37a3fd24fc72cec59daf74837d9936b2bb94d69e49889b49bf94fc2824d73ebe

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 10:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37a3fd24fc72cec59daf74837d9936b2bb94d69e49889b49bf94fc2824d73ebe.exe
Size

705KB
MD5

8dd7f25cae8e447960fe66107f188245
SHA1

f26d4be011be6b6d54172fd9e2721280d852927d
SHA256

37a3fd24fc72cec59daf74837d9936b2bb94d69e49889b49bf94fc2824d73ebe
SHA512

059f9087369aa9e20008d4b100f437148a5469f50ab45b6f60cd8db77ce66369c24f59b144edd4262843371fca117680f2bbe7322eb61b70c9e9b2b37804c65d
SSDEEP

12288:HW9B+V/MTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:HW9BrSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4996	alg.exe
5020	elevation_service.exe
4104	elevation_service.exe
1524	maintenanceservice.exe
3804	OSE.EXE
1304	DiagnosticsHub.StandardCollector.Service.exe
3156	fxssvc.exe
1608	msdtc.exe
4136	PerceptionSimulationService.exe
4160	perfhost.exe
1084	locator.exe
2268	SensorDataService.exe
4960	snmptrap.exe
1468	spectrum.exe
992	ssh-agent.exe
4696	TieringEngineService.exe
4036	AgentService.exe
3464	vds.exe
3968	vssvc.exe
520	wbengine.exe
3836	WmiApSrv.exe
2288	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	37a3fd24fc72cec59daf74837d9936b2bb94d69e49889b49bf94fc2824d73ebe.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fa7fa77a990ca9c2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cda3af7f88bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005aa958fbf88bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b58889f7f88bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de6144f7f88bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a394bef9f88bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000084e31f7f88bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042aedcfaf88bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3456	37a3fd24fc72cec59daf74837d9936b2bb94d69e49889b49bf94fc2824d73ebe.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeTakeOwnershipPrivilege	5020	elevation_service.exe
Token: SeAuditPrivilege	3156	fxssvc.exe
Token: SeRestorePrivilege	4696	TieringEngineService.exe
Token: SeManageVolumePrivilege	4696	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4036	AgentService.exe
Token: SeBackupPrivilege	3968	vssvc.exe
Token: SeRestorePrivilege	3968	vssvc.exe
Token: SeAuditPrivilege	3968	vssvc.exe
Token: SeBackupPrivilege	520	wbengine.exe
Token: SeRestorePrivilege	520	wbengine.exe
Token: SeSecurityPrivilege	520	wbengine.exe
Token: 33	2288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeDebugPrivilege	5020	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 5084	2288	SearchIndexer.exe	115
PID 2288 wrote to memory of 5084	2288	SearchIndexer.exe	115
PID 2288 wrote to memory of 776	2288	SearchIndexer.exe	116
PID 2288 wrote to memory of 776	2288	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\37a3fd24fc72cec59daf74837d9936b2bb94d69e49889b49bf94fc2824d73ebe.exe
"C:\Users\Admin\AppData\Local\Temp\37a3fd24fc72cec59daf74837d9936b2bb94d69e49889b49bf94fc2824d73ebe.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1524

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1608

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2268

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4460

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0b1d6295e6d8d43da54145a3968368c8

SHA1
387e6858ccef8876619a99b26c6ef66f3562eab2

SHA256
c9639ec9f03813ddf56a816fe762caf956cfaf8088187d3713fc7f0426ad46cb

SHA512
8acd7738870883900c975827076be27d30fe1cfdc2a5743d8655f3ab02602f07dadebf4da067b6376d3aedc65f934c21e6b7b3cd46d02cc757ddec82c646c205

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
0d715654261f552e23fe11298c045b63

SHA1
34e45fc3bcdec8b21a61377784c233b218a70763

SHA256
f3de47f98c0ae6735d95994b7792bd2edcdb5eb768a9e7d9a2f70ca178951927

SHA512
e4fa099aa6084b514cf349f35222cfd635bec6753f4d19b45943bb0ebc6e3e0b4c242fb1282334df97d39877e697f495bae828ae72a099d04540c9e01fbd58ed

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d6c1d33837662a7d00d7361703760c34

