dae422136c056bed9b561123db0eb1a3a0986d05a2ad4befc4828ac438b7eeb0

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dae422136c056bed9b561123db0eb1a3a0986d05a2ad4befc4828ac438b7eeb0.exe
Size

705KB
MD5

cefbc9828391831ee6fe9d83dc4cfcb5
SHA1

81c6008a8070a47bd02623b256996029d6fd240a
SHA256

dae422136c056bed9b561123db0eb1a3a0986d05a2ad4befc4828ac438b7eeb0
SHA512

e0e52411717b40c044ef10dc64faebec3654424882cfd2fa6a3615219050a30f5eb9bf240670f544a290314d8c315b2e6908d44d9774e1efcf721c9f90f92e88
SSDEEP

12288:xF9B+VvUIaTyTTMhPTvBDJQAoJujTogLmcIXNp9oqTNGp3E3Ed36/oauG:xF9BOaaItDJ+JujTyhTop3+EdWoauG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3368	alg.exe
3312	elevation_service.exe
4248	elevation_service.exe
4424	maintenanceservice.exe
4100	OSE.EXE
3148	DiagnosticsHub.StandardCollector.Service.exe
2360	fxssvc.exe
1772	msdtc.exe
1108	PerceptionSimulationService.exe
4568	perfhost.exe
2936	locator.exe
3944	SensorDataService.exe
3244	snmptrap.exe
3024	spectrum.exe
1808	ssh-agent.exe
4448	TieringEngineService.exe
2052	AgentService.exe
4424	vds.exe
940	vssvc.exe
4972	wbengine.exe
2272	WmiApSrv.exe
1028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\546d1610c92b1ccd.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	dae422136c056bed9b561123db0eb1a3a0986d05a2ad4befc4828ac438b7eeb0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127968\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3b691c9f751da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba7750caf751da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007204a0c9f751da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bba94eccf751da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066e4a3caf751da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051e5b1c5f751da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cfb86c5f751da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b4130c6f751da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d5c7bcaf751da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac0087cdf751da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3312	elevation_service.exe
3312	elevation_service.exe
3312	elevation_service.exe
3312	elevation_service.exe
3312	elevation_service.exe
3312	elevation_service.exe
3312	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3976	dae422136c056bed9b561123db0eb1a3a0986d05a2ad4befc4828ac438b7eeb0.exe
Token: SeDebugPrivilege	3368	alg.exe
Token: SeDebugPrivilege	3368	alg.exe
Token: SeDebugPrivilege	3368	alg.exe
Token: SeTakeOwnershipPrivilege	3312	elevation_service.exe
Token: SeAuditPrivilege	2360	fxssvc.exe
Token: SeRestorePrivilege	4448	TieringEngineService.exe
Token: SeManageVolumePrivilege	4448	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2052	AgentService.exe
Token: SeBackupPrivilege	940	vssvc.exe
Token: SeRestorePrivilege	940	vssvc.exe
Token: SeAuditPrivilege	940	vssvc.exe
Token: SeBackupPrivilege	4972	wbengine.exe
Token: SeRestorePrivilege	4972	wbengine.exe
Token: SeSecurityPrivilege	4972	wbengine.exe
Token: 33	1028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeDebugPrivilege	3312	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4632	1028	SearchIndexer.exe	116
PID 1028 wrote to memory of 4632	1028	SearchIndexer.exe	116
PID 1028 wrote to memory of 1956	1028	SearchIndexer.exe	117
PID 1028 wrote to memory of 1956	1028	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dae422136c056bed9b561123db0eb1a3a0986d05a2ad4befc4828ac438b7eeb0.exe
"C:\Users\Admin\AppData\Local\Temp\dae422136c056bed9b561123db0eb1a3a0986d05a2ad4befc4828ac438b7eeb0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4424

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1772

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3024

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1592

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
95cf33b981e81417df1d2c16718a10e7

