324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99

Analysis

max time kernel
81s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99.exe
Size

2.1MB
MD5

f99a0aaa7d7cd3154c912efb12146f29
SHA1

42bc97dee6f121ef0e1071c36a50c198dec93fc8
SHA256

324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99
SHA512

12b9c58bf1b63d449d8f72ee78d5e796b9d6e418608b67a010ac5efc85c1c1ae56c1cd6d71444e16ff2696005db62c62870347424bb2101efc4dbc834aac8b70
SSDEEP

49152:NUgvZl/oWfOyt3rlPku6ZRAouDFMyDgkAPZNqPYayvYNhVes:mgvPnqAouDF9XAPWP9yvMVV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5044	alg.exe
2080	elevation_service.exe
3864	elevation_service.exe
4572	maintenanceservice.exe
628	OSE.EXE
2188	DiagnosticsHub.StandardCollector.Service.exe
4848	fxssvc.exe
3288	msdtc.exe
1436	PerceptionSimulationService.exe
3088	perfhost.exe
3552	locator.exe
3312	SensorDataService.exe
4060	snmptrap.exe
2200	spectrum.exe
4940	ssh-agent.exe
1708	TieringEngineService.exe
3848	AgentService.exe
4772	vds.exe
4144	vssvc.exe
4728	wbengine.exe
3416	WmiApSrv.exe
4996	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3b8ecc8b66ec4f27.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76234\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76234\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dd95b6d2147da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000983b5e6d2147da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b00ed36d2147da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5ee306d2147da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f00636d2147da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c876596d2147da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b99dc6d2147da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e265276d2147da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3820	324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99.exe
3820	324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3820	324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99.exe
Token: SeDebugPrivilege	5044	alg.exe
Token: SeDebugPrivilege	5044	alg.exe
Token: SeDebugPrivilege	5044	alg.exe
Token: SeTakeOwnershipPrivilege	2080	elevation_service.exe
Token: SeAuditPrivilege	4848	fxssvc.exe
Token: SeRestorePrivilege	1708	TieringEngineService.exe
Token: SeManageVolumePrivilege	1708	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3848	AgentService.exe
Token: SeBackupPrivilege	4144	vssvc.exe
Token: SeRestorePrivilege	4144	vssvc.exe
Token: SeAuditPrivilege	4144	vssvc.exe
Token: SeBackupPrivilege	4728	wbengine.exe
Token: SeRestorePrivilege	4728	wbengine.exe
Token: SeSecurityPrivilege	4728	wbengine.exe
Token: 33	4996	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 4708	4996	SearchIndexer.exe	109
PID 4996 wrote to memory of 4708	4996	SearchIndexer.exe	109
PID 4996 wrote to memory of 632	4996	SearchIndexer.exe	108
PID 4996 wrote to memory of 632	4996	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99.exe
"C:\Users\Admin\AppData\Local\Temp\324d6abe1a283702d1295e34c181c0c688a2a789c5098b96e7702ff248ec5e99.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4572

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3288

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
  2⤵
  - Modifies data under HKEY_USERS
  PID:632
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3416

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3836

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3312

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
207KB

MD5
373770bb0c5323294e2eb71c3d4e314c

SHA1
84de72e853ecb4916df0b00678022e63d4f98843

SHA256
2e60dd64c5fae4f10c87dd0766e2439ca36d341b711705e1581b48e8a47824df

SHA512
615075135c1d605e81d3ccc2b1bf9a4d0f0fe126249ec411ba87e3edb4446d65c1ba9d072fa4f9db4ff7b803c5fe2ec770e9dd2bff039ac48e1cf381ab57650e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
397KB

MD5
99bb4a425a79b1a50dc19f68e1b95205

SHA1
1aa87e43b23c96297c806c474edad06c590d3c76

SHA256
c0d36b8669fe6d19e625edae2e0cd5df00758a4c4a55eeeb834863a9128722e5

SHA512
e2fba749988f3cd80970454e4bf13be33f83014bc94e78fd7181f2996f4815db8b450f0223d45fb452289e413f7d5239b5d1abbe7c8bd555de14a8eaef2d3aaa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
248KB

MD5
6816340041d11015dce28c1467d6ebec

SHA1
012e3c840ba02880f5cd45cff6086e21c0ba1ddc

SHA256
807fecd188da8d82d65c8610f66a9cfc675173ebce6f25a3d7fe8a1ae8efab93

SHA512
0e4a46438ec8ecdcdfc8c1d08dc6df5cf280bdee6dc76b2ec15a84eb662c8a51502eeac688c086ed7354c5e213c137b1992487f18ad5e6d1a99f18f65247f080

