d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd.exe
Size

1.3MB
MD5

2cf9cc70ccaca2f4e8f65115eb3b485a
SHA1

6db46e7235461331b00910cfc6a19c0e4d2be0fb
SHA256

d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd
SHA512

e88f5c7b8e3b8f4c334c6f8ef5c3d17699702c9380c6721e0b0c2211ed8d6d4c17dd8313f2df56680d6159ad8dac70a9fb7487a57f937d930c29e7d909a27331
SSDEEP

24576:M2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedoqMrfUgYbkhqfj8uqw:MPtjtQiIhUyQd1SkFd0rfPOkhqvq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
768	alg.exe
3396	elevation_service.exe
2992	elevation_service.exe
1496	maintenanceservice.exe
964	OSE.EXE
464	DiagnosticsHub.StandardCollector.Service.exe
2264	fxssvc.exe
2716	msdtc.exe
4808	PerceptionSimulationService.exe
1944	perfhost.exe
212	locator.exe
4852	SensorDataService.exe
536	snmptrap.exe
2572	spectrum.exe
4052	ssh-agent.exe
2492	TieringEngineService.exe
1068	AgentService.exe
2344	vds.exe
2040	vssvc.exe
2292	wbengine.exe
4712	WmiApSrv.exe
956	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fd0e5a60c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099d2a41fe3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f528720e3afda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d70f811fe3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7a7fa1fe3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020a53820e3afda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be81d41fe3afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3396	elevation_service.exe
3396	elevation_service.exe
3396	elevation_service.exe
3396	elevation_service.exe
3396	elevation_service.exe
3396	elevation_service.exe
3396	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1296	d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd.exe
Token: SeDebugPrivilege	768	alg.exe
Token: SeDebugPrivilege	768	alg.exe
Token: SeDebugPrivilege	768	alg.exe
Token: SeTakeOwnershipPrivilege	3396	elevation_service.exe
Token: SeAuditPrivilege	2264	fxssvc.exe
Token: SeRestorePrivilege	2492	TieringEngineService.exe
Token: SeManageVolumePrivilege	2492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1068	AgentService.exe
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeBackupPrivilege	2292	wbengine.exe
Token: SeRestorePrivilege	2292	wbengine.exe
Token: SeSecurityPrivilege	2292	wbengine.exe
Token: 33	956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeDebugPrivilege	3396	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 5408	956	SearchIndexer.exe	135
PID 956 wrote to memory of 5408	956	SearchIndexer.exe	135
PID 956 wrote to memory of 5432	956	SearchIndexer.exe	136
PID 956 wrote to memory of 5432	956	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd.exe
"C:\Users\Admin\AppData\Local\Temp\d475403d96a2eced1c4267530bd7a9aa727cf973c03de95dbdda02284ad22dbd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4532,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:2844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2324

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2716

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4852

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2572

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3232

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5408
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
939f076f9e47549997dbc417aabb5c5a

SHA1
000d744e2d6fca7bf2be7f713cdc6d98f7392e60

SHA256
38588419e3e3e042cfcb2a59bb395dae7c0c50824dbb9f89194139dba84c5910

SHA512
dee6140fc7c58275a772b6db16a65c945ef8f6fb773c7cb23b10ac3a75305d42af847d4574074e31d6f376e9ab268fdea0370957f6efcc87ab678102b6cc915b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
1c442164a0271634980cdb197ad6e8be

SHA1
0d1d5907022ad61c0ea681e3a145c41e68148e73

SHA256
23a6b19ccf957782b2234d50b1b07501c4e5a671cb167937630f61b19133f233

SHA512
5e66b7c4293c17dd078eb7b9cf1df9a7bc97dcf322d652887d4ec929187d91b976f7558cbb78ac0cea16572aac8a3032f206196eeda22f3154ce98b19244e829

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
8f3bdd7d29d035b8fded3b8631402f5e

SHA1
960c1f39d6d1078daec5021075e4718269485746

SHA256
320c6747d57b28eed54f2ed1f163c7bd3f431e900d93df252b8ee2d20c445669

SHA512
8e3983efa6cbc8202ed1eb8352c304c7e11f958c28982407da598fccccae60b395cbaac53c49f33f58b71043298f717258ad1af0ceee755996512df91d517c59

