538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd.exe
Size

1.1MB
MD5

46b237c45102d1577fba46c9c4949c25
SHA1

317d79acdf14cd1b8a3fc4b4f69309c285033036
SHA256

538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd
SHA512

c9c223e88f8bc4309373ff5bb04224cd7795cb755f1c5bbcffa3819e5884d907ba08a671c2500436b10371cf4dc61e6d7c2260e36cc6a1584cc43cc2d2212708
SSDEEP

24576:09Ivyc5faM9e2UkY3JsqjnhMgeiCl7G0nehbGZpbD:09IfHUkY3NDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1776	alg.exe
2360	elevation_service.exe
5096	elevation_service.exe
1884	maintenanceservice.exe
4312	OSE.EXE
3784	DiagnosticsHub.StandardCollector.Service.exe
864	fxssvc.exe
2648	msdtc.exe
4296	PerceptionSimulationService.exe
316	perfhost.exe
2996	locator.exe
2580	SensorDataService.exe
1344	snmptrap.exe
1632	spectrum.exe
3584	ssh-agent.exe
5068	TieringEngineService.exe
1172	AgentService.exe
2948	vds.exe
3772	vssvc.exe
3248	wbengine.exe
2264	WmiApSrv.exe
4084	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1a07f9585ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000691fd3867799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034e5b8867799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e847bb867799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006adf34877799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cce87a867799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022c092867799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2360	elevation_service.exe
2360	elevation_service.exe
2360	elevation_service.exe
2360	elevation_service.exe
2360	elevation_service.exe
2360	elevation_service.exe
2360	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3432	538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeTakeOwnershipPrivilege	2360	elevation_service.exe
Token: SeAuditPrivilege	864	fxssvc.exe
Token: SeRestorePrivilege	5068	TieringEngineService.exe
Token: SeManageVolumePrivilege	5068	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1172	AgentService.exe
Token: SeBackupPrivilege	3772	vssvc.exe
Token: SeRestorePrivilege	3772	vssvc.exe
Token: SeAuditPrivilege	3772	vssvc.exe
Token: SeBackupPrivilege	3248	wbengine.exe
Token: SeRestorePrivilege	3248	wbengine.exe
Token: SeSecurityPrivilege	3248	wbengine.exe
Token: 33	4084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeDebugPrivilege	2360	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4084 wrote to memory of 4924	4084	SearchIndexer.exe	SearchProtocolHost.exe
PID 4084 wrote to memory of 4924	4084	SearchIndexer.exe	SearchProtocolHost.exe
PID 4084 wrote to memory of 2852	4084	SearchIndexer.exe	SearchFilterHost.exe
PID 4084 wrote to memory of 2852	4084	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd.exe
"C:\Users\Admin\AppData\Local\Temp\538e13290295c54d8d60daf76cad458851abc7b24124ba254e2a1bb18b1b3cfd.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1884

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3776

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2648

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2580

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3108

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4924

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
0dd0f5239fc356ee1b8b01678ad21091

SHA1
f6c4f6644a9aa0584256a505801060bc553a8745

SHA256
fe0930baa185b955b587ec2ea01d49b84dde2c0d5c7bf547877b71df487d254e

SHA512
4200ac1dbdb11a4ed874a3c3f809438ccc0000dd64c0d454a6322875a7d707c3854af3e285e0b07177c7be90486ffc6a62bb877aa99612d9233e9490b6ee822a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
a6964a66c11b06f1323e986131d2bfb2

SHA1
809a555fa62c2407815b857d4c0d8c67c5e5419c

SHA256
694fe5b430c75558dab8c29d9048d826f302bc3c958afade22daa3a1abbf87fa

SHA512
8f70c962e955f15fc7b91ab8b338a655d7730c74fcf9ccca198765077ac7b7b89f09655ac85747d3565b0cd2909e8378e501ecb0fb4af69c748942002faea560

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
785701e4cbfd3f9e7c3ec6b95e96f83b

SHA1
3b8f8aa4ce65dd8b9f4ee61591f7008e1e107c29

SHA256
6e20edce09fa0cdbe4d443e713389e52c87bff9c892b77b4d313c0730e42d478

SHA512
b0868487b414a23d7517aba50dfd2bddf1fca1d228b0bb2bc14a30adc848267bf74e93c5648b477a0b44862d14f4cb79b512079bab3219af03fdfeffa4bf39cf

