e41d508e9746cb241b4b826315cc7d27518a043049602e2eb7f5a4bcec31257c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e41d508e9746cb241b4b826315cc7d27518a043049602e2eb7f5a4bcec31257c.exe
Size

705KB
MD5

bee6594cfd06abbd590db0e1e88f27e3
SHA1

1c731a71b6039af6eb15dbfcd2cdaf3d282f8b1d
SHA256

e41d508e9746cb241b4b826315cc7d27518a043049602e2eb7f5a4bcec31257c
SHA512

4f33c91176349605391d6275b8bf7a08ce278096169a9c056bd8238e4bde8647c7d6e86f181a4ed5ea78232c8e0cceb6885884d4ff18bdfc235044bd0d8de2d7
SSDEEP

12288:GW9B+VKMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:GW9BwSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3232	alg.exe
4436	elevation_service.exe
3952	elevation_service.exe
2664	maintenanceservice.exe
5116	OSE.EXE
2220	DiagnosticsHub.StandardCollector.Service.exe
3592	fxssvc.exe
4364	msdtc.exe
712	PerceptionSimulationService.exe
1040	perfhost.exe
2244	locator.exe
4784	SensorDataService.exe
2512	snmptrap.exe
2616	spectrum.exe
2880	ssh-agent.exe
4792	TieringEngineService.exe
1396	AgentService.exe
3848	vds.exe
3456	vssvc.exe
5092	wbengine.exe
3488	WmiApSrv.exe
3672	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e41d508e9746cb241b4b826315cc7d27518a043049602e2eb7f5a4bcec31257c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\18c4479d822cf6b9.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f4326b72a88da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d79ce2b72a88da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d5639b72a88da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fd8ddb72a88da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8a890b82a88da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001115bab72a88da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004277bcb72a88da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4940	e41d508e9746cb241b4b826315cc7d27518a043049602e2eb7f5a4bcec31257c.exe
Token: SeDebugPrivilege	3232	alg.exe
Token: SeDebugPrivilege	3232	alg.exe
Token: SeDebugPrivilege	3232	alg.exe
Token: SeTakeOwnershipPrivilege	4436	elevation_service.exe
Token: SeAuditPrivilege	3592	fxssvc.exe
Token: SeRestorePrivilege	4792	TieringEngineService.exe
Token: SeManageVolumePrivilege	4792	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1396	AgentService.exe
Token: SeBackupPrivilege	3456	vssvc.exe
Token: SeRestorePrivilege	3456	vssvc.exe
Token: SeAuditPrivilege	3456	vssvc.exe
Token: SeBackupPrivilege	5092	wbengine.exe
Token: SeRestorePrivilege	5092	wbengine.exe
Token: SeSecurityPrivilege	5092	wbengine.exe
Token: 33	3672	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeDebugPrivilege	4436	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4048	3672	SearchIndexer.exe	121
PID 3672 wrote to memory of 4048	3672	SearchIndexer.exe	121
PID 3672 wrote to memory of 2572	3672	SearchIndexer.exe	122
PID 3672 wrote to memory of 2572	3672	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e41d508e9746cb241b4b826315cc7d27518a043049602e2eb7f5a4bcec31257c.exe
"C:\Users\Admin\AppData\Local\Temp\e41d508e9746cb241b4b826315cc7d27518a043049602e2eb7f5a4bcec31257c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2704

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4364

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4784

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2616

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3956

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4048
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
41bae8dce93911343581770e51e09ac9

SHA1
c2d5f8d1afdbac23e6d6c5798891a1352b7375eb

SHA256
44147ea0be6a87842a5ebcf058b4659f55b4190ce37c2dec965b2516cb42b518

SHA512
5e242065da8cc234b39c49fba2941cbcc5580ee8bc5ee38593a2a04a927f85d67f80bae795eca97645d6acadf4d6de276058be5efee73ccdb013f1b0c69595c5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b26eb71479ff4e9032213cc919f40551

SHA1
450b6c0e9602040d2aa4bf8eacb9d8b339731b62

SHA256
a4e347b5f8b5dd3ecd2ab34f0d079524903e1a813a29f8f48548982aa62ebb33

SHA512
6a8189199902bd512a593df0e0f91b7f478445834fa0179593a3f4143dd8e1b58826c491207f654701c92bff23e5e37c63cbd2a7ab58006ebd3fb242d963f956

