744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb.exe
Size

2.1MB
MD5

6d4217a703f6233c48a0c0e29caa3b85
SHA1

f7213ac0114e967161e15737d224a68155e2d1fa
SHA256

744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb
SHA512

b7cb90de403f980f93ba18b74e5a61f6a835c21c25ffb820227b12ba7a7af1f5a5bdb8609b6227a17bbeb54fde4d1d9f0aee040305839b9ecde37650173debbe
SSDEEP

49152:MAaimdzYtiKX9G4i0awIlrrE5T+FrfPOkhqvq:MAav2lX8VDgeOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4320	alg.exe
1628	elevation_service.exe
2932	elevation_service.exe
2268	maintenanceservice.exe
1704	OSE.EXE
404	DiagnosticsHub.StandardCollector.Service.exe
3668	fxssvc.exe
4440	msdtc.exe
2884	PerceptionSimulationService.exe
4944	perfhost.exe
1920	locator.exe
3396	SensorDataService.exe
4928	snmptrap.exe
2372	spectrum.exe
2496	ssh-agent.exe
220	TieringEngineService.exe
4112	AgentService.exe
4400	vds.exe
3736	vssvc.exe
4488	wbengine.exe
428	WmiApSrv.exe
1856	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

msdtc.exeelevation_service.exealg.exe744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9e3b7a97aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f4e6501bd99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004eff7501bd99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4433e02bd99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d557002bd99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a879e01bd99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd058102bd99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4433e02bd99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2276	744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb.exe
Token: SeDebugPrivilege	4320	alg.exe
Token: SeDebugPrivilege	4320	alg.exe
Token: SeDebugPrivilege	4320	alg.exe
Token: SeTakeOwnershipPrivilege	1628	elevation_service.exe
Token: SeAuditPrivilege	3668	fxssvc.exe
Token: SeRestorePrivilege	220	TieringEngineService.exe
Token: SeManageVolumePrivilege	220	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4112	AgentService.exe
Token: SeBackupPrivilege	3736	vssvc.exe
Token: SeRestorePrivilege	3736	vssvc.exe
Token: SeAuditPrivilege	3736	vssvc.exe
Token: SeBackupPrivilege	4488	wbengine.exe
Token: SeRestorePrivilege	4488	wbengine.exe
Token: SeSecurityPrivilege	4488	wbengine.exe
Token: 33	1856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeDebugPrivilege	1628	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1856 wrote to memory of 1160	1856	SearchIndexer.exe	SearchProtocolHost.exe
PID 1856 wrote to memory of 1160	1856	SearchIndexer.exe	SearchProtocolHost.exe
PID 1856 wrote to memory of 4428	1856	SearchIndexer.exe	SearchFilterHost.exe
PID 1856 wrote to memory of 4428	1856	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb.exe
"C:\Users\Admin\AppData\Local\Temp\744f97ed17f2c4a145a58b1a3da3f4d2accf0c8654eeb9d159d41f48d75e22cb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2268

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3928

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:428

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1160

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
4a301f9d6c67723c5847103c0c467ebc

SHA1
db45faabcad50e4a734aae1dd15113424d646465

SHA256
99d18c245bebeb56b672bd882a371c65e8f8f877813714129e28c6f83e9b8484

SHA512
fb2ca4bbbad4785667293ea45d857fff053806d3e3f461afc8c2d48ea222cad858e932791b126272413da53e8db230c973e429aaffb580cd0f41be67de66fa12

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
e0b1ef9b10bf099dab5f5816b4dfa257

SHA1
4ee376b36d3950d27120c23d6ed251530c030d0f

SHA256
cc7ac7d99bbad0ced5e82296a1e424a320e7a993e85a0d8985ee52684a343685

SHA512
43e1e91f0dbc41f8ab1129eadcd6ccd068f469deeaa586dd9c90d3801715f326a98b44760e5ac4305556c0dfde7c24ad4081798fdae8509cc94136b52cf9e313

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
fe5396ff2625a563a89adeb3e2c906d6

SHA1
4a75bd32ad42cc985aee4b082968c745efd2494e

SHA256
6645d7658e4a19fad7ac1387c1d71f3a37fc01f1b9784f929db5375cd5fc2089

SHA512
0c2a81f75a7aec5f8fd3ed8f0868df38aae63a2a899d40b40ed1bb838fcf1283884d850b015aecd1edeb15f91a9502179088ab5a78794b8592aaf6ddf146dda2