SHA1
4fd42d249dd5867405996368295190bc1f3cf677

SHA256
e15914ec1c66a2c0300765ebdaf8e52dfa9cff16a18a11f2cc53f504741c65ad

SHA512
943a4b667efe064ad0b47f110dbc1685306c3d85df9ed47aaa1309a09c1abfe8827047c3224ea1d76c1120da072c8e4cb0f3166ac8fac72e534f9357542dfcf9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
727c4da6b0ad0d63102846285ed108f6

SHA1
1f12fef12e0181b4b9970dcbc73d0e9e52106778

SHA256
6504745609b5c7a6257ec1e8f4c6fe5cf181a6691dbb4f0a6d47b2488badb07c

SHA512
b333ef54cb613805a3312f90bf39789f2c56b218df64dffacfd66901755bd292e5ec25f841695c05c73c54adc783f4f6d7c51dd949666136f42379a561bd012c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
af7e84e84bd0bf2fa6dce9418d07460d

SHA1
8c4225c19ff82b04555dd9c132f8d57e86c4a54f

SHA256
bce79a162068d0c5e7265bced4672aa1dc4c111f57218eafa86f60f07d1afc8c

SHA512
20c27851717e296bef85027d2a8255961a26fa1c53f966e1fb7924acdaa9277a9051476bb32370920558fdef077d0eb85f4d42a93dd8448f4ed87428a0f5cda4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d93907065985af0a6f0fd5ffda7f3971

SHA1
e7356608b49b252e626e25b9f17458dc57aa8baa

SHA256
63f64b3c6fd0c42fcf4645d469c3a0b07257275d0b64b079e7689b21b1a3c1cd

SHA512
65418329d0b19d84ca647e9740129b7859b6d91073384ac12db20d1038253cb0e4d9683c325045f530a9a7e8b2cdf62d0622d014a1477076894e93086a89c3d8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
128KB

MD5
000c2902bed1f04f2da0c1d11a9d9544

SHA1
6534deff32ad65baab335dfcdf1a0c2fe1208281

SHA256
3f97ed9c4b468753f4175295ffea7e93d3c615ac4b681fb3fcc3e48fa99fa554

SHA512
a6d41f7c0d92a39851f79e1d98fe88dc85409b040e8b8941cb250fbd2bec2a83bb620b3820a7488eadc5bd10b8fd9b01b03d9c7fa4a778d2ca50d1b3fc0ebad5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
07616f886ff03e85c440e1acb011f9e8

SHA1
8d2838221642c36c609a46c7c97981ddb9188ad6

SHA256
747bd0fdc9f169b45149dfffc983dfabb5e8ee7277b553beadae9846b779944f

SHA512
d0683abd568a210d4a2f3b9895235589c98f3b7704eb2bc9b8094eeeb6b3c0e6252d2d152e12ba2784404db9f7104f764d8b62c284487b864520095be323ada8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a46d32fd001757be82b4d19bcbe4159b

SHA1
db56ae68b10d9c3e57858edea830267116763098

SHA256
24bdddb09216e719073225de052fa4d498d49116671eb5ecca295be690803cdf

SHA512
79e03aa5844dfe51c965f4c716d51fbb80c577d14752ab449422eeb0df921d833d3ccc4cd64163d99d947e74525f2b408b9c673664e41e3583cd040d5618ace4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a1166ffc295f61b9333ded0620deb60

SHA1
7cf4a280e66e578666e942859ed99f6c6867cb3a

SHA256
ac7d0bf11718812e01ee0957b7be3b71b1bef3316f9ad4d54d7b15ea857df1e8

SHA512
5dcbb560edb7e58e4bf03cd8d92f5fe1c8616c664624b351762c4fbd1fe9df0934089781c5273c2f4251b84729b104a77afa9e8274602b02e91d095500749c70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
2d54d6215023b13f68000c044bf6099f

SHA1
946be67c09461b6090a5db94066598f142456749

SHA256
0eb151da3ac0d7bb01734aaf8c3b9d4c93a70c3a60cdb2a82aaf5131cf4c5b59

SHA512
030dd4d2c1eb269b916a890a25d361e897325e1e61f351501f973e4e9c359a936a3a2c0cd62f958fb2de0db320bd528c0b670030bd8d438026d7733c207db53c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
64KB