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
aa65f7485325a48c6c4466224fa8aaa9

SHA1
4392258f4169c4d8ee6a8e5d1f6b1139a7e08f8a

SHA256
c9bffdfff6e6f01fff6eecbc4314f80089067a82c5594f622837f645ac266696

SHA512
87bd6e6706c0b0b28b9eba27d85a699f381a860f96baf7c12303d18fb1a22d846fc5c762285b549b3ec106f4aa395dbfb316463decbce16691db7c9fc804780e

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d9ccb732e3633935a20e8138f4e8f6af

SHA1
d1217ca5aee6dcd784a8b5fa05e2d73ffdd4a630

SHA256
32d1c018f2518cf6e16d0be744e8f7f50f43db1606a78aefb70beede19ef0162

SHA512
ef80e930dda2dc6d2b41be0a2028f2376a5f87bff9ef3a75831ed0b98ac24871725056c8e727925429b61e48b220f2de6a17abb3224b8daeaeb9fb9199341c5d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
1fe043b0afc32b6c8275716b7186c153

SHA1
fbe986bfe5335eda8b555a3251ea264da19106a9

SHA256
ac03a0b5183db7f498bce39e55cb621b01816035b036bfa59bd8c527a6c25356

SHA512
be59a682ae641e6194ebb51f13e4f0963b240a21715124aeea2f508b042b85eda5457f875a76e92aa0ccfb7812590af5d70cb48cd7da5dc36105855b4ae3c299

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
0a4dcd54045b29831a4d3f71bf048ca9

SHA1
0d357e0a61e63b9960245ccc953f3a4761743c98

SHA256
29a649ba6272a607af979d8d433c7c03e9a57ee2a849bd5dcc0234924a4b0fa6

SHA512
51ffdf7a0fcabe34cdc4bbae38df53d67d9cbcf71fd2085866a299807dce8fb752415eaddc7ec72fe589daea101e11282ff93df010bfe58c2492454a4cc2e17b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
5f63950dd3741b98a8be936b44679c38

SHA1
68429110d8d092498ad7aea33d8c7c02e40eed5e

SHA256
4ddb372442f1c2394fd1f94970e0be2ba651724e2fbf831700350938864eb67c

SHA512
d9cf5390281db9b359021b7b47a17967aabddd3b42233526ac68c72f32663b3f4f23feeedffb5d4cf1a9c7e125b55f36e8e06fd369f654554fb4b3f90a64ae63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
8004dc0d9e6ac2e78d9faef76220ec29

SHA1
f37bcf9e5815723044138019751e796b0aa1ec8a

SHA256
58fde9ae4f05e6d444c975bfd8be26029dbde0783a970fee8f779d4e7fec7d9a

SHA512
f1c0ffa143fb9ee6141ab5fe5c5aa4be8dc24b8487b0f37dc0c7d47a99a28b360e9202817ee2c680375a794df5d2b17ef0c6fae11a4a847b0e8dbc298851a65c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
d4c88bcb26402bd767904c2e162ed528

SHA1
ee7edf503472f02a3a8d7c6f176e8c9b86e17e39

SHA256
e3b3c85507fc07c9b12daa2111649f640624f39368d6293d4310c8874d9b17b5

SHA512
1c0dd343253935a0df07d16ce1dd54c2477dab738dd01b9fcf560d21dda5a5ed50a20b6784d241ce46f17699d8660adccac91866bf6d965b97efaaff7c81b5f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
7fc85a53996edfaad26dea7bddee2eb6

SHA1
c51c9c99fe7a50645c3d6939736f523440bd4d39

SHA256
7d4ff9760776592135ad1ec04dfc1a02f1acae3e74dbb6dbb3f3de803bb1052a

SHA512
0979be6c11205987b6f1b7f0b456c1d918d2b4a2bf916ffd13e8c1f9973f40c836dc5eb4c1e43ab3935382ed2a9484c718020e772cc3f4d3413aaca71869bf26

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
26b7cd3a7a34fc7d2d23132b03defb30