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
84d77bd159566411e1f84dd812681b2d

SHA1
4f9a17cdce82b66226150549e3b7019ab2fcf960

SHA256
e149053e6c3a139ce1672dc7fb5ed003ba8cc2fa3d1c7b21123d59ad9f4b68df

SHA512
76bd72064582aadd507d883c299929807072cc271fc4954d11f091480fd854ec1bded9ad0358aed5c5c96343b0396bb2c8611bc0e40dd1203fbad56fb79a9927

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
b97814217e1a23675e63cb95439f23c8

SHA1
1cbb09e09126012f6411dd31a4b9b82488ac6579

SHA256
d16d5b9b447daceff88658e256775fda655c83a80075f69a928ddc70b66ed23c

SHA512
628b5d2fdd6ce288c89868114efe2c6901f6b89821b80620ba38a7edad0420958a9e3bcf0288289b06ac2e847554fa822e6c82cf3a832d1fb2ab1f335bf0a25a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
1b03a2d19334c002fb8695ede8bae078

SHA1
bcdaacb8e7d8c642eed85ef197a7a08c06930ba4

SHA256
0086b162719cf3b3fa28de8237fb901aca06fa2498e50f1bc831d8e277fcd8d3

SHA512
cb96ca364986bc47d08164c1aca986445ddefb84c51b8fa5f94062543864ebb14c4a1e84ac9926225ee43a5a22737dbfd2690686eadc3aa8d3b1de0b7c704fde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
84d96916ebaf42834449bf7c679c80b6

SHA1
3ffc38ffaca78489dbfd3f795a7e22de2860581c

SHA256
dab401e50e327160ee129235a36e21d83894e66e2cf82746bdc030c3124d7ec1

SHA512
a685679cca71d90b3d7b5770f3ba5ea9c14091703ee620b3612c751f8871acd09a19552e13f0aeb1b24d04697326aedd4b64f18561d935bccbef476cf66254f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
69e57c87b48705773aa6d305ae36a8f9

SHA1
8ed0004420349c33a5d8ae7ba4b5a1f50e7354cb

SHA256
95445848ded82e810f76ef873e8dc98125551ea5aa18c9faef54748680ba4762

SHA512
70e36c21c271d5f669ca57fa6d52ff0e580d18b04557369faa6236300cf7c2f642600762179be3ad6f9203eec3059f72bf5f2d2f3bbc3ea15c8b95c5a1b7a7b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
49eb37935cbe26e81d5493b3c0aaeca1

SHA1
e2f7897880ea26df37507d9864b37ca53d39a6de

SHA256
c23d5c54400f24cb05a755828ed9e86a99404f5b1fdb75a4f879d0e3e0c93897

SHA512
96c1fdbe4e49f15d7b7333d73c369a8ec99f8e97a7e1562cbe697ab7289add6687f4bb55aad701d12ec76d6bb2f9ebb286d1bac3adc86597db5e84dbea3966e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
abd4273af4ad853f5b114cede1c45075

SHA1
f7e8c47650464a7a058692aafd7a08f39f7896d7

SHA256
1a901668210c48c41dc8efaf01913e77c8c9327bd182ed9bff9d9f4729618600

SHA512
744f22dd7fff9348e6bb069f994626ba22e40a037a685142fbda7f7939ef984671618a74752ae5c7367c162e7bc768165d02903b928cd24ae16ce1e2a9e9ac8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8f39c499bf98f0595ba2310513d21cd8

SHA1
78af9af8e465c75c0408dd67556a55bb70101617

SHA256
893478869f1182820dfe818ee5bfc262e0d40d082476ad3391e9ddd6ff54a28e

SHA512
e0e56db5ebf47abcc14e275fde3973187c66454ceda579997396bc84aeb285362535d82dd37063dac6df58517c892d611421bb818772ba4735abc8de7cdcb64b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
5f9086719c3d46ba37ac4b7cf0e098dd