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e189f4c7e0c60cdc1ac7b2b5f260f904

SHA1
754fb56e10b1fc593dc107131b969f2b3908ac78

SHA256
331db9bf58edec3c5afca34bc9525abcc6dcb498e1b4e2971dc3f8bf2adacd7a

SHA512
761312a46b2e575c3b8f043495363406c25f4086d9636bbb714594214eb05b24db87d0220611a8839077bf4ab61c0c03a2dfb7f017c562e1fc4d56137f72f3c5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
81a3b226fde3de25636bffbffe4d8834

SHA1
e31442ffb2299347965d3635c194542e6abd65ed

SHA256
e7bd408acafc9c4bfafb26c1cc08e4a0d61540ee18ccdb1b819f04a1e932d1c8

SHA512
7fc7dabd14ec658bf797ba0e716940786b570ce03d5fd081a1a407c022bf6a0e9febf5c4aea30e3d03d062a7896db5f10fb8527bcc9c59857bbf5de525884b13

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fc84d317ed69150d9ad1c10c10db2db1

SHA1
f8d46dad192ba1907bf076749ff5502d0b59789d

SHA256
6c1602b2ac135f42a27068efbdfa0899c942c280f8c520e9af169de81e893c2e

SHA512
7411e7551cfaef1ad308f510689e41c98e1b151a4bea9e2c49ecdc4120a0d368790593160831ffa251d09638f73368e3b5734354206b5850c223a4c2d753b4c1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
03c170136e2a65d9c0cc9e5f516f5f3f

SHA1
498b32fc32e60267a1d118c2e62cbe2e5184f6ba

SHA256
d7175f3d57d57b8bbc195202ce9c708c5db65733038c8b2804bed60b0aee7dda

SHA512
1f0a2ea653648a9b1a7823d2e9710a76b177ec0c40df8fc7d198c6bb9a1b050ac0023c4513b8a1d2f12a29978eae0232a27edbf3539399d414aa0cf5042a7003

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2c2771cd714f00d867c4b1dcf3523adc

SHA1
14a1e5b7ac60f44ff84be8759ec95404776e06a6

SHA256
599b5d7d0dfc831abfa783e99df161fe1c7ae093d9c8fdc93a1f1193def4d1de

SHA512
0369692db523f21b56d6012bd88982b5683d02ff2f16c2de40543446e1f33fabc74ccf4f3bd9a627827d91e154cd14c4c6769361873401d3d25248ad5056e2fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3d7c63887bf417580b7ed5c0bbe0d968

SHA1
75fbb08d01aee36a9bc4387afa5c19c36de15c6d

SHA256
444be2ae8ea5b94a95429269d0db733c871e28e0d0d524dbc2c5cb11c1f57226

SHA512
6f0f3cc546971fd5031c5e47b3e83a20ad60ff17f76118a5658163115a6f3c026640898614e7b7959eba152fd9b89181ebf9105e66487e3f02e4a431819a2885

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f243b0ec2f4ff9d548afa8578d4ca16e

SHA1
85be394e5914c4886578afc7bfc7ae07400e7206

SHA256
902e4bd5077885ea3376fe6b2070799900c9f4435f5892b3b8b9b6f6e44391b6

SHA512
6e5465f650d333a234cbd369c2e812aae00595bea58e82a78a741b14c2d4cabb3d984e1460d47ce137026ac3d1035f160d2b012487968dd426dc0b7f93323a37

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bf010897535e7e3342a7b9e052ade97b

SHA1
0c7883a5a973c811d34f49f9bd74f1acdf5f6f96

SHA256
53a1fee6f55a44b9f921d6d4bb9833363d873c7c8214478d08b3e67412de8516

SHA512
658dc18f3be3ead157065329e6cf652851730eb985afd4638bc305c28dcd518dcd99beb1177f73f09c95818ce28264efe99fb84b51359c5e0f343cbcd02ff52d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
efe6cda75a7d54ddd673e8c83012fe1d

SHA1
80ae15510e351db2bfe72a593e228852bebcff53

SHA256
2e7b6af97ace7a291876ff32d7a6a5c1c8c6f24bee34a5e82fa72cf01668e593

SHA512
6a64262a661f7576935ea29bbae9b008bb2da5fa6834348d2b726b70e8e6cbc9006986640689267587c932af8c279f39af3c0a05fb5b14d19a79f805983a429e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b57e884c216921591c9f79f2ecaaad3c

