218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e.exe
Size

1.4MB
MD5

fda63f8ce5cc64feef81239791743f4a
SHA1

d9ac74529ef1ac438659f2a9defecf27b7e062e9
SHA256

218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e
SHA512

ff2e0da0337c992e75619a6db72e579208dcdd066e479831787d8f272f0b123865c3a7133c94618e0b9a3e0023ac53346fe2d15818c833b59cadfd1e6bdf8fe2
SSDEEP

24576:e7zNkhm5PBXlnkTqudMKBTvhinEeUUq5Uqs:+NEm5ZXGqebBr2EZUGU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2252	alg.exe
4696	elevation_service.exe
464	elevation_service.exe
3384	maintenanceservice.exe
3640	OSE.EXE
1732	DiagnosticsHub.StandardCollector.Service.exe
4044	fxssvc.exe
2816	msdtc.exe
4668	PerceptionSimulationService.exe
4116	perfhost.exe
772	locator.exe
3552	SensorDataService.exe
868	snmptrap.exe
2372	spectrum.exe
1752	ssh-agent.exe
1340	TieringEngineService.exe
2128	AgentService.exe
4504	vds.exe
1704	vssvc.exe
2560	wbengine.exe
456	WmiApSrv.exe
4608	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dd69bc77c92b1ccd.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0f012578b4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069c2e1558b4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f75fdf558b4fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000476039548b4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4056	218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e.exe
Token: SeDebugPrivilege	2252	alg.exe
Token: SeDebugPrivilege	2252	alg.exe
Token: SeDebugPrivilege	2252	alg.exe
Token: SeTakeOwnershipPrivilege	4696	elevation_service.exe
Token: SeAuditPrivilege	4044	fxssvc.exe
Token: SeRestorePrivilege	1340	TieringEngineService.exe
Token: SeManageVolumePrivilege	1340	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2128	AgentService.exe
Token: SeBackupPrivilege	1704	vssvc.exe
Token: SeRestorePrivilege	1704	vssvc.exe
Token: SeAuditPrivilege	1704	vssvc.exe
Token: SeBackupPrivilege	2560	wbengine.exe
Token: SeRestorePrivilege	2560	wbengine.exe
Token: SeSecurityPrivilege	2560	wbengine.exe
Token: 33	4608	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeDebugPrivilege	4696	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 1636	4608	SearchIndexer.exe	121
PID 4608 wrote to memory of 1636	4608	SearchIndexer.exe	121
PID 4608 wrote to memory of 4456	4608	SearchIndexer.exe	122
PID 4608 wrote to memory of 4456	4608	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e.exe
"C:\Users\Admin\AppData\Local\Temp\218c7e6fe2951508cc55a0e83c7b88458a9bffa239b3d225c726ecc42cc5fc9e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3384

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2384

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2816

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3552

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2732

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1636
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6dd7a435b8f516f99761685ee8bd5dba

SHA1
5621564609b1bb644792b9d70b62e35aec0b7b06

SHA256
bdeeb1f38ab6b9ba4de27f14ea7fe3a4d05355adbc4474b47898984392bb76ec

SHA512
6a80336c59ae36be9a852f8c3f441781721e71ea222e1598907e8c7beec7af0bd9f04ffab5ade2ecad3aa0b0e409d9b8fe6e1a94a6f4f2f8e833f78462d35c50

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c063f46bb2e01b1a7094d1ebba8a4a8e

SHA1
a382f79ef70e5487dd6df589ea10aa5ba79dcb12

SHA256
f70680ddf8572fa1532bdb77702fc12713b1670daf191dafd47b9adc8b658437

SHA512
ca22d41dd3755998f249ee22c6dc40c31a429c3fa26e5f7858e1853f543ea556c37ea31423eb2ad9a2dafd34d462e275cafebf47c1a6c9f411f0782fa506522d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
db2f85eb6e4055c3ff84d7c0541d8422

SHA1
cc5cdb0c94462d1d83eee95a7e7f0697b3666b8e

SHA256
1b433d08a4d5ace70a2c2ec27629a8f2078ae444312d893cbb262b6cf4956598

SHA512
c7de700b14fb89243840a337f4a44e131f02eafb0131e0b7d1390cd7f9f4ff6d00adcbc43bfc3d1ce1e9258faf925dc4d6d14c77952d01c75953eb9deb9a4bce