SHA1
12800ac16ffe822f4e7b38db6f2774fc70653714

SHA256
e50467b4986505ab19c599d848bc9266221b62fe6a9e4586df829eb8a992f3ab

SHA512
6b757129b6b80acfd4c2c298ab3a8677cea7094464b4ff5f2b8b7250a33d58e4c4e2cf01f2ed14e764130203fea0b6c1b06714f88cf877cba2071a59792d89a5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
f547232dca0e38d58f30dad231be909f

SHA1
17c2f61919e60f1a74826a6c78ed707bd508e002

SHA256
a3da7b86f99232e9f2b9889730ef799487715d60b0f6bf8c0256c65295ef7ed5

SHA512
842d0662021859f2f08d998e480cd7314450c9eecbd674ef89e784c765c9be9ccf5557c4fff25b34e324e46653b8039c9d24f25096037a666429541d2d019f41

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
92d6fdc2cac30db86b5e72d490ce3248

SHA1
f1501c9acf13cb8448cd08cc02e822c4ab2461f3

SHA256
f22aa3ef236cec274e40832ed18fb9c6d551dd6bf17f0b41754e5aba009c2ba7

SHA512
a0c8f9012137b3cfdba3bc390ba925bd7f7b599c3c3b0eebb0d0fd7c8cef15e952ed0c9ad933ef737ae6a9d765b7fbfc48894727959841a4e3afb453c5d3e4f6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
a425e4e979fabcd87b9f1ecca31645fe

SHA1
45ffdc824e4a78efd6995905f11c1f2b2b79a13e

SHA256
c3bb9ec43b9c4444cf521ec1b8e18dd0425a11889e0b25c574e2f80826314618

SHA512
980ac5e93cd22aaf892c14782239f6e8e8d14e59074c49c49a5df311699e900b71dae2f65c50543d6c260c3c061a7d5954e5fb9f785983d6bcab362ca87eb179

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
3e90c20f1f493bc16693e9419e613015

SHA1
d5ce46a67127bde76e6bc2c197bffdb1df5b4b60

SHA256
442519bcfe5c81946f2bc2886185a021264e6110b0cc663b96c7b445b65e38a5

SHA512
312b716165caf01b150f5c3513500cd786cce130585237627b1301602759297c840389281016519a22cf0d325fa028dcc038c1904597c3ebf2bd26eccee48666

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
7d3b9fa8468dc507ef1b50f93fa53de7

SHA1
08097bd0bbea6fe68f4b8a14d2cbbe7c5e6c79c8

SHA256
49821513ad04ddb517930c1395e133a8f75b578986abee535d747050c3f4f7df

SHA512
73af4372d281e16b1ff6212a7770538a1d1c5774246ca987a3061e4e7977fed9f8224396aa6701a27a53da701fb4850108a0260e64b3e905ccee01a83cdecc8c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
d745643942c1137e60585a45c8943510

SHA1
4146977d181f72962008e1786b83726d69d3bc7f

SHA256
c0530d4fca6a57f1311ca14fe452279e55db7760b21a23d5a6e0a20ff9803750

SHA512
a56d6d6838c327ff88dba332b6569b7627615d53af55463f6b526ea1698b7f9adb9cc5416646def6ff48059fe074c1ac7d043a3f3d4cbe65011614c51498f6ff

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
351092f0f4214b18fdde3da8006ed240

SHA1
73d24beabb6ded2832c0450550ac56e51f6495b5

SHA256
239e3c51d93387efa17e2b7f570697e7dc59a8557692da623a8a6d7f8dc6a972

SHA512
4ed980a12cd20eb0cd179db4098112a48c8a7039308cd04e6eec4f143df1566f51c9b23f23783a7e9bbe98a9e1a691d5814e7ab85aba9aeb8c7a1f79ebdda2b0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
462f4fa927c71393733b7429019b9a59

SHA1
62d3bf1b4d54dd6c1c6b180a9d6a5ea18f15c90d

SHA256
d13ed1bb6b39b9f497a7b6ac355f8025f504cd32518a78569d60c499d4273117

SHA512
48e2cf8be39a17cda5dc3d39b21673a23812d897d8f5c21dd81acf88dded8ba31b983c4e379d8e4788009c888590f649f61ab01e9fcb98375505c888b179477a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
66383208d88361264e48e2247b169419