SHA1
0e223f51013d0eada6581077f711fc312caac657

SHA256
16e395f21e8ca96a125f1f0283e634920dc24a2d73890cdb10753c02af701c92

SHA512
daf4a09e803c4ba560adf8d66fa2458e1f7e36185db05dbb39910b275a8ae78518f0af57557807e69c31ca5b8aff4734b1adf2e9fb25b0cff5c7022a5b060ae0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
79866b268d54ae4cdabe6d9029ee43bf

SHA1
47589a7ac978a6fa917b471aaeabf1c691cf68c8

SHA256
8eca1313157673ef9202ef4c04de0f4f8778099e4dc7de0ab545e25675201bc0

SHA512
a3109e2a29b9cbdb64d03fd11b7c94e84edf62fab06f8b847f99778432aec7b431aa8d4ccabaa12d8e95420503ce7fcf51aac065c5f4bb214d55bcd2916e6bcc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
14766b8589ed38a5aa0a72b76e5edc6e

SHA1
ea3b67af8d21a5409661c07685d5d23e0464e303

SHA256
5e741b26c0f065e27957e1be96eb064d0402ca9b0fe484ae8d5c9e2b16e1428f

SHA512
82eac50fa5783ebf35ff5913de711b86b2c7f327ceefbd561af05be1d1be9242003ff02bf479241b67680b3155355c58376360d038f237aa5421e6634d69ddad

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
eda504c0403492af31a3d79fc3dc1d71

SHA1
fc5eb749a77976c848731880365d6eb785ccf9ed

SHA256
b81a03f296676ed8c043471ea6ada77be92243912a149146f4e171d5ec02d9a8

SHA512
5e3a31743629165deaf77b5c449071842280b7f2a304d95514667e46ee551f101963f3e5d72399c0a1de41db8506ab8acd2df6f49669e01fc223dbd12e6f0572

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bda4cc5ec710aa5665466befa2654d2a

SHA1
e069be876b9e98b8a41ed31b354976f8e406004b

SHA256
0e2d489831431e8b11b6801cd96d79ca881ed1cbb7b22c13cc73b7dce05e0da8

SHA512
4ddec05a56e87df103a3e992062fa73505e849750502ac1dd06c09430e88982d9b05a03d190564ccd8efb8327b901e12b6e93be751fe9d1a5117205e39d3bba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
56ea7f6fadd8d6e159e769f2b81e3fa2

SHA1
e6536423665308de76a2b795238dfd23883345d7

SHA256
a5c953184128e688b684b1e3aa64dd56d1a61efcb4c55da0b5180d88d6f55ffe

SHA512
a86b7b6745c7ee466d5126f6db739952a699081161e506f058ba8a27a31e22ec4e857f31e3f58b5e37cbfd9703b4199857ecb526b2d4f31778d78773d8e0745f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f2d1df2f93289bc28a14811076c89b33

SHA1
7349c5e9cb7031ae4ce7c38b154d832d9b6131fb

SHA256
b78c77b6c75af280c1e4e886fe28766fb8c7314cf3a4f3a4603c20ca95cc5c7f

SHA512
7d039408f6e3c4ac6eb529f98211c2ac6c86445cd77588de8b29ca3eb08aeb6ce73671ab5bc00fd698ca095d705803fe50731b88a8b1611881f55c083470fad3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ab51b5e45cddee36551192d37de735bf

SHA1
cf79ad7db61a4a554a44bd10e28fd22898f557d4

SHA256
7839171644de0a46ba186adf0492c0138d9a4e5439090dc8922e94226ad1af8e

SHA512
ed85a76f3550f9640daaf9f687217b36ffb9126fcfa02d725d7d594cd8b732258b6f7d7f80a1e0ca4dd0dd1418009aea69b001deef76aad7004507ec5b2528c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d2219d32d991f5b09208aa84c37e89db

SHA1
53c3d88bba8851be306c5185af45b092592aaf39

SHA256
54f29ab41c14eee0aeacf428d4602f5f22ca25d49a4f3c4e3608f253bad0e674

SHA512
9508a316f8842a0a7cf441c2cd99083c003144a994df9bae28a44e44df3c4d05f4d6e5b6b452f090e337014ddd97ab212c3446a9ccfe1e245bf1079b0aca2a4b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
046a4adee9ca945cf878df8ae8ab3eec

SHA1
4c62bbc837410789c17ff4012aac17bd44b5cd66

SHA256
76ba66e0fe092f1105f116718e01ad4410ad01062a52bb5793f11b668eca7d2e

SHA512
b5060ac0835c05d840afc1f41db1b2561f85e689ab05c6758e0419009e566252aa36c9cfd7f7070f70242ff955a0ef3ed1c0aa0f5db4ebdd27001a6ed0c15aea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fe32c6b68ddc265009086ee794b43792

