c4e296eba330cc856393da7d43b1185e44aed386513795642446f96f94346907

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4e296eba330cc856393da7d43b1185e44aed386513795642446f96f94346907.exe
Size

716KB
MD5

c93f92444bbaf89739fb9e3edf7537de
SHA1

46c4a9f3466f9bcf90695b8f3373c12e9832f904
SHA256

c4e296eba330cc856393da7d43b1185e44aed386513795642446f96f94346907
SHA512

2e00eeff517398596553448181746de840e437b1973f3cbc5638e47b795be1d790e301f1ed6838445330c9ae006364696496ad981c1d939dd3d16732d84eff2b
SSDEEP

12288:D0P/aK2vB+uiUMtwlCULjI0FCyqsdmGljrkZTrmNWOWiuxM:DkCKABZMtwlCULKyqsdm2MnBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3920	alg.exe
4924	elevation_service.exe
1840	elevation_service.exe
1136	maintenanceservice.exe
3908	OSE.EXE
3592	DiagnosticsHub.StandardCollector.Service.exe
4108	fxssvc.exe
3624	msdtc.exe
4996	PerceptionSimulationService.exe
4120	perfhost.exe
3736	locator.exe
3276	SensorDataService.exe
3812	snmptrap.exe
4608	spectrum.exe
4696	ssh-agent.exe
1576	TieringEngineService.exe
1224	AgentService.exe
3200	vds.exe
3756	vssvc.exe
3860	wbengine.exe
2400	WmiApSrv.exe
2320	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	c4e296eba330cc856393da7d43b1185e44aed386513795642446f96f94346907.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5a9424c174f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000415f94f42f95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000361186f42f95da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe14eef52f95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000999c16f62f95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e8cc5f52f95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7b76ff52f95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5e97ef42f95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4924	elevation_service.exe
4924	elevation_service.exe
4924	elevation_service.exe
4924	elevation_service.exe
4924	elevation_service.exe
4924	elevation_service.exe
4924	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3268	c4e296eba330cc856393da7d43b1185e44aed386513795642446f96f94346907.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeDebugPrivilege	3920	alg.exe
Token: SeTakeOwnershipPrivilege	4924	elevation_service.exe
Token: SeAuditPrivilege	4108	fxssvc.exe
Token: SeRestorePrivilege	1576	TieringEngineService.exe
Token: SeManageVolumePrivilege	1576	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1224	AgentService.exe
Token: SeBackupPrivilege	3756	vssvc.exe
Token: SeRestorePrivilege	3756	vssvc.exe
Token: SeAuditPrivilege	3756	vssvc.exe
Token: SeBackupPrivilege	3860	wbengine.exe
Token: SeRestorePrivilege	3860	wbengine.exe
Token: SeSecurityPrivilege	3860	wbengine.exe
Token: 33	2320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeDebugPrivilege	4924	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1556	2320	SearchIndexer.exe	134
PID 2320 wrote to memory of 1556	2320	SearchIndexer.exe	134
PID 2320 wrote to memory of 508	2320	SearchIndexer.exe	135
PID 2320 wrote to memory of 508	2320	SearchIndexer.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c4e296eba330cc856393da7d43b1185e44aed386513795642446f96f94346907.exe
"C:\Users\Admin\AppData\Local\Temp\c4e296eba330cc856393da7d43b1185e44aed386513795642446f96f94346907.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1136

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2500

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1556
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d53347054d87d4ac2da2c6670750cf36

SHA1
2cce2b846d49cb5a822246e3e68fe4f5ed2af45e

SHA256
97328d9c55ce18f836f46bd8f2f57778e9b2134cc54ca198d000f77e7bcaead9

SHA512
80de3779c34e4dc84a9cedc0ea8f93d2ce106a14b77d7b68eb94e4600a05b22445a9ec1cb8de9d3854a08a5cab2acda3cb4e84f241827dc22fff2c152c14b433

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4e61b0029737328c42e4f3e18f0b00a3

SHA1
9a98f716f34feda377fe5286764f7dd4dcdfac38

SHA256
cb11501626317554568bf3d9a378869f2825db393777ce55e33100d67514de5e

SHA512
7756d46725d71112ebae295ae00d1ad0ced8520ca2840735f3377c271e5a92ce7c07c89bdad5d1cbdc65b3256af432d6a000039949fc0f2c8f1ba5c0e27c756c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
38b3014080d1562faef439b1977581bd