MD5
c8f8eafb68b9c59b924bde131a77d3ad

SHA1
e9e3e1e24c2e63271678a4013c429862b9b1868d

SHA256
5886c382b7687c6a897316d9cf65ddcf0f099c31ee506907d44679f1b306fa63

SHA512
caf34760997ad26b9327a351e3be3e740599426cb211bfb528691943c362f958ea78f22116241a1bce70239cbb02be6227f2d95ccd0055708b6fe3f2f6695011

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e32112d0c8e4a74de0c0ebd8b7eb32c1

SHA1
a79f662cf49ac75c5723f4b18fb84e304de9076b

SHA256
8e89b1adee684aafe9124f5e681b4aa562d02b29b1aaf33f9fd2663a09a0372a

SHA512
2a5e5f31fac6f528928891c3a722e3e677db3738f0c37930af531436f15b67051030354ac92faaa55e22c95e75353b9d3264ac1c7d9aadbe9bfd93d4b55db1c4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fe930e4efbf5a38d8e97f21d45f6c9f1

SHA1
6e50cd47fe275e97eef182e69c400806db017657

SHA256
76e59fbf3c4e9c9d37131a0b033a9cf2150c8d039f8751d13e0b06980d18e82e

SHA512
ad65e6ebaf20f148a2ac44958332756852fa4358b8d0e510ed7f6f4592b7b6a8fa0f8aadaa28701db4ecab8f6c7f1c58fdce4b525682a375fd86db16565e5a62

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6cad088b1e06591d14bfec993ec90191

SHA1
e05d50659014c4f956906e6fd5ad61bbccfbe0e4

SHA256
fefef7a6772298691ca8991d0d7d4772a4b38f50f3f77eddeb5be94238ff6b72

SHA512
00cb32263778cf3dd5cd5e5892e2124285e2e01bb3beaffe32521564ef8df1b9427ce86b8c54944ba6d816e5f36c2c32f30776652c7a4610d4709b5c6c01cef4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ad533038b5c5a9e566a2926e35b34e74

SHA1
1b45b61bb8afe5e8f7e191392f18ee07207e076b

SHA256
32e47bf82a16784ec0f1272cf0c692aeab9f8a9b98c55d7bced001cf151fe1c4

SHA512
a18514b567b9c4a502b6e9ed3cae0e633985b520e18af477e2e39e22254836516d42fc234d9a1706b986b7a1970a79880f815b5df3a7964085f48ffe25014aa5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
ef9d68e4db93f331639a0725fe5e246b

SHA1
b3f09a74d2484f10468e8788aca391adcd1d8f48

SHA256
c669fe3229191b1f039db64b0c6065873371f9864b5be081efe00ef44e02b9eb

SHA512
623c0f6c9ff9877a238c14f948042d762983e9395709a4611680892548c8b9498f3aa45b21a215ca53ba80e5c48723c0c8d9e92e3b2d97110214ee1c563730cd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
cc34a649224299f93cc4b8a9329a5b3b

SHA1
d4d8184eb1c0481e0a4ddece74953a5e45f5a5d5

SHA256
b3e05282f60ad25509f68ad0bb1cc3929cd2083dd15148264ee78547e34380d1

SHA512
e49ccdc82721de4280163ff017f1d98489938614aa057e39f217a60dc9ca5fac7506f2260df722b700408786011cc949e010019cce1a89bc43a969a7fa1f8abc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
58b82f61e50db451d85d326f711686b6

SHA1
a73d57718b3b556125667263cabeee1eaec14eca

SHA256
2b8cb94f456763db5561be3684e31d0f5f6c9d145dfc2ecc71cb4ad5df0ea855

SHA512
3d8fb15bcaa848965a65d949f743af04bf72028e2d4d38008daa35f573cedc27727aba01bf0f4ce00c0da4d22a7441e3d7571b9c280c7b19f49a00478f3421ee

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
32642b4fb6555c1656d8ed455ab1dcda