SHA1
a1a7794f56b7f6321ef41629f6e1a9683116a5ab

SHA256
9cbcc14c53dff2bdcd19cd07b8ec26b71c1f2db99c19a9aae82bd3aba263dc49

SHA512
a5e33ba694bc89819ea06ae7e0e6bb3e052ed591dea5a87415dede83dd66d776d2582fb53a6a843243aa04bba25d4b1753e59563aa3b1577e765b254cc7ab332

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
68ee16f816a9bb40287d4a167415c453

SHA1
0df77da6a715605e0853137c33baed8a44794644

SHA256
a04bd9efb083cf0f7804f5bdea8d5aaca322ef99a3ae35c896fc0c4030d1bda5

SHA512
9ba9986fb9f1addb66a21b9e9527be773f10659ac5bfb08b4547aefe3c585148e1e07c092a4cfab2eb1a93892a20637c10af57c0807db963f8452ca8da0fbde2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
66ea74033b21ec227405b98989f16beb

SHA1
ce3eec3e294fb9420f7809302a2bd0536a78c393

SHA256
158e68c4894e9b8e5e9971613d1e75c6467d5408a37015bc7ecb329c32e5a2a9

SHA512
c68a064ca423d9ba49f89044d79cd6e9fb022b14709cab4271be7324e0aaceb9c407434cabf3c773bdacb909cc461cb72fcf81c7cf1dbb8d7fcf3451422ec2d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
3e103043b142d335330cbb9504348219

SHA1
fed15bc5a2b52cdff5d63b908fedc2fc79173823

SHA256
b50b049ced252ae0eb1dbe47d36239686ba98db49ba60e5e355143cf7f449ad8

SHA512
8bd6958ede4b8574a3b747c77848e6aec1dd83cf7ddf0c1fc392c18f55e94bd34853aa6e0ec0f2fdb72b984edc1d9a786d020d35c9a0dff309df7d0a36a08d19

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
93892b6ec93ac1ae5f5eb8edf1b03af9

SHA1
570247ba414bc852647b2003998fec6a02f59ebd

SHA256
737dfc6849ba23da907f6f6561e0e9cbd8480f605ed73cb1fb59e37be14a4c4d

SHA512
f6dee790eab11f1db0dd63ab823c475a22dae616feda07e6dc9c045ee80ef5afb8ac9468bf281b6b351aac521da99c8d3f14b9a184c966478cb9da3ea72fb51d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0bc4c52f6177c6a138371266a220fd0f

SHA1
c063571572b32fb1c423a8719b93aeb9b15f367f

SHA256
036a2c1e7cd75df6f28369f41b8d8cafadf8f8cc69bc1b7b8b8275e6eb51d973

SHA512
5c9bdf0535c7a1b19afe5b93719cd70e456eb9b699244a1f38145ba3160d26299695748e346e9a0787f1d07cf209adef12390af106dc93e5cf654092151fe18a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ae8289f12f30548ccb6a8f64605bb3ce

SHA1
ad8ad57082cd729c2ab264393de6944f673d36b1

SHA256
e8d4d7304440ce8d096f93d01a467662c84d830e59aa13200950a1dcfd28c55a

SHA512
88ed0cc6928fa502ac9dd00ded0ae107378f94bf4c10e63482bb9cabdc6cd533e8f4a709e74863c30cb4658478fc3732c74c9dff2c8f37a1632600c2e365a12d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
249df4441a8aebc24aa33abba849a1c1

SHA1
1adfb3e760b1f230fea354db2300f1eeee319c35

SHA256
687aefef7e04f06d2b402cd5e3ec80eabc594e888d16c17349f22dc04b774c49

SHA512
783682fc9074f894e8aac1a2e0add755fb83c1ffb3114ce471a4787c08dda1d3bc9aa13d1ef78810dec7d2dfac50ddda38526b1c08591bd8628774bd5434594e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
17d933a943fc220aa4bdd387bdd31d8b

SHA1
4bcaea8af556fdfb4c323ea2dc6556076467b2c8

SHA256
337df4efb2cc9a0d5583e3cee81f91b0d944d00e62933ef87944e69122a1e1b1

SHA512
7be31e833fb1503cfe17ab8cf0469457ce4f2f9f8c1ff575f8e850670cec71f6a97b64d877c557544ccc21d36c261b0d1caa18c55f550fde053317c04e0a23da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
15adfa604cbc7dcdc34e6e144b791512