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c5956d571fa09b431974af1c019446fc

SHA1
af840b84524fedcb8d48423be0457c5e1b46092f

SHA256
d1065308145ffd084417f405bec25ba565b051d5e8baaee545e72d9745d6e3ed

SHA512
e7a969f2a4b518f578f725274318f4df3ef531a600a1afc601cd9d08141a8e7b545d914fd24b60c7cc7e7b974d27c0d47b68028d7dddfac307b0a562efa591ed

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
698a2c5deace332adeaf82bf53caca70

SHA1
b7b728c2e8ac63cd9bd2968642c3c627b38e04ec

SHA256
7015396f32656a2e0f74d67040dde5e9c2ade39670e43c7dab17039715581f9e

SHA512
8d889457c4c353b5e87517d4229c54a1b1212ea15820a34a7578e5db790ae25ba08c1946b2e9bdfed866d09704fd51be517f84829d70278eab240def99450558

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
448KB

MD5
8caec49eadbba5b334207f18a5bf0199

SHA1
be151428931a9e68af04d8b5a186bcc103192ab5

SHA256
13f76158d7f4cb61a12bd987b67a5e9d51692bcf25443568bb7a8a1f5a04324a

SHA512
2c719f9e5344a602b3db020352af4656c004cbfd428b21592c24f48b104b7802c3d1389149bd8b19238ae05780a55879599b2c3d291f0470fc7cf7547a343f34

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
4eac49b2fa0321039c76c66ec2b6e022

SHA1
a3b588a92a565a1d560fb80fe8e87e11fb40a9ab

SHA256
cc578f0c0eb62435606cc971d62f48a4d3d6c7cc4ca8d97d4d1993a60ad0b2f6

SHA512
e5e44b039ff150454653908158d4cafe7eb7220e74496039a8d3fc0e1ee66cf54fbe761324a5d824d4903b6b8e3513762512771af2805d71d892a1b668f7826b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c8a4ad106803f3bc150cdaf56f529d96

SHA1
6a6b2fe705f7fb41d0f79d4436f267c11a36571d

SHA256
522333c4d0fc0b5439f3d24e5d3f32dad8f892903142e915e5fa0d4ddb614509

SHA512
64f6de62fb3312aac1f309208ea94f6050f17ce4a319696097f3cdd7c1dff9d0e93a30a473c12bbf03a98f16cf981131adb3d621d59020307b116c040401145b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4a9f3f689cb4cdea9bbe9c950bababcc

SHA1
83d7e87e5a827e5bd4dd3aca8be2ccf4d3e00a91

SHA256
25bbd93282e2e76785050175a1de2e4d5d4c63d0a6cb201a84c88e788be06d4b

SHA512
658ae8ea8e099a9edef062c0adcdf29cf77e187e9eedcda980ae8ec38bd3b25bdc1fb5b09fc942846ee0c9b7fc3e179b2e8073607690223570a626c305a024b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
128KB

MD5
e3ff7b8b95ea2dbb1fb4e50f386e3f80

SHA1
28c7a8db18e5df598c02da8601c705c095838d04

SHA256
99a044e0f99c7978e31b1c1e4e8a3bdc2d5f153222666210ecfd5ed9e59eeef3

SHA512
f455af51f80d91854696f42df5c17305827947da37e84b8713c846e20c5c4edd0043128256053413221e014403f7347cd595979a201a454096ea37f1e56788ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8676256cec8e00c9cfea7f0ab531d780

SHA1
f7081c218345941bdcc170c9373b7a8fa0e10d99

SHA256
a9d2ae1ac3f5a0c529bbe6b3d314c2d1a1e2d796385cb6034bf7c7bb55737636

SHA512
51ff3c522ba21b2bf2ec87026516549aa7d63d1d0031701d6a68622369eccf7ada5f623327077b4e4a236832527f9138b2fb233a8064a16b564cf72484e6d618

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
253031e6a685be98bc61fdafda7fca89

SHA1
408f248f18b9d03f829ea00b92f0890bbcb385c7

SHA256
a33f87bb220c4dcc05e1f96cc598ffd7e8418b4c33214d81c8dac0aac90c9136

SHA512
4b23d4e82b3b3e19656264360ec17b25d2422ab4dd95986cdda23d64b4f3781f40b73679e42ff7518926282f338dca5cfa40f514515330934baba459a2403b26