SHA1
7b80e6e1307cbfca42b463595590cd195a8a3f8a

SHA256
4607a7574199ef3d032f70d4eb36675accc1af17891e10e37d9763341222c5bb

SHA512
77c93a939592a16a1fa9f60b602dc78d0aa24a2689f5ba238787e70c0d353f047f7f78963646727770d0260265b628068b4fd7b32e81fc0e26d7e2f48abd6782

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e00d27934ddec136bd9ff0268fd80799

SHA1
fcf30860653ef9f67e8a948897fffa28f35acc09

SHA256
d2900298e4dbd7e45808e6b16a585a4964b870a97b63812bbc40ebcfb6f41cbd

SHA512
5ca14e0d9436bd17f9f0d48cc68a06a7dd9d97118494b3390cce43f35a47c1063ccd28632afa3faa6f535aa189bdfd144c619b97c1f2c35d988ac08e4ef7c448

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2f6124478a5ede62147088f504bd0ee8

SHA1
4fa85c2c2f7dc526a204693a596d259fb7aede13

SHA256
008911f2c2c8920d4dde0e7721a6daed3d0d669bafa5f9f89151b048cd4c7622

SHA512
6debcbc51ea2816532b42d1af831120f6d32f508c01970586bfe3ec672dda926fb6888ec642d86ef78751e88fcad4bdd46de6cc10f473025589ac139ec9d6125

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
21d0c6a7f6d0cc0695e226a46c5bb82b

SHA1
b8f9093de941be6d1a891fe1365fb45e14781013

SHA256
1eca425015716b59cad4afd2153c0e8fe8ce3e7dedd2421d85528fa29d2bf5d4

SHA512
00bae231b8efbaefcb09fd9b0c8771a70f7afb7eaa5f276dee06e5d79d642961bcc9f686a3bf1c1df446cd4870ff2340369c57e6aacadfd9dfdf7ebc44804ca6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7324ae20908a907e2faa2998cd25d6d0

SHA1
4e1a423d1acd4d971b6be26dc6d4446d82d79bd9

SHA256
4d1e16d356fd64bd70bcaebbfb80cdbd755381e01e26f8f3cb8effea2bb8f4b9

SHA512
0abc74eb82df3039a058283b0642bd75a102f9d51e9b1979754871378cc975f9d322e62f2cdd2562c70df4d3a68e2517d9dcb03e1d5318aaaac872a048e5fcbc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
18a1957c2b7181c7abf82df69d154f06

SHA1
4506444c8554ab1e61b5d5777a2fb22266bcf47a

SHA256
47170b7b536b69ce5cdc96a2c4c6382c829b6663a6a4e90f964dc39b7dffc3b7

SHA512
9e7e7f3c5ea1e80791f7fab39a097f6f9d5b3ac84b1714c4ae85d13195b2e474dccb552541cc39a3b9f322bb75b4509608a5638465735233829f8a77dc5455ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fd107503d2f96e78eaa81b58672e75f7

SHA1
bd7a306a2a59ef911eca89701fec1c2cbe691614

SHA256
bcf31c6b2b876f8398f5e1a403c9ce4a89dd0bde47d839b28b474830d4214fb3

SHA512
8aa62c9a44c49850e646797081805c475f877ed9408995c25c7e50b2700fda68ec729197eaad2b2a021965cd4952ca14b6d8789dc27ae2e6a1bf1a21d5ad6945

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
04f1979eb6a0a41545e81f504cc87a90

SHA1
d4eaeccf59c901fb5193b14e237058a6175aaf34

SHA256
607a1f740d4c1304d3b540ca90fb8889f1125969e09778545c668bfcad21c301

SHA512
4248f387fd9be1d97e4f25aeb50dfc7af859dc49c810ed45f8b608386988aca1057471b59cf1fef899e957f6010b9f65b4ffc6af52eef410d5a82d866420f114

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
08590e782cb7592a2483d3eb8bc65811

SHA1
fb0bcd11ca7fd66ce1ce723b3dad1422be7a2092

SHA256
923f079ed60613332c93698bd1b84f0b022d2fdfeb0797e68918507261099c77

SHA512
533c2aa670b68b9afea56ed5ac29199a920c95b265f8153f538a1f450c5602e6ee478dd41213773480b2776909cc39fe95a5142ec7b9ff269226d463be6581b7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
13fee2e831a4c60f101ed37c7f486475

