1b32a27ac7ce122c9c8352df0084cb082bbf5240aa53bcbb253a14b8abc6d86d

Analysis

max time kernel
130s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66afac6dfb5263exeexeexeex.exe
Size

886KB
MD5

66afac6dfb52638e47c6ef55f57b555c
SHA1

f87d4852714fc215cf5a76033d0fd1ee1fcceb22
SHA256

1b32a27ac7ce122c9c8352df0084cb082bbf5240aa53bcbb253a14b8abc6d86d
SHA512

d379453106abceb6b5579a1f5a34b372d603bad9cc56d7a740695710c78ddac2524e0ca4c3a3e37a1311d617366ca9ca41c71f1a0212f77f0761ccd06b99cd07
SSDEEP

24576:QEUEtXtBK+ij5mgcQtEgHodmysqhubRPHbalYm0c:53XtBKtNcQtdHoUPbR/gYc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4660	alg.exe
228	elevation_service.exe
2524	elevation_service.exe
4216	maintenanceservice.exe
2004	OSE.EXE
4552	DiagnosticsHub.StandardCollector.Service.exe
3804	fxssvc.exe
1776	msdtc.exe
4340	PerceptionSimulationService.exe
1820	perfhost.exe
3912	locator.exe
4252	SensorDataService.exe
4440	snmptrap.exe
4424	spectrum.exe
900	ssh-agent.exe
3044	TieringEngineService.exe
3824	AgentService.exe
772	vds.exe
3388	vssvc.exe
4272	wbengine.exe
2932	WmiApSrv.exe
2852	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	66afac6dfb5263exeexeexeex.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7835daed7176c85f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9878a0a7fb1d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a206c0c7fb1d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000335ae00a7fb1d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fbb200b7fb1d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bfe260c7fb1d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfa52c0b7fb1d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd94fa0a7fb1d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cbea70c7fb1d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002433f80a7fb1d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006882e70a7fb1d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
228	elevation_service.exe
228	elevation_service.exe
228	elevation_service.exe
228	elevation_service.exe
228	elevation_service.exe
228	elevation_service.exe
228	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1268	66afac6dfb5263exeexeexeex.exe
Token: SeDebugPrivilege	4660	alg.exe
Token: SeDebugPrivilege	4660	alg.exe
Token: SeDebugPrivilege	4660	alg.exe
Token: SeTakeOwnershipPrivilege	228	elevation_service.exe
Token: SeAuditPrivilege	3804	fxssvc.exe
Token: SeRestorePrivilege	3044	TieringEngineService.exe
Token: SeManageVolumePrivilege	3044	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3824	AgentService.exe
Token: SeBackupPrivilege	3388	vssvc.exe
Token: SeRestorePrivilege	3388	vssvc.exe
Token: SeAuditPrivilege	3388	vssvc.exe
Token: SeBackupPrivilege	4272	wbengine.exe
Token: SeRestorePrivilege	4272	wbengine.exe
Token: SeSecurityPrivilege	4272	wbengine.exe
Token: 33	2852	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeDebugPrivilege	228	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4684	2852	SearchIndexer.exe	112
PID 2852 wrote to memory of 4684	2852	SearchIndexer.exe	112
PID 2852 wrote to memory of 1340	2852	SearchIndexer.exe	113
PID 2852 wrote to memory of 1340	2852	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\66afac6dfb5263exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\66afac6dfb5263exeexeexeex.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2524

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4216

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1776

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4424

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3980

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
789c71b78246e5b6395d437a6878c6fa

SHA1
c24ecdae435b4e8ff5be14e7027787b928846b8f

SHA256
a6d7a29ab3de879d4ed809fee81745803335f9941697df3b138d3facd9880c9d

SHA512
75033a8c34932260a941c4ea1f65cc0929712af55ca39e9884a9345aaf099bf20bd8982eab18555651f06a280a996a4e946c570d3f182a603a893d6f8d2a9d91

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b8d88d647ac1385ae54df0c1d11163c9

SHA1
9b15bc77564eb231891e357119817d65755e052d

SHA256
7805b9eedfe222c2caa7e44565b39b6b9309b1db6e40b53a66202d3f7325b27a

SHA512
d10ac4907cd42c5707de6c2d0809ee15117c2f0bb242d1379b1ad5b92904c7d620144778cc05caee486301b065371fbaf17f87d23c36112b930a4f468b75dc6e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b8d88d647ac1385ae54df0c1d11163c9

SHA1
9b15bc77564eb231891e357119817d65755e052d

SHA256
7805b9eedfe222c2caa7e44565b39b6b9309b1db6e40b53a66202d3f7325b27a

SHA512
d10ac4907cd42c5707de6c2d0809ee15117c2f0bb242d1379b1ad5b92904c7d620144778cc05caee486301b065371fbaf17f87d23c36112b930a4f468b75dc6e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.0MB