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7cacded527e78e7166ff38850c68c5d0

SHA1
1c7e7bebcec96c0d0557aa7079d9b26485ac6204

SHA256
6490797eafc4c71b229311f31d2b6e344aecdbf926c1db6fdd991fac42ae5151

SHA512
cc139e2f2c6848f6deea331a54cc4ca20b3d232c4fd93e4f82b058a1b0424c657e41d97d0d12c84afe5f21ab67778d8b8bddc9c4b1d77e82c000db007b597152

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
3760338bce59ec446436587accb55ab2

SHA1
208871780b61c70eb14f88c34545fe11c450edde

SHA256
6448ccab1e5d889bc24ff2eac3968916352f00318e99f14a517315114bbe86aa

SHA512
0cfb3fd7dcb82d3dee2ee1f67102849a06a71f1443bf025e67164e3d5fec6ace6d920c8d15633a652c2c84e6038d85f40220366f8cdd31f476a7b582bedd6d98

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
04a1a77e50ca487157d4981a63585a71

SHA1
d9abfce2c85ea5f7b2bda9af1dcb52f1b7f12e5a

SHA256
026f8fdd5e6c1d4f4d4c303e61a207c8fd06a7a4dbc4560a18662ab6b76899b1

SHA512
5885d4fce9b05eca94a7cea4a9d4eaa163e3875935dcabb1ead22d4b5a8701ece6a080764efdafe4593cdd2cc03a7d9eadd6a9cadba348300e7a7c58fd242f5e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
ac6906c2f750e6eb55c6301362a0133e

SHA1
1fecff43d5851789ff678cd22517844f2e13970f

SHA256
8dadd44f4d0005f6d77e620161e0c74a4eff1e17b71c027103db9860850ab7cf

SHA512
10a78cabe2f8c3f2800028de10eff4a52bb7d1316a4d2b258ece0ed13bc6a05e784bae13bcea360a8a647d19309653b444a7b23c8c67acc1bf5a7596edefc1c7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
6334ccf22c0d2f3bc43faa330fd59e84

SHA1
1a3129b06a0aad82e3604535a7e0377583a1e3d9

SHA256
d57e01efead4bd725481d130f7321c49105462ca04db06b3b63cac26d584add7

SHA512
23ba58980f658ce839b081f60579e0ce1ca334d65e6e93dbbe2afd9cfdb86d73b35d25e31c1e45ade705fa81f2d64f4e09905353a08737e25b1f8b117aad3399

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
960KB

MD5
1d6fc01665ea8eb13e2b3ed7d0e280b3

SHA1
0427af1afa504ac86efeed185bf678f9268a5063

SHA256
b76ece3cd07b09fc4afacf80fa985a1f902657727957dacd67eb263a7cb57896

SHA512
d923af6edab5308af3d280a1418ab153b8a66cba1dbf17328f61aa8bbc3ae27fa40515afce45708bbca10d277e323c999311ef9396d05ad8823830fcae3690a7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
53cb8dd8547b5c923ccd543334a84dbb

SHA1
92262d8ebd8bc8874065000bec1e2e02eada454d

SHA256
5a7312db2015c13132c057c6bd91bffc831143b2614cc45c08f44f9702a88d98

SHA512
e1570cb4fccc946f825765dca96982515d768a2a9881d5d1fbac8f2a66e9a74126118d20579beb13b9fae5f75d45a3049758c360fc947cd95d2738ff0fb40f19

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
e5a1c326e55f0512505218f02f829817

SHA1
ef8c2f7eccc189fe0efd8b881acfdfc9f94be2a8

SHA256
3942d3f26507af461c8413ef6e6206fc7835f96027581a4ae3bc06c5480da2e5

SHA512
309ace31879373ead47ececaebbd08a0e9889d71645c1d5433ad033f64f7beb54331ea937db167ee0cc4612782585589042e0fa18724aaabd8749fc51c34258b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ee1fa15832d8a61763aef7bb538ba914