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7660e45135a734f156f3b953345cac6b

SHA1
c42e56228a6d86028681d0e79350d8441506e50a

SHA256
2e5d78633cf1beb5920bc7a7a3afb3333594cb1318494e7a644204a9d77cbf5f

SHA512
979ea103c7278cc8ecc9a2871e1f342039f4fe8a9557dcbbbb28926bde1eb2dd4b6791fc735534ae8b70f05bdeb28ea309723e25b59b7affc1806c70db198f8b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4f72fe9bb44f454560287efac50bac7e

SHA1
a8b82b6c659dfa5ed5b4723c0c79ae72e171be81

SHA256
ceaf09779e496575fc685951674f662002fc08b889f361b64270c35729a6faac

SHA512
6d271739f7b476ffea4e46f781349657f8fa36742fbc8ccbf66ffa214ae9150429074271e4ecdd7f764b7eae338fe0cf94be89049515edd595e3d13704aec29a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b83bed2ced824741b6f98ee3acc623fd

SHA1
c0967bb145b2bec915e505c32dc6fa8540ede8a1

SHA256
92d5eee73f10ff33da042730afb9d057c292eec5940c47a337859c41e4ab7340

SHA512
04d382fe2d200eb09a8c3a6d347575ace67538fa59806fe343e3deeb8e37628156c4a63c32cc485a9d31b827cfa28b6682701c7e41cb50dbacbc9b40db0dc50e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
9b510025ca8ddf24822e34fe5fab5eab

SHA1
dc2d82ddff6aef010315eb7af58df1f357445c36

SHA256
6a5b282e848dc68a221c7449acf7bd8b0a3e610ea30d481175d37bffd9023412

SHA512
ae0b92ebd90d4a34fa72fdf17f2012b45187727bc38b643cfa7ef45382a0a0111c184a4795d8355f416e3c6f58a50819a71d9592196c54d00c5cad5f0f658ba9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
40cc3221e1b02e009d103d85cd581189

SHA1
f4f8e4495fc7e8197a7c796a1f62a123b0a728fe

SHA256
907ed5818138b50343db08a24067d05f65856132af1bdba64616695b1d637e39

SHA512
e4ca2a07801902b69148ec80ff4fccdb4a91b4a28b4fb04e221ef7016eb0851e6e48686f6c87d8b2f63e0672c47790ea42c2c3f2ab906272c0aa46c4f93c2a79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
54ac839f9101048cd7d24baa70bfc2ca

SHA1
e47760e660be58934b57fe47517e30b1f125c293

SHA256
78b6fc1e0efac53eb05f8271cfa2a779c67041d17591813e7a99162405f9cec7

SHA512
d843384f1d2e15ce06b40cfdd08059eb1e77f4623eb01d22e3b011d823b34ee58238ceffd6c044367e1ef7d6da778242916402232edee18492abc9c684a97bef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
12ae1cbcab96a398311a6e2e904a13a5

SHA1
ef45d4093330cddc418cce0c49687f89bacc45fa

SHA256
bc585cef4a1605421a83aceee44ecc33978c710dd208c97d8c85e2cedc23ef86

SHA512
324b98d5ba3f2d8dcb5b386fd124771d4fd32815c7150d447e52ca6c761db37706980420d491d26432bf4ff9401c4aed7733b53185d4fc1735e7023ea4f51633

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
51371126c7afe3154706da85a9276788

SHA1
b3d242fce7668c85142082978e4b0a9332a3844c

SHA256
4e5172b0d17f6f9eea1a39e71816bd3e89d18d9ca9d58cb8bce518a173423674

SHA512
35ac7787037172944727e46e9cf10cca72e625da0dc3ad656f28bcf1bb67a9f66c222256d71ea1496227ec5799b6ecc2330619c520f5b66e35f835dc186d4ecf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
18cbe4607f1af92c63b676b521917e60

SHA1
4c935c71d3fca5ff8ec9472c83ce8e4d90bf6e50

SHA256
2889047db43dbb200d874e77c279318d7c9f5bb44480994d35b2ff1095c62525

SHA512
9eb2ce3b67dbd209bcf4740be4864b8fbb56e6e69334ff1a23317c4bf13ca9762106db86c7b23bb3f23b4bbb75e194207ebda038b6de0e6ac2b285517c236e92