MD5
434d975bedb0c5e2d1f4386f8c34a7be

SHA1
5f75913f0ccc3cb881582af91288696dff993b09

SHA256
5407dc1d2457c8b2b7ce0b53080db1c58f183e6cb03bceec707b87a513047204

SHA512
cff0b9a9eb81baf5459f3034bfad63076a504dd82f54ee3d1173eb309e8133bbd97521a76abda792fe725c40112bff4fc376d2053e84f008d05a9c8fa8091259

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
b9ca11e841fde47643c6f180721f4c6f

SHA1
cb0041327b28dbeeb1beb5761f6144166d4fc111

SHA256
f873199a7dab240c4117133493bbeaa00ff7a508fab952a2ee35696ad252899f

SHA512
4c1b257b74d6072b0aeabd33bfc83fa59ade9b9b9280dbb4d0edf7c06ab237ec4acd91f8540755564d5ddcee7153f138bf199718e7e39acb998a58837f6bfa44

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
1e1ff4a842097722d19f6862d8654168

SHA1
bd3e8c672e34d128e3f5b1aa308ce66499c061c8

SHA256
91d35635d8807576f593dcb2b2bfc1f1d91a5151b37092471f7c78137c3f6ab7

SHA512
4e427a50fc808181c27a75b81ac864847812698fdce34fba1422338aa5410c0cecb3b05f2ed387f5d0eec80881ce882e187a3c4ecb1117cf9b12c6264990c7c4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
583KB

MD5
24ef09f5c85c505c0847c08a83a2d1a5

SHA1
6d95e33ed34241f9b1ffc630d69f8480d742bebb

SHA256
681fa5e5c827f410dcb21004c319bdabcbe63139b3b1fe3b9fe33fed1f823e70

SHA512
43bb27e0f890d55793d56e8293187b8b5b577ea626b2fab4e4668c5dc58b562665320dae7b2023cd5cc44072defd6626e71486fff2dee88032d38e01df94ebe2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
694fc8596b46325cde0c265a97906125

SHA1
b96e193bb3b00ae9c27e63cc76ad9453290f1308

SHA256
d0ed6c30b13a440d46282969e30afe3ec0975a144d32605931c08d455e8ab0ac

SHA512
c0951f059283bcc22b5183fb28d7a262540f7e8b33fce067683654b76d11527d0eceb99475ad69e2091df57194682c9223d440610e9f206bd7fc09869eb8c097

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
92dc9353ad67fa53574d07871d6d04b9

SHA1
8da7f2aaaa894df8e9b23e997b72d825a6e113da

SHA256
fb73b9d63a2d744e71ca3ac879aaad40e3713de3b6c6e0b44bcd9f58fc44a4bc

SHA512
717b24695a14d1129b09dc2f9ef103bef71f51afb99fb6a39459d16f2a5c596e810c62b44b9fe14a7a3edc54f50e96be75c40fe417695840a17c1d2263e70907

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f057dde95038066cb9234985611702cb

SHA1
89fddd8e52374d22455d8f8af4ddaec2c2e7b628

SHA256
47987fd0e6791a4f28a3c11ca36ef64fec0f5f64e253cb23c03af7f3f1ffa7cd

SHA512
afc1067a341741a0c1df9d179ee3bac7099c720875882ec79f46571935f26913c1fe11533a60e1ba318ce6cc4c38c19adf59a08e7120d41087966454c7c152fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f3f91ba2532ab09688c6ce7673cb9109

SHA1
46434d8812229f6118104016cc9dd515c9d68dc5

SHA256
2660860a00ceffd57aa7375ad605710e11667b7541024f7c1e22fd66d55026f3

SHA512
c7207ebbf8f88c6d205d863038b36dac961716dc54ed5349c8abc39fc03482de340e11520afc8976ebb061d8546c26a88e64d0f9dda73da7c97180ff7d063c69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0ceb4945e12fa0af04b326e00256dc11

SHA1
a6031e48257b875b3ef343e6aecd89859518ab75

SHA256
9e136afef430f8092b38b8effc5222337d99e48b8d0955cf3b3c6b135f479ed3

SHA512
7bba950e0e7bdda5aa9daf5fb7e15ebbb503d446997d1ac46baab5363712ae9ccc64c1ed4defdfba85387efc09ec2cb5c05fb687461b8ee023d2b3e5d1c9ed27

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bacac7a6f1dba06d0134953df57f8ff1