SHA1
ba0b4e68cf80220cd67f5d12870a16cf7f5b733f

SHA256
7c2690a082316b7dfa13aab0be1c06985d878d911b4864041c3274963d1c173b

SHA512
9b452dc66fbc19dc91cc206f2fda2d2b8a44e7194ecdef28e38b891c3e81e032769d793d6afd39f4bd5a77f898ae72a19e218c6ed8df2c1d643d079f927b83d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d7223610758a17247598f3b36ba1b4c1

SHA1
2da5f3515c706e53b1632a6a77fa9f5db5244c03

SHA256
890df5e27afb63145ba101656e93b8f4d3725134704f35d547fe89108af82b4f

SHA512
817ab5f1dd5a03a857aa43af3c5ef984fc3b46e7f74ecd9d496494460e9943e6260dfab97e60d288538a7d220c51bd02e521faf2a5be198ec042c1dd983655c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a64947e6cd0bd788792cc61d1d307ea7

SHA1
64698050073269633f8e85ca2abb27ed88c6c3ca

SHA256
b8845801e93c53e3595c7aa3e2389f7fa084d6a2b37e5736af0ea7ffd382fe84

SHA512
396019b880defe7f25831b1e2bd13551e862f6f0171997f3ef63f3e903baef7c909e99753d8223489518d69d89e2706ac6843dc5afecf2cd763f8268afb80991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
a3e0a372053964368a7c07cd46007533

SHA1
50851761f55eaa9339fb26126604e7fac2e746a0

SHA256
94a69b931ea82cfcf5b444a992a94e0289e828b7bab1405d9d6a481706dcb815

SHA512
611b305a5eca7beb02ba6b03836519981fcbb49d1cf316751e554830f8ed3304470b5327dcc31607e7b1d742e8be13016049df6aeaef1b4fc2c916e1a2a7b84d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3cf10a147a1b48743187c2c4356ba6e2

SHA1
6c5747455b2f0dbb3fec94a3d04f40df85c69c3d

SHA256
4e1156168a7e4a65f2efbc1c28cd4d02bf1a140cd503bc938a531cc0b475b978

SHA512
11520d8325d21c747ac0c3c10a6effdee6daf2910ebf902fcf792084622fa58359917db5e5249375dd41c7ebab78911e60ec4aea6b9bdcdaf2b953c57c9ddb57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
803feacffe3cceb34a3e9521f078994a

SHA1
904b3d3723241e08556d8a831c0312adf44ce701

SHA256
76a9901a0be8a9a775d9e13cccfb342f57ad0f379595f5cb54b7dd4b3f077b27

SHA512
0159ac4cd9a6dfe9b8659ac2bb49dea017f9f4e3ed3ef8d5fd72712a98710f6eb3d2d7a51d1a975348d7aacaae04c2e8656d960e2301ec7a48433b52894210d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
6faf01bfd6c541c10022eff132e856db

SHA1
f8d3effaec4a35d5e082bc531cd4d8f630e51fef

SHA256
abffce5e001ffc13f5f3315dde7a057c3e90b6ebd1d6cd3334d2805d51b0a962

SHA512
2f21b8663b5bc2a19f68e45df029956d6260ce4e60cd087896bf9889ad20d0608ba21e18959099491687706fbe0cd434432d56b1600c1d0aa11876b64d3179d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ce0bee87bbe722cde3eefe57da3bdfc3

SHA1
669bffb52d0a33e2aabace1a119f311a1d7f68ef

SHA256
8814f704a25d6f937dc690e5d9038c89ae0db568c754956d7870166bb8433ffa

SHA512
1b3fdd6e3a5bfdd17ba002e810ee7af98c03e5246c96e4fa4bc60b0f1707634375a63cef9fabc40ac82bcf0e743bb33d687cb0708e2963aed7b0e3364beb2980

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d894e3cd1c5a5d3e19e7cfc3251491a0

SHA1
3745d6725aa472fd3c2f18cdf4f24e72658d596b

SHA256
4e2edcc6e38b382bc5492de89c5713e3a69439458f1955ce790b63433c18ee5e

SHA512
0049fa2de9f29495120d7214490db2c9ec3a7f7cc5d5a5691210f9dab7e0c249c36e5bda1b1a7d55233d74672634304302b0e5c4768e0952e02145723a8d9a97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
bc7a0e083557223fe5abbfb4b86bed50