SHA1
747bdfd3d83a53c5e86e38fb00b1494161ae011c

SHA256
e4a089cdf1729e93ccb8422b7f374007099ad41984f71ba83635ff13044b2bb4

SHA512
10ae09bf298ef5abfcfd73f8d0c2b1b08e28ceffaa98eebf15787701d1324f5c41b24ee32a2a5e819978aae2825fe043c2d6da1f340933acf2fbe0556021220c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a4f2dd24db2f56d0836d23265e079c15

SHA1
fe72a1bba3be2f3b451c2fc02ff9d89c7d7199f9

SHA256
f499de96073a9d8a58d95d2f4cc5b39ea1c0ef6f8cda802d6a197fb1a9c72c3d

SHA512
0905b34ae0a4d6fdf9c2f4e529bfc9f4dbf3ff1a206c38c5df6fdffffc14ea038181553b0bdd8baa443a0b7bf144019f1bea76c038a4d4456431a19021b16c0f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cf254e2e96f9ccf0c17b4201c6c950ea

SHA1
61de0183a9fc47016394c94ec117a7c43736b4ca

SHA256
54f5794534f0844b928491cd66de8051d8befbe40d9e54cb0ba264b4ea56a5e5

SHA512
cb03efe8c4da0e4c6e3fb29be83495d183e465bf9c9de2ae38da97efd51ed0c2a49bb5a2b52b135b97d30c7a4a7935f126843df2948414ed57d54897788c9635

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2274619abaa781881570b5bbfb796d78

SHA1
8f20dde4db0b35bb659743be9c0c0f1e1a9f1fa4

SHA256
23a992bf36b29ee14500201d2fbe5b5b35ebed1b586860ae03c5229b13118d0a

SHA512
07555bbca6441d4069b578a670c66c8423b7bb14e369d82b7c211a9f941837c085f4c30276a367a504443cc97a893f9420e7a152930f3358874881acf343509a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c24d4e52b21c31fd249b6cc07081d039

SHA1
ca7ba6864505f1bde5a463a279f8bcc58d124d1d

SHA256
9effb1fd4e59615514d7c0d878c619b7286918005819225613eb26c974962b53

SHA512
b55d0b6481864b2b608c07008df5ce381bb5874341030bf61a47f9cc3b6d85fde4113ee1461a74fe753e1dda898faaeba56e0781be0f6b974d7426b4676282d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f4a744395514ca7f0821124012ea545e

SHA1
c895fb0485d961d2e991be49918aa8a77cf4ceb0

SHA256
4aa9336dedfc615eac260257d05fe644c01d88dc905d8fef552f1319485b21ce

SHA512
55fa704d5b1efdf8b4adb5b6e59bcd98ed39bdd45b7983a63ae43c1681a3b8de20a63a256a947b0dd84a842912e9b8ba142cd5d9c591f875ab8c8df1d0d56071

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
559759b9fd96c63244fb803b8fe80810

SHA1
f96f5c23f848d8f351467b272ed3b7c4a917574d

SHA256
5c8e4c290daa5c655ceec4a36fc419392abe76e376aa1fa8bc9f11ae59ae4e53

SHA512
e9cb14bf6fa51cf7cb471aa8be4d12266b7faddbcd047d445dbf0b2a886f47abcbb1dbde64cd7b1c21a00c44032ee9093571f795a36c455eda31ff01a359b539

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a525e57305cb94d0323980a5c8a5e538

SHA1
48e16944742195679d89c72a31f5c83ebd8a13a8

SHA256
42712c9f96cb8bc822d4d43fcf27fca63ec09d5a5306296ba15de29fdd6c91b4

SHA512
f440ea93a921182145d8296c47cb516fea047ea243cb4b5448dd44283d66e43c3b07b4116ee0574d146da543fd2f5ece84beaf1d8be7d4f72e2b488b3471feac

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7edce3d477b2a9ad8e32c23e75fb3d1c

SHA1
a68bab0928aad6ddec2f7b0a5d33b305cee42ce1

SHA256
e8a8575f54bcd56109ab9dd11cc706fc56f9671650e0ae4d7a530d57ccb499c8

SHA512
a9429c689a1a377869e3b81fe97f3cc59a01d82c7031e666036043ef22453bdde89880a2fcf5978e2c4f51a26facb852976420300b2dac31b9696ba12261f710