SHA1
d33fc52470f0ed8d3a18a13e29bd95d4edc7076b

SHA256
fafd78cbb8f6bc5f03466de1e6869c4e97b98365f383ab0881bbf011d703801c

SHA512
e109cee55281747aa971c02ebea94e666934068608916e3569bd64c48f08f9cc211a57308b8e179f25150fc6ad0b353ed0c0b3d1842015f78f3a25f2fc205cdd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9515d7746e874339ba3dc4d15f3dcbed

SHA1
efb4acf3fe2392c0bb21755b29cca43afa5459d2

SHA256
d5cd7115767ebc2af11e5cd7072843874f9bcc0064489f7004188f68962c6c32

SHA512
34b8c014acd2139f53a8c5949b8ebb9e588e3690796cabd46f4135b3e18d6ac080c9d899f17bd11799532eb396a216248ec76a52c1292b15349b81211a8fa07e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
fa6435f7e0e2ec487400db0f20ed6310

SHA1
2540dfbc59db9eb1f30ac96c5f9a8492168d38a2

SHA256
dc935d6e2a19f1ad7351d601963daf3157080492c1c4c5a28238d3b45ebcef3b

SHA512
aaf03eb9304e9c094326d76f3221c5cc7d8334ecf036f755dc3fca57e090c8e64a459a3e401791f92706c9d44d43d1a942ac053b11deab96c7c3128743f101be

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
0e6af350e2ff82fa6ff7a59476723c83

SHA1
cf65b0369a11d327bb2e23ae8d1f0142773fc65b

SHA256
c6584e5d8a9dc7949fef80182cdd7c37b2f767e9a7a64e7f4a05b3aa0d4f820d

SHA512
48b27476932f58bc99217394c7edf65bd4f01d33097cbed6da7e2d686d88226c54a1f56310443ae58c195d6c09b2f059e2b5d2b1e7b1deb78b1bd70bac4c843c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
e77fa775e26cb9d4e3243265ce0a1e90

SHA1
5ec7d69d84aed7b1a9718f8336bff30c8cd60775

SHA256
ff5dca35701c98be5294cc68216a59b3369d52a5a1aa34e57c850bebf2f1fab2

SHA512
c9bffc3738ee5ca14351dd53e1da79c91cb702e1cd6d9f9380d057eb09506605539c78d882097d8b67848cfa37e497bd3f2ec290c91bfb57e7c74b901f0e34c3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0ff119d65e265dd693fbc3dd0e2adc64

SHA1
593163404583bde94dcbcd818d501726dfb6cc5f

SHA256
62bd5af600ff989fefd3cdfc9d2f7dc85c092ce1b18e966a335c4294c1e1d76d

SHA512
e9c6756d0ba28f436086e1f1245220ad0e3d4d97b7383ede333ed2a072291746d447d6a10a0cbbfceae20bb6b6bf9542cb8bc9fe11f1a8867219ff1b5f4a99ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
438c16f1bffd4e24cce0bb392e259bcb

SHA1
e4da958f0eacfb4c21292bccb3f10b934ea9285e

SHA256
36d15105b5e42b4266205924c8b49b3a2e60aada315028973a7ef46a041be481

SHA512
4414836688d50a61039544d39ecba095ecd58e911eea24cbf15ac6ec9ff8c9346f94cc0f601d3ddfa719fc0719f728a40a4f19693555ba1878ec682591ee4f38

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
023ada39a6f42eccd93f11a2043479ef

SHA1
879d27d8348d02706a9596312363178b16883d74

SHA256
8ae0f31481f83683d4e6e94a36e9da3247df28f692346c343791807bbc90e4e0

SHA512
18c5778c6dd7e9ff948abe4eaecdc0f8908805c576c31670db4fc88c4d7400401467c299d189869383dfee8e56a4db5bf2f9c98e61c872f7d3842d56f1fbc760

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
452aacb8573030aaccd78a0185878e68

SHA1
53ccd9663cf1510d0f0dde9bc853baa6f37403d4

SHA256
90ac7c907a7fe57a3ce20d86522f102aa3e82a27a1758712560756e9f247a25e

SHA512
206f4c0d0f2b67021eeba8ad50ff3df5a096e93b0eb11e02a01b49dc7f8f9f24f5eb3f81703f734ee82216e573fcb3efc076ed7e5acb443b1dcc1db7d76e5b87

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
577KB

MD5
26043dbaf059bb74377003942e867c7c

SHA1
bc6511bfd4ab791da6d9333238a0c0269315f2bb

SHA256
286197f734c374eb3beee761c5d037b4aad33268a5000571278f182053d7a812

SHA512
a5127c1baa79f4ff058499dff19e5bdc36bb3a047cc25885157173b93b95923e78a88295c6e41750583931b4c5c6984c32cea82f93549c41318ffcc14e94c583