SHA1
8b2daec6393b0491bd7eade550d4228ed6ee0266

SHA256
69dcf39f99979fe15dfc523b0d7137e6adce90adc56320b3582cb1db2bcbd508

SHA512
8cc1ae0eca646497961bfd9ca5efcba77fa865b9534a5dc24c54e999db2fafa39634f0e1618f9f8681a039f31cccb8a9f862e8a56e2fd0dbbddedfc4864e716c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
dd760812f396e046696972f2d65deb50

SHA1
dc5067fa187ac3ae331372d98d4b6d954a101e29

SHA256
08100aeceb7e8b1a20fe4ce6f5b3e4a5117c3f372b1ae610cf855c6725a80831

SHA512
07519dfd9354b22b3e3a6ba0b7afa6e010c85f06b7bc29f712c3b1bc81b4fb4cea822423f4b51edd8bb31a2d2fbd2529159e48b76511f004f2a2fb58a8d04163

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
25dcee9845a918ee89885e36c2271cc9

SHA1
dd117d556a43c6f4cec152b57effcd9db8d3d63e

SHA256
998825f8855fbc2c0ac6d3843388cfb76e138829501763455849a3f00a7820fa

SHA512
b487071acb96be23f30a38b3e82ca6d592d58cfb9ded3110ed36d68aa9212eb1421841ac1842c1b13f88f2519b931c0fc659cc18f431120b9f560890d12ef1d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
150d5e3cfe48490201bccb2a00bfd331

SHA1
5c0eda0840f3bff144d17eb4e142c5a9e2f4d553

SHA256
ae8532c79811e6578ee3999f5a20d2e2968e8f4aa1fdb4260968107e9c3fa1f6

SHA512
8b8ad25eaf798fd713c6c6e0197d1b142b7634b0c98f2e4314ec8231f4ffe3b7dabe387eb97819d32481eeaf439b7b3552bb5cd5e08c2f69fcf5969c805a27ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
91ec8a83a2527688d3fc109e3914b82c

SHA1
e8c6afa110833f806c6af08d83401f183b862a9b

SHA256
ac8a51a6e7aa1f1904f1089e5b52afbe66e82518df4c510c8812e1b6a029e7b2

SHA512
e83b07ec1741dceb04db774ebb92ed9fab70e0f4a6984a07b326a1a44555998326c35ddf6d4c9efa9a4f6b25ec3ba19ffc0a18fec7a6af3303d60c47d19523d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b96c3cf0c5e2d5c4c8ad0beb6e3bd728

SHA1
e84bd070f0e97308cc691716e2a243d4088518ea

SHA256
029400be130d3fc0e44cd03ceb039f763426001e612326926e0ce4dce2b667c6

SHA512
e6acd6013a73df32354e0425ea1f3d4faf01f168ff7451706c58d0351499f410108544675c92697c8949cc95fed5323943d24683acce5a627f88bfd93a8ce166

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c0ca9e20ac6faf3820f149063012ef14

SHA1
c40e5867fc3bcabaf48bf11893f67b0f390378c4

SHA256
8d69e0c68714f004ae1f42b182a008aa01cc6b8c365e7fd821fe30d53aca9c51

SHA512
e889afb83ebe493ed6d7688c322bb6bd4c1b3f9ca41e019966153405e2d022b02e701072f68c22e72a6a3734658577737932937c6e71a28638b50d6b1c55c31e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5b6d8e3c0140902eb28257b40000d7a2

SHA1
6d72333feb503638b972171dc87b45771ef4b26b

SHA256
220b54d95f6e5fbfba53572ef35c3958d43feb1b5769051afea329450e40a0b3

SHA512
6b27304649e6ce219cd36b392820e0adbc34491fc884520985bb2877730a5f3fd6ec7bd074ad5deddcca4c2eb96acbe4229d51550965817e5571ca0fd1365e4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7ab2a6a8fc67de0401624e8cde0d348f

SHA1
f320d3ac5556ac70d58cf5beb3d2259b99559b58

SHA256
6132c56043fb2591b6744f346ee9fef176e212659936c5b724d5b941d1ed086b

SHA512
60f9d60114b69f185849863426b76cddc37149c566b7df508c4ae35a35c4e9a74552aa150fc0789dfbc4cde37edfd4084dcd8ee7ec10742430ad606e1289a4f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f1167354ee040b235a69df542b740048

