

SHA256
00f1e2b40d2e1fb8dab87da9dfe2387479c320662778621d7de09786b4c5df85

SHA512
a10f04757c10e66a28c82e37d619880c192450cd058ff3fb52a78b27db82e8889d58d316b50d9c7e61676a159d33a9c24f009e1c77dbdb0327c6c0010e9a753f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
806e3bc0a7401de766a3d8119da1e65b

SHA1
ca7623458906b713ec7a2da13dcd9903c2b7249e

SHA256
3f363fc7922e9809a3dc3328a474c3a40acc07e34575c61b199b17d0867778bc

SHA512
353f78a93f2f6b1746e67be200e77ae528fd1037d772e27956a36fb6e2c3e8a9809d3b586f4dcfc8c683008451910f687b070840f9c173201e3abd63a3ac7373

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3f8140c27b98ab14122f45161baea805

SHA1
77bae5ecb1a6aa297d2fbae10c449698d48b035c

SHA256
73b72a1551038fc1b8824853e34cc7e15a6a189f8b9c8d5c1140e6a51dfdc814

SHA512
6c7dbc6d498a20eb7d0a6f3137e1e03b3bbca1f9b0055a2fadd5eaa68d406d17321d0b400b1e7b966bca2274ae2023d44f6c99726c711e3c9719fb35ee938684

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
74a5addf6a32cc1b2418d151ad9a00ad

SHA1
e9dc36b484d9f30f7773570ce37f554732ab22e4

SHA256
73cbd8a02bd4e48c66c5be777e627d6c4a760f4961350c5c76bf3a97bd9c8be4

SHA512
f046633e2a94df9c6db066560685bb1b718ff47c2c793dac70ed7851566a009a24dd2b235d0caaa86a4a84f15c920308a6edb79b4171cd17a48f3fd593b04b4c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8793188cc6a1ebc7dfcf07cffc26fe43

SHA1
fe66becf8f5b0cc559c71a1443eabce6aa2808ed

SHA256
37319d5b3987866d6fb95ab2077d19414c790b9d18ce7a1d2888519a29c57a85

SHA512
399f85bfe5ce5fb0376702ddf7579bccfb45c9d1123160d0eb8876fc515d59ba09ef866c2ebcaa0e308e190742b6e3f18d78583c46c0db2547836bd1a7c7294a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
73e28cee2499f660ac76623ded1b13b6

SHA1
777b0e4ba8fc0e9b8c7a4e6fcdef8204eaf70303

SHA256
0b3f39ad6e3412fd4cb851a13d592c86ca1a61c63dd20057d0d616a2cf360c44

SHA512
e6582c0402a1a04e3b1591d656b9bb13f11f3511012ff1594177bd23f94058a4cdb7b144c83fe7784daad4b2852d54f1d30ecca24b4de9eeac5c2ad4f7b3c67e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2ac833231991d118192971c59f5eebd2

SHA1
0201e45b85855576c2174f7ff0a7ffb49a9ebbff

SHA256
57ab722c4d7e0f2541fc3b5f68e60081f99b72fd611f54e0f177bce45a18cc90

SHA512
04cfd543f2d28b00d6b77dcb9fa0f4ef2925895e836ddab11812e90b5329aa8c5c9a251e6f5283da82ebd3d2edba451ea6906d9fdb2273986464fb2b3cc44ab6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f275d7b330e0b33c1d4f1c8b82c7dbf9

SHA1
f287b1314fd99671acd725df28b8f787f8b9784a

SHA256
c443e7736175927c9ab8ff0161415fb24a964cb722f83c3cdf284ebeec5b6d37

SHA512
5c69d8b0b858763cc03df7247325d3bbb7cc7e14cc7564f8ff4535f2825d8e8940d8c70b8c6830f22761c28c488a08d699bd37b84136940ebe8b75327ffc8806

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
012b6f7574fa2892fa2f5a3e0e728a3a