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
577KB

MD5
0b5699f2e41ea71a105b42cb7d933b07

SHA1
93a429d0ee5bccb06591c28625fb7ca0cf9d960e

SHA256
c944cad1182be8a52537a7435bdff7714b2eb51ef869fe54d149cc66d1bc846e

SHA512
db4c1d081531ca623f7f4b881d85866bb98b11384eb8554fd8b24662c6703784405bef9dfd6377f0308fa4ad84889d7b819d113158b922cc5a51cfbc1541c06f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
577KB

MD5
5f598cd75fc82308d7b3ae0108b34ae9

SHA1
70714f73f477ef1f184530099aa3a7bb86b176d0

SHA256
ea2c2238e7c1052ad9ea3b1f2bd31d5ba0fa711bc6fe1f289d969d9ff78d5c39

SHA512
f9e593cce854aeacac217b18d894891aa3098da33417b4c551b8422e482bd0d0e200f2386a568b1784b8b529398f3b9a802d3852bd1f5cc265d6d5540111b618

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
595KB

MD5
79419c7addacc42809c72570d6e3af2d

SHA1
55bbae9d3f1e0b17abec39a46f9e6c4fc44e5a4b

SHA256
7d0a49f8f6e6b29b7149968e627ff60157a2de59089178873f7e5e1a2152d633

SHA512
a066df0e68500c392870a5829ecfdc82a0ab661afff9e876905ea7a74244efc61ce5b5130e5c7b8b3cd03c6a72b46f2f6531a6f1812873433db9e07cf30bacef

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
577KB

MD5
893f93fb0b1bac531e5bf476984b2e1e

SHA1
daf2bb13e890631df4bfcc4bc1c99fcdfca1230f

SHA256
63d53b5226ea9c4ad522e474340b9834a808881cd6f1ebade2cc14e253817bc2

SHA512
ffeaffefa5dd45f6da611abad8ce39e46daa3751726e18f9bd57d4406efa465e308f1dc05a94f91338278e53af0d20d48501b4b6bea74ba76029366748bcf24b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
577KB

MD5
9397fa0fa22997c8d866fca9077b7794

SHA1
4ef255640bf9b65f331eaede4a1070683b197d84

SHA256
770013af09acffedfac554e8f2e87c8fc0c9cd23af1e2777c1bfffee29ef6c3a

SHA512
5b47959857333dd3ca0f10951175cbb700e8a827d1a7f41000517d2c00a6bd3574dfa9cee5f497c22734a3dde50d7b17c04a725e0e5d081fd04fb159f1466c70

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
577KB

MD5
fab0a871b1a36b56f79e9b22f10339b1

SHA1
79d1978ee9007e8712afdcc609118b3dc1304720

SHA256
4959cf425269e7b1ae7b9e109576df82e5f69dd2065d8b61cdd324a9e53fb97c

SHA512
363e4e845c845062e691abb1dceee5a3c156effb83da0722f5c55d7697f5e3afcbbc71dea8116a15257eeeb741e01274540deb09846763f0e84abbb71dce07aa

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
762KB

MD5
13995d28a8b74ab02b071f2b572f2074

SHA1
96c3a909238f959a530b33a3b6769e05e54717fb

SHA256
837b9ae2692ef813938aff9a25483d157bfef5329fe4a3df7d48af8623a99008

SHA512
f391b553c6476aef4287da11f3b6a54acd67bd48386aa385ca3a3a0759867f484dc955a0d786dfddef4e90ffa272422230a50fe794e053a8ff47b866599d6432

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
577KB

MD5
afad0d48b16dc55b3f60c9d7e193a0d7

SHA1
607e11e619d8a86d49f4755ad70094ce48d73b87

SHA256
41dbf09561a72ef5bd65e538ae4a7a08f5a54ff323d26b55b896a8c5cc7796da

SHA512
0f522b6e37cb2d6622d12b15b4bd9e5206c5d1782f772ed15a1c369e40807af654e02d7641a29d6e7d60679eeaa86111940626e66fdbaa6c588e6edc08dcae82

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
577KB

MD5
c28b6c2f0ae5ea0bcafa99b17cb30c80

SHA1
80b1a1d97142ebd2a6e9aba8f1ae4782666c1701

SHA256
61b0f44ad83d2f4e4023890c5ae979327d1a3286500bc20a876311d6538989c0

SHA512
fee3fd5812155f9f39ec9cafe1737d58fff4c156f162bad6b1ab4ca98d88dc088769937f22a0a7155d1495998084b26b62be98f337a558c6cd7a49c752b8912f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
690KB