SHA1
bbb96fd93a7f0129d42cb34c9ab925c286382bb5

SHA256
14dc3ed394c33de7bf69a5a7fb2a7c117ecd4bd42de7b97cac37788e67aa12db

SHA512
bf1cf8c2d379298c62454694b3ccb10ff9575abe05540895deebea435d132f09d66b59973af0a92dc23cf1f32114f9d1ef41ad7e081be7b92a72f221eebcaf52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f10e2ee939b4be45d9d98a83358b663d

SHA1
668f6cb01545a5a1b7ced63f71403d9440e01b47

SHA256
41bce611e6c3889f12d76821f74f70f9cfbcb88da3acfdc74e1c75dbeafff23e

SHA512
c02d522a2f0870eae08fe1f6b9273b04cea5e11745439461a9ea38b825665ce641540fb0231c790baa49ff748142e379855b28a34bc296d530529fe31abf2e2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e18f4e9bb1cc0a6eacbbe5344ffac933

SHA1
120541759dcf6560569c928e76ae1944057a2442

SHA256
09b5d5fc0a57c1a626d0b37d4d490edde873fbbb68222bd6c9ed678bf11bc17b

SHA512
ed1c5b145071cc869ce18a34472affbf9966623581205ff6192ec2bfa6e91d72832af7fabbcf895e5513f366503eeea33c29046e4b9048d47e6c94913040408e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
23c5482edd220d0dcd36d672625735bc

SHA1
b0a5bc66aa8f7551d1fa80efb637a1a774097335

SHA256
1aa9f1fec9bb52c0a3f83d140f1acf2169174a27edc95fcd945993dcbe6dae18

SHA512
d98bb80e9a57ad8596a4f3a09527f5d14ebb15a784153e4fcba2822c5d8c35c6721288e04191e7da350fdc632fc375705429faf268b2a3d149f6c29e92a72319

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1e1aa24031d7b8ea45327a730bb166e0

SHA1
41e467639381a19404f46ef18dc409dfa3fea47d

SHA256
43150032ce5cb66f0ea33e6fabb563e32e9b26b3503d792a3778cc56c03c84f2

SHA512
40a2414f9ee05edbd1ee135d34a4606c676ee99df2e2bbd504e0939b8c302d2ff1af9b5db5b1281200439501674ca1758fb5aef45fe1ff5e051ade14725ab479

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
326660567763dc873640dfd2e724e9da

SHA1
78a171533e3c3c2180be5f00d46c027964bfb78c

SHA256
6ba0d1db33d85d1a91137bd4cc67e7f22047c3f2ed065c963014c65624b266b0

SHA512
7b385cfd7f41d426cc438131ddea5c152bbf36c18aa9feb43a12bc3232cb3e3a3ab50c75c3ccfe3efb727049d1289b951eaa473d2de56196fad4da077cbeb9f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
6ff60119266d691aa703e6d8dcc164c5

SHA1
25fd915f24b150128a6c6552d777c9433aa54f00

SHA256
f3b7ab139f0e058d99b5f834f4adb53e9916439d9520901df8452c5da674bbac

SHA512
e26bd1486588aac3860afeee16f096b53359b316028ddb944cf400d691975decb5eb8a677ec9750a58c37b7e5bf91d1f5d30ff86a118c7e3f3bb5c3e5b5c2f53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
cf7efc7252454b040f15d3e2a766e4da

SHA1
1e1b136e5e919bc45c3869a8a97e91d42c4d4e6b

SHA256
0fcbb74bd9618f8e402242cab117cccbc796d2c09501c98b92562d92c4bf025a

SHA512
4bf4c9f6d9df8fd9a6a2d69830458e7950584d40f955b245d2fa0c3d3e15a919b3140545c689eac10a12aace0e957393ecf6c194d9139f32750b964fc944998e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6342bd1ecd7801db6f20062fe45e2014

SHA1
2697f1cc269fac0b5e43da45588c87ab9818cf48

SHA256
3fce5a1e97ea1f59dbc3f54f66cc6f631f946456f0926710c4ac8a6c85d7f439

SHA512
b9973b96a7122ee1b68fcec5eccfc9757ddce52c6a82dfc7a6a67fdf2793b411ea60bf22bb9570ef57ecf2189d235a44b0e1e85ea1849465409289c25418e421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
c6fbd1aa6ea45f5d64669b485db15f03