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
3a5048fd3366d82ee97ec50bee35042c

SHA1
699c74d74cb6497f718a2e411e491a3b23bb3731

SHA256
618cfedf8027a74f803d5104e3fb66b264ea28b81e8320c5a19d14d87ac8e6af

SHA512
d1296e5d087aa21df8235ed539364307528e190efb0e54145ecb66cbe531bb0b7dd74e6b7079f085ffff1cb2e663b748b07a9df608d585b6e4d17b2e9e5d075c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
405b5e2bb208dd731a96f62d0babf3b1

SHA1
3a706e7b8fb1255933e142d572daf8279c68eb7f

SHA256
bd0b717b853a2248fb9fb8de24beddc6f2f3f6ce707b382ac0c68714c359ff1e

SHA512
392e8361020e16cffef4fcf51b21e41b7446f34dfe2fcb62fedc36a27a87da7d6927f0906937cd54851efd04cb27e07137d44181475ab4b034196a5251b0d71d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c57a62c2f994919445fa336223e994ff

SHA1
c5f9c4c010c41c8b39430d060e1085da3efc29b9

SHA256
c5b815da76757b346a2e189a789e8d15f8a6cb129efc5bbec4e8566758b3f79f

SHA512
0775642fef1d54a022b030057f4d9deedd5f38459839e951a228e8a9593562fd98ee46369bf1c7f47ba0d5942dfde1214b1946135f93fbfcdeec309980c28d09

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
11ebc104538ea5fe5f3c73f481d2bb0d

SHA1
be9092935463b1d65838408950496a7f36c9f42c

SHA256
3e21c27ba345a70c048c397aa5e2d125fb86555ad2f83e1cc58c7af254e13ed2

SHA512
f688cf7a2c996d7ff2c5f46aa9d8ad56ef4e148f940b52dea1befabafa4409559776887cda411a5dc54309612b6151921ce2ed094a389920eff5752523fbe5f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8de0376c09eb9b4190ce5307ccc623aa

SHA1
4a75c97bc84c0df327e69cac5c9f3da3f68a9f97

SHA256
1ffe07fb80ffd758347bc15f48939d3fc1566028642e6d005f3996e72fb6a058

SHA512
8b4f0aef00d73a0182691171319fe4718f149bcb761cec59591392aa5c729007f1a0d74c7d5800d0f12c70ff904a2780a364e7bff707e936beac392747532253

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a9ce821a960c4c3e9c85fde5e0d5b784

SHA1
2c696eb05ddee9c5c8f0b1ac9e61c19986783d9b

SHA256
7b0951fe7821ddc5e73d8ca47ffe30859409f7a41782a9475dbef793359362ca

SHA512
5c84b82973057a0a4742e0692a86d8b6c208154dcf9356fe6f2fc14ddadda4a9be768ca72c4c960d9894a3524d4e3da159d966bae435a7eda0995c0253c3dc43

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
82523e54300a0fb4cd4fecb0e7c99242

SHA1
fe305d95f1b1672b02773d63474be2d874a4622f

SHA256
676cb7356471f7b3162de36c85b365f63bf6b8ac9a484fb1d9965ad4445bf899

SHA512
862d19bb1f3de6787ef861873a1ed911880ddcbb18adc0c1243d1e8e7e807cda7d069006fcdc52d6195d3881db304a7f34a43b02d0c3586c404c249938a8c8a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
75727a11e781dd93c74f856d99b89156

SHA1
762add4c23a7aa0c3f7227755d90b323a97a8520

SHA256
d9b45ddcbd55cbba3974a82168d89f2c779af1b35c5014979473d06d6daa6d36

SHA512
f8c2974e4ed60630d5ac0636789beb5a01c8b566ca0866983f5c336230a268fcd3f6323869626f8f7d593318d17ecf2781e193ed4821a5baddb04ea40b481af2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
b7c29f569f417c2b14b889e208e1789d