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6dce5fcb59aa250a2f30b98801610664

SHA1
e2714ad33f8f015ae6f025b76d709707afdb782c

SHA256
7838116bbfd4ab047d95cab3f0f193833bd8638902fbf94ee7b7195e65970a38

SHA512
f0bd9c7baab4ae47e7e75bb9e953fd3a3d6ecba820abebf17ccf1c0b1bea8b0ce18757c662d1c96d36dc6cd35b85f340693ef0ac7eae43e1efce131f6e0b8188

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
98483bfa1a0646e20824eb50bd57e141

SHA1
c6374a8df0c25edb273a6c527c001d2043d56635

SHA256
bef77b398e33ff9b79acbfe7fae8eaa2455957e485944bd7f868c6cdd9c9e0c7

SHA512
39abb707f8d96ab9761e5f97884e6496ad2ef0b73474f58c306bcf8f52ec239bc4b8579decafabae4976223774a4322479f3675b83035ee27bb8ff2317041f79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e6b7be3d17d5b13226e2e042a675f4c1

SHA1
a4742447daf3c82e123afd3a95ed05b85cda3bfc

SHA256
db938a0e5c9fcf99ef6bfd495f0bcf910b845be4caf0a8cdd30dad04bda55d51

SHA512
f1cd9372a532dd5238979bfafc69f5243760239f6c479bb10853217b10e67b1a35a6cea10ec81846782cfc61cb43b47c4a4e995c93873e11229f10329fe9a872

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a8bcd06eddb86dfa77e1e8f23442695f

SHA1
bcf0277b79e81ce537af4043b30f9fdc103479cc

SHA256
b0376bf126b439c40e441387340b84a5858cbadc789d25931f226fd0c8f65d4e

SHA512
c656f55a384766d037936e553be5ca773927f5b1060ab989b84ce5a2099c70cb31c4bee8189763e62b2d10c3dcdb58b44ac0c914bbe9de2c42ddaa05448aebd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8d3f2407d0886021e02190dbf65b565c

SHA1
0b14396e77c97c89edc0c7f92e42b8031dbddcac

SHA256
753e99289fcc18fcf58f4cd9d6a8a938ccc7444778f59a8e2585c7dc1a0cf547

SHA512
7e1eac5752b7321e42f98d76adc377ff7d1964a02b028cd16e6e5e66050a7bf893aaf5ea2a7bb4e22a948c691874bff3d81686b2948f15e20270f90c3e1d1247

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7794dd8e6614e2ad4d517d01d1bfd87e

SHA1
893d5a7f2490f019cc8b5c60d15e987bb7c8b2ff

SHA256
c0e565c79f69036f5897395b81756b2636eefb3c37e6090eb7245859f24175e6

SHA512
ef716e90de5fa244d2ff770921293cc54353cb174777eafc031e8006d2259b4b0c486f34daa518f2ce8f78674f8ad6aff560d9b5cee97f40161c81f7ad3b72eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
df07ecd85a35276496956a8c5f9e538e

SHA1
98f9c568eab9b3c11e8a97cdc7c23aeb6ff5ff38

SHA256
9a1ea212317221cf41342879418b7c1d511df41ec4b0dda1ee28413f6d86b709

SHA512
a1655cfef0aa00d8845301278ee0a8b08bdad23b8ee5e5a57909d6a2e1bedcf8ebaec8bf95b31d6a6bc74bc1f33dfbface80eb49fabbc1b1bb4f6d83ed5de049

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
90925fbfc2d552130a630eeade1b722c

SHA1
e61f781a2b3c8bbcedfd708e851c090b4d1a6a56

SHA256
1271a7281400c8a6639f0c9d81b4d7a86710e2b1fb5983718c88f7ff09e0eaef

SHA512
e5b7161885b31912955d44286369bf24a3c9188466defdbca17ea8d6659a044089e8db83b2695a754ee5c5e519d26cddcc205652697312365fc269999431a68f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e11313b1d481e9f1e3e09e220b6c073b