SHA1
79c83b6c4a0bd9e2ad9e538f382930fef96768d5

SHA256
137f9d6ed972bf85ffd4f2312444b3ae9e91f7798ec9ce29b9bc885b6e53d50e

SHA512
8f7b04082362611c4dc141424312596fecc6c9da8fce0513a70668f23ac45a2e8115f5bc7a7185382cfd2208a6f043dd070798392e7dbeb1aa8343ff399bb6d6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a41c54986789151a539327e710b5acfc

SHA1
b12d90243e5f41a37e92eb882226117d2f3412a4

SHA256
88c99628d451e94faf852c722d3cdc366404691678d9c28d1babd69b0dd60c8a

SHA512
04c54f6699ade3b5ce71288b940175503a2541d61e112bbac797934a0227487344027e1d6a4771277467a5818eba308683fa7a8e97685592a448af792f07714d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b4d87047d2805b6e09e4189a6196cc33

SHA1
abf8f8437d01b22a60941efb2ce4b4995d8a9bab

SHA256
078c84142e36a9ad0442126a157493f8cee0e93d1a0452a6a88e12f4108f0b2c

SHA512
398b8b081d6de5a9d97f056ecf490212bf58211f924021fa3b65ca4f5e213122b694ac9629034e61d30b1fe47c4429a8ff06066b68d1732883df30b64fc91188

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
b439932e63c29cfe9a9ebd4b3f3e702c

SHA1
8a3df34705e7f617236e0e3f1f253daaf99267dc

SHA256
ce96fb705f517aa18ad6cd9e034868ea00d54e73745cad9a85e1a4343413e473

SHA512
f6f3f5a657687257bb1ff39939ad48f75fd95a64b2078f1eb3c6428843bdfe465b40c448409fae2b6c6482319fbd46dfc50ce299ea5312ae30ab6a8ffd5293cf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
5bdea2d92c8975bd0e6882b81407831d

SHA1
a52ea72a58212b7cd3dd5c22f61d3e44acffa4d1

SHA256
feee0961752848cbdef928f80615ff46599f9f450a8956dc33cfb66a8b4a7c6c

SHA512
b4bd4a84085999bf5a2225fce711544dcab816c5f9857d4f8e90108f365847e5f42f9c49ca4cda25810ba06709e44df2630b09a6ab627e8b054a20577fe12047

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0c4b26af2b593b8c4c38e8c66f3a2d84

SHA1
c675294fbda1ab7b3b3f4f139d6bc435ce318f72

SHA256
2ed0089257f513a068af99d2d6c04fe68da8f0edfc2455a10770f79296a1e2a4

SHA512
df5c56c4305384a243a64e0493eaf4c520f47688f89aeb70175de59590efa9b623f4c42b019594b5b80de798e9d52282d5cccf509b6f7da747408f011fb7b661

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5cc5a35a46954da47b064ecb9f127499

SHA1
c02b70885734fc4f226b1c14a70a343491001703

SHA256
f592dc63b3d2bc702bc1de5085cd2e0929d0eac6b9604d18ce8be2cdad170884

SHA512
2a93918f8702ce47971235f57b57c533917a9b338f7df0ee68ee1d8bde2c0882d9db78a721797b06a8c7ef583ccd142f7bf3a81b2b6fcacde96593be36c5d85a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
4623c2b140f3b5d7e8c118004ec1262f

SHA1
0907b6b2fddf75eac9804312ba215195bf65b532

SHA256
9ec3ca4c53417df40d4586197b0591f91793b5849d9eee8e4d3b5bd680ada893

SHA512
c4863fda53d3544fbc5590644d9a173aced1cec2771331d2d4df917f518659f7362f11d59dbba457e0f0e620e92f52183f6cf354650779002b77bf7018b3dcdd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
c15835724f0b70967fbc8307e7081630

SHA1
6dcc5d46efabf634d0a8dc56ebdc5f8799e19eaf

SHA256
5b5b59b7765c47e0a77d0c996b1ffbb670b445263a8191df87957aaedb1e62e4

SHA512
4658061641d36a82e7342e1396bc6007ed54f7947177c9b165b306e026466af2492557ba64413555d25f6028696f436e04c7fb11a25aa0dd2bc4d6f95d8acf5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
143246e3579567f3c92666995516b94e