SHA1
707df0ed099b0bf75a1e469ff2ec4971caed7753

SHA256
75990b804b08d6044c5d7db01699ca578c7e94533fbea493c408364148ecb129

SHA512
20f69c699de41653b63c456b306b95e10e26290d59c7b72ac36891f8c8bff2c436c01c9cd9366d28bc026573ac51205c3c2814f21c8d82013caed2f017f06d76

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
2b5aa20a53f445a2735f90a43e01407a

SHA1
5230d1e4d002beb17e3e49934c5b58cceabf0627

SHA256
a68c402cd30e0db6ca6316b3381f48f86777a241ed0a40288ce9aebd7d43e068

SHA512
232e87d18dbb7c5c73bded824267d1c93de900bfe12fba853afec456b854f2246b0b748e87ae21cb4d694c5984203bf118a0867b2beb25925b8765c4ff812a05

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
7ab39af20b7159607a3fc33e31a125e5

SHA1
74a253c587ccc04ad6b9653d120e64da52e42e0b

SHA256
015118ae963fb168d09ce5fdd99a07803e02a6d7724073c7403a8df98ef5ea35

SHA512
b3b3888c03b1755994a7e4fe5ffade80fc79eb28fa12b3042743b4f1ff84d7e46e72abc9e9a8c3c60e18cff9dd577c6122d64db9ce6b55e270bb1ca8e5a53863

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
2ecb6850915954d1536c0f973b8cb4d4

SHA1
32e2cc90247fb508983bf61a4b13e7edc3adcad6

SHA256
5e0246976503f654a8c94cd6cec83a80af924e1e763eeddcda15ee9483df78ca

SHA512
b3e60da3317e734309122265f027e33474e990e3a40d57a42f3bfc4b9020f0cac28a0187380897fbd014cf595db3dfd52d29b67be513723c690da52692991288

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
591995b59760be8e0d60c7368f601543

SHA1
dfa8f4ecd2884ba9133edca1ec10d253c6502ba0

SHA256
946a04a013372fdffb20f387fce722edc3e65ec2b8e5eb1704b15f70225bc72c

SHA512
2c6a35e422278eec6662286c1e24a27e201596eadb8887a6229bc4322725de1acf906eff1b805748d0248508f1debf9e15e0775b81e10a26e20bd0087bf7915e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d4a5097108082b54c43da92f3da78dda

SHA1
4aa321c7a1cffca6bf95a9b5b78cc140dee7f40f

SHA256
75798120383f796c14b74bf7d1813dfc4896b88db445c8abd2e909c48feec4c8

SHA512
59bc87031accefafb66b5b500ba661fa60446539cbaccd2a64b923914413df37a9c6e9925448e63bbe116150a5da607a0c83bd11472b302a2c2c85e72b0e6009

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
745d2c45947aec3797cf3f74dfb5f1a6

SHA1
2e28678fffa8eff407104520061c057b8956cd3a

SHA256
a8b53f8ca9bb5f550cd15dbeb5a19c76b5e98e413c991f76abd82c68e2d238a2

SHA512
82de6ccb5a62a618f46e64db2c2fb692785f7691eb9a92081754165d656a56b7da0d8d238528bcf47e13720bb37768e60e260947b91d4e6fc4b467f80a078e16

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
f0f76ddcd027875a6257bf32bdac5ed2

SHA1
ef01efc6d397e7ff53d50b4d712b65b6ba38b1aa

SHA256
42b6d9211014e8a1ca5209333bfd88d6606bb2f127b2f8cbfe14d5ca93ff56c4

SHA512
fa1eff8120e8f752e172d49516906ef77de1bd52ee8f9531012b2c7a96090e748d6e8ee4c15d10c44d05af6121a067572ed969af6f6c043c3ccb144c00cdddeb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
66e5c8d498160a54cc6e2b97a476c9ba

SHA1
92f7713ae0e574cba3cfa5d0156acb975fa4ad02

SHA256
2a2662103c4d7aaa6aa7d883e523f36facbf71749a2c8fd0e7a0bdb97252bf46

SHA512
04296998d948dd7b3e8f09455a5360a7f6d5425036eecd30bcb8254ae39c05a94d30f0bb50908fd51bc88a95bb794942c01da1ad67a0e4e32eaf8fb497e10017