SHA1
f1ade18c104d2e3b636903ad930becd125b52f46

SHA256
ff69260d38908640188775b1d2e34e09b9f05f8b7c552d23fe270f2017e85a6f

SHA512
24cb21ac3bf1039e5abef9164bc7c275c8fa4de3f9b818a2c7f12a408f461234422ac856935329acf6b215f9dd0eaee7ff0f627265e6ce63dc9b482bfe88fa3c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
f9461f61d48675ae96f8f998a79e7908

SHA1
85567087474a3544e613507217dbcd01282a6712

SHA256
267738dda38755aa333537cbdf57c3892cee235034faddaaa2d857eb48e54766

SHA512
a98a1cc40a5ce6629fa71d6aaeb6b3ca6b9ceca07d0b57807ee02ead5f043a81c4311df0cc9532467c6723db1aac2e4e6e4b9cef03e66566228321750b53cc41

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
0470ad1e895c74fc803160182c0345cd

SHA1
2fe886478505446b79196826214dd405ebd47b15

SHA256
ddac65fa38842e8d01ca04bc03dd4740d350a7f1008e76b49fb50d756173f286

SHA512
98e66c0815bb067168bcfed4b2615c106ad7ec12c63e6ee9bba5488cadd8e21b1236db8419256a712fd01e0864874a7aa02e208f38ea4acb39d54b3d3db78959

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1bf6920f94ae2b956d01d15871254c8a

SHA1
9d092aeb2e163990ec5a4a7964b518dc8d15ac16

SHA256
c25fbca6ad5516b91c99ef817fa7408cfc173ca976c3a535e8cc07a0f0540480

SHA512
0d20431ffc195113adda325260f10bc0bb548a60aa0330b54174b3fa4088f0aada3f9b107f0d2258cfcaf1848e615bb781937a62495f8570597f3c944028a146

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e79312f3ec52b96ee629bb21dbd5fafd

SHA1
5267210e84cd5037afa44094f47b5ca3204693ac

SHA256
0f4c499dc2e4a8934d0e2e684a886ff145fc4e1148998565018e4dff829e62f1

SHA512
6f6d270679a70036e06367a1a5d5a99f57c84a84814fc68cf116be23138a8d726346136b585f9eee3cbbffd4c03e5736c706fb7d633fe86d213980291e4022b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
20eb363193ae29bae561939b3f202942

SHA1
2afbb0f116d610b3d49f53fb607eb5eb6765e47b

SHA256
737224620ceac23008c02914155dcfc2a34972c63d57746079de8e13b076505b

SHA512
0a09bd1163888a37ea5771f65a6944776e3783aa5056692b6c9274e222f3bdca75f6cbb9effc52b4f0e2313a0c6c9b18e674279d2314a83f9928f565988ff94d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
bb18e82a9349a9d573169301c35a7898

SHA1
87d2dec19b13023557beeba0eb96917ecb9a7174

SHA256
9d53a9ae4c76b180b91e741d5e837f4e013ee248d1dfb4a03ab86486e19b631b

SHA512
dab35792d12ee4c75d1de7f72b2351f414dcf875f819b90010299789dfab63c45186d6ae22de40b440624e7643053b1be44b2b16b579591a5e31d470d55d2a4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
704e5cd3814a244e6ecd825fdb4a681d

SHA1
df714f4f8a93495c4e0e3a3ee7d0bfcc34f6aaa1

SHA256
70edd3ae7d4708e87771fff2e41ac5e2c183da39c76458f5ebd2c022599f21f0

SHA512
6dc19521790693c3a2dee872e90201fb42f775162ead13d983d55baf1b48b9bbdcfae2a458146c9d27026f257d2316020e7ab8aecfdefaecc2be000563f00e04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e50b46048a1fa812a348b59b74481e04

SHA1
2e596302a48e45adb40be4fb9acd5c568e505316

SHA256
b6074267513453b447e9e6b648737e134956be1bcb3447a458dc1060a99f298c

SHA512
31f3c241a7c4f3add516e89e9e6c51cfefedec6185e46d401b9811befafe076250b644e4131074c7fa2654781dd685fd1828fe641fb291b62ffb0456b6c4bbc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f7579143bce081f2a080d55636e09780