MD5
2c9ff1a0ce4ce3653a21090957d576a2

SHA1
e5bdc108a5879ea30357835af4bdd729a57d6d97

SHA256
6c55aed511742f0c1741e53ec16872c88a3d938bb8fe1ced004087dc4d6f7211

SHA512
64a32755d0f9882dd9ad8f907aabb0b0679da7665fe3619dc4a5be3069967eb0082332c4b76129b453968f05627148b0f3f1bfdb9f54958bfd307ec328a7b537

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
577KB

MD5
e640b212a6d7412784e7c6d08b93f906

SHA1
24b4caf236e564b9d96c45c62c3d9393535fa00c

SHA256
ad7f53a200676ec2b3a71c81116cd597c0b6c60c78abc12b3608bf9a32593114

SHA512
2b9f870487950c66414b16fe63483d6b83cb33139f33aed296ef859a48a34784d6c018336728567d4cde060ef88f63b35ff5d419783b26c9499419b9c90600f8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
577KB

MD5
3c222d960eace71d6d79b536d11dee64

SHA1
8789d11cba01b9525cc15d14825a536adda4989a

SHA256
7a598f3badad22760aa4d65727f88401e765f15a9f08adbb8ab7ad8046135d1f

SHA512
c4b6eb47d710539edd7291c20ba058c6a378b423c689bdb9559003fe8cef3e84308a6d416272420a2d7713bd360d6686b277d4b36450fa66ec06182e5668b6cd

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
690KB

MD5
63c7552b2525ed88d2c7401e29751951

SHA1
128c419f45e98596b42db253e70b94f462bb0e73

SHA256
ea02095eba47dc5349e773d903428eeb67ad836c2f950ac8ed47b608d05a92cd

SHA512
80ef70341e662e3e012d06f708efdfcea9dcecda26fe9fb7a09a79432a5d0a635b8be63c31d738f1e8e49da6639cd4b68ce4f82e6d2a493a77f9d550aedf0903

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
762KB

MD5
c01b0b9a7d28d5d52c24bbb48b7f8321

SHA1
ad15ed42548c5687af85e993bb7f39352802a8d6

SHA256
442ad245f52c8e60df368dae5622a986c9e45af6c972555811bbacfc5913adfd

SHA512
07741d80b48dd3b636ea69c5bf4014a046243b1022916e65fcf982d0356fe40dbc5aa45db6939cb9890741c0edb66c85e9b98ebfa4d4067063bbc03597024b1c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
878KB

MD5
419d802f1f370491a77257e3147d26b0

SHA1
e4856d8f08f448bd30f6e863c68cd7a66eacd9ff

SHA256
c5b3c3add2efa4a6ce3262583a9523ac197bf76688131729257107d36e1fdc7d

SHA512
4b6e898f0f3a53bd6257c14bdc198dcd0ca724d00422d51f06e7b4f84bee8e4a310628cc9de286e1926bc39d178de00cbb4324ee4ab48041a50eb25b6e77c707

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe

Filesize
577KB

MD5
705abefc129f746ca0514e3d78ef2ac9

SHA1
be2db28953e8d4b50ff555d3fa73a2a7f2a89195

SHA256
57331c07fb1c48a3f67ce06e556d2ab9e6aaddd94a5ab900d1a45333bdb2466a

SHA512
a108231530b13e6c4e5f5f8eefd18b46de3a59f8026aff30f475eb790db0af97f0b75cc39e111c8f20646c64458051af546c0c4486a45015097088aec8530c6c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe

Filesize
578KB

MD5
b0904cfd710b7b851de9a990ed96c675

SHA1
1f44e86f78077d992392dd8214c1fcc5b1f1e956

SHA256
b2e749c0b6b732d07644b1f40eed34c92bd9e515c50deba8e73694d01fbfd7dd

SHA512
1daafb433fe0801b5dd6fdafada890a0508daea00e15f97b3bf8fc6e0ffa9f027e6ebd9efcf435816d5db722ab1c9f722c51d0dae184ba59afde8b5eac1293de

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe

Filesize
577KB

MD5
6e9cbb3e0b972dfc3101bcbd03381526

SHA1
e262f465e91ed7e9587dc4e29f3d3e56385c23d1

SHA256
71488e8d453267c1c1a5e0649c861a9c9f5c461560628e72bf829a0ed499017f

SHA512
ee55bccd1167d96e8d027d6cd95661d4872d4a4b7a7e571f7ea93b530049dc69315348b87b273934166feccca516ec91cfecb7cb53c7c7052d8cb78dd1bc20c7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe

Filesize
577KB

MD5
656f9b489d12627d74a049be82c70847

SHA1
ff3532f08fb6f0c25da5194fba89ae4d81c5ec46

SHA256
9c38a816ecc2ba858be2e711512b56d8afbaff9389acba8c37af1d2a75af4528

SHA512
742ebfbb5563d47a0fe8945980da81b000ae9233f63558bb7e0f7c799bf9fdda827ced22d06e566b047f82b3ec21feaf7dd11a807b4c3a9887271cd5a05bbb4e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe

Filesize
577KB

MD5
09bc9a2718b4664015f3e545aab48114

SHA1
6a3be59054e9eb7d56ba37244ad97a6f7c87da67

SHA256
5460d00335f1f4650a3990dd77c32b03b1eec162d680af03a384e09bb1a17db5

SHA512
0fc2e0ad381b58dcbf1adba8d119cd68cc73705dfa6498785c856cb9263f4c112c9684a1a711f790135ac04c4a9a855b0df0b4c3033752cd4bcc872d0d2e5185

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe

Filesize
577KB

MD5
da8b0c653bb3f09e75eab270840b33d2

SHA1
72f2d6b948aca9460138b15413809890803fa892

SHA256
368af52dcd6f4d52ee6856a32aa0a8d70db4b5eb9276359d9b872244ea2268f6

SHA512
ebda5a13c97574c3e15b85828a144d10bf89338e609dc362ab654581eb61002a192221f058af0fcf2c53ba830301dd57ba1a0674702ea0aa8cccf78ff6e6c6d3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe

Filesize
577KB

MD5
9821e42b162f06b7edaaac3d2c5e04d7

SHA1
ae85aa16e32a502c6d1418dcf1cbd4019b7d8d2a

SHA256
6695fffc21407cfb4502179db51bcc7132605444a7b7a5bbdff0811f5b498e04

SHA512
ea3520ec09d58c4ce834c8978bb16d040a91431e454ca35d34c2f3096a3b8828ab21e4f3284874a0be0611270deaa3a2160824878de4773bb3c22fc72214c30f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d4652fd2602da25490b36c03306a5e54

SHA1
d97c5ec0e01de299947940986d099a642811c6b5

SHA256
54b9e98b1c569c48afa692ceed7b239f62000207cbbb7cfae7d284eb807a6d4d

SHA512
c3548ea12ef50f79f989b832b01c9ee3b646dd8d9a5bfe9458a46b3023a863ff9165bf0558c0d0af22601a71945c588f9ba33ea6b95c6c5c2e226032d9dd7e29

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ee9b5c6276ce590c0e3f27c848a45ec2

SHA1
3e536082f683831e3804e3e16191b71bc73edb7c

SHA256
f2d8c446cc8401aab7a68241b7549612ff4d401d894288c184a93d31b24e69a3

SHA512
c19038b5fb70861a8f112d6ae6eb62fa01715edb06fb417e50238a9d05a6d2cff253dd1fc393597954d584d464738363e4b6dd25cddb80b432dba5b6cc7e0fb9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e785db58a6a16d6431a8f87ab7431d86

SHA1
1ec534718a566869a2d730bbdd05399eb2185900

SHA256
b7a23cc00a248f3fffeff3ddf6bd3dde4c132f6499317a0d1750702c36044612

SHA512
8716f532a1db6fbf98784e44cc699de9eee6f8cf67c5a18df7820957a06306fe09f81db628c7e4ca2f82b1e4bcbaead3fb6799f47a066ccb4a515896b73c0868

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a323e75e0abfab048a69636f4ae8143e

SHA1
db2b39a1d9734816e4bb34e2ef43630973dd14c6

SHA256
3e19ba9a1859932173a50eef401e8ced18d01246ecfdcdfb90c22eacf0736524

SHA512
0cab0c0cf18ee05cc917bc66c868dc680b2ec1eb9e0773a57d19d0af266fc9aaacec6362cfc25d526662669a124a9bcda5331aee489f974aef501e992720197f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8906b4cb623891bc056096132ff36190

SHA1
bf8f9239c411649da5c2fdac978300f36ec50ae4

SHA256
fe7faef896132f76e7a77f1b59a63040ecf651ce055cabf4df232650050ae700

SHA512
6bc770b2ad8c46fb311c2b5ad83e5120fa49953214c000df65451c79bdb7af0e0e6e699273061570d8e2da61cfca42f4c0151286bb9bdbe3ec3d74e5c75b346d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
89f728d47668b3975819f0847cfdad54

SHA1
75de508b02c6535b45537a7840b28b33cf047178

SHA256
5942e113663160272e271c255663a089b58f536db2a99aae5fb7a4d3f272cafe

SHA512
1a066fcfa20b1aeb0a0dae70f6f8f77b3f649394678e0b0c4b79a84261834699516543c2dec05e47be522ca9db61d9e54201da841d0b28271c12080bcfb61533