SHA1
0c96f08dd2c014f7f914c01ee40718cfee65b55b

SHA256
2b3dd017b2c3ab7d4f814e4a7aedc03d66daca625b43120d8e0155db4873cf12

SHA512
17ab01687c3bad91f9d845cc6b29b1efb8a8a8beff8ae7f115e88aec402985acd902935fd5aa51a0ba7166499f63eb437dc9ea594dd437943a10d0c8164deb76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
4ea02ad1d3c4d23e0f1cc9ff4a7fa6df

SHA1
3dd4d5c088d9f7ae17bd56fe5964a13f8573a0b1

SHA256
d3a732f0d2afddcf58a8c3954d407dd54de977544f35b517d0775ab1d4c3d0c1

SHA512
47596bb9498d0592be7ba68903c53f2a211f56f0a9a118fbee87bfdfb50e59b4aef1826cac87e4c6f97979683bb97148124cc30d0c215094cb24a7ecbb515853

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
1df2c43e85b05f1e1cd41aeea4b9d122

SHA1
c7828a1cc91919aeb895527d8d4638e5d4558494

SHA256
886811eb3f3e6624089953477d60ab7c4eb6ccb9958f8438639ec8f2c81ce7dd

SHA512
bac67b62fee51ab698a5b8daab0c679f8573f014bf7bd77eec0bca5fe0a6565ab161cc61e1d560f20b1691602a32e25781d9d91d92500950618bf67bd1706fe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
e22d71f0597fda11253885111cdc9860

SHA1
e2c75f16aa6f522a55897b8865d4a204baf3d499

SHA256
e803a4738d982d0d53939ae91966c736f2d3b6d65d9a8d2142fccc5e252c2045

SHA512
6f2c5312bef929b361ffbc684aacb67bb5bc7b8465f7a1d1fb8e241b5adfeb4ea77244c3ee309357274f7674ead386b0d6510be35e9a624de2cd2ae6fa55d505

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
5111bc5ceeaeca51a4850d6c2ab07606

SHA1
bb3c32a27f4a1f65c90400047e199c33036132a2

SHA256
80bb4c987491f0b1aa01ae445f544de00dd4fb90cdf7bd2a07605a7a30b90387

SHA512
1e94d2b6ea6a6079bc74220abdcb18ad0221c67e19f33c701d295ce7bf3eb0b60c0d74b95ce9a7642ac2267c60fc3cc559fb61acd9d4f1002167c9ac6084819e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
a0a8283efb0f90c5e37860389c9f26d1

SHA1
0469502b71376242e55f19ee2411e084930d953b

SHA256
81242e9cc190944fa2dca973467bc297677221365e06da1453bea5ea3ae20e61

SHA512
3735281768bec7f493d721d08c2d8f830c98167c7efe21e93aaf3234868576f5bb06a5d4abc74a879abaad829c46d41676501e1f2290844f9b7aeba0bc5f9f14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
9c6d9555eaa18a3fed932d02157e4f37

SHA1
a98f0336c7b9c893ece4dc43c9c5ce6a25e6e95b

SHA256
6789cee4f833dbff111905a8c818eeec9e0d625e7ff93db6db50ade2f53793c8

SHA512
dc94c1a0ec1e14f5f36787f6ed7ce42dd7794a8456bf92708ad5fd6d5559dfffa592c867881d5d985104d3e1ac4036a2ec62e47ba19bc3b93b82a319e24fb9c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
514dcaa97a54c0993cfc3a2156a26288

SHA1
c301f0dab014bf5fce2da581dc9e807fa48997c8

SHA256
a19456a24d02d02957237cc9d89cbf8bd27b355ec437c0ce8edebf378013de84

SHA512
cee8a2bd9c950973e28f864b9e96eed31b9b6ff537825e9ed377cada33fb87ffc7d870e4cb86eadbb464bd01b8f2c82ec8a7363ae7dacfc29bf3900da4a30e35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
28c334c4198c8e2e30e87bd6f2ff7cdc

SHA1
f35b6d6efed32057eed1f24e348d20369a28986b

SHA256
a4a2a0ccf2ce65510be60e0bad6805407ab1afb0f3fba877b28de197ac80b803

SHA512
8163d7446d61dca6ff36e1fcb6c8dc430aecba7149152d4d14c25a057f70b3ace0433ea0604da27511f2d65c3e2ec345ef8a6d9af3cc68cc7d5810453e184050