SHA1
9458c518114abb8fc7b5cd22e345265ed625089e

SHA256
8731ba5cececac7349c0c1ea78c19c34ee042ccc254f670719521c205ae48397

SHA512
8ca8bf306c2bac6767a2c8a275d557c46b8057bbf0c81ac5dff3ffa86b3de4fac3c4396f635059798961cda8c6839ae4cd50380062e264f12222c4aed8d5d1b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1448b75698ae6dbabbf27c45344a9242

SHA1
b5802c2526b308bfffb9962bbb96301c6b55acd0

SHA256
ebe128518e5adff365f4421debb4e18c6d37ea14e26b79b8cbb754d0ef2fce8d

SHA512
7695f3c315ffd56c5d1d4be5db3df4ab1aeac285c25ebb543a0e846ed6c18346ab7d171b373e5bbf8b029e4554475f590c5d52433c4057f1c9565b5c9e17c90d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
25af3675769366254ed3cb2e6b51209e

SHA1
314062ba2048829f78ca366ffcc88f044821546a

SHA256
b39949f824c243dbe61ba3288b3fb662da9e1d5e966cf5e128efcae2536dc61e

SHA512
148442789021ece00e7527b4c971d9d328ec29541294e50e3e56b524b27ef053cefc2fd16d3fa1e8d2dfa03a960cbf543ad8bb919fa6539318a5954774b0fbcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3f043993bc39f5b0421e213d3ea6d1ed

SHA1
96383890357f945e1681f33c267699435f474585

SHA256
3e66846b8e7a60242e4ef863ea92c3f8fdadd730edaf8a62c1fc090edae16760

SHA512
8f94adb3a42b8a12258cebbf7eba34ea13bdcec11a3f042c034eb14c051d436b230e7d212e14af7f7b37e1978ad46165627cfe4b2b6fae172936fca83b3c0754

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6f118074ae401e3a418b035bebbd1c50

SHA1
2d51012ad771008fcf74c1989aaf536810ff52d9

SHA256
b344aa649c5e32ace45226e561e64351dd5c06cd08c359d40b4e34fefc392e27

SHA512
4e5fd302a89067ed270a358778655b9336e652579df6d742bd4223412d64189a6a8097d81543d45f0f9040d8de60c7be605a40d6749df10a1ddcfb7758190014

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
91117c7d24dbcb5df5dad305d9479d29

SHA1
a8bfbaac3fadbfab3f6eb9bcd08800a911ceb01d

SHA256
2ca429ce0213a800a51931a072fb614444eb28baa61281e4e48fdaa73c1d2688

SHA512
36b9275df9a7a362cac46b0a256a54c6b6c88be33e2e856fc9f65ec86b800918225a1eea193d0e01575149d03e91ccfc769ba518544ff005bc9cb960c8036857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b9487063d81b3db44bec6c3412bd51eb

SHA1
6e9ae77b53211bca6867ca3da78691da55729233

SHA256
9ccf438e67a47ad5da3b2d368f264250f5df256c54adfd0e085bd5aece26b447

SHA512
67a263a28f76af0693c01150f18c02a77c68940ae33b1fc536e95175d5e8fa3aaf56e1c850341bc5ab87acd1023f42167b8a28b434ae90670e0bea3cf646fedd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
febf344165ea9c6a11a5550cbd26e156

SHA1
e046715d0e3b2c2b933eca5384432ac105c6cc82

SHA256
13ca84cf91a95bd60786bd89976b74db1e420dba931b05d91ccce12d38c69ae9

SHA512
3094fb6dcee558615387336074099428278dc7a4f5bb707c81b25346bf8c70cd42c325fc08d67a713373d11a2b2fdc84427dd9852188f40d2d80ae067da7b2b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9176358abe8bdbde1f73f887aeb864bc

SHA1
94200c664994ce1a6190f309b5706efcbb3d0900

SHA256
a9f588393f1e66fd6c57258c6793f3dd83d58732472bc2f2173667c11c83ab08

SHA512
0e8d1d35ba68faff2fb55a023c952b53e0716578d518204a6227d895f05597e988d302b9a99516e07478c8a7eb1c734386e489573914faad4ff68f7bf19e7f96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4851bf992dfc5dfb0699221c8bec8c3e