SHA1
6737a6fe34ba646c9960a2c72a649e463f20a218

SHA256
e0f1ef2bc43aad3019086ceddcb5aa0753f68927343ffb742dbe6b5a6a2c69e3

SHA512
0d1e53d2313024cdbc3989e5639b9196397aa9c84d9da278a016db5199634562ff35b403d1c91c767815005e88e10a6c83df432571e1612ab690cb070fe80bce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
eac149adb894e4ae3eff9a79c970222f

SHA1
25874c820d74cae4f4e5eab52b36cd093aa14c7c

SHA256
5a4ca6243db49e8df0f91fa4f8c1f2428010cefeadd138fa530aa852c8f467a6

SHA512
5f560f5376bfe16bb8f4d2344de000032af335b7b316efdbbbccd19d4f0916c0d02686dcdde9de4f5783f93760aa359932a9579fe9d0e846dd95f35c392afad4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
003681838d12ca19c90321b43ee46e0b

SHA1
4c80fce2bb85ab7c2545386de94830f8fdbec615

SHA256
8c49169d714f95d0dd22e2e9dd7bb21d8d4b5f8bdd0ace2cabc6842002a2d3f1

SHA512
16e1a54fd8fc41c85fc84747cb31e5bc758b20b72ebc115a169da9a857aea1ae7c11268501d78f8320e6a848e6f780660f3c55d164d23ffae9c43415ae77c5ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
de16944106ca3e19eeba63193fec250b

SHA1
da28c2e06dc4b99eacd44a3d456a90d05ab78d2f

SHA256
b02e1cf4a19bdcbbbdadd2542dcd1d6945fcd07b20be99c5965527f1071b88ca

SHA512
e29bbbefa5b7eefac17dbd2f2d148cce53e5fb6b60e7d908604be5d0850c0f8e8af6ec566852b958683d4ef3679b4cd76be90b0a360c7f16f908d8b876f46de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
de6321d29c66b1afa39d432a25aef293

SHA1
e08ac2796454ba12d61af4253b8ec0d2a15496cf

SHA256
c0ec428d07146d71cc6066fdb1a0e230f4c341590743fc6befaa463f29fddf7b

SHA512
118188fea7623f31a1816ad9897592316df4c8f4776ce1507cdfda0b95967b5827590ab3ab30cea9a556f159a4c464087e76d70b5057259bc89ae0f4c242df2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
ce71fe9aa4740af9c3d69f709db526bb

SHA1
eea590d0329f790cc50f693bdbcc84f96efa454b

SHA256
fd1bb1cc6eee2a1ffed794578206f663947072189835a2bcf64b5f494b586f10

SHA512
3260fa4be482169c2b035cb571a40bc054988d76855962c3243f9f6d29263e2246bda9c136f56d6b775b4ef1386a5a1b34be2d81c3a5cf38ef87c7c1e5fcaec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
fcb3b0332adc1d8a429a6d18fec26bf2

SHA1
27917d065095254f69b9758282565840e71b11be

SHA256
f8d36327160a449c2e10b8c41a2bdbb989d6d13d6ea874b0b61555866bd9fda0

SHA512
b77e3d8e8b137b9a6452f5a0a0e5e6d1cfb6d4e2c003b2ce10e7faa817dce0e863a546e40cf6a2dfcfa01c0c1cf665f5a00fa8df48359e475abf1cbd20e04fda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
7cda3ae5b1a31ff6ce58d3ad93975384

SHA1
c6422c3f2dcf55bf77cff5e2f91ab6db39478719

SHA256
85b450a167bea1fa2831e83d99b5d4054136fe7afd58b1410ffed24732a0721c

SHA512
292606a0bd39f940cbe07e468acf19578b8d9bb28983f1b70b86609eedcb28f6a08b4c32d5296e5103eab481899530460309d0b133c5a8f041c8301097fed6c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
5905c07633f6189541c62b476af05989

SHA1
4255e4eb24e9850544b5084379c7a4011fa5d3ba

SHA256
0af08ae8d798d8c862ac5a9d9484ab2aaf3a8e915a1d3a9a7278337468c95efe

SHA512
08d3d01b6735ba3eaa9cb2364fa6e605496da9710b2dc0021d7de25ba9c003fbe52285a8cf37bb62b860ae8bd17be0b3814785ea5ad0b75c32eb69bafdcc418c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
a36c3ad9878394d7935b30e88197216a