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
43424ed3233504e534bf7bd4c88bbfd3

SHA1
d1f6fe9f20852e5600ad354e978718442619f0ad

SHA256
ba44881be036e2b9029bbda84e78135c2683b5165b86cbea13a0a92526443ee0

SHA512
963f86bc5548f9522230d22ffc35317c59b2efd6fdd1ce80f702e70e5b95b151d42ebb595b361b7950eb47c1ade13105055bd186d13da89bbef4527d738ce229

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
a53c582b096edc2dd5786623daf31587

SHA1
f502356b941feafd3cc123b5b53de278220ccc4b

SHA256
ebd03bd83b3d6c4487573fce4f326d5ab7abd2c0343ff4f2944a7b3124a42c2b

SHA512
1f10f219e2698cbe05c16cb93375aec5ac4988c654a8d99742a5ef9d8ebce9c2c94b451e735a0bcac71c132ef88e7f1d45ae78c3ddbf10d20af291377f862a40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
657c187583a0c647b77ccd4e750550ba

SHA1
40c0aa9103a114920aa76c2118a8c16191eeb5e5

SHA256
8939b814aa27ae9a5d1052df8dc7e43c32377b818a9b09b686333e8e8ca81a2c

SHA512
c44a470f9a54dc0eac681d1e0ee9348b62a7cebfb4f6b9c70b258d2217acc294f9622e25d4303d9d6464beb015c33e88a336a9b5ea0928e85de894fbbd0a7fc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
0e1f14d00c1a76f7e88288ff44b533dc

SHA1
5a365713a239ca8fa0555c973b39b3cfc2828e43

SHA256
b14172d76a082461d8b32db211cf4803c34ed4b166cb7fe6623af4482000759e

SHA512
ef9316c824495399548a5d95dfccc41d7b38418f998ba6ab4943bb66395a06ec508a2c431ee67ecd87d6fbf0631cbf6f4c31252054365b7a096dbba027b1015b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
a4e0a161e2424aaa352e400540788e38

SHA1
3f704bc8d5497b57622c1bb23a853414a8041840

SHA256
b823ff2c27d626b48d5df76acc4b69578bf86a9a86fe13612046a5a6e70a63fc

SHA512
07c7234b00e87069c6fe0871dca05ee9c31e212097390f28bd390c13127ebfe6c7d448383e8e702d7675da0a242fc622d9a4b4a385fbcee7cbabed2d4ff86fb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
c6cf7ed8434f57118aa7222fb9fd5686

SHA1
75ed4c31af6935c864018b62cc8dd0b284f53a09

SHA256
d96b405ada7b52f78de6200d9db47652cb4668037889c18190dc2c92608cc0eb

SHA512
dacf809143fd3fae0f7e9e7c33cc209eaffe60b078978bd986c2c560237b8e3af3fac3cc3c33dc8045b520dc47b4f9c92ca4f48602d7744e6324698b4955e456

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
26427f9236372ee0598e175a04235940

SHA1
473cf267e97278982792e17f1b3f72a0be38eff1

SHA256
712bb3d9fab277087629be089cbc550b0052a3ed23c007232e46b44cfc985dd7

SHA512
4a5bf4a57256eaae8b03f69172a40a983cfc2d855d837fc13733a67c813bcebdd93567911825658190c7060c421c038397721fe77288abb978ca37fe85ac947f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
f91e625d3ffcef0df71f171134157cab

SHA1
ac465baecd8a34a8eca37c025ff83a076358351d

SHA256
4c2355e44347a20b01f848d3f9800ad529a9c6ca036d020c74a28eca1eee0239

SHA512
eb063ed8190002ca2aaa4abafb1b9d0272663cd4fdc7a6a8ddea085dea9207cc0d5401ed9cda685655401826e0acfac45f61b9b2498983a32f417337db634c2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
3abb4c637f4480591e8fa80925c2716c

SHA1
5a2baa6cbfa960cef1a8b992675e170e95397313

SHA256
4373ff9eca9f85c929cc027a9e7b241eb40d58689029790e401d42b944310163

SHA512
647b5512c78d733492ca5d4e0dcddddd29ff203627ada072666b9880bbcbd5e1963bff6b73d5a1b6449128e353a149f1571403d7971d78e07d5dd5b027f6ab54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
74276e3750228ecb0b668cda473f64c2