SHA1
06d71cd3c0f1398bb5b3bf4e268607f6fea28935

SHA256
f2bcbe44a7fc5dd4ba3ba9b740eb2521de818693371835515d2eac513b3657c2

SHA512
b17a371fdde2de4a47633083a793807ab63e9918e150eec4bef1b4e71f1160bde766ebd29442b19f78607b35296ff20b8d152db092dd948e0b31994e48aa3c37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d387a379db418948b33fbf5b195b2983

SHA1
b1e8f61dfabf992df1ca032a05c8ba9c48301064

SHA256
9eeecb28bd4088ac10a34d339458f6d77d85a5220e01fe6786b2f8379038fb3e

SHA512
491573e80ce904791f04e750d9237509dca01eb14faead02f8991f23bd71ccdf5fd28b96304b74904f67a457b0679fe1c126cfc0eb04894ad476a880ea88534a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f22fa3438e66a9ef587eed03a19148ac

SHA1
396d4bd2a8eb0fe0ae669895c60ce21ad97354bb

SHA256
b392044465ad56bb4b15112351b0c6b83687d409f3d0b5aefec97b8c8664ea1e

SHA512
0e1445ff83bf94c235b8f6b49d15c9fdcf42e705f0599c27a1bf4fd88195ca9744c88447bdb3da9b7d6fdfad41cff09008f021ab22a3a6e92108abda6ca228f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
16f2d4763ccd90fd2d8e398e23d83e4f

SHA1
a89d2a273ef4cf31a4a6d7556f0096ecd8a093ea

SHA256
09a019e12674777117e90e3d5fe6cb935cf57339130bc43cd457c8f8321502aa

SHA512
96e3f36cffa5049750db8789e4157de4df2ebc59c1e2ab90dcd52fcc14c6f6b5291be3c3012d02853e5ff95282d935e2eeb034e223772608715ff3314829a681

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6e08a83a74d7c8d74fa7516fa21e5ab1

SHA1
12d01cb848d2e4db68c677483dff29540f660fac

SHA256
07eb68d5e579fb0e6a89cba9a6f0863fe2542b21e4dee3dee95e0b2a925b0ace

SHA512
a76601cf24e9a8bc5dde6ea9c5bbcdfa8f781be82b181bdfc527c75a3723a56c372951d706ad288acabb03271d95936df9719f42f2de350908bcb03a3061f24d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7575b58691b89e00592125b9dbf40447

SHA1
bea05aac069e2c3c96a6f74fefb74dfa45ae604a

SHA256
7d90ff9cae3a8eb5fb1052c000bb729ff1abcd80371f10a00af0dd3e0b48f7a0

SHA512
45369293c26929d5012198c3dc384deb3aa01e7a78aeb4fd53da8c8037e5d9ce96d76672f209993647fbc107dc22f0711cecefd26ad0ab25cb5bb6d7717f5344

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
83d3dec59130452129630ae4794b851f

SHA1
049a7182a1b408b94e846888998b7a87c1377594

SHA256
cdadb660e720288e83f859eee27fd0aa83734d780d283e558db785df5348bd4b

SHA512
1f357051b1170cedf36fd77d78956a1f0e0413c7e6a9771687bb3c83341515054b02ae79425f414248ae49604be0487038e038c63c1820ced9c75e84633a9d30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8ef673fd51d60cffffba3724527ffbde

SHA1
e039e9bb2fce9c123f8c5f2223654e4cc135a395

SHA256
d5f792a57fa9d166074bde7004d9b17590c9b33b11da72be70a7c4b3060770c2

SHA512
807988a8164422e63862897987e0d8ed23dd7171fdf9fb21cabdd6dbfdb59f6fd5a39f8b1401b142ff5fb566564a88130ec9e4fdce11d6de08d5de3288edd613

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c68fadfe4cbd2d5ea156007d5e7df82a

SHA1
55e2fda0dbf7a6f9c9f149d5ebf584481f51a1b4

SHA256
15f026fd7aea23875de38aae7a21d9599dc2f7980c2d08782f8994b13d9c2d31

SHA512
9808205e011b7f376098758617d2866bb110d2798792e5e56cc9857cd84bdfa345646ef48eb5ffe340cdcae4b572c82ee8fad58de38dddae6e0171342b23d6b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
ad441897ef66cef167ffd4b9be76d46a