SHA1
e6934bd53b78b3cd465deda8ea1a92f8a01481a3

SHA256
d479b3eb475665da607c574581589ef1bb67d915f7cdf32a054f8e545296b90b

SHA512
62601c197f13e2ea7e5c3ea6431ff3ad44b7035ed19ba654e5d2eb6c62149b6df9d3deea24e063dabeb3a3064ec6ba40523fcf734d69c0d73b95f28202bf7913

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ffe833f36f8f3fdf32915a981d597b2f

SHA1
f3bd3b17bada2c0078d561f81ec52a14d30ff766

SHA256
76be85a385c690290bbc4258e669ac6b6b7739fdcef09fcc37f8d9b876ab221f

SHA512
95c6eeb037c5f9a10c5c373b554cc9091253e76a6343bc870a7d5c589f274a61e9254b3e66424e2f7f7e03b37271eaa0a94a5d3aa0e34e56fe29a55333adf320

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6d59a60194e2babe7e590a695e861cd0

SHA1
291f436c2df813b0bdfc5ea6c8d11b45c493c9d1

SHA256
c4e5cf7671bb04984347ae5aa1181c660f6f26dd97f511a4eb4cc5cce69d25fd

SHA512
0a9e79a0c00ba8f3fd2e72b97db83869c1d8cd8e1f9359beae1279db72e7d8f656aabd6f5cc4eecad5a90e2943fcce1ac9f1cc494d3ebd625511d2e1b2751d70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
582151a5628ef882b0d8eab53e4a56cc

SHA1
8423a2cb0d5a5a10a746b0846276ef31fbbd4e48

SHA256
d1facb29a6052d3b48c211b21fa926619da697a26d9854f259360b98434ec1f6

SHA512
94cc48cd11d07aa9388b0799fd8b6b5baa7384b0a9d1d4c43f7e07b0ce4d028b50f81286397cf008bf3858fb5b6ba0b64204a2ce6de4ea2a8c0514dbe751fdb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d6ab04b70d63ff6ea079e3a3ce299798

SHA1
9bb05fa8c3576935ecfb592acd6515100145b8e0

SHA256
e3072c2d1ee84433479e725ffbfee27e775f2efe141928f985dca2a361278b20

SHA512
122cd2d8ec833e2d4d9a063b91cc4e8fcfc94ab444328c966efb96c02ba267c9067db0409e0d3b79c0f90d28100d40e2e6a1d3a314900fb51360690d3f17f2b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5bc6ee1e1f56810f0d1c166f4e42a386

SHA1
ee9e20d3d6fb13f6df00ecd0c6e62eff7fb75ac7

SHA256
c0e990f06f3449f64686d6c3942a7e082cc9110798db71839bb3ec357fbc16aa

SHA512
bfdda569c15cb2d0fc9a82f91e80739298d250f35d693b5a5b7544616e4a1564b568d23498b0d7064cb79a607f9c2ec9fc426fc33f8f09f01aa680d58908c3c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4cb909afe71a31d61b3b20c90878301e

SHA1
e385667372f99bc2c6baba5c64f4c7be00d33628

SHA256
16de76cee8d314f6af5c76b8b0ab88aa2dad03727275ebb37e46e624e5713a84

SHA512
3a651eb4a45993e5dfbb30658e4afe7c23da06469ea738a23e47f05a4fbecee99d05ff6584d3e4a43e649236e7964f3d8c1b152d99b136a601bfe2bd3ddfcff5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8a77c545bdded5921f8cc6cf75d73fbb

SHA1
09ba735e866bdc9aacd914b88e26c8d402a53089

SHA256
29f9a929f7ab0a7e7145f4e976643da42b57d2058e36bbff08de03e75a335f59

SHA512
3ba6f89a712d04320e898e857f3ea8e9ff8de6e58cd404219b52f30825c48cc70a1a52ed00beaffb84cab037d68794d2a56c96c3560f51c7755dcf86ccb46bde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8fc306d6625578b45e9b02f8b50913e3

SHA1
a1ea651f09caca300e74557269714d7c834baec0

SHA256
4daa0540be3fa98de88a2ff02e4390028ef087542f89dc22e72670d30aff148e

SHA512
b411e01e06ec3fd943d65ecbaaa621d98407e16f374838c8d59c64ba1c4807c4faaa965ffd90bdae9fbbe23cd2bea9464ff0637dad9dff8d258a8783533cbb5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
29b0fba6931c59a76804abe99b488e90