SHA1
59d038e005e76d3d7f5729c76772f765cbe2d8e4

SHA256
26b33f32d619bb772a6770f161b5be2a716c83aa8bde9ad52dca1641110ea38a

SHA512
e89e51ee7f4bef384a5d9f8fadace06fd4b3c540ee0e86596a5a454a5730855b607f023a4f700df0836413efe4a1c697bb50d53bd2c669ae5cc6144df642f36a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
420b884ec337c8fe4b9f684e05585d5e

SHA1
8417f7d2a5142e04ecb6baab9546cc79f7a9d973

SHA256
c14193029f0ddbce6fa4b5e808050dadaa50600a25191ade67c0611c7c2e0373

SHA512
ca7c8959ccf1cdd3c90435a3e8af2c8a730ae9bf62c9fb257844e83dd1a54bf0339b4bef1d6ff7de2688be0731d764a0bc0744c222a4d6ef25b6e667f6c756f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5c6451e92b1b57adcbb5192a201bf489

SHA1
613e6a58fe1e95e7013156267124e8a7ee620775

SHA256
d7beaaad8fc1762ac1daf56ea90f1a226d1ad12d8e0ee788ab2a62645c7e91d8

SHA512
953f21a07f7a576a35baa9697a50aa0b4fc47d16e5e6e25aeffcf42cad21d40c25f771d1364dcec5a5497408ae7b4eeb53344c406cbfee361ca835a3ac6b2815

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
886a5bbe3aad0a902c3c4163a2e71932

SHA1
8a338115a2cd0d6ac9f321d310931c061b51bbee

SHA256
62a7fe8e2fea00e062beb4e01111e383111cc1b434afa6749a0bbd1aac831d75

SHA512
64b955ceb7e2fa0147dae259b927b920c0d3de5fd2ded0ae6cf369150f166616c40f25abae155056acc1d9c71f16479b78c6b777be9bc90a2ef5eb9bb8ea414d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0daa7682a4f8513c3579de2b2f746355

SHA1
4c17cb7d68e434c08abfad420b2adb36dedfc2f3

SHA256
3949eb305789d2fe59795a89fda0cb0e89aa34edae683db1388c0f7c17efe0d1

SHA512
73cffe7e0d255a88e0f96f11547c064e54d01fbf4513c42bea196a768eeff6cca6747730d265f2306d880c8898523e024f8510dd3986d306d47210d82068c69d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7edbef5fb51741f0cd0f8c1fa98b8ab7

SHA1
1cf494ed8538215513a3cab47e5d386297e65a00

SHA256
cb628575a5c85abf954e58966a599b5604816541bdb1e3d8545d13bc89b759da

SHA512
705785bd6b0e00c3b4d8b89745038c2509a6510bb2863cad8db9f7deb59d7c72b96ede7af66afafd0de4a0d758ee53e51f47e7d4bb40ed6a8d8e2eeb423257e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4f4fc35168f99f6c3188d8e4808c9fcb

SHA1
ce9cf7aa9982508cc04c53e78adcbc2ccc3959f4

SHA256
5d9884608500f99ba3722f4d10ebb963979a251b3ff9034ec86c05fda683df2f

SHA512
04c1086b002ed7e925f281585b53305c8fb66c70fb17993bafc8829ad56e61d3dede99a6ee950b200f610d6aa2d7eda791b57e2e3ebc2c61d089327ee218c407

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f4a1fba5bd1b489fc76f53d74c0967d1

SHA1
f248e71954a1bed776d31bf81c1855bd36d02481

SHA256
a9fc9d17ec4622e9e125acd57676406937cd10e31744c55c65521be9b14bc09a

SHA512
7cf4deb1cc563e347c904636fd70d50609da027436902d28a20ca9e5614a7c0472a8384220541566a73294fa912773fb60072c601401f7e3bf59529f5e5fdebc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
25c9dba4ef96f76c1812c5189ffed96f