SHA1
19ff5a61f61dfdfddc5c25fdedf9967190130f6f

SHA256
cb6b25a92756dee6f02ef49c3c5c7eacf03661dfe3bb45f5e9818560e9546070

SHA512
047c17c6b9c4adfdd4fb9ef235ca4fb056e1853a20e09c01c6601250bbb4a3a00dc83ec408957250beef0fe53aca43453b0905483b6097c382555c1c926e4907

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
a817dfe040ffea42d6efaa95b1891285

SHA1
c8dc02068c4e5466e5d1f8749b2ed6c0a50c92ef

SHA256
8661e2dbd03ca0416debcf202a11d70dde0c0759e993cfcf62d4792fde0cdbc1

SHA512
43849c4b7da11659faca3d9657d4c83419db1f1113b2adfd31a8c04d5bbafbb4a68a1d19fa9fde0912d1e7849bc1f14601bb646694fd271454e828847647a239

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
9c711d79dae83f5cce3843efa59292c0

SHA1
dafb93dc38d1f4b8e2781065b531e0ecb5424c37

SHA256
ab78f9f8d522770398584bcf6ac2a92ec7e4b40fae7567945750c06651d08081

SHA512
6612befffbf2045df172d79a47bc878081647393ba2eddae2faace766d2bc5a2fc80cc2f8ec709ed06c3cdf25a57cb3391534b094c1eec0d7f7ec4bdeb58ebab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
8e94fbe4251e372f63b2bfb97f47aacd

SHA1
261d103216617b5b4f0cc9c5a846523784838d95

SHA256
57cdebf1e23a8c8e69623b1cc98de891444e7b09ba404764822454e548b5a675

SHA512
90093442e31271c260b51f75b02c4ddd104e31fedd19117f00ff154f28e15df6c05bd2550944cef7f0d010e9be19faaa2f88056178b628b0aadb0314403e7cb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
eaa509be27917fcdc5c06759b0a3552e

SHA1
7d9baca78d0e1755c4f38f4be1b1444b510bb994

SHA256
ac6083332d4368b166f8ca025c9221a5f724b9b3e37621d21ccc08a9bed09a23

SHA512
21de3ff871be783e816db5dfc4ceb102bd34c3a71e2c8fa51b1c2fcc8ef4f4a0054405f45ae8eb2416f77c2b44f601d15bcc42edfa088fdc563ce2a68a7156c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
2bd84eb09223b6d9678eed89991620c6

SHA1
d3d1c7111c60900ff28b5a8ac0f1748d15ee9544

SHA256
022587a54c49867f637a28a74cde6b5bf8091cd2acec4cc13ba1be74027f26f7

SHA512
8e2fa6d637c48509f1b3845c8b9b68c871c2f1d69e0f245b00a767d635b533ceac98fe06d4da5a64037a0d95bddc1c427c91ad3a13946464b504cdf812c306d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
62618c0e11ea9b5ecd2d857fdc68f2b9

SHA1
a9138d1bf9a3a0aa345668ebafcb11dc3ccb9e55

SHA256
4cc7d9a404da444cbbf8116f85236079e6b48a025b8691a4c56573e14d3ebb29

SHA512
b642dfa745161446d8c2f44f23a40c2f6e9b81782f76cdd9641afa86ac775636b187ddb952cc5e6297f2f949210392bf5fea3e6fb9b11d89ae37b28322802b2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
18259bf2715029af3c6fd1e0d08aa6d4

SHA1
073c07448f443608b6493f5d7c3426f912843bea

SHA256
070bed85d6fdbc8f5461c4536ccb4bd15284a8e92ce1e13dc94b19f458a12520

SHA512
6b63389df526779352790fb792200e3669fd646495d0f268c5e669e5d28063c44f3402daf0366be230a270df74979c39963bdf2f332d0e8e8ddbb4e9cbbd70f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
4cc59c8abf6da472375918e6e6d99a47

SHA1
f9f0e892131eb8e5c5401eddcf0a363516d25074

SHA256
c2877c0c6203fd39f3507d1cf63758408776d6d822c79ebb54644488af83bca6

SHA512
69c4fa5938c94b0a9ff815f61c166996534ca684fa76af0798e597d59a5f5b6168b9b35410bc35f435fbc204aa9df286c37daebdb9d83af0b07b70ca443e9dce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
bc80e7778f01e4b7031af0cf5c8a1a5e