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
f9e1911918c4fc9741d2e8dda1d3caa1

SHA1
0ec5fd43af89866e675e32e2840f55387f777f28

SHA256
1be7cde0f07a73d8b9dc1b28850d6933fa7ba3444088a87fcc8f575970ba8c05

SHA512
02b175eeea9934d46d109224a47d553a639f3e65dc290dbfb0560041407e2500ebc922ded6766779ead8e6088d49f2e9ed4a1ca71d0dfcc8ea4d6e4652353b01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
08be5d3e7e75e5ac269075debba8c7d8

SHA1
8910297f92a7fd1868a349802fd098d9163825b8

SHA256
7dfdaa7cfbd5b21308871adaa96e18d8702a5726818bf6a34c07fd4586a1bd87

SHA512
89057dbdd2cadcb439535886494ff6b919c5aaece64b17ad777d3fd8eac4aac6a1c1732bb8204469e7bfdb5f761a5a5c728758f8dc7eace3b88dc47defb972a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
5a6383c863ce6bd7e8fae60b47763b09

SHA1
6e4011e810feae9954016a1288a116b0fbf2a587

SHA256
41138dd25387090d449aac767721a7abdc07a2bd8df5ee9c09481fcfc0f73c74

SHA512
88deddeb823f3ea10d1ee8b9ed90dd5c8ca8d5dce9002f1f1e3053b9bbdb9475a82c428aac4ebb6a24f5b8b3ffa744be63188a8c4e7acdde922d4aab68958b5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
389a9689ba7239da3d8bd2bb76d667c4

SHA1
109ce9d418124d49e381002bef135d3d0f97939f

SHA256
02ebd9849f53517ede6019bfba5631fe1ca80ad4ac6503031ef2754da22635a5

SHA512
86133d90222672662cd1e343a73d5125aa46eee5c8d6d919a5562bafeac831f980e7452e07cf7e6cde7130a8a453fef36cff9523d009726211dfeaafa1637a45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
270950eae4085a4e4d8e4fd40ec2d7c8

SHA1
8259fbf044090a44c045532122f90df6a4a84b74

SHA256
6cabf3696d30dc0f90891c74ef84bce84e5a55689492c5ef275a7d6be8d9ba52

SHA512
fdfaf619c4b4e7f56dfc42962e832fcfded53591ecb0c911f69cf060295b195ba1d91fa74bbb16a3e04fd088c41c56d39e25048401aa2b3e1bafe8d0e8b51e34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
3edc3f477c81225ba7ab8e2d657001ce

SHA1
0a9c131a79d2b2978246f448356d96f7a391e326

SHA256
999a6f5f6577114fa230efbd6e83ac021d5a05525f6bf3f1d0af92e0177f161e

SHA512
8e25a371f69b400434d8bbd1e6399c87bb2ca92bf97a7791addccea2a2631eae27d1c04e5b468b7e374a93add8265b39d74353029d32274b84ddb95c7817e0b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
e68b163e4fcd13145bfb1bf52323bb51

SHA1
5d111be8655e8ec98c58fcf663d0e77e956e15a3

SHA256
f89afebcc5407e7f9f004863ba07fad8f114d95fc9088587050ad32222b2ed4d

SHA512
3d738943ab6312cb10efe5aeba0227763dbcefad4bf8574d0c2a1f6c91441b9034169a7afc0fb832e6bd1599648a283a69bec5499b4ec42e6cb24738a15ae042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
e17b248f3217eb76d78908fe7b07be5d

SHA1
3ea7cb57e1668edcdf2c0bead9cbdc6d0fe38b65

SHA256
4530a2e6f4b76fbc9661408d9240c339e87ac2849271079dcd4f3b50ef1725b5

SHA512
0ec607c64fde34176e11899655b8375e1789440ce383aa4f8213ef986a4c1621d29b043a256887317b605e5d390925e76044d6798a8cb0bdd619e1f764f3423c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
cafb40ba2627ae6ee5ac64debee59118

SHA1
7dedaba873eab7e4ac363a50dccc5ca11959d9a3

SHA256
133720928041323f03f7ccc80f43c60343e7909a696d5794631520e024dea6d7

SHA512
64884c3dead57a6964fae68f2c7d402ceaae593338183f8fa6750e399550847eabd94335817426e5ce70d3f2e8c18a23b68313afaa21bb975eac558d19362d3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
011dfff31a24f6849689ebea24ad54f6