SHA1
d6dbc75a16e16838cd4fba9e732f755ec9a6ea61

SHA256
6832c603689482f7a8db04d8429e7694fc48ce3bc45086a60044c0ceebbd83c9

SHA512
fe5ac714f8d45216bb05cce86d425a2ce97dccea9ed065aedc8a0cae31c995da4e3015bc298af876b8a2453b9a295fa48f7d3180c3f2480933aa49c3cc248ef0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6e1b6f74720b3cd34ddb520f61369de4

SHA1
25cb8cb416cd8cc4da56b22ddf75e625bfba4544

SHA256
3c89c3674ceacf61dd7faa6c22f3666c3a30e6ed7b9d4447faee20ec4ece797b

SHA512
e60a7b43e89a5e14c493b83f8adf56d71371a63cabd9feec8efdab4116b72050b776df4f17e2d19bb713252597aa801a45c39cbd6104287ea6c17b8a97c052d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c0065e493dbb4d8812582bd9222c7e62

SHA1
65654e05c797bba2ae8e8ca8f53911ea9b5a2f0c

SHA256
b266179df5510c8b5196a5c9a816f08d3964a18bff77a3c21e35071170e81571

SHA512
1fdacb4078fe84cbca274b9ce7dc658a41096f26734abcb47dae2f2830f450dd880b9cceb8a0c15870a9a65c4930419bdb511cac1d237133f16ba19118e4e94a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
df5d451b1926963359d7c9b9a53a9e63

SHA1
992179d364049cd26be4774b240d469de77a9974

SHA256
f2642aa5560ecfc9e3db64df3155c4fceeb2aad639e5e7a1ba77c1705a31f5ce

SHA512
a2dfe86a1077e007f1b7e762391bdd94b03ae99866f7bb1c72e83c484715f61c47e71dac664128f272c611922359ff8f7cc5be16dd4b07afc6f095b3bdf1c22c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
7086a6b32598ce42379fe0f8c9b1fe0f

SHA1
31800f2ce469a9c16ab898f083b22d4cf6431dc8

SHA256
f8c6dbe5c48d36cc538947db4a140bb2d0cf3d6fdac7842a45fdb9eb0c467ec2

SHA512
bc37df6af22e5d3757b82ce60722aa95695e3f8750996a52650f87c727eee705d2dc90a5e4fbb9659b5f352925e094ba0a6868350e20a7cd96ec600abb5daa92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
8125c441c6721e19d74ca12dca869197

SHA1
b86aec9d612fb9194cf676942d9f675317d44754

SHA256
7ecf1e6ad34f0e726c7da28dac2a9288311533ba8e40cd82f929b90d0764d621

SHA512
911bfb25dc273dbd2867bb855ee99b17c2269dd876729ec53f1452644761332ed592282821705bf0abef474bcf7abe994be4a3b924b10f3ac547a06876c1c2c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a4391232a74574c84543ac9696e61298

SHA1
f2d13c0339a2acb01ecd7887ab5230f445c358b4

SHA256
d071871ccba63d70defd202d395507e00bed5a44f647f81ac89b14a1f5088e92

SHA512
7510515a63f52805986ae5266f0316170f8427002b918c16845d6510831938e2609d57d61da03eb03cb66934bfb0f1c8e57b708ed51dc7bbff1103d83f9776c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7b16e4aa79b4c8229ab33db4cc18fa53

SHA1
bdf928c107c133cfc51c1a1ada6a4c3c1692bd5d

SHA256
7c6ce21e9052076c23159cab7bf8bdc74385aeff104b689d2a71ad1e0d0bb7d5

SHA512
19a9be738d0a65e645aef623da6a4f676e4b9cbcf9a21a633814b24ec777518f190fb1a4488c434a73528e308f4e94d5b9003daa3188c0eb8d46d6515d7bda65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
1f51dc9252098c875e5e1a20b30f23b5

SHA1
b3bab69e081e780716bf9e67e7541fb8aaff39e3

SHA256
6bd30545a57782ec1f0261b3bb822c732c24c23589041adb0489fa3a581b43b8

SHA512
7f24e4d29c8aadafa9bf83f2209d956ebc3ab7537001c40a64c86f671b752110c92b1e98da0ac4b8e20fa0852ebede4c27d99d609a628ec8fe55c4be31e698d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
7a0543f8b2d9d395a83847500eb5462f