SHA1
d8d08729f4f8d7f94784a6ba40fdfb8396dbb2d4

SHA256
5c38a23a23b35d224eecc28d9e85e6781a5a44458a8b9931decaf9ea47b82317

SHA512
ae108bd0f4e2fd27343d1ee2c6eb37ac5fa683d14743671cf49e62e304f515ccdd93125b9f602c0884346ee8e0827ee3ab23c363470092afaf305221f7ebfb6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
90e57204f07c624b6524bcfe4ad03421

SHA1
d7b41ee9a301d24b0f2d1b7725ebd88fc375adb2

SHA256
a9e68c189083bd4d7add3193651d1f295cf308d590c16fe66f58d72cc315041a

SHA512
4b2ebab3946096741c0be9565499a91ff6c723d80e9e4b7b8fae169200eb16a16f8cc2906b161a1ef01fb5c01e597e4bbb8fc88d0dc6d1014e00cea6ccf001ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
042c515399616b040213cd46a8447772

SHA1
e41a880e45fa753e314ce84021a0b045323de86f

SHA256
6442ebff9d2a46b08165ef162f569f9fab66dc5c774fc10b91e796f05433a07f

SHA512
cc931c1fc52b2aa2598d2f7adcd97ef3cad23decde214af69290495a23f7727b629c77dbd682be9e6fc529e9e1d0efcdb292ab1a3f873f440f7be0a4ff43d4f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
e07350813ed72998757056476c7b7e9d

SHA1
d22e8d921d85de04b387afad1b286374831a755d

SHA256
45369a4543f3d849ccc05b059165b097f6ae51e532c731ac691136f42003a7ca

SHA512
38681bdb0dc74afa67a1fad65bb18ae0dd9129116597e35ea4cd3be494287f35e6143b88d4a61ce2e908463346a0999ae2604e6e0c2ff9684d240e14ea2aa702

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
e4de35f1a2196950b65adbfc525bc8a8

SHA1
a227f2397f92ee976e08edf77851a43d7274a559

SHA256
04ffef7fc4c8744f31a2379a90be83b0a0156a22fa35a80efc63cb8feb3097f8

SHA512
1de690428bddd1511bacc55278b8500a8e89ca49fde7e26150250eb7ee84069614e093c9fe152d51c5b2d39a73be5800d9d1ebaaef144c627ea9ef1b523413ef

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0288796464ae168f09e4804693426ca6

SHA1
a34ea5e161ace9344bced45a88613de3b68c1177

SHA256
0de96774980fbba87df6f3a5db07f3298de13d22e61c02ba4707604a1c3f5fdf

SHA512
b56092f298c0bf6abd6cf614e4cba2f74827c7bbdee918c15fe23c5d2b282e69b6e585ce56ff96d7e4f14e98c77867fe4beb683330ce50100ad88310b24d5992

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ecc9b650c163000189b7743d15bc87a8

SHA1
1cf719f2151e4693bf348e32d5fa7f203c6898e9

SHA256
1a40a4b65257bc3713536441e978b8e22a99ed09913bcbfff5d70273f578598b

SHA512
80a5f0d6fc46e78ec93e5b5b6b949b64495e4a26dbbfdd14de781fd34910445e826bdabc304bd6363ca5bd5f8763a2c398b09443fe5d4dbddb260034712adc9f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d21ccb3aa48e2f74a53e645fb80a6ebe

SHA1
6d413b6735f3c0cc45c8e646cfb0902508a5f5f6

SHA256
8b827b061daf519a316f8957a4cab3ab77d007c1f2bc730623a2c9f6973e7dc2

SHA512
66c21acede273b488c6c643608f653c778dc027933d2105b97b64363c1c99031e3cd1caaff49342183a563eea12e989e050d21f0f2472e82e0aacc72a3e5c2a6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eb9841b7fe079830eaf08e30fb195cb2

SHA1
bcadc917bffaaf9f36f47ff24426e3b7a94af785

SHA256
3b6df63e4690a55d101fc87a5956e57423d5f66489c7a1d991c4198f91ed7c36

SHA512
cf7243668a7d77d99e698414c3caff7ba5cb8ebd0cd74017ebdf2aa345715764478a819d325655a591c880a4ea7d3e95d8e4fdf24ba0fe94d083b3bdee336bfd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9be70f56b5ff111d68bc9fd666124bcd