SHA1
fe85228bf89ab77dc5ef3255247d5b8db8d6ee34

SHA256
e93180bcc5b036c5fbfbb1aba4cbb4de4e97b6e761c05f95a4ebb760b2366cf5

SHA512
e82a3b63e3d1a4f89dba3d078db44f3b290ccbfc361e0f5af7b4b99353ffe67b54fbd91749409a94490373bd35ce477879c0a3325f3b458487d9f8e8a6665cd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
6f9298d52f557ec4adb5c75301f6bc71

SHA1
ce91aead0532803e1c5eefaad43a95eebb3df933

SHA256
57978f2cf725c422e624a43b1953be10fce30a38d14f7903ba1fe000f0df1308

SHA512
11efd5503cd0417ddd7961946a35bf13afa5ce1c5744ac95dbf373fa2806690f7bb12973c6f27bda0ce5b2a2faa46fe1ccdfcca179daf865da707aecd3113971

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
802a8dbffe02d0215a4c516363c742f6

SHA1
26fee5c439c3c906ffbe6974f531d532117b770c

SHA256
8c53590442b3a06c3046fff085aac0f93cdca6238eacfde12137b083755e6046

SHA512
2b3f6d782939223763bf333c02fd12e677fdcc66004877e1b7ae667b4c73895dc0f5fe4d498c1516bb16e3b4162d03e4e0d522e4205a63e3d38ecf8e2b8b6dc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
d2f7bbb3ecad5b01d0c4ea875c6cef91

SHA1
13139c74466edc5ca1c05755fecd91393f5717e5

SHA256
1214d1db4c540cc3004ce0a334fb0709ae4a83bc808411f834ab7c403c83f8ef

SHA512
7450c1ef7afc199739caf2b8b093e6ec23244d8d925bf75d045c8bb5070c45f8b2f5aa6b7fdbb400a8f4053ff5108bfb5c9860de33bc7deba6c57439c7662141

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
13dfe9d14322054b6c1012edd2091d47

SHA1
f32033f58d215e337e30911a48a7f55d2874d484

SHA256
aa2af08525d346c68fe639b9ce472c1484f7dccffdf5f84bfad8d1abccd2c7bc

SHA512
205efc675e7873ef5cce7c5649499d9c98192e139971d5decb9a4da9b1b1ab346a1c5b4a230671f7434df25a03f895d0ef92252b494209117e8ae093c26e5464

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
b6c7e7e4c355e3db06a1b138b1f54cfe

SHA1
6688d54f1da4aef9e633fb883bc85971c2b9ac44

SHA256
29e0fa66fc4df31aac38df7cffbc4a31a725852c59d0241c4c45034eed7f7599

SHA512
e5310c68125503a33fcf6b57c6fc7e064f17b6913f7ac81e5caa4bd76dbc65acf151bf429046ea9f64772dc02cfc824b3463b12e5cf770139b2221fc168922d7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b74ca7816caff7c8d5219aa993672172

SHA1
5f3c7583415abe44bb237ca6a23e940c76c67a66

SHA256
2a4ce85f2ef08a4a254e91c878596ae3605846cc5481e27a50aa5f2adc4427aa

SHA512
1150203e081581890db87e21791a0333255086f28a57846992857ad9a38ccb97bef1314b76ae9bfc9d2c2aefdcc47dd0fd2c8df14266ebcd402047f3ecd9a802

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
75dd20854e22236d3ab8701bd1aa9b1e

SHA1
b4afade4b57e7a214cb1e1fb4bd0c1b8d5b2f12a

SHA256
c42fdec6fc80ef6971a3fff4da55938d7545548bc834374bf2b9ed4a8c1aeed0

SHA512
f9375df213f5a8c5e0d7970bbdad26338814423f4450c8a874d458c32d6fa36f93ac2f5469329e1f706a487ff6a2bf2a61f83af760d8c6123ee9ba14eafe426f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
394e7970ddf98c0edb2971f3db5a3e50