SHA1
33d8dbde065cfed6149f24b4a6e3b2164d77f8b8

SHA256
5f68ed18332adb8389b435b56993d1d556743420031961cad73ede916087ab87

SHA512
c765e1651217ca1c61bd206586637b55966a780de0b3068ce59bf2781044f9f2f3279417688ecb5b4a1394e8f78f765aff0732ae462350cba77d36e3e1859fc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
2d08266891fbd024c5784e633ca96ea8

SHA1
c8deb4df8b7318ee1ae6ef631adc3ac12cee0975

SHA256
94bcae20567cb9a48b33501d26df1cf5b1417112009f10f6d6412c64cbaa73b3

SHA512
d8e70e15b4c554d50801cae81ab34be684c884c7457bef2788458db3292868d1f218ad25e6301cff590538a708c652fd388eb9572f6d289d645ffb0632805b7f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6533a3e7af353b4b65038d647f5b4dc0

SHA1
dbaa8fa1e47575fd42113fcdb9872775f774e096

SHA256
c9da4dce53aefc24f3dc552c5130a73df951596fc7aef1dc84cb4b8324988683

SHA512
f95aa436dc83e94a4f5c96ae8fcfb12b0da6264a490d88afd263a43c46f9dcf5e1d412a469ba2d88d12cd0ee8929e2f3e67abfc89305cfd41271a781f29cb9f9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
25543ee67ad5487b03ec77a683a1e02a

SHA1
4d4c1a28b7539e7dcff0a8e042e8a10b3eb958d4

SHA256
e803b7cbe79dde825f0773301a79c5670b83cecae2c3cc28950c031520986a07

SHA512
c7d5b034bc6b95942873de6cb613323f34d5d10d7d63269a50f8ae606fac1d54586a2162e5da79625a9fdb0215f146848bbe0546e382ec5aa6365fcc24949db2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e839cfac782df45e45a6429972806584

SHA1
4850de3e96b42556caabb1b0f6845c7d092467ba

SHA256
1eca3e0e3c9bc2e2b678c7564c66423e0a0d01f6b1e7b4928a3d1e36b0a02237

SHA512
c14b320a3f8229eeba82d6337449a6ce0b4643fa25a370615f6043baa70837a5065b74bb1751760d4761097d1cb2953bf65d88457709b11253ef2fa30a965d5e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.8MB

MD5
6e8990ffdf0063e8b62ffff39cfa9fad

SHA1
b89d5510e85f6ea993044f78dfd5f7f7ce599807

SHA256
c7745f0a63ae4c0614309a700b852aeec12106a2075b83c59f0010e523da075a

SHA512
2074789bb7561521e74456011de235e8e38f4cc7bdad0eea8c21f5ceb5f22eb738340db6542530a69cc30b28329dcf87c4c990543e6e51ed5468d07b7ac2452d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
63c02f8492b01452faf78a34e2497634

SHA1
8dad938c0a3169ae3d2d40c9c9c4c639b4fdc583

SHA256
525b07ce12e4189737b55df0d86768711d10916af4ef9e862249e441b9a91475

SHA512
d291ca3b47874413395c7d925ec8c8de5c2e18d8be6f9b7c813b8e27611a5936b6d8a4dc0a180c59cdf2b425480737572675a91e2101c1d60cd4d55d1508ec12

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e7f90e6af9298674ad7c61c0a6f4d43e

SHA1
e1957246016d4be79cf59bd73170a3282132ce2b

SHA256
396198a8fab8eb0f5073db6544f8bf54554fe11db0a08ec619d41cd40f9e7719

SHA512
a06ab6c0ae80607100a65ad500e73db653ba453d7ff077ef20c1f77d8f2964b46c8a9bfe5ff36f33f96ee41e597bd9f8845a19c637651201541fcc97a85fd957

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5d7da208207103426302bf93299982ec

SHA1
435ba675fb67c95275c7ac7cc354c6a76ee3660e

SHA256
f8ef822232bd3f397a888bd46241f1f7baced530c0aca76f609a286767e2a210

SHA512
1c0e4ea81bf93285776d033148a18302100a8d72782b4ee7c109f2cc8140d0dd7a936413028b5c97c8baa70a660e37616c33012e79c490d579c959fff5c0e14a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e6cf24614036b925553ad2c52db2a8a1