SHA1
6b8c4696802556bc19d86416c575ee4a1cd32322

SHA256
d5bc7738e3d71e49400f72f07f20ff820a2d872eb5f0a9736962c8d69641e1e8

SHA512
5763cb180e83d016af18225a16cbc540a2fdcf9689f12f3430086bf37710057ce87105ab80679247672872c9b811abb33423b4554e38c3ebbc5d16c275f974fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8173ec746f04946cf467e97549aa85aa

SHA1
b5a711c68ce93952fd925d46be4996901bf9ebb7

SHA256
aeebf06e1f61c798b0583f45a87c7f5d5d15e8278b46d388bd5142a967dadc36

SHA512
eb8e3559951740ec8f2e763a8424f40a3f52d949130072653d27938be8dca8d1aa6b12a8d05df59002cbc2eb6b52fa912f58c02289eba9b105acd46c424840f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
3fbf60b1473451b3863a61f881a50382

SHA1
38c45bb681b68968955606dcfb7d4099f1fbf6f8

SHA256
d2da08902b869dbe3b0ca5332c99a0301b5e1b16818342cd7486e2e69412e6b9

SHA512
96ca9f1cd2ab1eb496467caa58948b7f0737e6d929b5ad97a24c487e39f43ae73fbb58b9a988da2eb60c575c772655299b9404b7688651b4332c72ff9e75b50d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
64KB

MD5
c9667ec245a00df8d35e465313e9f96c

SHA1
8e16f47ab4e85daadb2d746f679b8d00f32852a7

SHA256
bcabba48d6813e4f883cb8ad3772c4f97dfcd304e460eaaaab652fcad66ff864

SHA512
dd7b7751d9765e01fa519ee0eaa8855d6648c5f99c3a577228c4b05e7786a16354699d05d8028850e87300295d17ba5ef4f6eccbc16528d859622b9251c38f47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
64KB

MD5
fdee6a93df30a80e588b1265a83bcac8

SHA1
41436149b0fbd5b1240811a88c106bfda1bc8a3c

SHA256
981c2bf37e480dfa2e0709dc0e34d984db308a939ee599c815d409c8914de338

SHA512
d81e413083e8b5958a74c4b810918949b5794a545a797a95402bbaf406794977b86a5050f0b3cb9afcb1adf002e57ead37fe96aec8894a3f0ef21d14c3025988

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
64KB

MD5
6d2f6a8ac6eae54c0482e2e8055b074d

SHA1
28e61d6fc574451e4774cc32de9c521560108818

SHA256
717cab23bcb6b6c6632e8d07568112242cfa118cd706fd3d0174a1a4166b8c28

SHA512
7fe4a9d14bbb27ee94920eb12911bb1dbe5098b00b6b73b477a2c5cb76d7e858d208e2a285dd2faf9454c58baf4b198c246d8bd71b8a103757b5d76d0a8fbe1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
64KB

MD5
80bbaa13636ed36648ea25c4b83b8838

SHA1
3b41eda4b93c6f452d7e492d54eee3b7a2bada7d

SHA256
a50b02122618c4e37e49bcf75c4b26a6c9f6900720a87e1942830298eed9dad3

SHA512
408b8442cb0bbb9fd5fe95be9d780f8311dcb4787f479819bb33bd8e5ec40a42dfc1387fe29c4d51b97eb1e2480ce974f247584586f77dcc4e7fb589b7bb54c2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f5ffecabac95b736d050d13427d3b5be

SHA1
7ee5fe931c2c624f95fab9a688ab8de4a20de5d5

SHA256
a96b21f0ea468fbf6976f04caadfe6ead3c17c584b1f987acb12091af5af5f55

SHA512
5ff2f26c14e7acb391765b26e382e0f4bf9ae55c582fea2e307d665c34c3c5a30307742be5e8616853bfbb7203ada321bcb2c9e58b612892f0b381c7cf2272bd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
325715d31551fda2ee4f1ac3d7f53a62