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
93KB

MD5
6dd7c7223d91baddb5efa8fe51292923

SHA1
c660e0fa51e8b4a6bfcf4077761875da98200c5f

SHA256
d0205d2c55f32e167d8cd53713733ae55099c92f92f6aecae1ea16e89b7e64b2

SHA512
87166ced53e2231b9bf904424edd112f82881c8d8df038e2c10fc211c0ac9ea1e83712d4e16cc1d9b47a773028227618bc6fe18a2e1b80addd01b44f6d88063c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
112KB

MD5
6ae0fe0a7ad7d24a2d07427454718f32

SHA1
e4028df9cd96738de91d94ab3764f0b0ecd5fc36

SHA256
c885fcb76ac046dfd393b87e3b4047035fc6ad9f9c7e8d28e0b4fb912011ebd6

SHA512
dd6812bb907e6adfe585f892849b43161db3f2825e6c4672fceca9e3a0b6cf4e5565c74e6d52d3f6dbe2f6e3a3576c3f69353cb3f6a0affe126883501339fe41

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
208KB

MD5
cf883e086bc73988388b59a2af2649e9

SHA1
6d18fe1032aaba7d19c2bf55cd985765061238a3

SHA256
1bb7f926c8969dea7a503a28f43aafa24cd6a723049a4df14f0bb4e7ccd386ec

SHA512
ff777d87e43225c4971f4b82f13c53c2beb0e15cbe0d285f678390886bdea3f09b563d7a9734f959cd24091c0d6c236dd338fcb322ef92c6707c9a459080350e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
160KB

MD5
14f263592197e28f27acdf451a41c376

SHA1
5bdb0f45274458844757f0cba95d887982c02e59

SHA256
5da4f4101b4d9288fa0c4bcba4a38c2c86e4c596161d681e1a0423ab3580d8dc

SHA512
47a46aaeb801d9b09d0fe76d857985b112f78bb7a43cf322e15f283cde0ef64c51eac172b036520c6c8c8225f9947d1b37d5436b28e81e1b149d6e889f41bcda

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
79KB

MD5
c679622130bcdc2589478e36e9b2a4a0

SHA1
273b91038bc6db04207b627fef28cd1534c1513f

SHA256
39bf62fb3aad7439a6a16c5710503a15027944a80e276fb6f59d58e871c33f4e

SHA512
e418e7334fd60c756bbf33c5172c005c8f28cd0127059f537bfb76d7aaf9b1b05d568956461a66d0d77348ccc63c60416739142e5265056a927eecf3fe6913d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
157KB

MD5
75a58d1d86d93a9b49e4ffaf1bb58f67

SHA1
1c6b098e6768a555b8656fab534f05f99bcfdc5b

SHA256
36a57c06ec0f088705dca3dd22f9c6b4a56ded0a19a0d1ace49b26341609a360

SHA512
70cf12f777c747a20ce162627428c56f9877bd922ab92f6c5810923279099cf41de0fe38515aa86452d541b8f6fdcb0cf32b40ab5d34cdd2ae32183f638927ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
93KB

MD5
59c845f31977a7312a302b0239818226

SHA1
c76c5af747d7bce49944e1cd3f131112818eff60

SHA256
d394acd3abdced11e1f698a55b45ba9af1848400347174851f9268185823b0e3

SHA512
f3640ff03a9b810b93b3aa3845f411ca2fb1dfd5eac9a5463fa967f9527b5ca27189eb19f71df54845cd6b4bde25b4d7966fb5a6366c0cff66e7f9104a04ee4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
68KB

MD5
a681eb21d025f6badcfadbb662648ced

SHA1
a327b073ab141f9d6d160c0f0b9e1e5a487f0ff4

SHA256
009e7d4635c8ff5156c4849ac4f69c110693249145ef14dfa046d663d474d0d7

SHA512
eebbf0fb0d7870936964e1ccd3126d4e126144820c656fc27211b4c874710380385140dda4d88d481fbb640815c10b9c0ceb44aacbd122b29a979c79406cb0cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
171KB

MD5
957769cbe757dca772b8cb5cdcb48aa0

SHA1
f4db29c409d1307f0cc45ac1e31c0b5d42d6f498

SHA256
96679c0c24e038febfac39fc56cc327e3a89f3af0bddec73abca076ab0644b67

SHA512
5d614937714154bb13d6a7407dae8dad21fe8ff1efaa3dcaec04a96298985e58a5f779643d00e320a710668784ad90a234d398037b6a3263588a7843d1fc3b72