SHA1
b310c35c7f1dd8fdbd2158ab938fd7a6bd654174

SHA256
418ffda82e6151d0ab29e9fd45221586cebdf69e4c25c4b47bd791fb300db309

SHA512
61e292526f905b3e0979855b3ebbebb1e0b31429bca0c114c5db19cc3426b11685b4310c9549189554a7fe3d423d7ea6799f0f01b5af71eb64595fbed21b7225

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
c80b04a15fcc0db424905c4cab7f4e1d

SHA1
e998ba9fccd369e3281484e02c0b1a790f4834fc

SHA256
05414d0c62c92099991f854d2e022da772547bf8f9e5fac20613f336c6c428bf

SHA512
00d03356e12d742a2e060fa35148f806dbed7dba41258c4c76530b0bff0ca21c65cceb7bade4fc86b140d31084140079fb665dd77c5b38066e6614417d096eda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
4b0cac315141a3340fba8ad66ec5b6a8

SHA1
81b36f36d57f1ce1499d8f829ac1f16ce4a66777

SHA256
f9d16900e4ca7ea94e09726936068148ad4924b2bb5c10778d8b3728b770f20b

SHA512
2464fa691708111e30bdd5164ba67f47d2af0fd66690c3323f7d1071cff97fc5c2466ce700615a8a3de5828e80c3b00aa00116b7528bf79242a92c6d666b5edd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
6a11b4a4bd9dfbaec78c544719e3f7c1

SHA1
5f879e9acf4633565935b3bc49f928fad36cee60

SHA256
b14add701a471f6118483b101a4edaabdb6e6f01843de692b90cf81df448846e

SHA512
de79e166b49c65c3b44feca60b20b236447d446c224f56a74427018b47e7ba3ab6458f4b54d055ed5cd3e8b1dc4ed5bedf7e40901726c1ff1bc4046cbc997fb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
5568c09c0bbac69e0d6cb2b1b7c6de18

SHA1
318728685370ee88dbfcd0a586063e8f7fc4110f

SHA256
113719b122c731ca15e514bc18fba42fa8f980d4a3a2e575dd01d72500d872e8

SHA512
bf7d0b217ec41bb145002712650516782e5284335cdf0eded4d9a10e60baa6e0378458c5146adfeb5f53c98e0839d2e0ffb9b3c0681e28867145870fb14a337d

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
8aefbc5be2c739845d79382d8e06b32a

SHA1
ac99b7f77b03123cf61e9f67424d0acd39830551

SHA256
becd5c8379e14302709a8eb724e5ba1117db8bde376ac87ff87342c81c9ffbe2

SHA512
85b2554c337d6d21e5c0407e9a93bbe4fa52a2b3ccd5d502ab6e5b6d10a386d683a2b9b222e141a7a62fcb6b7aafe501966aa43f03cfaaab4bf73f942e4bc7f5

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
e96121f455db9baeea6b2863f884551f

SHA1
54e74433ce5f6a4589f0f6510deb0db3ddc6e88d

SHA256
bcb2df48f1ead0eada0f76982fd8c0d224fec7aa80b7074cd7dbd720c4ea4c52

SHA512
93ec7598da47d4b2b73add685a8e2503707eb05072898c86700be59c7f7f45667a4a4a0b0b234eb9faf0b52cfb0e7f9b51479c0d410e0562fd0cc9aaaad73835

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2cc056a42691316f98f21ee0e833b6e3

SHA1
4bb424ce216e247ddc99f58294fe30542a8f593f

SHA256
87b981397ff17f0e1504bdf74fcf8f37094561ca450779213fc0774c1106f6d3

SHA512
cb0fbbdd2707a7f19d8a83c5fce4f8d9c7c55cff533df7c90ffd4d1ad6096615e7b78926053edb8ecdb5b6069b3bc326e2b124d9e26cbd1269b0a6a4973a6353

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
08f76ed6da5f471d88694838d22263ca