SHA1
408248d3c648118b6b4245a50bd2dd26351dcd8f

SHA256
a5c9afda77435c34478e12bea6468b25484224c70a9bd510c06e788895332222

SHA512
18972b73357f6475abac7f9b332bbf9c4a2c7caba7d05147f5ebddb9cf3f68336c34236ea80ba2a9cdab30b0bfe60f56f8507f1e49baac6fead3f15425aa00f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f707cac21950148c850c1320f82fb3c2

SHA1
8e41c1341f82400ee74293d54625d6072a879bde

SHA256
ed997da6864457397598c020b10eddf9fa516e1742074e646d8523da9c5f9f95

SHA512
1e904feaaac4616fe4c472ab622b3856ba3bbfa17ca84b80bea6215c4e987a3e930bf924ade4d39b63c823fe033231b8319a7a65915bdd3df3afcaa5840b1482

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
84d27d585850682308c6d832a62241f5

SHA1
f9f8daf83df6248becc91b2980a3e555428086e3

SHA256
c99550e2c23adc8589a80b4f6451f54c26f95c9d3648456cae9156257eb0da60

SHA512
9eb3cced7268f7909496fab51a085552f88ab94d4171d91400f404f8b2919bcf69b67677ea5e3884c4b7c9e68ff82cb77ba8e6405075bc5bddfc7cf225806eba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
62d211f3bf633fd744ec6ac57859477b

SHA1
c5cfe823c37777aa9579314b047034359a96cc8e

SHA256
896644afc341d941d3452c0855439514f6400d5e845224874b151ad589e070de

SHA512
ba5701aedee8650b2a998d0d29d296f4337b2cc6ee0165860094cc7241bc321d94fbc2bd71514c706ab0d3f3a8354dbaf464b883f7795218cce8ef99f3196d6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7dcd1ca91fce736536a2be04715ff4dd

SHA1
8a3b22f27f6995fc2b22aea1839cafb0a76a375b

SHA256
38167d888140a3128166fc387707c5cdf58a32c3753583aae16d63db726903ed

SHA512
68c1fdbc8a16e64262dc3ef7acd8fe97f29dfd87919fc295d17121a75ceed8aa9296d3442c80478296b5f3d8e1daed538caccfbefb596dd8fd4c3fdf84747dce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a1f2a2c0a9b8ce4e31240492db6b3a49

SHA1
ed26b9573aa614f142903f6df7bb2222d90c08b9

SHA256
666305918f4031279f5af422abbe51b2be1669f93759e18cba237b50f9047b0b

SHA512
ba4309e1383505861c837ae5535a640509608ea820fdfa69d3b4047cbc45486b223f4d8ebf12149031fbb85fe3993cdb98d8516d98554425501bac7c7523690a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ece5f22048ba3e625ff44183f36c7cb9

SHA1
c9d0e35df4ae9738f980a0d838bc18d4d8fc49f0

SHA256
13488278dc009753a1cb10af92afae06f9f70316415b275674eb7c5e04562a6c

SHA512
d0b6ce4741f31a8eb607f8b727d2aa9325f49a1aa4279fec786aa2f918d5fbeb299107b74a42db36fe51febc14608b921c090954e36ac42afa7d7c975ac6b13d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
069f15e28e04ed625813fe2afa9c8d99

SHA1
db2161d25647fc6b33de705b79a41faca924a2ea

SHA256
3a4b1074663dc0f4f6f69c5f30a56f3399dbcc1e149485c0d25cf86de7a78d32

SHA512
8aeaaf2bca648d038e42f51f33a9f455873fe204adbbfbd401a39039752a445bafb753226197c30b0281d6fbb53e90975456ae236d82ba4113759e7ecee92e38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
1c3ee8ebe9a42580d308519b2dc76a46

SHA1
897868dcb6b8e5b7c6cb5a2f79be023eb6364d39

SHA256
4ad6ec61e57c7e68f01ec4385d295b136732519a3b12c634f93caeddc29b9cfa

SHA512
ae22ec731f28572c055175a03885d254e4102c00ee5c30bd8fedeb0d74a559e313957f833d905ed5ef84a4c468b251f8866f3bea9d17e81a8339a6a04850216e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
1a40ce2fa452c7f0b1fdb6ff0636bc39