SHA1
c5916b315a53b5fefea100c3d96978c634f287aa

SHA256
a7b77529cf5e313f09f7d2c5203291a4e9f6f81f482fa8b7bad893bed07b3988

SHA512
2eca0eb48572691cf4d7c502639d9a9983601425415c53d5926df6797afdb02d543c81d5327d1695d36e4438d2730edbf2f33123c9fcf9225c1873b1d5e4943b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
1f3e009ea18ff56701a1a96815f203c4

SHA1
708a49adeb82a0114cdd816ab91d1f822d177a2f

SHA256
2ab9838bc54382374bcd5562f7ba13cacdfc7b25a5015fb57fe767ffd1d27904

SHA512
7eb2374a3e042363c1d179cdf65160ce3925dc4a5fad419cf5983e2dd8a1be1d919ee258bdf6b192a8ec9b75b41c89593d4317cbaee7b95a761bb0ac8d34409c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5bd517054ba033e384c38e7b49888f63

SHA1
468c5f8407eba6f14c44764296886899cd76cb86

SHA256
e9b5b8b56863e94c10b74b1ee430136d6b79dfd12d21b48585009602af8c547f

SHA512
189b303739a6d8eb53552b1a39b3c22a2a47d93828092caf4e2ce326e24e3f728293e5d426fdda8a162358324d37f1275c2ce960670f088d0cb870b24e894aa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
32fc8b992e3f8e5e40dfb94838e69a36

SHA1
6bd56d7deffd8f206eca33252a8b0f67dedee14d

SHA256
133fecfb3f0606189e71aa094af1210b1348b867d474c11d7eec98f1797fe9da

SHA512
926fcbac55913872891a24de1e5b6a9bf86068ebb0ea90944f6f28992732978c30c6f3723cbf86546b9139604b9920177c4c981a1228822912691a9262cb2b17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
25456849ab98c62ff00bd5d0abf00e48

SHA1
0f02312203fa1cee021c605af5c5cbb92ad5fd6f

SHA256
588560c98072a0a4d6b3c631d3349d405d1d617d0081e2af3fe1f5af057e89c6

SHA512
a3a015c85b10ae0c07f463e11977482c174781c049bd3cfee063ce1ecedc1b669cf1d3e907e0f0cf07648b80c461f49e1a71d0a07ba8fab5916b2a402b799771

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
2375669add16313d98c23fa349b3008a

SHA1
792fca429dfb9bb5211fc57f8e2967b655ee008f

SHA256
ece78a0e620859acfcddb1f586f6cda21999d8c182ce200495a3595348136372

SHA512
dcfffcf85779c3c4299c49951a628607d93e875fb65e70e8854194020790a84ee890d4d36078213fd67e978358aca16284bd00e6f1f6a9375168aa1a4df94a3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
24af34a0ba4d7f7107806ee011790ff6

SHA1
8f072c39b896011f064c2576bb55930454d13df6

SHA256
d0345c4b4683b68f368ed067d708fff9d1f86c569a27e81c1a4f622320473019

SHA512
9fce5f1964149125a9252780f4e6c0bbb438798d5914cb97fd52d2ef2fbffdb34e62790ba4952a3d61d4bd27a38bc8b5cbea7ceab32daa921182df6a436fc2bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
0753a39375ab46ad1b3d87e2a394e210

SHA1
b707b67439b40982c54c9338211d1cdeb0f1bd91

SHA256
67982fa8678b50ab7a87025776d37c0521131ea7bb16415190a00b21d02efbb1

SHA512
f1f842b2087476d8748d4e6aaccd3015748441d4f312c44c1802bc5aa7aaa36df7d79b735dd98fef32bae7122544dfb1c1a794a9296c5e529cfdc6d92d89a4a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
3e9308e652fcde695228f417b2adeb0a