SHA1
21c89c1c3e318a59b12d1ba591e455537078bfa7

SHA256
2a6728e541fad05e65ceca7ee77333ccbe2caf6f7c2c08867b1cc6b4c57b922a

SHA512
f8c85fddb6f3a291f015a2a6561c1fb6ac9e2c25dbd92e49bc198b3513d59d7abe8768c630746729351d55fb68f907d91801bca3556cdf5a2ae3c30e85f6d3f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a256e3ca83dbd71ebc4d269e56597763

SHA1
68916b990fa952695808f1c21510da296556d443

SHA256
2cce41e1260e8926c77bc6407859f4f380ef643730beafd6744c023a2611c0b8

SHA512
9a9fccc20ab4010ae65dd3edcf376dab5d641d1dc591dd9583cbbba8adcc526e153cc7fd32e707f3ed8c2606714253843ce013a5fd4e7c90e2e61f764b4a30fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b920c0026a9d06261cdded23da5c5cf8

SHA1
17ee960f2c443c3a484ee76af7f8294283a43c13

SHA256
06047e523a1bf22608e6d67d2d05f42af0f4909533c27011a6190c2ed7e61675

SHA512
588faeff0ccefa4fc1d0622b1dc37fec8ecaef19f07f5f41864337278ea94d95d64c5221396921d336a9488f2687ba26a11196acf66e2fbec83ec6cbf096945c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
082b71b922f6280eaa1bc2fc7ff01214

SHA1
470b4fad53fb83b347d9d0621000cc60009d88b5

SHA256
e06e82760eb46ee3eba9675521e2254e2ada1a9fdd640728c1451906a049c22f

SHA512
ca976b0b41cb7fff9da11dc893a6c3eb9a8fd835190ac86a3bcc7fe5f7a78e055c1995250b8b5211fb6030387fae460fa4c5ab48ecaefd429844b1640b19e4a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a9ff7bc0eb8f24c7eedbf266a50e2ccc

SHA1
0a93aa4cf014bc95ec3cf586be4d9aee0f015117

SHA256
403b53e87621083e843605ce2263d238bacebe26e538c2ab3eeea41bd0c1c113

SHA512
6419d74690192749b1323ca08e9cfccb23a8d92d90f5c78bce33eca7bed5a67e3eee24b8527efb7ec8b5dd8238e6b6e505f7a309c0f46409e2b146e77a559a1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
e2737998d126bc9c05923a0101ffd368

SHA1
38d3dc17ef7bd8bbf9d0d4d8c53071a4d9225641

SHA256
782566805892e39310a4f6ba0372b30581bc38b3acc3a8d9ce5e1f012abd3202

SHA512
cac3def3cb5cd3f2c27a83f06f863f10f3628e12652c8e06ecb04bff73b6e70587c7bd082b7a35479b933d11d2d6df4ef4a344bd0ab7233fdd107fa98d1019c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
75ecbc8c706596ed6aaf3270dd0c3ba3

SHA1
e3f82b55f39d04b4d8d14793adafbb2435dd4480

SHA256
6839d3601ba070fa16ceb18c5471977d7f6e93f324bf03aeea891b43e3cac1c8

SHA512
5d76ae7ddb202aaffc7c811755477f065c511b0b2008ddc9d42139ee26dfcce0e446b0a1ab0039214cb0e3701f2463090386aec9d5ba7cc6f5275637bb5eb1f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
54066b4a9e49203e29840b85fead3128

SHA1
9bc52fbf89e3041aba4873ee99de23cf7b26e589

SHA256
14b468275bc215c75c27d9df1cb6cc142f390b6c7fa4ddb3930a3f40ca87d466

SHA512
7ce83ce9f569a1d71c398b485af002af758b409b98d2bfc676b4d070e60d815aaa04967843a38ab2962b4395ac100bff0c12bcea5a2f003fdb62185ab92f7ebc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
de502ebc2b1eee8d185f184c28c01c8c