SHA1
740b0049c7be04a16cb8bcda699a5ec985211c4a

SHA256
a395c42fac68c156e5ef868dfeeefb5b0c29cc53b49358f12e7aa529dd7f5329

SHA512
46d5ae8f567d751fc657ba36cea6d6b8dc1e0689c69386d4e2e439bd253efee5bdfbbc701897ae17279a1148e7b7713c4bc5602111979b080dccb5c4118d4f63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
f421fdf4663566c105b896a5887d82a3

SHA1
6be64b640aa3bbfd91907988afed601b60df7f6b

SHA256
a3575eb305110e34d08643307549408d9be0adad6b6a1fdaa64e6c5ae134504d

SHA512
f6b7af8aa4678356a3ed7e3f535f0e35d4e470362c58590621305af1fccd4e020de907c8e4b82eab9a89d3d39ea7a7212323eb15fee6d9571bb416432a3c81e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
fb124291d46fd7d97fe35940c0ec12f8

SHA1
68ac5840c6971933808963872916e67fd23275d1

SHA256
487bec8e690011f66f85dd25f8fc5ce4c248a6ca07aedbcd282734db6b7e1d3b

SHA512
b9eac93fb300c2eefe5873db1a91ad64873ae7fc146ae07f388ac0c55f4bb879757be13282213973ab7ad2150398361dc9c9f69efa05007dae29e135e30ab36a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
061cf9cce14c5491cf68dcd5ca565446

SHA1
9ebb70edceefea4219823568bed97f0a5053d8e8

SHA256
6eff166162aba78d7c07c2c67fafdb2eac59a35c14de2740953baeb120170de2

SHA512
fd3ce0f3113e82a310e9dbe7ef451c22fdd91da61f3a96fbb5183c1c0ad17ea257d4d48a6ee08ab4901d9b214c22fdfe1327842993ccc58c6178ab160620e5c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
664a7c022cc078dc4654507f1db47b14

SHA1
f896868c0762f84e03326837a066326a52c5a5dc

SHA256
673b43592cdb5c29433063db98d45e7b072dc1244e216e2462a79b708f3b56ee

SHA512
833efa4e2313c8c60afb2d76ce9c6463ccedf7da99b2210e4e26ad5c85190c0cc56f6c9d2ab4fc337ee5f84e0312a3d7d4322aa42a6ace362b0743e079efe51c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
3c7f755682e97303edd463536fbd9eb2

SHA1
912a711a936d270fa956c0045d12b31fe15179c0

SHA256
2b0511e8e73c13d06b2765d77a45a0d437d77c4992f8c9c659b46b113676c693

SHA512
050343e999bece8f9ca15cc3c357749335ae1fdf8b264296398e1ec0e32759754cf4573959b0815c94afed3f4ccc54140528168dffd92d29fe9c164f6c514e83

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
01bd59b68274a9e6c3bbfa12c26ec28e

SHA1
6a4b2d05decc09f4968d606bf8df9abdf2a8793b

SHA256
7bff2cc2b1eda34f842a9c609f79804da2c1660e40ca22ebb6b0f003b9537055

SHA512
e0a4bb00f66b79877193924b7f7283176f259185741005fe5d8fcc3f62d888c89bb9b6f7b06ff39e4b6231fc52019a12644747a35e16232a982bc469a3fce238

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
01bc6bcc4903026156f6f0a5988a5949

SHA1
f7bd60e3f551593ec29c805f6816b475aa85a408

SHA256
8b1d5d7fc07cb6adffe569f5f77128f66667647f4cad7e722c5d3dbdecca6cc0

SHA512
bf4feed12054bc36045190c61411707908e5df4ecebbb51e797a9cbd427f034fdff18c65fe2d4d8cf4d0626a153487a400965693f294d51cab53dad78ba6f7c7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b0c8758adca52494856c7666fa3bcc7a

SHA1
de20de9a88a90abe1c3724c0e205fdabc43fe4df

SHA256
6f934e88935f6b775e8340edf8bc9a9039d63cac5d2edb20b7302e3366eccd8d

SHA512
64457c6a5d4fea2a354d4c2022ca24e7bb6870f1f72e9aecb81a6495bc7761d57ed5587f9550fa07f6168382d36e33575136a3433bb77a6b890a2ad3e816589a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
512625ccd0693dcb3d3fd8d27be2b0a8