SHA1
6fb61c19767fa2b1677b1b7e237ba7333a3bb9be

SHA256
8c0cfaad83e4c8fe2fcbd8585fe2efeddbc13791f256b9b81548903082f3dae4

SHA512
01b7f38d4d40a7790c30cfd17c3154fd2b23eaa91df97890f0a9112262a55c6bfae229613c22bb6fc57eb6996dfac4d1d55815fbf600bab654b970bd8d33d95c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
e0b6d4350890ee24d65daf7d1baf9679

SHA1
37915ef892c5c23c4aaa0067af112b0426f1d5c3

SHA256
ce0df0256c2918be317c6a0ac1aef856c4847443f5a403d237da9332b03554f8

SHA512
31484612fab6e5932e3383864422076a08c9303968deab6dba449319d91b9ea02ba6ba4b632b7b9fafd5760a60ac2f554cbb643d4f0f4f83d00ddc95c902e6b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
ea44070fcaa242a6fdcfe4556c4c6ea8

SHA1
f7d7335bb9d38a1fc8c3afc3fc6778873e21af4c

SHA256
1553f58f0fec83b96df3ac559de68f8941d3bda399bb09a845d1939413adf4c2

SHA512
14a6868e613a9c867107d3ba1b20211111e38213c23f8c9eb40cb11303129c156b5b16692f28bd44875c9414079733c763a4e3ea0160e6f5cf66ec5f7638d3a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
24ea130b3111e550588025fa3518fdb9

SHA1
bfee852ce96949bc571029a034c4700abfc18253

SHA256
99b0523966c4c4d9671044b2da93cb57b26037fcb7ffa0783667c522b15ad378

SHA512
bafd5517dbc96fb187b6dc372a46144bd82b6033c2a8a4deab6b958b0774a243349a92ab8f8229e5105794499f6387795dd5a09f1e9baa17d92c84ab2fd500d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
6b5062ccb6f00f392b99d23161415bd2

SHA1
e42b2626e722ff115c33cee41abd4b363f9cabc4

SHA256
8999a79ca307d5933565f51ceac3a6d32d4580a28a1c045d6b3ecd5cd59c93f8

SHA512
32e67267695dc883bbb35def4e2ca357723960defc928b596fa02e3971ea99cd151cde7916549de30d4dbf63c067d8c3f3fa25810f324e5ad6603a38f84404c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
4503c4b63bf7040598eab59ea72a2e2c

SHA1
e01ae57c5f3965998575f607a9f14f23e82c73bb

SHA256
f493593d10565db247ca576d859ca690284dfbd0c252f03bd1f4f1d9e80c6d74

SHA512
1859eb4b33bd6c0de77ac101ac3af70420053896e04476d77312299fb9b484cb1b84fabae7dcc8f44900f02522a0d1df71f887bc872b1a7ba5a0150116c3dd2f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
f454232cbd8defa89a96542130b145a7

SHA1
bae17aab39819a3d55d0c056db39ae8ed62bbe9f

SHA256
37e4dc2eeb4153330a6b51b058e95e0acf08a3f9bbe9c4e2482b9d9ec9d777af

SHA512
b497e2f6e6619932c8e784381b1dca385d6dc53883a3aebee96aa63c4c2525a7de8e91410509e08adacc3da2c3e56799fddd4ed7ee21ee4343ce85a6f84f594b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
34086972b0b8e89e724e16c2a624399d

SHA1
d09c4577d95ac2160afa0cb4d81e3060990b25df

SHA256
b7478e433a2dbcccdf381f482e673daf12997485b222e5051dca0daffaa24dc8

SHA512
a8c449131c11405496e59f00f2250617577ca660253b32cc6c10d94f4a9d11d6abc828bc8b617c34952d3c59664dc7a8fb8750eee8a601f8e0f01a6c537bacdc

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
16363518adffe2c7d458c271f21e2586

SHA1
1346fc4835448b6a5bddd938f84139c6b20f2be0

SHA256
d7663cd9037eb0e3ef23f7f2b8c04800549f144b7c1f4e3841ab11795b2816e8

SHA512
0c7f06162f957174179715d586043992285cdf5fde15727ef6b53bf8461e8e8e516f13b04619b899a62687bff1bf3f111c6e6a68d1d353a05d5cf2e211e67e9e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
56fbd983ce722914ab257499648da14c