SHA1
6e5e567042a2b04006de5bd2c1341cfa339a4ed6

SHA256
824ebbb50144c27eda0d7c677a022f85233b6ddaf5c4a82f262d0ff4430ecef2

SHA512
4f234d9b17a5d7eb4328a901d1199d10f57b7f1fd3f2a18e0b4a6ff05c5e791eb43c24c0667457e6102a28abe11668ef920c44f6ca4c779883d645db8953c740

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
928c6189f411c39c416237223650badf

SHA1
5fa5391cb6167f906456e8e47e7ac44cc5b094aa

SHA256
e10f3fd7a90f08fba16a9c039487f8140bfd381fff9f05dbd1056ed9eb528794

SHA512
496a005e40f8363ac2d91943e4e6a7e5e3a794b042c2454f46983aa57e5d26c97afb2955c4905830eb7260a4be1b6cc05c7c97a6973bbeecb5ac792e20dfb98b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
997e9a827fc3011c344d89a18c316bc6

SHA1
13af6846565930e98ccd070dfb9f989d1e738782

SHA256
3ddebe2dac91bd87d14bf9acafc7aa3355c8bb172e737fa36473fa5193be5320

SHA512
99b628861965f35896653bde53b0d392f84b3841ca00cf1339d70b91f341daac49299c14b7abcf4f425fed1c1b1996cc66accec899b7152f98f613de191b6eb2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
e168e552cae6d6e064522fc45e79aded

SHA1
ac7a08e4b9556df43d514285a74208e07b4d6abf

SHA256
507a96cd313d4455b18d3ee1c0f80f90928c5c55599d9238923a5e06a564720b

SHA512
364bb081ec35a1dc8249ddb1823caf00af4e9a1dc278b56a7cfe39af6de553d00166778df9ba6f82e827fee836e3ed9d34f26a42b339af0fa1a8e15ba858994d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d8d78d14619bc08c41fe6d594bf4f79f

SHA1
72907239d0b73f1ab289192f35ecdde60a47d674

SHA256
04a47e6afa39b57f416f3dd7a7ceaaf09cc1330927ec721b7ef15c12186741f1

SHA512
664a758eaa2016a1047670162bd529371526eed74d73cb8b69581ad626b3ba3339d7c43aba1ae588c9c803fbac581f3e632bc02b9e4e01a4f249feef05ab7eae

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f11f4be98f466a6ea34f0b89e299e473

SHA1
57d74a5f0b44084682504fbee13d5d8d533aa4d5

SHA256
4f82e670a9d366ee4757cc3128d00ed9c555da7b29a7163bbe160a1d1261b55a

SHA512
158947ea2193f8f8e1c14dd1b1cd88821cfa16ce5228d631769b8a41a2236efdb48b2d922cadd08f1554e2ebafdab1e2e099c097eaccc37ec0d998eadcd47c65

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2e6dd46dcc6d72bcff35e81efe485b87

SHA1
f7d7b48ccbc2a16300a1ee1f2d365f6d5b197e9b

SHA256
8fe73acb769d376fed53649d6fb097a0ceba3eb18659c621a95e6f497927c452

SHA512
ea51173e24e801ddfaf33dd5ae3cc1a94e29573c71c832d7e1929c1cc70216e2754bf5f2163625fb017e279f98ac4d1254360cbacfab7c3dddd3275b35708eff

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
54981aa460b5a0aadf1848b6eda52da2

SHA1
fda30abfb03a025e51283e04a5ecabd15c62e322

SHA256
260c5f8d8bf50deb32fa40003a4cae6488a711afb1310596a70586592e3fc986

SHA512
fcfae414f40f463022fb396d2a28e04a469ac70bff550f9ef385f63ce448f6050b2bee080e8eae06850596994f32f40c419588b2b69081556e268436b3a1a570

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a7065753fb7b5991b57c0c276f3a0f7c

SHA1
7bd8c7c1a7d29903e40bedf9e0f37adc18874da7

SHA256
8f4e0d434d1bf3e1f71a3a4bf1b8dfa35ef49040ce65d0eb1644ab3d0a385895

SHA512
8f77316497f7d01b5e669db5c61f3f0f25231007a763cfec5e3d1c4a6bbae73a35c4d8da1d77977e315ea7a33f414ab4294ad2c3327a942cf7469e87f8a63051