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
107KB

MD5
4b67995c1384ac9b742d81346e3b0d2d

SHA1
663b9c5692760bc1ce8ad4b2a67e346938df3a41

SHA256
eb062be62f86e11d114f7778e6021699803ea20e0d603e8d45a586d0c1d69b5a

SHA512
6a633c98400900b8a030554f4710ddf46d2954071c2d7a6b63799f58bc37d8cbd30f2c9c62cd6163b952ae05b1be72c106c91a50913f3840df04662a5c84e1cd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
89KB

MD5
7bdbd77a867b0e1bf7a9fe45ece484e8

SHA1
6423c849aca26e67ed3c70233323089d02029ac0

SHA256
18fdd80aabe6551e973f7d02317af1bd2ab13230d4c1b191253676f1e0d8fb62

SHA512
be9079ebe6326698fe39089baf89be45b594659288348f3b15563baa507ae9e995a20457f7df4a380535ca14177fa3bb21b667b6c68daf97632ee6486a34ae02

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
65KB

MD5
ca3df23dc0dbe48c4b0abf11eb14b1a6

SHA1
73a585102e33e8617bd75c0d5659e5fa23a2e405

SHA256
2e70f6f6011af9faa596876bca166a347d0eab48a654b2e9de6513f38efd2a68

SHA512
c53d5b2a302150c9d1bb3688c12c1a8e454ffeca08ac5e59aff02f72f74423b99dd019c34b5d5cfc198db5bb0bd683c97843c49ece82be87638c22020e876559

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
151KB

MD5
1abd9408c100e6829d638e78cf5418aa

SHA1
9fb4546f46501e204fadb1c65a6183688070ee7e

SHA256
d268e79c6baff0a6863c254ee52f8515bade67c73e786697ab4dfa2c51149aed

SHA512
ddd0ee5b1152ac10075b7ada2e3ecfd3a2ec7091be5fe1c38bdbcd3291600e2389d780075a0b0b082a7e41a4785a076e65bc64b7c5639b32ae964bdadc85718f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2KB

MD5
12ab94a41119079a525cdcd1123231f9

SHA1
09f78bf42d8f7694105d705a6d193ea1a894bae2

SHA256
07b8b4b3ecf0f509a93d7aaf0f068666bf3cca8f4ae612dfb29c69cfa3ed8ea5

SHA512
a492d355309fff59ece3f2156903c88397ad28d99d9b48b81180e7866dbc3d108e82f0bcad5c610f5e9da76a68948dfc9d37575d959d9fbaf0051068e9b746f5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
158KB

MD5
285f72f490fdec3b8f115e7ea7eca3aa

SHA1
e00c8aed0f6a6645be33cffd8b3c8e0dda3bac85

SHA256
117b8c2a7ec916942e0a5bac45e7a12c02efccd34d5d670afdd5226b53a4e6af

SHA512
75f9d0937c72cb983ecddeeaec50a968eeb4ca015cce2e0469ac520a0e5c4e11a4ecbb7625bb31401938d914c8d9488f92db5dac299f2bb1925d6e6782cec010

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
213KB

MD5
bb7555ce492e2a5b30ec36084f504f3f

SHA1
454fa6dbb023ecdb951ead53e830399f794648c6

SHA256
a58c73c0577116796620de3825a65dd55cd6a2d1a071c9fc6118db327359e1a8

SHA512
7b8353a53de3eb4464ee682074c296588d201e26e35e5fa6fdffa3a6e6be3ae6dc27b4841337a46f853a98d8d9d884b039a11549ea116dbb598838092d6863f5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
183KB

MD5
ef523aefeec3b159df86306fadcdc61b

SHA1
d8522f0854c4441fbd128b3d9a592423541b6ecd

SHA256
3b043775c6bc40a59726ba3eef279c722171dc91f3d49b01c6d689a46cb4e744

SHA512
e67acffd716b42818baa3a85244a0d917e9bdee0067a20dd34f1347360ebee2e2372863bb55f0a0ce8e70c0b07118d6af9f7d9f81cdd9d880f6935731070888a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
162KB

MD5
3035e13ec6c4ef030b6519890a79a8e1

SHA1
dc4d096a6ba3ec1752f79583fbe245b8b7e3ee42

SHA256
f5ccb81d1802c043e77844e6183dfd684ff84dff33126fc064d524e59a9f74bf

SHA512
99130ffd59714d64631f8ec98d75297540c9f10e53ef9e0c456b81de9caea42a91224a0c225a52b5c55974e8d1b12627806968adc169d37c9ad591535e57caeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
140KB