SHA1
6172dcf2d022bfa0635c0dccd9797a0de77fc7b9

SHA256
18693b65fdff2daa84ecb86cd4d98b4e3ed2168fb99566dcff141a1a5ef8c042

SHA512
8ff2d595a4b949be2fd4cb0267e21d0631eb750009558b21c93d1c3bb8f0a38a8f734ee15c0a4269f6ed5e5bcc0d7909223464c76a4c3ce49bdb08249187782c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
378e42d4f50dd7ea9ad91b7b5058da0f

SHA1
18886c0c8cace7788edceace1126ca94fdc88535

SHA256
4ac425cd986cb637e8df156211c46532569d6850c9d9a48c6cc5be21ba5eceea

SHA512
0f1f058ce0b96c951912c0944b1f0126562007b3d738c21e5ecf28163869af60a835765b1859191a2c4efeff62f4b43efb3a05cb1045dc8109baf43a1861e52d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
10b4c949a640045788d0d93a632639fd

SHA1
1b0695c7e88aade01e61b382a5d3b510a10ebb53

SHA256
bab8c95835fa163eea6a092892d0ff686895d0451ede3385825c84754e89a08e

SHA512
119e3dae42da212168f2fd84ef64d67e36ced6a4531bb710ad74c7db0f5bb89b4027c098efef60185563c7101b54f75ce6e72bbca1fafd86de9439a591651dea

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c9be99fbcfaad220cc69d9d7fa2ec562

SHA1
2676f87757263008412f6ec3b756c4d80290bccb

SHA256
7402a1aca0777f5758d42d58f3b310728829c2f95b27eea13b5cc67367b83125

SHA512
44fd815add544bb972284f6f2b09ca0555b3d6a6dcc09ce38d5429201ce807e8af3c9f9bd444a0551c08d1d675380df06ec7a32f31d522432c612bbfe5c3d5fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3175a068ad190d3b6c38aae4b51c4409

SHA1
f4743a58de6f546d97418484cda23d5d259a9f6f

SHA256
0b5f06cfd227c2846771bee4df4a2fa5ce7b95c9bd1c44a32dc8932dbb2a5834

SHA512
eaa6988bb5ff2b80448abb989d628a22b0070f1fb11c0c70cd89fd208c9893214807444f474956d66b3362f6815fefcc84c63e329fba066a450911289d42638d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
83dbd2baf58f74573247e4e2c854f532

SHA1
be46171dd565e26276874e04cc52d017143ec636

SHA256
a7ac85f1042cc6ac5b22f092ee3c60c52d064b44df1bfbee1995ecc15a2e036c

SHA512
90716de96b0be6b9f5e8c7277ee60fd9dec246f592d7a5fc1aaab8c41deee69f4448055040db4b766ea325edbf26d25c84bf916be91f9338e0495e47589e627c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a718085c9867b4e9196cbc2423516417

SHA1
7e6980bc59997d0af79ef524a69498d7ba73f67a

SHA256
dc60e59372a9f4a14fc7ed80079f27dff49a9513223e78ac2b5c0f1eb763293e

SHA512
5c6f838d092e37c70c7d7aa31daf5dac8965a0d145142b478cf1509a978b3bfd8b75464d0200f9465a2fda6dc3ef225b0d2a0ba21e54ff803f0ce972deb9919f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8ac77f7dc54f1061432e278e4b46905d

SHA1
d88c9840c65053d7c9aa3049a955d2be1558ae4c

SHA256
659ce49f75d4851cda575bc8177b804e37e351c87d579126bc8bc5853deb4939

SHA512
43c7d4333fbe32158ac133b4c7f37ee82fe5513e4ab885bbed4690fe10898aedcbc1837da63824cfe79b1304957cd91f0789f51b57d866543da02a692a549819

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8289092710519ab7cec92c1c4a68be82

SHA1
c29f4f28226370e07e01b514ab1fb1ab198a1358

SHA256
4eb6355ffd51c5b367b7c386e0776c577ad4f93e438588228938b5e2b6387ca8

SHA512
f92f5a2c97b4af4cb5a968be4fd4b3b796c662787fd4353796e4c372a582d009ae5bbe997b6431949bcf9e8196012370a31bd47cfec7fe973bf7979d0791ae6a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
06e5fb75f219e868005c84cd3b8c769f