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4153690fb96516b2563ef8e9a6877998

SHA1
c685279f1f12d1729af8c64c10f4b011eea2fb16

SHA256
aa716e70ee78cd430ac4d90953e55383c178f12e4edd83db2dab7044154a9dfc

SHA512
d800f30b597889dc18e6a0b2f0962843efb9a409a7a680af7a9f682e92d2a8eeeb15ea5dcc68fa79a6d56d167fe022c9fb9ece777dd1647305eadbd1ef9a7c45

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7b65168bd55eff67e48c92f0e4fb9a21

SHA1
8fba2ae41878e7ada1b0ab6252a95433f15419f2

SHA256
33f5f10d6d5e8ab24e7b8eec7929ac5f34ac9abc24e186382f3b7099186516c7

SHA512
bead42d9b8d9043c341830d2fdb0f6cb6e56bf1d4962d651551fcb772f08b6c71b84222ac6aae7b6dff656b06a9ad656c08162d208c6bebd629d9144902319fc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ee1c575911a2adb170f9ace770468b5b

SHA1
ffef5b26665901eaa068988eec649435287a88b9

SHA256
8b9e01de5a0c8f51ee3597b03e84f71727bc52fa948364b888c4b22b275ea48d

SHA512
551130636bbffebef393b17f8f92af6616128e7fffcfafe50e9f9aa9af8bfac83ae20ffbbec7426cd0b98b92b7228d736d226a3b16ee421a334a5134fe9c6046

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f226e7cc9a9422f74402d86e82bc1e00

SHA1
fad35f07d386269c6e132e17f37fa1cc02182495

SHA256
43f4d7a0bd0cb858865702c438198ce8297efd96a7114cce2e0d9fd044577988

SHA512
81f68089249dd9b7aec3fb4e0a2012718d8b4206fbeb0f01f74d95f802cd3d33684bb261ae85d91185ad4ddddf57e5a8aee79df778937848b7eb21040ec68aa2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
afdf4902ac04c7295175e5a711f8a2c1

SHA1
995134012eeaa2a1244724cb8812cbaedaa2b01c

SHA256
532a9742b8472758bf2a2233bc983bc6c5992bd403aec186c734b4f3bed5c398

SHA512
11ac7f558adfb7aa77a74cbe1481e1570dd3b2649da6de6b49be8f627b2449195942ae2e4844a11b62a8bc1c35b1c0ec335de2d5ca62e0350eb63489bb33cf61

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9101e10167e724e2c2b6f2e259a2b1e4

SHA1
dba5a46693a12ffc93e3394b393aab1acce40446

SHA256
c0d7981dd6074b7e1f867e3e1de9e3482d953874a01aa1028fba5bd51bb24a3e

SHA512
fa26d2cec264ea340353fa71d8a958f5818361b558587facf382766e6d53e88a18358f8a987102f42d6fb5a9b2c1b9bdfb9bbad34921e6034f6dfdebbdb5ac3c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
190d091fa5001c3c4eed45c442a577a6

SHA1
235b25dbb62122a0dffe06ecb6373074e3a4c5af

SHA256
9bf84e3447c3130178b15d3978489fbce09b7fe32b5db38d6c8b3970812a8e49

SHA512
591fcd8043c8a8d0f2d1674f83fe265b1ee0e3a3217b0e84b043ec556e9aa988c6604044a5e6066d91355fb18aebd565718bddaecbca0b704c8f5f9822a5d47e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e8b8ae67d4f8608fdbe7fb69034dc515

SHA1
36d131107320abea60be93ca17e8cb5687f1dc28

SHA256
91b8a9693aa33dc95d8fb8592acb69f19ab2db0f9a9e1c5a929f6edbcaed3b51

SHA512
951e0e4316178e60a56ef5e109a7507e81606363b710f1a34558627c9126bd556b79acb71d235a6d99ee7136838320d186c7731a1e07338aefacc3f071658e35

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
889cb2e7c6866c9fbea53ae4fe1baaba

SHA1
2edefaff559752c0e0b4b96165217977747721c9

SHA256
da7c422d8bc397b320105af46016d64d212780fb89e9753b11a8ad71c3f234b8

SHA512
cf4e4abbeaa2f8b5f2430d9eb11f9e0873da4b1709d98f995122c56f06ffa3c25cd038d8cf9f838cf11217fad5c2695b2473370283c46d9c9477964796f48375