SHA1
d97045faa6a803cd9746ac0fdbc3bb47f7221f88

SHA256
7557ceecd77093db9540f62548764a7ece4b31e73bffe5dba4bc2369fa7a5c34

SHA512
2a9729b628637746bb26d1b8bd809007d0674ab29c84e8f80f392135e2b97848cd638d90a5a0ae0c423694cdf32f405134a118f4c9fcd2f6ecd709af05590e47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
c67130c318d200869305fff5fd827298

SHA1
53b331c0d83a8b58c2d5ceac394cb5a2e67c97cc

SHA256
3a2e9c91bbe46f69cf49e668715641406d000e30d88c2f8c0e8f6c93375b3544

SHA512
f593dafb9730e1cf5d7c0d58f9c8dfb87c2351734ee7f5bab59004b6312e00633d79ee8b333224c6073f4f69d888027a0dd8490d4c66b0a0fcf12bb0ed2f052d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
e3e145a813888ea32b9fdd651eb83a08

SHA1
467b4bb32232591522f4f2649e66c7f1d8cf8cf8

SHA256
b5783e76e64249c7bd6a88fa49b0f5e65b103fbf91afc66f0e71615a388e83cc

SHA512
54a5496d6d1f39e95a869c494b46e6e5233506385e1ec9e400440e8fe9e9c8ad79a9c9006d18d99b88aeebb0acf5fcb9e7d960aac906b7e8a9929bef3a0a1adc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
e01bc0fb471ff29decd734c30dffef7f

SHA1
136c0f5085afce4d50339292de3a726006710874

SHA256
de34ee70aa88dd5d406e3d8b7420f7c8aafd7c94c23d9321ea603a548248c6a5

SHA512
c8d8ca1b449b6cde35f0c0d12742e97e01a32df493620dac76a9db5df58537805e8b840c4fd2513e5520f0cb4e585f26014db4ffb24cea6c2adb20bf5be92778

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a43da8dd6e319a86fa95a5889d8181dd

SHA1
a4f7e813171991945f46d5df9ff320d5732dd708

SHA256
f8d3d9b6232a11cd4a4d98ed172aef09040efe3e64f63c98ea9f08f578939e3f

SHA512
8e11cdf683b2296cfe16c152debfd8be044086df3821d2c3c0f1fe670c5675767f95f2d61b6fa96f99340dbd4540cf2fd630526ed2e2f0995cc41e404e7264dd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5d8031f87b31cce6ccf4624192181cad

SHA1
3f09f50130575f39e936de17e2e7da187d822758

SHA256
5d8877d89dd086451c527bd7ba5ae5117d993c62872b341c5b5c6acd35978b12

SHA512
92ff9f4299be87689dc6c1f88e32f3ff9d8c7daee9da9b49b641be7be0640f63cc7a5a5775a951145fea7ba2c0738415a0975670152b607569d31d2586272a41

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1234346eebfe23d6d94eddea701adfc3

SHA1
82e55ab73e5ff158fa771a00ef0e67fc0538d9b4

SHA256
d64d86413df2727a8694a17d08b3f76e78fcee2cb2e844461e1e317ee4ea1b80

SHA512
8fa4cd8bfe598e2b9cddb4a3caabef2cf4ae58e04be63f40f59f9a25641e56304c750d695878817ffa79d5501bdc630cacecf6a26fe807b59a987b04261c3d5b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
28c121a93efead59c3412b935607462b

SHA1
ce3879cd658ad30c4bf4020c97284ff812349458

SHA256
1bea49861bc66e77dcc76db74227344cb44b6cb0b93550b0e50c39c75565b190

SHA512
b46983f309f2623f988878275ac879397fcf20265a33d8f37b44ab42f97ee9acab9294860682b0b8ac6874cd2bc010ec90b41df294bbd8458cf300ff81dd2deb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b08d5f035a9aa0338a9ccbde7b46dbb9

SHA1
00e8254ac16a4301bf0f4c518c2c22357d968c69

SHA256
29e847c4aba6e6338ffe11eedf3b46570a19c57f128949e17a0c437cb4c345b5

SHA512
dbad53edc7651228a4dfd033e988b760f4bb6dde1f02de57bf0096c8649f6802309255362e0af42322ec5bb504b21eb32e479b46b16852a6bbd5ab3382bb6d71