MD5
383fabc29ae64a0c7864c71fba4c30a8

SHA1
d2d9d3912a3884ba6665b9ec0e16578575801771

SHA256
a4be4442e3d85f88c344909b3dacaf45a2613c1a738524713ecfb5ca4fa0ccb7

SHA512
6ef9712f8a8010a7b2bf4460656e173b57f4d909e3063e31003abea526779361d969206635e2bcebc6c79d4da9710d133bd04465b2d737a56c68d5a788c1f068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
108KB

MD5
a93621e34c13fa64da66908ce1176a3b

SHA1
e1e8a1732989dab6a8efd5f45460fbdca6de0464

SHA256
9a6564273b863c47b80223f99a1e7469cebbd14f8e04e4b624bd4653545efb3e

SHA512
d3bd3542de3a6783f8e515d6efa2a6556abccdb35c0fbbad8e4a2bc2a7dcb7af107e65c7b8c95bf494292e3e621e9b6be5d8de03a9e59adb232ce5010787c6ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
157KB

MD5
d4833fb99051c508e8292eee765ca347

SHA1
e845df09d09995b86143ed8ea0da679d3718b0c4

SHA256
05fa6add6dcf3a69f6d6df5589739eeb224d06583e2ad362c9ed3b576c32ccdf

SHA512
5ecfbb539e8d0b464455449dee32ba394675495e6c7f51b0908b6cab50b529efd0b8390568dd78a466145b04fb0c3dce61215e2a7d60b3fb67be80f814b25393

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
79KB

MD5
dc36a07cf2b3f1aea284a8e4a06230f5

SHA1
29afa7181153bed41e3a0034560085a7d16d7000

SHA256
861c9e84e58abaab8b2c3ee67da7795a237e34a867fad59970c6eeb867f65734

SHA512
58a58259ae56eb19f44922204dc48e6a348f54bdf56276441a31355bb78af8390ecc8aadb5e8cd71d7853e2ac63080d775312bee39452888cba902bd51cb0052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
149KB

MD5
1ce4d7eaa6a97a1ce75c5b10e67556c9

SHA1
b8249264ade985f5cb1f387659234f6a75182767

SHA256
23d0efc2f82af4fbf1a72f84f86a8ffa69f13c01256eb04740849208e441bef7

SHA512
7c4bbcfd0533bb0476db9914250a9897dbbd097bff3aa11ece5261fe27c29de31120c79267d1967d36dbdaaee17c294063e1483512f4f8e6112cabe052410edd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
148KB

MD5
157cf2e15acbd7fc074ef6c3b0df9989

SHA1
c3a6af50194e58bb51cd03228da43129087c7733

SHA256
a2ee73ac8382ef9d560a126ee511ebec50484ab4595381915113425c1385fc10

SHA512
cfe74319b168bfdc54c2793f8a99c43a9206dda85f46e444a06f75a3f1f13fa2b9e3b940159589d049fc2b32a0114f0b17a49234afca40911ac5dd07972b1ddb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
57KB

MD5
8391031bf4e5e2bd0fd9615e834ffd49

SHA1
b716766f703f0842874abeddfeff7a9cee050693

SHA256
7880505109f7319d8694c60afc3a457aeef50ad7abc4b8d06422b77bbcd5aa8a

SHA512
15ddd24a7973bd51a1f701914310110d299ec98c51f7ccf3e54879f64407e833d70a4438f8efdaaa05ff6d66dfe4b9b4a2377a3f310e09d99a0dca07ad4d3f99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
97KB

MD5
dd1f0dc6ff924958af901118d8dfa29e

SHA1
7c5e2561d9b61b4e8d7adc14420c34f3cc238e34

SHA256
e3f039936ab3902d9ea33ff5afb026089bc8678a5ddc9fe95dd808fa2f8f8cbf

SHA512
3d8198fa0602dfafaa5ad62cee670265810af727eb7afafb6dab727ebc93d464a7b3e99010606768dbecfb65beabf161f41cb5d181927dc9c154c0270a96fe1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
69KB

MD5
f3712854bb2d9a5ce992ea8cd5d6d13f

SHA1
10e0d1258ba40a3ebe500e1c1b58c8e12b36b7b0

SHA256
e4ba80d37faec603c93c97dbfeea682169dee8c3ee21b4ce67001c4c55b2a608

SHA512
acf3c458db7ced1d9eeb3e5577c39c5af307d7d496e9084d80d440c486057af9999358bc5c3884e5d1ebcf9a83d7713029f12913c0aab074d5a83c3d5fbdae48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
112KB

MD5
001e3385d5beec60a371b358c71f09cc

SHA1
189722d26d6ca4bc7e27654d124c58658a4183ca

SHA256
8d0f4c9fe38902ed7ce61250bb6fb4e06cf7258de5c0feb25e22e434f618b6a7

SHA512
db589a96d4590be1a7254bf2108f48f48fb039913f94a92f6c7f77a204b57beac005d0b27f2436cba1a9287837d4cb348f917c3a14c0f08743b0a210dcf45dbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
81KB