SHA1
bd40e8833a333cf12e827ce9f13c1d742cd7be81

SHA256
e0458d1f8e3031c5f5b165e39a59ac5aaa1ce7eca8ba75053f8724cfb6c23fc8

SHA512
6e8a5bc67ca1c0ee96e9845e9ee1f82cb6e919441c7bcd9e68915c74a7a3a18b2ecba41138aa29a69dfb613d0b23590f7436372b29e253d924e2c1dcec0f5919

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fdc8036bdbea8e978591932d773ac98d

SHA1
094744dd007da2affa362e526a95f4127bb51204

SHA256
bab23204c1636c3ca86f9b88f62480b9cf9f4dd21c8e1889b10a63c75c98abbc

SHA512
8f68bdc001d781646c918e1b27111a577611aebf0630bd5e6d7bca1a2728e7741ca62796faf2c9c4dd91227e7912534ea3a26e2b1ee376bf657712f351d84b18

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2f27ce9c568479380aeef207119b0f7c

SHA1
80aec7335e7e373c8cc8709b742e81e7605e2222

SHA256
f2c78b27b3d377d88911c074a04adc56eb4a8416da0391cca6728446a6c0cdda

SHA512
373f858b21284ae729895cca6d28eec2dea74f6d32f147f570ac5e987b86c0a1b9b465ccb8cde2f4ea044b5d4cb806520cd25e441723f9bc56d451dfb65ac52b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b989102c4ecd0aeb3e069c62645421bf

SHA1
78f52042ec55eaa3a004730dd4c9781ff98cd76a

SHA256
d2a769168307a891a0cae242d4b1b7caf9d8ad070c9bb633aa520694e7115855

SHA512
31d842a40d76bdb29c587e24f641730f6ca867237e995c4231b88c04e2960e20cefe7694014b7207e5bd0f14261c21dc5414ff55ba6774d6eefbc7cc57d70360

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dca274664fbc16f25e559a834d29e0d2

SHA1
b414d60f86fc7353756a4b6a0ea56a705e16d031

SHA256
46c1aa00c4f6767d16cccc660128d20c9452692b2af171348dd1416880fc37cb

SHA512
8f9029adbc157e663ac44496a7ba9eeb1932e268c13277a23f8da98914be54a31671d18a96f19ab493e43ff3d248a178ba89cb0c145b0b0673ff14117e494c99

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a4e4c6e5a62d6090e6b838723e03868d

SHA1
dfd02ca65df98d492e58886ec7d70e7d850552ca

SHA256
c91d8cc1515e48fadf9b2218946e302c9d21993d94732df9fec35e7b71f18251

SHA512
b81a989ca95dbe61401be4496a42fb0d2aff115e3bdcd98cac4aa2ad8eff4228b6d2f532ba36867b72f622d596290d6bb3cebdbbe8570ad1165c247d19589b43

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e8e03d38d1bc4c808feb7ddbae7caccc

SHA1
b1bda55ccde567cae96128421528d73b1b73b447

SHA256
50dee0d26e82a8f66ac96f103c878ffbf9fc5b35e959e1d8d18051b037504ad9

SHA512
88b7b71750a9a3b5eec45d9b2d15ae2ac2ad12fcc688815af3438f911d2746eb5302d0ae261b48c5db0b8ef4ba9dfeac44f361b6ab7f3d00b30956afe99b270a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
78a97e45fb87144f6a5be5ab0115ba1b

SHA1
8bbb808abc98aaf69f6973bda47eac143c922d54

SHA256
f495f2c672aa3201f13396c96b1b12a864e0ff564e11bc4a1724290a13a73b9e

SHA512
57218d23259f1e65e297d7d44da6a7ea697ecdebd006eca41e5c5a49eaaef282836287cfe3afbbb36c71f1f562257e5ca62ddef360a124760334d3101e820b82

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1c3bd31e1b14572f78defa23ec31d73e

SHA1
7c1aa64af00f3d5079a476d2b6af1534614d7a6c

SHA256
b97bc372c7ac0ce5f0f7962833b8257473dc0d03742a04783d8e285b5b7a5d2f

SHA512
fd9990e44f2592e2bc0e1a77b2e69e37dc9b7bf9a254f7202d2a11d90ba734186f7d88a357081797fa6ab8c3a071beada87a86c7220041816b01584736d29153

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ea3d822328e9e502303c5cc4c0a79730