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
89f728d47668b3975819f0847cfdad54

SHA1
75de508b02c6535b45537a7840b28b33cf047178

SHA256
5942e113663160272e271c255663a089b58f536db2a99aae5fb7a4d3f272cafe

SHA512
1a066fcfa20b1aeb0a0dae70f6f8f77b3f649394678e0b0c4b79a84261834699516543c2dec05e47be522ca9db61d9e54201da841d0b28271c12080bcfb61533

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
291deb70c86d61b49a15281b60485104

SHA1
dd583663b9a414d0ecc7736359192d0a051b2313

SHA256
f29c1c88629f930e8de511b559855d5b1554aaf0b1ab23ff9d16b3befff727b6

SHA512
67c169d45562a7b783f5c5539b58a6723a48cbceadf2dc68942120b790b7c4e9f3753b985e9c8f284a81f6f748b706100adfdca16e1a08720007fb5f4eed7dbd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
893526d510edb4fa139ce5c3044d4cc3

SHA1
a1b8d9fe964e5012fbff9c094c5af4a4b04d4ceb

SHA256
2016b3562fe3821c4ec335cc94c07bdd3eac5b5b568e65e2ef1a6df511f56754

SHA512
ec8fec9557071af590a29073bd5c329065d10c1d575be974a7d3d12940998f01f857d562ff8d80dbf5a47b31919ba13bc4be273adbc948f25ae96e33704b2127

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
811e7debcd2b35a90cfc175c5a2494bc

SHA1
a2aab62ce95138aa47feb460a1699b02c100ee24

SHA256
25d78258d014cd43de55e0ad9e7a909f15bc169986791581198c3cf836dabd37

SHA512
26f82d262097abc469dec7a6523e0ae8ededcde2b68d72f655ee398134446061e54c9d77079f3b71537b4a4d8e2674f016131cfb0160fe69101459438d70d06a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ad2c209af7f3a1dd6e1a8db423995c12

SHA1
539ea1255c1deace41a79ae628005c93705cf851

SHA256
746e593541e02d4e8fdd99e21d60eb5f81efa531f026fbf579ab9764f9371b7d

SHA512
f2128e214be41986d832a274caffe919ca7befea9e155b5ca6455530f3e8baa0cd50d585f43da4ff4828a1e9894c8b618e1eb78a52bab7a53c8e55fe03ac93bc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e8d980b1b20f275f322c512bb5e86752

SHA1
f222c251ef08761d6ef121d52f7c765391dacb27

SHA256
bcdc3ead0dcc38e91e7c004bcda9d5d5b4571e2601d0341b5fd55e2a9ed68ac8

SHA512
97e3326b99e1ea14f3dc2ca98bbff6ceaa8c1b84ea470ad836c7a181a69a7373e809858f76cc4bee0171d6caa34daebf2e647d147739600982484527dcbc99d0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2d3a578cb5bbf197ed75b1254b49b5de

SHA1
0177c5bb145541342cfe4075c8234a7f7e254686

SHA256
0f483a3c793c639e8a8505589f6cf78584c3ac4a9d6f591e8ed8048d8d1c6c7e

SHA512
4920cc95dfb7a35a8f67afe3dfc014e408c995e5815b069d37daa56751d2c8e77e8deaf68129051d41a5e398f2b1ab94de348e516fe2ca759902b4d55820a4ee

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b9524c0bdd107c9b3c68e4020d37963e

SHA1
386ec0d237039bcef0c31bd616475daca9b82a12

SHA256
cce41206c72812c1dc9949784414ca2be3f4c696e394ee20711c9d5eaedf430a

SHA512
232aa7377e51153ee87fa3882f4ecde3aa7dd7f0916c06969c1eea2ec162f67f31364fce5ae2ddd9ee051cd40074f0360c3d7c50018069f4aef8dcec082d5335

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
23dc9a4e2201ba1eac7bb75164b4c680

SHA1
1f18733586e82e5208b4ec914fd1609002574655

SHA256
74641c577bd45f04c7998ab8528304089aaa8cff1572761d4908effd24ae9a7c

SHA512
70f786d1500297d65c20ae0e420d5377f532c1515cf3d64a45ea654d93a1b708dfec5753af6a07f91f657349c1f811122f3f9c5e5356a663c6f089a1f6ad5b8c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
499a733bda911fec1c87051e9446b7c7