MD5
35cda3cbb212371125f98145fd34abb5

SHA1
6ac45cbc3f2b94a7ecd7b1cdebfa7d2f35760d6d

SHA256
f3d13b44d0228f2fd8dbb3d6309018da5d1aee1e59db44c89952853569e43be4

SHA512
7fcba66df239030688a7a4f8d02b8e6ba90f9163da89cb2add34cc007eaceeb41b6f0c66cfc114455283163dc59c0f22c91603455094818eacc37cb95e324ecb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1KB

MD5
04579987c5a5937ed79cb5ebdd3c4a7b

SHA1
c0d498e840ad7babf1d9877dd5783e25e5c01b7e

SHA256
6c93f777896f3e6c70538b5a967e03c956d23c934375bcccc9a473d078da409a

SHA512
416f8284ca7d2463d009a2558a6517a7001013670f5a4f6da28b63e445f1e7c533930a336ed59835f976d27c9763c9b8bb772745e585f66b70966e9544d3a739

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1KB

MD5
bce3d95037b83ee93538b69e3f4021a8

SHA1
fbd4b6179e37390600655dbdf2b35620f2aef23b

SHA256
5d595071cc71a8c872613a533101d8d16b4c97597f38d0549eeec8d6b71c0e60

SHA512
58e554e48d77d8ddfb50e70bf451e7ca1c1639082150c450cc1cbdaf63d922fb838031086876aa0dc6405832b14bc5ae931a52c68d2d8efafdbe8169f0c4e5c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
33KB

MD5
c83121eb913e43abfe25cadfe6a2ad9c

SHA1
d3aa86f04f1b06efa51ade8d2aa3bc69fde8ae03

SHA256
c7a2b3ba87c7cab41ba007d8590c7e3db898884ba70a905f25d0dcf048eec9c3

SHA512
5bd780b3a9b80749b77b557291fb14bd816588b35eb59b0aea6f21e955a27a2dbe466253f5dc2ebfe22449565c1d476fc63b86d5796fd465bc5a02e0ee0ac84d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
60KB

MD5
5b7f232916d11ea977d3815d0fe20eb6

SHA1
a5299f0e6faa4814cb3ed6953beefb5ed8ae582a

SHA256
8d17d28bbabcf309be35145cf52ca1526f398aa8e1e13987a91ddae8dba8a009

SHA512
acbdd67374866d8592426400b3cc14b914432862eac5a06cac14877221ff6447d7fb0acf4df4270449b54cc719056c2589fdee12ba4bf31a871b6c65a6a961dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1KB

MD5
4e0e47e11baa63f828bb64eeb70612be

SHA1
d6f5126fb9e21828738954d4da13611819dc4f76

SHA256
5c40ba4deb52f3dc3f2477163ac1c5925dd281e626189a177efb01166984208c

SHA512
9cb82945116d1fb79d09cbcf6b4cff99a0ddfb8934bfda66ed1473e9f269651515ce18ea4f8f57bf322b370c65dbee50cbecb1e7e18d980baac0267be47c4e0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
102KB

MD5
022790b57d35d2a0826b71fc77154606

SHA1
6e95c5bcb137c6461dee1a6a644868fa91e06e71

SHA256
1bcff5424f8597378f6a32fe0ba660ad89e47dfb1639ad91740b9c4f3daa6be0

SHA512
d99f4b179bf417f1dbb7a92f68e21249efacbb01166298860fbc093d99983060892ebc05e959251ce65a882bad7cf462bbaacb9a98ad3c2107352fa63182327a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1KB

MD5
46fd9df16571fd4e02859d4bb3ba3af5

SHA1
306834154b4c84cfe15c139fc8e43f2dcd0224ad

SHA256
c836ec39b79f6ff51960da8b724bdccca277bc555f6c131a8de2b0d8468b150f

SHA512
62f93020c2e80673a50651af169a92c0caf08f60edd142d76ae7ff9d01bfc69d4fe5159932df3e15a1848f58ff6effc3fb3bf1ae5970b07625ad1e714bbb3039

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
11KB

MD5
c85b1ce1d0c5a221b1457db2af4f19dd

SHA1
7f81ccc3122f0ad6a60399060de00f67939a3128

SHA256
d5cbb16f95aabb9dc7d755b52344b586488cb59bc5e9e98be194bb754baa4d15

SHA512
ff162682a3e03010f7806bb2f26f7e705fb0b6d09af011beee2c1ccf71689fafc882d93cc0dbc4aab3cc09c8204a01209f63fc1d82f6b521b462d492fac16f26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
9KB