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fc87c566752532eb69b983bc21ecc225

SHA1
5121083859fdadda8c899c406d32acc5690b8eb1

SHA256
998211aa110b89c2fb7c357ed1e7a8474b06f3b3ddee031a5e753da57cb4fb13

SHA512
df81748aa4cef10b1f149ea625136710484e1f113ce56d89df39322476f85da72433454aa8caf09b83351354e2d3013f3bd42d9758423b07c35544942e66275d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a738de81147cde39ba9366d1d656c971

SHA1
7ce6cbe841938faae9ad414e095bb90f0e124478

SHA256
b1135d6726993b5e3ab9709d9e6fb40e3d6d0679b734945fba1f2c1de52f26f7

SHA512
7e00480cbade9fd3c86bc5694e23e02ff84945a34d9e20ed4635f14fc5961c37046012bc9743530b130ab3b6d97f62f5aaa043cd4f45eed0fb9d5b2e2416227e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
278498feaa3e2d85d0f2aca1cc2177b9

SHA1
4f7cadeda5dffcb8f54aff1ce1c0438861518465

SHA256
183b5ea6428f28833cde7b473942acabf20782ec7e63df98e6e924f04756abaa

SHA512
cba29137e5acdbea7dc8ef5c15ed638e17fbe1af29d0efbd75ceb37635398c60d5050a5a4bd06dfe107fb9457784aff0f082c20482aaf9113dbad1aefe5e8bfa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
753479cccb7da131fd172183bd82a85c

SHA1
670eb2c2b2ebf5a72a28c7b4e2c88203251443c0

SHA256
a3084675d053473c3268a73a479b4ca800a1ecb1dd967eb6fad885ba4f029f74

SHA512
ba4bf339bc4e0d8cb0a28ae48de38f0dceee3443dd6087d60580dd2d6373ca9c3aefa16fbcf97a67d87c4ee8d0ddc0ce216052f9e94009f0be1f59964e664a58

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0327589288a2c1c7bc8ca9cd1d90d0c4

SHA1
c801d18f9d8ecb1f2bd0b3cd610e3262a66f9f17

SHA256
2e1d425a8aa6966f7ccded7d2bdb004dc064aad47e56e7f9f160aee4def4e1d8

SHA512
d57c415601610b79a2c02bf1b0d27ddf0007d1bce0f4ba1c21b476e45eb5b467fb82849f5b1d94ec68931f0b0196dd97585ffa36941c98fdb6927bf9804ff3ac

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1714fc210de7a0314cadf5a4ef2dd4a8

SHA1
796179baf4f321b2c829694dc82470544ed57c28

SHA256
5007241f4d400c6e18fe811f7b3c6caf3b8a4d0521442d6dcf97060f1f36a68b

SHA512
2e0e033a252fec98d34ce4c4516d60995a2a66ff1efcbde4eb2d32897c37598d03aebf3fb0296de5a0a187d0fdba61616da8fe330903208378134c1d6aaff992

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5118a9eb7cde33fd0fe9a267d5f3a607

SHA1
feab12f334acc78a26798b01b75b8ab4caf15804

SHA256
896d6533114d60abfd62e8ab3a2b45760dea9a6ed2afb98835c785bbbc5f55f3

SHA512
7cb8d03dd5cca107307220978670f222f186830f5827abfd17814625e78334733bf4ecaad059913f6c75ea6723fd8ba345ff80103319d15e60b5a6eea2c68abe

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
96b34efebec0a71428d6168393f9523e

SHA1
346f7c67940a76ec5dd864df2f6ea33f95e5c738

SHA256
67116183c4011dab72f42578f0998ab642e9c59ffc5a60c08dd344ac4bca3e88

SHA512
d3a19523f5555572e6067d806cd9b746926ea05384674a2aee4ff6cbce1c9d75bfc924f3856f327e7da1cf9d1149c9a4b44eda9d2aa50ac245f3b8a587083dc4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3e8f0a5442d18e316798dac19b2b219a