SHA1
fd1d648ba724e9ba3d43aacbf7c1bf2960c98a00

SHA256
fb0f351f72cb4ed3f7b00710c7e7c7a4dcc85972285bc0b7ed8b1266169c7e4a

SHA512
88fc5cb0e5a9545543da1a859ae6e2371e81ad0995100da7d2560c519e7a676fd9ba34c23b18cb0ad30b80e89175e9012bcc9841317cebcdf65c0c1513be6418

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
6e071572a7d4751ffbef350db47face0

SHA1
682a6ab2db8c5b4b5514bbfe431b411b688ec7ff

SHA256
7828dbd3481c8d8b3a89cdbdee1db141833c3c68bbc903d59ad25b65f5fef030

SHA512
7f48bfc545233e0028fba09ab89af26e26dffad6664c0a83ac1467a733cae1f94d2a0838c09116e9593820020791b08e09fb319764c5df84dac3972103bb034c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
a0079fdf7d336c6fbcd37d43313c7ccc

SHA1
18dfc4c0f81d8e8e458f57eab2a87d6a6aa35873

SHA256
9ada5a1b5b0585058401868eb35df9bb1db5f7d5d0a395771a54940749ddea32

SHA512
8bc66d891e202e6f34dd80aa76c49d44ff98b5589161c5f71b5c07a7251c2f54cd9ca9bdb80d092277c016c1b7dfede313b6962d3b687b24b22093d5d459331e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
489a147b4efd68102ab72057b0d919be

SHA1
83c0ee7843355c1171c1c9a6f363ad14d90f0367

SHA256
c72cae3aff4b8e9ad696c18f1f31305c74778bd5193c71c2c4e55c7f7adbfb6c

SHA512
dbb178acb138c245045ea96f290c05e410e3fb99295a594a4ccc925b9ecd76efbf6d1cbc4a52f4cff1f53f66e8d550a8967faae7015feb84ca4ffdc9be968763

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
98cddd0868763f2405369b221da6e76d

SHA1
0da62b977c86f6fc6dcf6bb6ab670a457a4f0477

SHA256
da239aaf3d297b4a842964ca77c807ee9cf10f1358c16733cba7b51195444f6c

SHA512
f6a495bae5ff34452061291b4e01f1ab2292d04b6049876ffcd38536e421864114cb713bca19f04ebe140fe7b4d0bd1b7c0e95c0139905fe967ab3bf21dd620a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f873dac148d764a91230528c0d4e87f0

SHA1
b737315a262d52750c9494f45467c41f477738d4

SHA256
8875aa59a1308ce1a4f125c9d087c42c67879b56c4c0e0491f1a29098572bb6a

SHA512
f6c2ca908bc444147d066afe5392c3dd3efe41ad88d0985c51af59b7e98fb60e718a531b0570ae94fa2438aa6acef92daae457646b2b08811ea1c87faf9b9031

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
80f5cda7cdbeb56e02a28eee6ddc05b6

SHA1
8a8f2a554cce5068740e9fc54f0c6bbd58e5eec2

SHA256
bfa4571bc82cf4d3a548eda231ac32f1355e202e31b937b801506b325cc22897

SHA512
378b7923d83df8cc3b248b34e80058f4c5283aba98f8deb454d5fed6c3eacd61fa362c2cbedeaae8b41872cfd2a5d3ed0424063167d09a5473ed949a3f0cd682

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
dadc431744e96bb36d8403f372e66493

SHA1
4d51445f928c8996535ab1284c3962af955f4512

SHA256
934627217bf2e4f4011d792e8eae5f43696305d234d0ba304f421cb8156cdfed

SHA512
3c55f872f1cb1348963e6adf00d31fd2349553d7fc4b0fdd2721edcb258f94db1ce4a8338a682ddb2d9463e6b3376a05b997590b005c1f92c0b00dd1cc3c72f0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
938fa60acebc040aefe240c41674847a

SHA1
00fcc758fc35753cae298ab97adb088a36ad9839

SHA256
c6de7f8b72c8c4d44d82ce000813273ce47d539678b248379c5d4dab112bc998

SHA512
a1b6e1b3c0bc9aa4229142cd6c14cc954e70117aab6433ec7ee765b2c415a2734c33698b30f9f05b463ef8be684cddf6f50286d6b5536dfc0c353ccf92e784fb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
3371aa308980c6f710cb69d6b82a9d3e