MD5
079d4975c2e934bc39f042ba788cca73

SHA1
c8e5cda56f6160e87839a9cade00176fddb80193

SHA256
7680dec6aa0dc14678fe45dccd56f453716054b0bb2c8fc12518beb256bccde0

SHA512
2349e10e6adefb6e0f152385956f77a3d83ee2a304335c4a21298d63fb109b630932310967b88f89da3292e83c6f733463949e5a30277b9c49e5ae36f7ee7a34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
92KB

MD5
1d06ef06f6a0f114aab894facb439083

SHA1
bd3020a9cbee286472d6265ce5e27e0a86a2b308

SHA256
7f46b615d6e632a0ea1035066214796bc2ababb2aff446775e1d460dd99c96f7

SHA512
e256dccb2c65accb5ed7e4bb6cb8839174028c520eae9207b0bb5574ac9332d5f2337fbeb39b9c8bd23d6180daef15b9ae710f70eaf4b423a67d95b1b98325de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
9KB

MD5
0f836c479e56c6aceffc048830ed4e0f

SHA1
9853224aa650e2e623ab1dcff9fe3694094609de

SHA256
afa533124d51a45f25e755407e58cfb5cb409f07a4a1b2f6e9e3d647ec58f1e0

SHA512
74c814278a90867e917df7226a84a2715b672b2d93c3d5c0592bf295124111c025d88c2ddd4312ada7aa534747cec96d80c306604c5d3895ff9c96eb9d15f1a0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
90KB

MD5
b047aa56e1251983390132f7927d605d

SHA1
1ac317e2ea36438ac409fcbf557b40dfdf831ec4

SHA256
f1b52138f557df16a8e37c2fd64236d6b3773f39f2da9f03dbcc4bf6d221ad4c

SHA512
d9a1d6309b62fa50dffd118dd00154db2fb7ea6ace818eec1c0b57ac5deb9f0b6b0f2c67e7e3f28b25abc7c59165d804e50da84fbc06bd48ad4ef4a0c8a49209

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
386KB

MD5
aaedf89fe281c99168b3a2315cf7e032

SHA1
c167e62e42d9cdeb1f8ade8aa1986b9fbb74f51a

SHA256
587a64bf3085eb3ecc8c6ce42a471d31c8e9ce97d376b67de4acd4a7b4b2e4b5

SHA512
68ec24e97ce4607b51457e81b895db9d2335a4a1209fcd32cb58135ae1c181e2d6ccb1e3ee385518af137da3ffb3724a0915d38e3c3762c3d3d6b84c8e3c987e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
41KB

MD5
1112dbcb17c2784ee435a2e4ed534806

SHA1
cc5358b64c809a7ffcd1d080f0b6141b20122c64

SHA256
a24aab7f6b1b3ff338aa397828555ede5d92edcc8b90c0a7ddd3f13442896584

SHA512
c4345160a6b3a9069bd3995b1ac93f65bbb18995ba1e39dedc0da0a830be50fb1f8d67e3e0b6cddf8ffc302bcccb803ce286eb6ac5a6360e0b4ddf7d803c0681

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9b6d458c62c72ece049e9d8e469b08bc

SHA1
1bc705d5bf5e2dc11ff342433966ac68cc5e07b7

SHA256
bc2078acc9843db3445f67d9ce97b9433032d0af7ad2fcaeca6277b53fa69f69

SHA512
6716212debaa40b5adda94e242747c6d75b74388dc0d5b75c74a2aad23eb3a0637453691944b03fbbf8a6eac7ee5b128224ffc118b5dd0d0021f602756f848f9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
443KB

MD5
eb91ef4a4072391c2b32dc361a956470

SHA1
77ce9f06d2a0ecf1243aac93a9b16533373017dd

SHA256
7f6d45480acc0cc08efc250481ee22468fc85bde20accfa0222cc7b331306130

SHA512
6cd31c8fb3162f6523912cab9e17a0a9c74269edabce3c3845fa383235292b46253093f5a24352987dce686be3cdc5f783ee1c953d1ba1911fcc02c4f00c603d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
123KB

MD5
74850e78f27075677ce0083612942eef

SHA1
5e9755aa8e331c7ff15cc03f5d6ade652e24d0fd

SHA256
5606cbebefcf25445f06b064daa1d04862be231dd00da57a9bd2b4dc8133afbc

SHA512
0efb4213b7f375d6bad5fbc02bdf82f829cba927beef5b57c1c14c1617c54901b046e1d95102edb3283e21934c8cd1c1f2e25bae4024db4c6dec3a69f2da6b86