SHA1
17cfd8545470457438535318e2aae45186f3ee69

SHA256
21950dfb8844878e4b9176b45a1ebd5e8cdd2c4b9ea907c4e528d2173eee50ef

SHA512
d5079229226e24268a4ac2e4704d5d37c06e90306a884c94eed2c3bd836c9834ca889db37141e5c91a6afbe728ffc2c9c3c9b1e4e529e138d17437d55e8759d0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ee5514bffda0b1ddd104eb712c35274f

SHA1
9e3ad9b211d5a7547d9f7da4a96c9b7bbd6180ed

SHA256
09cf5b7382679cfe2e4129d7c9d348a11da1fa797ef296ca50553b3659c4297b

SHA512
67fa1a636c374ddc36d34dc4453d6c993871cf89193c99f20f242fc995cb20e3f1c07eb407b55aa40f9456e5403f9b9f47084110f456138247e6462cc7df756b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2b3b4ca982d89753838ddfa0146e0090

SHA1
5bc786d1966386a8e0637491ac8f9897e69312aa

SHA256
39eab62fc7c5a0f46138eef3c50dad387b8f7bb3ab11b810715439ab2eb427a8

SHA512
d1270b8634c9093ad83ecb08f5a197b5801a9beb4b01dfed9f6d6065cb039f72bb14d1fc297d9b16aa2ad8375f83c15fc9339de86191c24596e20838b14173c1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
487b54b7a5db00ce390101e3b11bb4de

SHA1
5062bfb4ee45289d43a0d9c767dab26d972ed74e

SHA256
1cee108fd89dae3202141e0293613c7c29a564b3a8eff2a678f30c16b46bc740

SHA512
b66fbf8ea7a6a1a4e6605222a05bde641ed6a1730365d11fcfe5ad65d23d8d58ce1001060511ac1f5419aaa50f93ac2073002c2fdfe2fc00a8b7bc733f8744d5

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
77190a467569de0300ba383103eca2d4

SHA1
024e5f6254adcf43aec836af1aaba7865a63d88e

SHA256
37c1b9f674952af3c0e29fcb783708d6191542b16682d8e6159859c9cb4c75d3

SHA512
b9c027beb3a4e0a7fb89b38224bb54ce8767e83dbf084d459a434bba55e1939ff8dcb828b03bcd92c57b8c5c9c8aa766d5e5792e0aacff5d37af28790769ffaf

Download Submit
memory/228-158-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/228-164-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/228-166-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/228-363-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/772-527-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/900-492-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1268-133-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1268-151-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1268-134-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/1268-139-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/1340-660-0x0000025A99FE0000-0x0000025A99FF0000-memory.dmp

Filesize
64KB

Download
memory/1340-692-0x0000025A9A000000-0x0000025A9A200000-memory.dmp

Filesize
2.0MB

Download
memory/1340-662-0x0000025A9A000000-0x0000025A9A010000-memory.dmp

Filesize
64KB

Download
memory/1340-687-0x0000025A9A000000-0x0000025A9A010000-memory.dmp

Filesize
64KB

Download
memory/1340-684-0x0000025A9A000000-0x0000025A9A200000-memory.dmp

Filesize
2.0MB

Download
memory/1340-683-0x0000025A9A000000-0x0000025A9A200000-memory.dmp

Filesize
2.0MB

Download
memory/1340-688-0x0000025A9A000000-0x0000025A9A010000-memory.dmp

Filesize
64KB

Download
memory/1340-682-0x0000025A9A000000-0x0000025A9A200000-memory.dmp

Filesize
2.0MB

Download
memory/1340-681-0x0000025A9A000000-0x0000025A9A200000-memory.dmp

Filesize
2.0MB

Download
memory/1340-690-0x0000025A9A000000-0x0000025A9A200000-memory.dmp

Filesize
2.0MB

Download
memory/1340-691-0x0000025A9A000000-0x0000025A9A200000-memory.dmp

Filesize
2.0MB

Download
memory/1340-689-0x0000025A9A000000-0x0000025A9A200000-memory.dmp

Filesize
2.0MB

Download
memory/1340-661-0x0000025A9A000000-0x0000025A9A010000-memory.dmp

Filesize
64KB

Download
memory/1776-429-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1820-432-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2004-365-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2004-203-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2004-200-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2004-194-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2524-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2524-364-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2524-176-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2524-170-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2852-553-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2852-680-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2932-679-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2932-552-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3044-494-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3388-659-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3388-528-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3804-393-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3804-397-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3804-382-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3824-506-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3912-434-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3912-641-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4216-193-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4216-180-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4216-186-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4216-190-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4252-468-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4252-640-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4272-551-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4340-428-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4424-642-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4424-470-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4440-469-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4552-392-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4552-378-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4552-372-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4660-144-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/4660-168-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4660-153-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download