SHA1
7019144e1e624f1bc7a307006499c77d7aff8aa5

SHA256
ec331efd8838d9197051ee651290566426def52ee05fc02e8b9369647a423bd2

SHA512
933223dceee4d48e96a1a08df7095cf1c1bfbf18583f345a8ccf74fec7fc841e8d4afaa27d2ffb3315190c36c59892d7926839997ebf232cee3292bfe823e5b2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c5d1f6c221d2c1e3b803340a17025d0b

SHA1
7674c4f03cc4f068366e6a2c6172ebfa6be75753

SHA256
52e080c60999e92cc95502f6589d2462d2aae26abf8788b9ccd91f4a833ccffa

SHA512
c5a937cbccaf50db27a329a1060c55f19956fb501a23644ea76aa9a893e825be443502aa41f3dee1164d5f9e0a6c99e8eb4e646dc432d9a2d6d527c500f916bd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
af24675e1270264999083fbe42e85870

SHA1
4dd04964f492ad5b46be97b2a28d2245bc6cbef2

SHA256
c2ff0573fcfca57bae068e8811e8b12507e624f0059c0d15f2272b6395770b2d

SHA512
9387215d7442e00f0fe6153142614035a0759411320ae89e31f866c08dd9bae897c2ba60a15d3360962514a422329747cfa06162c097b838d4eb50fd44319b32

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5070323404f67306b0dc710eb8f2b72c

SHA1
49d93cbd046b3b08f8e1f88890a9bdb95298060c

SHA256
6f3e243eacbb83c2182ac995b37c7835b26e621dcd61d126dce26a7a0a8c518e

SHA512
fd6349aaf6627bbc36811630f270fa5b01177cd137fd6061f931b618fd87568c5500ca4671e62753e719953cf31b9ef438e453a42313b1f850119793b168a355

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e103af81ae2b09cb3e8c1faf1fbb5833

SHA1
9a5962fbe8bfd183b1c1eb28d9ce02429e2a4950

SHA256
aa0ffc5cabc322b92690346fc0826115abb2fd090748b2300fc4826b181cdb66

SHA512
993886729cbf2de981c8fc4e462f3ddabb80da8838384b2dace5219f37a4d17e74f5513cedb1e4a08ab29d5d9f3350ca2085ed1dea330ed910412b2992d97c55

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b9dc6fd7f3feb70a845610c51be18922

SHA1
d054d13766675424da6df5dd17cd717d6a422e6f

SHA256
e93d91ef0262c0216d317f035b17aedf5b50e17dc8ffd9ba0561351239ba4657

SHA512
502be4c9795fcce2e96ea0c5b3f16d8713584dd6caa09db856343eb7dcd1f935bc046eff3997288129dabfca607ee3c51b110f8a99f56454fb3e23de6f9db8de

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
69fd6149b5ed82445708e37fcd9d63ac

SHA1
27a961433edb04cb9f00597ae7600a9a4b48dfde

SHA256
da5f9730f1191e3de72aa9e7b61e54d06b8c36219dfbdadc8bb4c1870f65dcc6

SHA512
a991626aea003549258483a5984f66e620e502e5ae64685d9a3946fa163fb7a43becc2e9cd54fe99958c0eb7c3183862f25a5ff2fe2e8775adb90efd38153f7f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
84d0be23e70fd3613ed9edfe1cc58aba

SHA1
544d0d328d2218c20dfc2395a59df82d510c336a

SHA256
4451f35fca22f318a6f5cff307849a8c27516c19010ef8a483dc6976a49066ee

SHA512
43d4b4c24648f90d8afd10506e27f5a2d84df3382ecc84a46a4a98a53b151b734c04298a357e56192e4b3cbbb2889f7b11adc93a7d0fda4876ccef8e3be2e3b2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8c5ac951f975574b5c995ba9aacbae00

SHA1
b14a567a45a99d19f0402e5ebc97c707ba156512

SHA256
2f0ccf9d6192e6d43fbefa56cf7935ab4d65af5bfef67aa8bcb357d9e5533171

SHA512
a466a33f8913323b7808a61fddffc27c0379681fda3c846ba7c43a319f21f7cf34a6f05e3aba01f458f30dbcef2ed6993f3bc531477b039e89a2ca6c208997bd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
77243eb1da19d0be7f4816c3d3417bbe