SHA1
02c44e598ea9e46b1ed86667c22ec9249546391e

SHA256
1694327666671f75a7c7408db663cec0c1989bd8fb308c698395c34e1e3949bb

SHA512
fef4ab63c3040e1375dc484e062aae1aaf000ff016c988119b287284a9e1ffe07dc1efd33402e66029daa1457b25a0ed981bb21175b0ba83ad610472fc657d3a

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
dfdeeccb62f5a0c5611a1518137ca34f

SHA1
aa4ecec3ac4963d5581d2ea8577c31c9316b7329

SHA256
c0a5d2c70e65349df36f0ff01423d78e7c2399c546f76af65907076f9c7dfebd

SHA512
f3255544cd7812666c8d43a335d5a0535283ebafd197b319cd4b44988a4bf8a32a2ffce51bb64b02469a3aca8ad4b0c67cdef24d48f35df8a9595d3028aaa7a6

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
501efb711a82549fdba5e638bbe0dfb9

SHA1
096bc5c60694c5dc20fb08cf5f5e0998295d291f

SHA256
765fff3a427f7e404b4f18e29f3c98c0cc886e4bb1fedecda807877d1a339994

SHA512
0df99176bc3e242600a3bb7a6faa4fa4d40ac49524424fa5ececd73e281aada99992cc43947338561453be663c58d02baf049c057a6de48eaa5090c02838ea9d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
48f25b3edc9e7cb6abbe4519470b92a5

SHA1
3d2c284911bf4dd0d4f9c506ac701d017e473c00

SHA256
f4a43dc6896f11828cb368d5575cc6ef5d17c17f19d91a66600a87fc3e0578b5

SHA512
d782a40814b4b9776ccf912c6b2b6034f07e786ec634d8badca2d627687ddcad86587f9f50717370f87d9fee3edfc0d8912ec75b7bee7938810f614d896e9e01

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
91bcbb41b3a29c9250cd10b95791d936

SHA1
938f6d468c5abcabecc09c90ea9ef496ca0202db

SHA256
9d932be777dab32c5dff1ee10e7fb0946daff25415a68554a12f3200f2e3228d

SHA512
06f2f6ea675de6695e852831ab957620a890765c72bb296071e26e2f21ba69c0fda9ba9f15b0c8bb4355dea49e9ca1c8c0aef202b094967aa4b3f9d97a1048af

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
b5af5adbc51ad3f9bef4330c526a8a36

SHA1
68e0768b733ab5a074ea3dff82768da0e5cfa914

SHA256
36c9ccd17cc7a60d36d487cc3e93db3e8c162067d67ceb6242cab0f6e667a4f1

SHA512
5cde88c20d5ca29351d008216bfbb8d8ca999b4c73e50a37aeb400ca8a396bdcd46b16aac9919c4236796fdc769f2a342c264673265d6e8d6f8f1253042a6d61

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
c4d9b5d06fa0ba88bfc84e5e951470c7

SHA1
523b9dccf8111335ee65876582514d7ab472db19

SHA256
2fc950c9cfc20f789e7c6b9cd2057e37f6a5f36396646c9e43be10009f369414

SHA512
15f7b384c35f8aa0c666590d794df5b96f105edee60221b1a820fb64a0810d40d2a0a4a2f6f27e8a164a56b1828d274cb306d6a709164e7e9d8e921bca72144e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
66468b9744288754ea9b1e0ff748ba03

SHA1
982628682545f96b9112aa827bc9c2a14b79925d

SHA256
3f6dbf5fccaa22a76d0e6daf269b0c68bb5911fef6b552e73789865ec3a90b46

SHA512
b8bca81b5085a7dc022931f3a7336d34b9d4b750de9aa385ce7798871c24d3235361bf01b79de008634e2ab4ffc3b248bbab7b1a1c8d1297b057fbf58bf678f9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
2ea61afd1bba63cbcca644936e0fe61e

SHA1
7a57c15fd875546b5c41f812153370de1673b6f5

SHA256
cef81c6a0024a7e7fd142b6642fe7474f2ee051ca4ac3f09af69f119e5f6e849

SHA512
19627d20f66e02bc60843da79f6cecc22cbba1c91d61fe82904cb42e4da3a25f13db0f7f954512d3266121440ba7acd0ff694f4374ffbc64507c25cbfea2c71f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
00fd5f05a87e8caade29f2b3aa4375f0