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e6bd5fb526fca2b0854ae22daa8b0b76

SHA1
68fea296dfe1f7ac1e8dfe9aa4ce1bef7d9a871e

SHA256
3ccec6636ae7e9f14c5214645ec3f780a9ac36d79427c74184332b7e816a4642

SHA512
827896fdbb6bc8bdb1c8518ae392582f15892babc80594f94c5551ad8ee0a9f6033fa3ff31e395fbb3990ca9e5cb72c0966456a2f17094c3e8cdbb3c90b45452

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
50221a7fc62e29caf2a8640b4bc3bde9

SHA1
1c0f5b5f077697219ed04c0e402c3bc7ba6b651c

SHA256
7a610797ce2ee1e4a9b532489ace18c47b834d79f82fb4905e78f00a81c274f3

SHA512
faa327b4f3decb3aae179614a6841f146f53cdffc7b0d412fd493a3702f7ad17311b837562697fbd86043cfb6c22bead9ab43ffd61c2ba25ff4a43e28e390d18

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4d15734b3f16398b5ce72d361264f78f

SHA1
9efa9c2d2972384e2cb0d5a5720f4a6e04c00310

SHA256
758bffa110d98f5cb252415c14fc9d41c3a73195ec619a5ef1ad668ef9d3c65e

SHA512
de0c6caa9a182410ef4bcab5eb0a8b8e3404389d65a2abe2594918672f0d0a86a191e4e10c99c4c5df5fa39a44273f86d5144c1871eded94af7dcb0dd90da3f7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e243b54c80e56e3cfcc4c8d121d7cacb

SHA1
432e35de4355e0c1ea24b7294fbf67ce1285d661

SHA256
27f7c4bdf1e225dc47529c99a680cb287bd38ec0e26257c1810d9025d61a3fc6

SHA512
d74faf279d8f01f5d20e0bebf56b397acc26bbd40907086cad462a4e15926093f01459f637e9453418eb83a66598d27cc8ec8cd1fbfd2c1587f2fcbfcd74ec1b

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
01993742f311259128e1d8a857a684e4

SHA1
89e350865571df237c0f7d65c68bbe461e1987b4

SHA256
cc7324f02a18442cf2658735bb750de812d1fd16cf556b6606ce6f04e475eba1

SHA512
834be15642ee521d796fe0e1030c62a99ccd4e60150a23f0de3268175984dafdc74d04e8e8c10637f0292e8dd95848f4bd6be843b330e5a5ee31652024abcfb2

Download Submit
memory/712-296-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/712-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/712-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1040-306-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/1040-362-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1040-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1396-403-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1396-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1396-397-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1396-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2220-249-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2220-309-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2220-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2220-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2244-319-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2244-375-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2244-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2512-337-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2512-405-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2512-344-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2572-553-0x000001B3D47F0000-0x000001B3D4800000-memory.dmp

Filesize
64KB

Download
memory/2572-547-0x000001B3D4800000-0x000001B3D4810000-memory.dmp

Filesize
64KB

Download
memory/2572-546-0x000001B3D47F0000-0x000001B3D4800000-memory.dmp

Filesize
64KB

Download
memory/2616-418-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2616-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2616-357-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2664-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2664-62-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2664-60-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2664-56-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2664-49-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2880-431-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2880-364-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2880-371-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3232-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3232-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3232-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3232-228-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3456-428-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3456-419-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3488-454-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3488-447-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3592-262-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3592-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3592-268-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3592-254-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3592-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3672-458-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3672-466-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3848-545-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3848-414-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3848-406-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3952-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3952-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3952-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3952-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4364-279-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4364-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4364-335-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4436-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4436-27-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4436-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4436-34-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4784-331-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4784-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4784-388-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-444-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4792-384-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4792-377-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4940-6-0x0000000002340000-0x00000000023A6000-memory.dmp

Filesize
408KB

Download
memory/4940-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4940-7-0x0000000002340000-0x00000000023A6000-memory.dmp

Filesize
408KB

Download
memory/4940-1-0x0000000002340000-0x00000000023A6000-memory.dmp

Filesize
408KB

Download
memory/4940-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5092-442-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5092-432-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5116-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5116-71-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/5116-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5116-64-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download