SHA1
c3f77cf871fc81ce48c66e89c3da98e1915c3345

SHA256
7b3f6be120bb641dc397e33e0ca07755ebb23f1814d9006fe52ed357a041d1ab

SHA512
93a24b87629022be61390237ed6ae2e9de0e10be635deb88387bf8f511b42cb44dde098e1f76fa7700a573c6a98faaf421197a749e30d568ace4c02d1a51dfac

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
34f9118f0d0b54a6083fc44b0784c251

SHA1
0791c7245019a5f87dd6389d42bcf0e1b2ab94c0

SHA256
080ea26395b77e381e8709200c3d37186867c9a6e9f3e12d91f82b497242c69f

SHA512
aab96fa5cde599dd0cd6c8c9960a14b813c9bc4047b1695041e45e8611e803e04b3c0b25325035ed1f564533fb826e94d076c8f7f1de4b32efcc3fc2830ba266

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
455032f35bca42bac72b87652a5bb819

SHA1
8e82c7549e2ec0c342b5750e72c14cb2dff0f407

SHA256
a7848c21fa48104b18e3e56109e50fe9005e2344abfd52f80770a9dc39175e2d

SHA512
925833fc302286017c45ee44caabe46a590dabb64f575be5a3a46bc4f113e440957451e4fc2d53c9b4e2f5247dbc38cc20ec6c3b443e479747cd29a6d47db6e8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dfeb834045f8e3d4179fdd1b79ef60f0

SHA1
abd4dd4694c9f942a695680f259c1e1d61b074d9

SHA256
362d1dcb132f4070deb593d53b3f838789deba44c9c6ede7c97ce75a89dfa372

SHA512
fa4b35377f159693dd36eb1cfdf84e336b890c8566ce06f1990f5a5159d416167bb1f5b645e1ba6041f9baa7a0a4d02aaad6c0aac136568bc02231bca1b4fa5f

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0f3c5f515d6a7ecdce9bab04d7dc7141

SHA1
819f8616905e0d3c4df98a04404cd68e9f6fef00

SHA256
82a8a899cdc649bc6a5b3ddbafe0973e9fd430921c365ea517e6ad27e18ad211

SHA512
164177b8f46a010affdf4f095b02382376b51255a91fe190d554cabab3639a1eaeb9c8d3cd5577c809c0f5e71408c47b7654b766d5c03299cb6a79ccdf1dcd23

Download Submit
C:\odt\office2016setup.exe

Filesize
1.3MB

MD5
463ee11f2afa748f0d6265b623346f9e

SHA1
58453ec411a1a6f17d6800b35a8830dcbb93bda9

SHA256
8a8c20a88292fe6ce9351dd33924f229e94526dd98d2c541e0cfbc45b0af8af6

SHA512
9dfadfb0bc230c67227e6faa85e7e53fd5b5d75d66a087eaca13010cbb6ecd18bade3fd29aa81826da75680963692135f7a72b324cdb7b3a182e90edc63deb64

Download Submit
memory/456-460-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/456-452-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/464-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/464-215-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/772-381-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/772-317-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/772-325-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/868-350-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/868-343-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/868-412-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1340-450-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1340-383-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1340-390-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1704-434-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1704-426-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1732-247-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1732-255-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1732-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1732-248-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1752-378-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1752-437-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1752-369-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2128-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2128-408-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2128-404-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2128-409-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2252-103-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2252-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2252-14-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2252-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2252-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2372-363-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2372-355-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2372-424-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2560-438-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2560-446-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2816-341-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2816-272-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2816-284-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3384-55-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3384-64-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3384-68-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3384-61-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3384-54-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3552-330-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3552-394-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3552-337-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3640-69-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3640-70-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3640-77-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3640-218-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4044-259-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4044-275-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4044-268-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4044-260-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4044-276-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4056-6-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4056-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4056-7-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4056-0-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/4056-32-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/4116-304-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4116-312-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4116-368-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4504-415-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4504-419-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4608-472-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4608-464-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4668-289-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4668-301-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4668-354-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4696-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4696-30-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4696-31-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4696-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download