SHA1
ed34569bf57d6b3a35a0eb0647011074f3a79e40

SHA256
6126ab0a7ad40c14b48e61e2055895a0358923e4b5ccedb5a99286267485e976

SHA512
21fdd16b78b7943af120265cce26a7c4fdf3f1871a4b9fe50fa6bf0aeffbc2bf059aaaeca72a8378d02fea6e814e4015bb0b27602e076b11b1dbbfb554f506ac

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
3646a046f7f4df751c83380b4de7590f

SHA1
388d8a169b84b93a458d338bdfdaf93b70f1ea78

SHA256
014322051f31a8c81eb31116caa554ce9576d0688573f8b8a7cd4a54eafeb5fd

SHA512
9c797c660fafe174235500f424dcb858b4045565a3ffcd454eabec631a5cd2b5030a3e173c9ff450b84b51d102d81bf9ba57521f54e2db65ceab7c17177d68ae

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
27a97506109e2e8963e52417ee5c15af

SHA1
8eec814fbec158cd88d691ae0e1f9842b2d1e498

SHA256
3e13f1d686713906934c27279b17716edd8a598408770d7bc80e33f434be1239

SHA512
5b7e8d4b36832c66f3be4708695fc03e5c090854029bc1e9228e50293009390f0b0ef79d30058b7e03103fffcf81a15ad4723445c495504745a5586aa0614b53

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
97f3c89d5eb3c48aa2fc09dec3b8b9f9

SHA1
0113343a68ee8c95e579ba03cbc05b8baa0f6e66

SHA256
fbf4860ab0dbf003268d435b4c3012b5cee05c263946f19a883bbd6237b432f3

SHA512
8ab04b03bfdc42fb62030f765a6231fae2211f8fc97fc3d2ea5ee1b364c5e37955f455674b1ad6694893d027becf1fd80f3672dc9cde1f216abd93edf0c11836

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9597d1d50fca74f43ef8d78286529df5

SHA1
4816a936c82bf06384e5adf04c38385c2276dd65

SHA256
5e23813b490f23c766820e438ae833463d43c421cc34f330ea55c0ab6f25c6cf

SHA512
2c9f8fe0bed70c9f176ad788baa6fa75ecedce49f3be5aad82b34dac119b5969b701814b2a5090bf97e5a4442c731f4d0408417da22850ef9c06d395474e4546

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6da76798311cf457325730bcca78280c

SHA1
a60033cf16c973d994bce5eefda390a9f84f77d2

SHA256
4ef9cee375000dbee969a41a71d5eba6accd40dd9cf6951b099fd604af478dbd

SHA512
4d7de0ba0ab5f655ad932b867365e4c1dba9d2348575ef2476de50a7551a3a62faf9880822e1568d8447715c88fea97e1ab30c65807de8c7d8f35521d5d20572

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1458cd2869e954024b6dae2fcf594171

SHA1
1989865a706ca542324f724f452ea2a1fdad5f95

SHA256
0849b48bed63a704a1292ab0280a7adae7008c60efdb85d3756b603d7dd829c6

SHA512
103d8526550b6c8543ed0bcd0ca3dd7f03979b570f38534e15363d97e1403c3a3d9f0d08b69d3ef7b7a9767608039023f086df0e06a3763af049e32f66e608bf

Download Submit
memory/212-306-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/212-425-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/464-244-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/464-369-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/464-245-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/464-251-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/536-621-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/536-335-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/768-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/768-22-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/768-16-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/768-236-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/956-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/956-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/964-77-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/964-75-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/964-69-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1068-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1068-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1296-1-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/1296-28-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1296-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1296-6-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/1496-67-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1496-65-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1496-54-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1496-62-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1496-60-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1944-413-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1944-296-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2040-647-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2040-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2264-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-256-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2292-648-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2292-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2344-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2344-646-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2492-372-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2492-643-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2572-641-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2572-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2716-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2716-389-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2992-52-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2992-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2992-43-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2992-240-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3396-38-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3396-39-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3396-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3396-31-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3396-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4052-642-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4052-352-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4712-426-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4712-649-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4808-285-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4808-401-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4852-640-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4852-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4852-444-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download