SHA1
6502ca3583d78d88ee1d6ba063cc02bfbb15196e

SHA256
a9451150b49307a76c8fd5feca9d7475ac7f572296af980b5fa63b08139be08d

SHA512
f421dfc4bf2f7225011f92d86fbfbc35522e929fe90df769072fc21e22403b03d24289f0221dbb7b6d7f9c303b7d6e3acda15655575dc2c7fd1b5efa241dbbf4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a149fbac9709d60ba3329a5d73607215

SHA1
768efb47791dfa4ec69e35d47601e85e449888ec

SHA256
e7981a48dfc6954aa1ae1ede7a8bba2c26ced828bce8e61e7c9b8bae6f0ba1c7

SHA512
ba6e0e1e80e07550445e499ba795bdff23da478f4d0c82456dd89666e06eee0fd44fb402edb2d256b3bec428c62ade9fb5fc9cce775d39d127ab198d2358672c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
304d1534a3e0604f589058a74e46ed9d

SHA1
3999b2f3c81d6a9ba0b1839313cea334e3360405

SHA256
08ad735955b857ed9c9138912c2587dba72ba6a633fb317d407d96f15d55e9ea

SHA512
68f3f383e0b36b1ffa0c3f583ee8176d474241697c73da31ae38b5d422cc4d3d01e7c04ef0a81342ecd2165a330eb973113c2c183dd362ad110b11548091d2e3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
79f55bb8cfb397de68d7558118790476

SHA1
15e6e33fd5439c4f16f084dbd5cd3cea29483601

SHA256
2533abddfdfa189e87c46e34334e8fc0a3e7484584a2abb56ef4bc0eb237b2da

SHA512
b3ef4141c3584dca912f4c9df8aa4d31af1fda267d169825476452fa2ff4fcf59dec35daca72aeb97b10c7bf8443010880b7ae0d7f8589e21b4f6541822704a9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8ff7a4469dbd2f1eb5c945db68ebc20d

SHA1
860f249e6a7915b8f4d8d839f38461007bcf8b4a

SHA256
4abb23ca56e863350942cdb0d2e250bc3a1858c8c61c2244052ebf5535267c78

SHA512
cb659f010b0b3007e96a4a812c9441f812a8b6a080bc7b876ff9a93f2368bc0215f030238f30d507cf1e59aa8976eead11a21d65aa4b49b9eee3d4bb36a88f2f

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
b0ad7cf51e1302c469e4292e5ea7623a

SHA1
602b6ca942db8c5d4f6e8db4e1e59e12bd214db0

SHA256
0abe5e4009e512beb6a9a99f365569ca1366472aeab77678df9b2d9dcbbcf0de

SHA512
600ebca6afd787c2d822957a5fa3e21936a7e07a9842f3ad8b2fe0d80ad64eb23730fcfbb4377c2ca9855ca416dd173a4734fd4f778c2e6e85fb835dab229be2

Download Submit
memory/520-439-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/520-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/992-437-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/992-366-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1084-314-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1084-322-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1084-381-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1304-251-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1304-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1304-245-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1304-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1304-312-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1468-362-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1468-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1468-424-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1524-61-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/1524-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1524-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1524-57-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/1524-51-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/1608-282-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1608-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1608-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2268-333-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2268-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2268-402-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2268-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2288-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3156-276-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3156-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-263-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3156-257-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3456-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3456-18-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3456-6-0x00000000023D0000-0x0000000002436000-memory.dmp

Filesize
408KB

Download
memory/3456-7-0x00000000023D0000-0x0000000002436000-memory.dmp

Filesize
408KB

Download
memory/3456-1-0x00000000023D0000-0x0000000002436000-memory.dmp

Filesize
408KB

Download
memory/3464-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3464-413-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3804-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3804-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3804-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3836-443-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3836-452-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/3968-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3968-426-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4036-400-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4036-399-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4036-394-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4036-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4104-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4104-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4104-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4104-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4136-297-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4136-289-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4136-359-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4136-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4160-372-0x0000000000610000-0x0000000000676000-memory.dmp

Filesize
408KB

Download
memory/4160-307-0x0000000000610000-0x0000000000676000-memory.dmp

Filesize
408KB

Download
memory/4160-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4160-301-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4696-374-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4696-442-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4696-382-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/4960-348-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4960-340-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4960-411-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4996-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4996-22-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4996-13-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4996-193-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5020-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5020-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5020-27-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5020-35-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download