SHA1
76979e807157bbe27292280cc2b83af47c085d94

SHA256
efd1fee1569ccfcaf9a634e426484e3817e0fbbaf5b506bc911a8a51c209c0b5

SHA512
7620b8b83ddd15d31424feb8c4eb93c09c0f22737863bdd5794ed790405e2898628d75f67c7f15688ebabb4bbf78e5e6c4156bd989566db88da08cf989c52781

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
777b5f6fcadb9f0968c44acdf042ed9f

SHA1
1ad9aa2a721b286f7496adb7310e1a6007628ffa

SHA256
8f57fd8cd921ded95e2d3439dfce9b15bca4460469a615f12305f6356c95f1fe

SHA512
502ec9af3d667b2f4198f53a29a52201c843735d6e6a02f75af363b55c1dd245f53af91e10d20d74dfec761353161b35d0aec99c63485a08fb22470e66489872

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
5611a4d4d34476ed8beea2670f73be7f

SHA1
543a4eb208339552a624588aeae6e3dde303d2c6

SHA256
030e6e8ddd8055ab3654ded3cfdd241b60bcd1d52301d0d3571657a711744dce

SHA512
ad78fa023a7a5e3b99d515c1ddf33e1cd8b98c023feb5dabedf2a7fa956f791b8fc885b2f3ee059e5f5f0678087a306f395e925615bdf697a41edbc717989a01

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
418221a6eeb3ebe8ea55e548b36347b1

SHA1
3b0b6049418306ca0e6e3195f4d61f857927fcbc

SHA256
532735a82ef84ff6af084d25f04e2531fed1ead3b3c90fb9a6270af984bb26a3

SHA512
c2914889d82650d621a8e134fb59825a9fb342861fc933dbde980a74b4377d0a0b84f329105d57af16dd9068a57f21c79c5d13ef7ff239b0b3470cd6eb380a19

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
3d11b7460ea8f33c6370311b6b1d6948

SHA1
dd63b0041e6eb087eb7b4f6f9215df2220cfd4f2

SHA256
9e35bb7a6bcbf93a54b894ca75e9d43d998f994252dcf921cda131d402e8b895

SHA512
a611ef10bdc0d6a74027bf88963f3e092b2007597665b8625f2ee3ea571b4e479a568c1c0bedfec374ff5d9f3b7d1ea4f622f216298d74572a497d3033be747b

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d7554fb48ceb91f0268078e420c9feed

SHA1
595a9ce633be038aa423f3e8989d680d7f42bb97

SHA256
24e0e4b087c4db6dcd87e846039ba5b7040c40a3c28daf8bee74c51a8422a971

SHA512
27322d112c1e971f7158202faf2d96167853e97f142b58a11056c875aae64b5c12dbac8a71fbc0ec6c48a16cd9dc51cf0520bdac0dffd1d0b4fc87e3e141f6e6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
27ca6de255f2110e94274c9fbe0a9035

SHA1
1df7ac67095c2c665534ebc566d7b5e9705146b5

SHA256
3612d44ce588374ec393baea80154fd7450ed1bf54b0a2f9c6a92320b0859f6e

SHA512
0321798c2704571296fe1aef2fff3c38a9d73030879dd565fe8a4545202588e97597c439c219b27cd65880f984d73e1f4184b06b23a8b2451e457bae9d41a926

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
29bb63b2a160ef87a5f27bcd476eda9c

SHA1
eda3f07ca878c44736063eb46f165c7fb5d90579

SHA256
8c3e510195b7a4e3e8b7d37b099e18e377aa375cbc1c1b1b01fbba3fcf10a10c

SHA512
4cdad5cb93c7c879b17fa09b2a8cdf79ddac87ae118be1e32ed537a005a68a72d0bd40cf7047e88974eea71b1c3545c1ecc3da896ff207dae14a83b48997c498

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
c24c807b62700db21a7b0c9e8f637b43

SHA1
fa1a8e35d6054c203e235c094933af59350430a4

SHA256
866690a93825915657c37fff22465385606616f4d6818dc6dd0de5ede0809aa5

SHA512
d43f1f292cb14b0b278041646f6b1ed8efa408a55af5da3c093f4560bf9e7a52ca94d0e1bd4e1e47bce3afac2635ec555dc03f3b681a924b5c686cf9821fc1e0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c5576fd63b12992ebcc0eb9271920f34