SHA1
caa3e031b6020155fbe34c781553e836c97e6da2

SHA256
a8a35a336efa70458f8cf151a5f5d2a066e0f9831f07253bd1c452f983a4fee9

SHA512
2ffcc70d40d9ee2947fd55830efcf8171e6c87482e2573e4bb448c425f070e1402b0058e8d26186e323f64c418f4f6acb4df7f515aeacfeecb439d074a19ea9a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d017853a63e802fc409c2f7cfa6a5998

SHA1
025081cdc1629d005a1765260f6ea236fc6dfe24

SHA256
11922905b453bfa149ff5e86e7306a76d951562dfa6a3aee21b33959a7121608

SHA512
ee3d7976b7d006c52e9b9f213812bcf4152639c2d030323bfdcdd9782246a58a14846a30096498f3bf22783c99415798070f0b7ad0eb73866c7d2ca23c77005c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
89c1100b8e361dec08e2d634e7bc76d8

SHA1
b54a5e5a507a768e7302b781d08137278322e745

SHA256
acb626b969e99082887cebbf1d483d4a30e8b9cc02d33b5ee0424e70f1e4b62d

SHA512
80b0840e85314ac88257b6d6227d00e7c2edc5a78eabdb25a849dda004329a59b222158814436ae6881d8798fad01d683834ade34e49c3006a5a60daf3633d85

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
deb43069b94cee3aacae9be84bce616a

SHA1
95ba9a61f8e500209541276f7d69e423218a3911

SHA256
e8eb478ad1bd668fb93422c3eed6b9f72fa64377123dd9cbcce704207d29a319

SHA512
b79bcbe36184e59eae671ce11bc20edfae3f88ecf67d6afa3b797a9c100f5abc9c03a6cd55fd130f21bbb76d9b4cfb385eee0f583cff3d7a57fb9bf20af2e963

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
102db37ad8f3aa37d3730af13bad4458

SHA1
7a005b1d9d7ffd4ea197a048fde92384f5e8dfc8

SHA256
98025ca1196b05fccbeb921c52229c853511a356373143f4956c043763bcbf88

SHA512
10c4f1d3d0f829e0c4d9f5b021725561e4ebb4e43116b4cce984d527f7ecd3745329cab6ee1b18cde79d45adf0de6139612da87ce82f72c2c5ba65359980c63c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1f03f7ef4a987df53df94b88a8fd83bb

SHA1
97bb4ca4f6df8597ed511bdfd918484924287e0b

SHA256
0d4fb70544cb566233de57fef8de55426cf546519e630efda7f463e330fe860b

SHA512
86169d59f32dae498e13721512a53b1ae2bb60a964cc28d9466e186ddcb6998ad9abe3b402c0abb1cbd31bb0f2cdb3e62c598ea03d0582aa32847f40cb77aa9f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
14c3fe1411cfead1946730b60183abe9

SHA1
84c04142b26687639f0e0732005018391ae31176

SHA256
d32a5fe5c97050118c3f34fa55691a3f404eaddc44089edc8c3a4e0e13c6d707

SHA512
82b612a6afc312529c215e7e5151b3f2898e04e8ff9a179925c9210134d72066e2b1632692fed0f41a8980ed1627d633f660b603b032127911d30c47c86f62a0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0d932dc8f485f8ff9cf8563903f84f02

SHA1
11e853807d6a3ce58b38f49f8c2ad55fb364ae7e

SHA256
789643907db0762dab9d155294f2b23074818111476ec315afce282af05e28a8

SHA512
b46a19fe69ed6ffc4fa6c7b10b7fc3fc6c9c9d341b671c95b76a1d28667ef884f18edfeafd4ab9752718081cdbe6b1682f470dd04f9fd158337fbf15482be445

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c652b501a415e7909376027c58b8c159

SHA1
0c7b31de170c312f2da6511c98ed6f208881c81c

SHA256
b57d72454795565b8d05c3c8e6bf2f6c82043c1d7b8afeead5de174364cb7454

SHA512
0d8ae8b717db4ab867cdbe7319a43b4d2b9933985f41c151d8eccc61aab46c6c705a6cbf2fa57e31b72d6ff48e5ba676d97f43f4095a41aa03382c42214b798f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ec40ecf0cc74823f51cc02452015b764