SHA1
8a52ac94086e3df017d928abda80cb8bb5475c19

SHA256
da8d72d1a1e0317c83f7f89733a07512d1953c75009571a56c52dd62d9fb958c

SHA512
9fd4ffb6ca7bf15a9ca37050570c84e31bd6e863f98f65a512a33be2b95889f08a7ffabea42fc02f0d777108fe2857dd02ea1fb70b44b23daedc1836dac2a138

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
d65da337eae22e8a5401d712e9a89236

SHA1
c71a93ec78708eb5515b5d11a4b5327cb305027a

SHA256
5ae7602ece191766a244aab47189f292dda1ece8974d017c7801d53061850075

SHA512
ef1b1e529dd02137331200a1384da4e4a88ea55dde113deeede000cc1febe218bc3439222a583542bee73526a6504e82bd163765b97fbb57602f8910b8d058a1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
916f2e824e52e15e3a54e39ddd5b67c2

SHA1
cd4c9ae650d98d600f307984c13fa8da037b8662

SHA256
4454a9f26cb6d6c71627b487770b77f6ba04651949301f764e51211fdf17b4c6

SHA512
8782c1c5f3d3fcdaa8cfdd07e0331bb92df417e298ed203bde0d38f617ba9f3acb8843bd115ecf59af06670b9b487d7f3d020f094fe4a1dba15189fb22e669c8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
232468384a1731fcc0b69407768aa8b9

SHA1
c4442e69b9190fad67f9d891b85498fb68b125d0

SHA256
c7732ce8ce32a0e2d9b7c2ab8882018d737e731f661a8889c134cc178f10d164

SHA512
2960ff3ac681e3dff1e475a16031ec1a124353eb6a3054a6c2b9b101d07e12d20b4d5b5c5df013c11990ae9a9bf178d0d33d043a709ceb7c09bd0ffdf905da97

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c6a09ca3f59341474f4b451ffa1423cd

SHA1
cf0beaac703d3fa4a3ce703438b35b72a9d4513c

SHA256
6cc58614e5deb210746dcbeecfbcaf89a947662f789c45e46695c3f3c68f54a2

SHA512
e2684c8ba2f37108336f26df5a2e48a7b57f5309828d163dd81700c04baf02ef20ba6d3333789ac5557d226228fea8de3acb4d9533f0d0c19c00ae629b5323f1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
77f0360863342d3a19f067ad683b24c7

SHA1
b35ad101922cb0c31c2bea79aac6995182fcbdcf

SHA256
d87e029e9d51b2d0dd1dba4ce328710054a06c3d2f340ea3ba3fa72ae1ea8404

SHA512
c239cf471a58d5c015d531c8902162e20621127e4e54523866b6baaea6dc014266ed5b7809ba8851e9286c442143fe99b200deac29121a041cb4384347280e2d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
df3ac07114608470281ab374c1ccd061

SHA1
c2da840f94be5c0059c4e1e3ff5bdb70eb7ef35b

SHA256
89baca1c98a617cdf176047521cf490bd75c04bc0cd8a7ca72bb7fb388f98c22

SHA512
4000036037f994af7bb828d2cddaef008405b66a583cbaa555ca05f5ff340f0c8c5328a77545a5ca36d94c6104951b515cc1f870dc7abeff645478e48a7920ec

Download Submit
memory/316-406-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/316-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/864-256-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/864-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/864-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1172-368-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1172-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1344-631-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1344-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1632-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1632-632-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1776-15-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1776-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1776-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1776-24-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1884-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1884-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1884-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1884-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1884-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2264-643-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2264-419-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2360-29-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2360-37-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2360-28-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2360-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2580-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2580-635-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2580-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2648-382-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2648-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2948-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2948-640-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2996-299-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2996-418-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3248-642-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3248-407-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3432-1-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/3432-11-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/3432-7-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/3432-14-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3432-0-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3584-636-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3584-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3772-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3772-641-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3784-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3784-356-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3784-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3784-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4084-432-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4084-645-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4296-394-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4296-290-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4312-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4312-73-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4312-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4312-65-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5068-637-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5068-357-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5096-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5096-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download