SHA1
5cc22aee7cc30b22128bb47892e3b0be9acae4db

SHA256
896ebd7fe600fbf4af290a838415fb0235b47c93b2f24f515404902d17a929b9

SHA512
119b0a3f5a228a81e0fe84645759c62bd42165c154c70fcd7b3d69b7dd2f2b7ee51fba52c9448e474b93e2fe5edd8ae109192baf26cfacbae60d5de116771737

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
506aecdfb62891f5c1cedd2f2e752807

SHA1
6b08bd037fc810c81c14bbb121fc089e3423a04d

SHA256
711743523ba3b338e1456a1dfa295efef211ea7adf0faa713371e6c0a2ff7afb

SHA512
caf23c98c6cb26fb3258a1dee8329995d66f2e931b665198c0ef1cfc71590e0c90581b73e988f84f66f0234b38a1a42bf754020051e8ef2dc2d78015f5ac6739

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
d7bb5f4c32177715305f29c85186fefa

SHA1
5d7f303e1a0ddef218adbfc07200d735a4e26571

SHA256
0e3ccb91fde43bc27d4c80d67e3511a2467c7c0f4accda30a4548aac9c733300

SHA512
677722441988ecb1f2d3a174d5fb2172e4c2ef455d0d7b636da0ad0dfe466491e80aa0290c0bca0aef274d5213dea9b611a9e9ee16dc652d0b05ad54b8560c8f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
46dfacf4ac2cfc146f14324894c66960

SHA1
5cb493c16848885a1f1c6b6055782628b1e597db

SHA256
7b976f002888e9b551779b648147aada37b4e199cd054c934a51578a82667cba

SHA512
73e6b9750bb71223d61b1d291d834ab6b61a79ac5c85622630013ae4a509477b73eda502ac51712bda4b6a2992b733a8044bdb5ce036a01077cc7f0434824dc1

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
054cfab858b6c3ae4a38435343698f8e

SHA1
ba75e2c1c34f02eac6299f23cd689295ae7cd657

SHA256
3bf8f7f57cb59296f029254d1e39e1f735b429e4c2b9fee184d997bca2b81374

SHA512
f2fe392c2e9ee08ea52af4e63ae5d94b3426cc71a5a9797a6fcf49c4a21b51a38336694f1407a8b4ad7a4a7e6a175d2f06a0dad805b6434d7a1fc6a716421a2b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
8f97eb9b3d0e69bdfffa76885993044d

SHA1
aae4943016953c3a07ceb4c30fc4b57ab050671a

SHA256
5bc5cf8c5a5f46b8fc6f89f2a3179da74fabc1d83366c941f93b99b0c34ca7fb

SHA512
af7b3d671d4249f1339779bb8b674bc0c36ca44671546daf4286069810f2b3bb40b1822636ec932b954f0c34f1139fb8f3bb29c7264ed7ca2a50e85be9dba6ba

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
73545cace16854f400c1abb089d004d0

SHA1
4888f41e54e41a4851647505e0ddaac1ab5b732f

SHA256
c2b0796c1bf065f1382ca84100931663b4a5551cac5d46c5d0f351dda2e890bb

SHA512
e723f796e3b3f99f1a77788403e859bf548a1141a344347262c07f6f1db804805394162c9ac4f53b221272ae1b450cc35a8aaed80349fd1821c69c783a2f226a

Download Submit
memory/220-365-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/220-596-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/404-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/404-364-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/404-246-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/404-252-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/428-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/428-602-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1628-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1628-38-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1628-29-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1628-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1704-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1704-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1704-71-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1704-65-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1856-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1856-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1920-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1920-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2268-53-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2268-59-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2268-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2268-77-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2268-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2276-12-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2276-14-0x0000000180000000-0x0000000180228000-memory.dmp

Filesize
2.2MB

Download
memory/2276-0-0x0000000180000000-0x0000000180228000-memory.dmp

Filesize
2.2MB

Download
memory/2276-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2276-1-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2372-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2372-591-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2496-353-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2496-595-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2884-292-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2884-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2932-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2932-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2932-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2932-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3396-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3396-594-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3396-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3668-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3668-257-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/3668-281-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3736-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3736-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4112-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4112-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4320-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4320-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4320-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4320-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4400-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4400-599-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4440-276-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4488-601-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4488-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4928-336-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4928-524-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4944-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4944-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download