SHA1
1d8aa4d6c992f051ae727303962d4030639c2111

SHA256
a58d311459e3c2f34706b953091fc24f4e4fca31ddb5a51ef24030e17628302a

SHA512
18a9d143c5136eba0a959f4b02ffb2e155d663bb9f479aeb1628d08173a69a84ea075f219ba4e67cb0ecdc34eda22cf1b1aa0eafe1d69aaa7e298dc4fbae2800

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0b1eb5b7d13813c637fbaaf51ed5d78c

SHA1
5c1e9764eb4ddefdeb830d2c5964f1d441c11a95

SHA256
7984208b544e5e5d3bc9b0a1fddc6534692f78aec111b06888881266e4ef8076

SHA512
cef5c175af8d435e46294188717cc09002a512b3965331bc4208a57dbac34a030ea649df7350c89d725010a27a1955634ec9c45f50cbc7a663fe0fb5b6ecddb6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c1a17791773c4f9cef66c7ed53e056ef

SHA1
7993fd70e1be5785af0d6f8537a2728fac0a8108

SHA256
dea61694917d98287f59ea93b2a41bd67cb09108ca116cb02a0f8b7ccc06581b

SHA512
cc68b8f494e23fbf0c867d7ad5cead6890f6010c712ba7c2b319a0ac7c0714406f3eb65182c6a2692ff2065dd38c037d27b979e68bc2d69e4cfe8c35be7a25b1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
396f69b4584f7b2c54baa6ddf425dd77

SHA1
91f7bf590098fb1c22ae0f5bbab7b97bdc06f8d4

SHA256
9abffeffd0f4b70990aecd0e32295067e59314df616ee286375775e2cb5687ca

SHA512
d3a6661247f5b1cc95427897100b92d14210f764703b8930a329805be78c231dedcbdf3bd07b84260279ea92a210cc2c20bc5849c03379a060d21976d1997227

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e17b54df3d915dad3f9e7518c0502337

SHA1
77ce9a78f2dabb08f180fc57507a5658b93209f5

SHA256
e3f0e2df913e5e4fadc32662204739dcaf3ff306b6fda781a2ac16ab13b85c02

SHA512
5a5a20afa07f46dbdbc3dd1bb445e82d725858b00772fb712325aa9b96f835c31bca029f2aa24f30e61028018cf379741de0d18b40aaba10214a964ed8305aa3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
383bf18dc0cd656fedd8298f57f03817

SHA1
d2fd8f7f7a089a7eefbbbfe56e98c1170bae6da9

SHA256
fe29e23bda5d2ce4e51963c2a4a98fbcb47168110b650fa8a4032de2cea16a28

SHA512
b39d540d5b2bc6d492c16034bb80afedf306429bcf9d1d99f67af60ea06f6eca50c3bc0e2abdab3e60f6b5a15bbe13020ff9a7ce69160cc9cf93e6a0d2bc5228

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35a65af8f5607e0c5a879ef031bf9f82

SHA1
95a1ebf077cbad34c57d23b02cf7aa9dc29318e0

SHA256
90f3c0677b47b8d5ba66b881b742b95fa3c3693abe4e527d9d310bb9f15717f8

SHA512
a00e19a362c44f82d9d1dc14e42ea8a1f26ffc61cc939049b2f2a9f7d16c7889525a38ec4b58c89b0f20bb7abcde43680ba4d46cadd2838380b9bdac707e4cd6

Download Submit
memory/1136-51-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1136-50-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1136-57-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1136-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1136-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1224-398-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1224-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1224-393-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1224-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1576-439-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1576-372-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1576-379-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1840-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1840-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2320-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2320-462-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2400-440-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2400-448-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3200-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3200-410-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3200-545-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3268-6-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/3268-18-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3268-1-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/3268-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3268-7-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/3276-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3276-323-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3276-390-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3276-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3592-250-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3592-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3592-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3592-249-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3592-243-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3624-279-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3624-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3624-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3624-341-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3736-369-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3736-312-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3736-302-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3756-422-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3756-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3812-400-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3812-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3812-339-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3860-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3860-435-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3908-66-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3908-72-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3908-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3908-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3920-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3920-11-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3920-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3920-22-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4108-263-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4108-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4108-274-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4108-255-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4108-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4120-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4120-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4608-352-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4608-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4608-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4696-356-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4696-366-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4696-426-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4924-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4924-34-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4924-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4924-27-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4996-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4996-296-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4996-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download