SHA1
3ca6283f7d1ca882f0a58f08cdfca7bc5ca85e75

SHA256
26b88df6e972c51af7a4c8f60e7749d64aa1c84ae66fb3118530bebb2c32ca1a

SHA512
73e1ab544ac658359f3595939df75b6b98ff541576cd41a2c37ae7b5f6ed0d48d37971ec04cd498dac438d9bead47410f6a22d26af617605e6b2456f1166832e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b98a8cbd1a9e208e9587e42cfe793230

SHA1
42865c6da313342b02ddf135c61f8a1ef1a5bc6d

SHA256
8046e706e626666cc8927baf29025d675ff60933ccf3f4d74ee8ad2ac6bda7ac

SHA512
a97d5ec9b0e15885b8d6b0da36cf1117c99ec207561006ca6abb307bd9e6773802f81e997210c1ce9e80d998bfe8aa6793ec13fb7fe042deea4fe379ff2dc378

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
78117423598051f74d64efa562e59b00

SHA1
eeb209dd3d5431bde43ab3ade555b646805a4772

SHA256
167a4d73d7bc0a893a5878227fb4c32f23f43738c11d002f3501585db0177597

SHA512
c14aec1f17ebc93c6b131622c47dec2fbf2a7a7da97219b9f564c62e6b5eafcda745d06f37ed3c50ac9defe9eacf1482068148c9e942cc163237c4b67491a09c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
baa220119a81e931df42f9fb4ff9b714

SHA1
856d1e29a923452559165a01b20d586bebb37964

SHA256
f3bd1b23198d3c6a776db8bea379a0a7b91fb29350ba88820a52179887bec76b

SHA512
1546061a67e91fefdabb81d827e72d998a32981d6161c2b87cee4f3e41672fc735dbabcb84e54647e1727eda668be903e0989b129ec4a8d6d83cedbd13f7f26e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4be92048a48384a9d69a163f37d976f1

SHA1
e030d91c601131891afd178ed5a4dcc0e7bfe693

SHA256
cb73cf549099c6a2c9f54d3351190009c53cfa831ff69d9e598d5089ad3951a4

SHA512
eef097771797a3bac6a1c297474d36fb91fbcd84d7e8837efa11e6d36411ef21af7c22cd6c4a2ca0802c2aca5f7fa7cde5d54d6b80595b0359161e0bd8703fcf

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
e8e345fdad28f98721b885d531bc5754

SHA1
35a05e00ef3d225e159a39dc8513eea8cdcc1618

SHA256
013341378edc62d14f82c6d56c4dbdadeb8fee1957f645fed42718187eebd315

SHA512
8fb20eb116445e1ee36600b7bed7042556ef06cc821aff6d16e228690c1edb6ed499b57878af5a59304fdd3268fd38126061c81ea1704fc6dcdaa23caeab7018

Download Submit
memory/1100-299-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1100-353-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1100-288-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1220-342-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1220-402-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1220-333-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1936-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1936-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1936-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1936-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2108-369-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2108-359-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2108-428-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2296-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2296-62-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2296-59-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2296-52-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2296-51-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2304-129-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2304-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2304-16-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2304-23-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2344-35-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2344-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2344-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2344-28-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2352-14-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2352-6-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/2352-1-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/2352-7-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/2352-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2800-442-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2800-450-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3172-275-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-284-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3172-340-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3192-437-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3192-430-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3480-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3480-394-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3480-399-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3480-400-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3680-463-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3680-455-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3720-259-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3720-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3720-273-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3720-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3720-266-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3776-303-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3776-368-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4080-381-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4080-441-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4080-374-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4224-67-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4224-75-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4224-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4224-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4224-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4292-253-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4292-247-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4292-314-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4292-246-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4292-254-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4392-355-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4392-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4392-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4416-424-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4416-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4716-412-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4716-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4832-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4832-372-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4832-315-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5028-328-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5028-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5028-385-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download