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
190KB

MD5
f6cb64c7f8c6662cea375b16af666712

SHA1
db31e24d9f7da6769c7a5a539587daa3a20e62f1

SHA256
ea0335301fd7624ee38a1c27bb9337257a5e30d6af293df89ef73b3ad9083e8e

SHA512
baecfcca4f0ebb6c712e152b2850cff1ebef595bff2c8f4f1838aadfbeb944ba8a44fd16640a516838859176c8698cfa7aac2306acc4cd732d1fdfaf29656d72

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
159KB

MD5
182a5054d3314410372cb00c88ad7a2f

SHA1
31cf1d80880b89efcd08c328fb31df2d1a5e113c

SHA256
dc7da1486bccac137a33f33dea7ee8a82d500c760800177bf687e955bd10da7c

SHA512
8dc20d8b3162005a5a8131d89e72b5d1bd2ecc47e9c45450a719c8311ce0933fc27d1ed678cec8ab95373aa91453f897fefbbc9576fb74ba34869da17d80225e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
46KB

MD5
5b20ace66262d2763ecc98f477914bb6

SHA1
9b269d61a3fdfe7475432d246e57693d96f8a101

SHA256
08eb7f2b4a66c97204eca46d9b1ab2b94f909bf001e59b677ee8b0057a48c5a8

SHA512
fd97f543047b703575c39db06a5b71b18870b8b24b76f619a8f0dbc6809f026c89426bd66da5dcba483f361d233d017caf52f4718d0f17417ad02575989880fd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
41KB

MD5
de59b4befefad2566f25c752fd15486b

SHA1
d3ae52529d6f0127d602a5a0c4de219acad90dfe

SHA256
c14148148a28adb83adbccc046e8ddb6b3a1e1577e6bb3cd2c65982c54c9e018

SHA512
0215a86a7511b8c5635f97284effbc72b5dc3b5d9c843e6a5751b2c59e8c8c26956aaf3fe7d2fa88d709b378ba22b0840ae4a5c9f56545b5cb119ce8937b8f76

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
33KB

MD5
bb542a64122e0afb0a1294476c0a26c6

SHA1
81e1803a6fd2b9fcc48db711d2caf2e054d54c87

SHA256
2f5cba73b6aae8dce68e0fd934515a175b43bb62c09d8bc2cab0e6e0cc3c2eba

SHA512
4e5317e099ae31e37b9e384a918979fd5764a2cf64c2848b7dfa2a653911131ce678116305f385a3ea123761d4e08a6fa02c5bf2eaac96aab4c6276a84b063df

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1KB

MD5
108cf4871986830988356d893fa23c9e

SHA1
253c90f4570909f8949aab732094f2667b0fe2eb

SHA256
8fde4e57837952044c1d385046be7002bdbead83679eb3304b66d7820fc77d78

SHA512
00b119bebccdfd4436fd726908976fad9c655b6e031b4c5fa4d052801c26da2d5355c9878666701bc4bf78430660d6555d84161ab9672ea7f0bdee51e307cc7e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
7KB

MD5
3ca59ed45808eb6c276c3c509871e9ad

SHA1
5b96479e3ed7dc49e206707b839a8fd27e13b228

SHA256
26cea82b02bb5ba6f1d4bff1a2a4ff7a348a12b33836af19a20575516350e4d7

SHA512
f1d178cb58297cacde2ac14cd95bf714f744355357e7f2aab03d04fbede064e9ec8b479ccc34ec8a9581ff52139fe918bcbe24ae363370669b1ae988a359ceaf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
168KB

MD5
1d6076af45289d90c5fdb7adf757f8ca

SHA1
31c1b0f527424642db74856176d2022a5bf525b3

SHA256
35e29703d11411321f0c0680b64d7ba48defac7750b1be50c39dc8e1b0f99cbe

SHA512
3a135f7124ebb9034b27fc2b37e65a104776afa9110c73d0cc9480f4d47b5967478560b2210211bc2236c7452d855bb41f56090b808dcd7df12349c9f7f13e8c

Download Submit
C:\Windows\System32\alg.exe

Filesize
336KB

MD5
e018cc3334d01770f29e4f1934b0098b

SHA1
4362d0554d5a691ec4cf6870407d9b1997214f0b

SHA256
4d3dc28fb41401c468e131d9344ff65985a2bf211a6f565f985c3a785fdb78d5

SHA512
d0b231cb2e7f426853d81401ca72007e14ae3bf442171e1f8f49658582b145f4b9faed2e132d16d7e486cf387c5e170263ad35feb510fd8642586acbc4bd22fd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
436KB

MD5
3822550118c6a0adb0274fc27409d273

SHA1
f3be346e52509cdc5842ec93b5946a19857e8120

SHA256
0c70ee0e3335bb0df82d006391abd59a8deb34afa6c4ef234892c4ec6e79a3e9

SHA512
3d2aab3a4cd2d531b0b2cd3d1b44374fa699335d1062539261270e7637e4426b533ac019b11ac74f0f9b994c63f80c2270430bbe167bb41cbc59a630b57cd508

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
48KB

MD5
01a5a11b5e9a94fa4f5045fd7d3bc808

SHA1
7079d59940bbd297eb03ecd123143b0a7aaf18d1

SHA256
004717e0716b89687e043eb130683ec27979d439d5bc541b038439d786742501

SHA512
9928295dc817a4a46dfa145e858cb448262d81f8cf93569875cecdf4095a85875f35c4b73a8207ce553e0ca3eeb8d4e81c9461a44f3784858c7a3d90859499e7

Download Submit
C:\Windows\System32\vds.exe

Filesize
92KB

MD5
2fcc751c1c08306770cc5868e197ff35

SHA1
3b429b6b25427ce2f855a48ccee8b463381e46fd

SHA256
8be10ff2b20569d99a3f1ceddcf40838edc13e3d84ccf7f1b342db893910745d

SHA512
f29481784a9c4e7a87fa6a93998e4eddf23c1633ba3c8fec1ff296d8952f2465b1f4855b1e14d92e23f4eaf275afed494a4cf0c46a8bc2fc2596f2c09da27771

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
102KB

MD5
2bd5fa997751ffcaf9e3425e6dcd6594

SHA1
1e4981179eb40544d04cdc66dab135a6ccd7e285

SHA256
c9049ce4580e9f2cc0d063502c17a8d9f3d169eb669bcc38f5b82bbd916d05b1

SHA512
f893a5730db37c972ad17bee0fb84b41d3ed82a1df1bfa697e8c96ce83ca3ccd2031edef59997588f222f46ea57dd597e69b43504b625b2459a9d7ca48e915ee

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1KB

MD5
c1891f485e7229b5673ab79d428abcef

SHA1
d1d6f452180de1390cc95b759dd8d94d0414fea6

SHA256
fc9a9cb7289bd0eff2bb1a39c602d4f169558a07c2419f5b23c93331c1157963

SHA512
744e623dd8f3bef95b5a18d45d74bbf9087beb6e5c4972d04d24636748a6d58cce89ead7d4edd5c35e2ffb2df2db0491e86760387a5ee0745baf06f1a8e41643

Download Submit
C:\odt\office2016setup.exe

Filesize
97KB

MD5
f47321b468cd1e8f268e705cf2b77133

SHA1
a48e004c979ece6c2be6b8bdde6566fec8305030

SHA256
3c8d2b28c1c867ad59fd006566c1c7a600919c35a9329b22c50ee736b5e73506

SHA512
d56a2ae8c2aa85812e7eda29c8ae3abff4af55a97afc416d0b1b29252875ea43d60bfd44d732e87e4e71ad233b29019b2651310f6ddba99429f020d86df19342

Download Submit
memory/628-71-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/628-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/628-64-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/628-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/632-548-0x000002C707070000-0x000002C707080000-memory.dmp

Filesize
64KB

Download
memory/632-555-0x000002C707070000-0x000002C707080000-memory.dmp

Filesize
64KB

Download
memory/1436-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1436-295-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1436-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1708-444-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1708-384-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1708-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2080-27-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2080-33-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2080-26-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2080-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2188-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2188-309-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2188-249-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2188-242-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2200-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2200-358-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2200-418-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3088-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3088-306-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/3088-362-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3288-279-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3288-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3288-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3312-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3312-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3312-331-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3416-446-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3416-455-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3552-376-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3552-318-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3552-310-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3820-1-0x0000000000BF0000-0x0000000000C56000-memory.dmp

Filesize
408KB

Download
memory/3820-18-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3820-6-0x0000000000BF0000-0x0000000000C56000-memory.dmp

Filesize
408KB

Download
memory/3820-0-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3848-398-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3848-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3848-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3848-403-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3864-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3864-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3864-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3864-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4060-405-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4060-345-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4060-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4144-419-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4144-554-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4144-428-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4572-56-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4572-48-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4572-63-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4572-49-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4572-59-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4728-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4728-441-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4772-546-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4772-415-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4772-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4848-264-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4848-253-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4848-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4848-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4848-269-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4940-371-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/4940-431-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4940-364-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4996-467-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/4996-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5044-21-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5044-229-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5044-11-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5044-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download