SHA1
4dcccd47570ced84be231bc7d8356b048e1eb6b2

SHA256
4b4b5d109c3665462ac232f09e08cb476311ab98c625ea7570eb0c7afc479f3d

SHA512
9662e795b267e6b72a75ced8da9bc6fc25036450c9014bd7440e026efd861aa307b58c29edcb50831c68c018db58dd80d3e8dcbcb8f3ad50bab4b4d42e8106b8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d3bc9d46005717830d9238cd529da056

SHA1
c96cb06bc34aa301cfcf73226b9d9b804ac29c41

SHA256
e17e8a6af3e60cca965db9694a6e7f5eb2034f6ba585a1cc1a4ca5e393d38f50

SHA512
0f4e267c0c57950d844349d83d24b614481ed6a341289a27cc5105c818f0460646a635e9c6b9df05a5c21b975b34fffd9a25d75d3a7a048031694b4b0351c005

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7d3f7e6a43e2de450866a80a552f8589

SHA1
9d7cd83b1bc1c42dc95583698a05d133afbfb415

SHA256
63d895a82d3c52ba114466be326f60bef47e0b49f35b7d8c139defdd9d1ee4e9

SHA512
02f76386ed588c7138dd1e80dcb22876ca64fa7598a84003278d55a653b548cf06f460176a8cb5e17f39a47dd49af7a38b9c49ca109516afe8877175df155316

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
29b51391f2d21a21ae1bc5a95a87c38a

SHA1
e5aa02c9e8c4bf5c88baad62caea176390d80576

SHA256
d1870ce4cb106a98a5a24af754d297dc2cb24d58df7477cad3c3d363d7f234ba

SHA512
31d37c98099110f1da3432da729ce297cc619ab03e3bacc80b8450b02558cbf68d214a89ebcad2b5ffd15995b81640e8cbf78d89674238fb8893671bd679497d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ef56b7e0c23dcf10beaa68214684cac9

SHA1
12bdb83d4126eee73241656fabadfbbbb6192074

SHA256
1d0800afee778d37f6faaf9ab82def664391bd48da3381a39065f7dc816cd6df

SHA512
5ea88ebe74fae2fa27751c6a5b029762512bff4845ff1f8ea93c2075284609043a0e0f168b6ba5e84e83f5432af2ecdc7c2494ab0de499ee028c9d8a353590be

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dd3de86f06426717f67a1cd8153349e6

SHA1
51c1dee79f29852e301cbca6dabdafb3cca868a6

SHA256
0073aa01c99ec817949e083733850841e805dda131d5e60ca5475fb14272875c

SHA512
c36886d8f9105b49f0e46c72d4102a92802b5da620b5eb8b46194af01dfc0ef747ccbca0699e981e66ba1d41825981ffeff2e34c36930814603118ac37012b6e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0dc3708acc51ee7df682d2e6acb5342b

SHA1
9da961643e968613af6db286346ee7692e8f8e2f

SHA256
2790d31a695b480a7ccd32d59a0691f085bfc8ef1cdcbb929f3bf7da6fbe16a0

SHA512
c46296c6dc88a8f38aec131da9180e23f0045feb353bcb3f3d85046fe5d84a4464c8994a18129fa86f775bb686f4445015b2873a36a09071082d2bd49bd5bea9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4140b8f6aab6ad6dff61b309d3535474

SHA1
20af69526e78e3980a3c9f36de8db4dea2964aac

SHA256
e3088f6cbdb46d5089aab4a34740c9cf564bece8f82ef1a0b634b1bb078ef2a9

SHA512
02c7962f8e3586a91897f43b4861a5b3d80f1d971b4b53af989b907e00bc42faafeac0ff139b04627ba0c79aa66affe1d145e37aefdaf40266064fee0dc29d2e

Download Submit
C:\odt\office2016setup.exe

Filesize
1.1MB

MD5
f6cc72b940ac08c430dc651b55db38ee

SHA1
d794113d1a05e2dabaf35cac0f5fc1a5b0811c9a

SHA256
b79a80229b82db800aac7f0c903dbebc4b900b1739da45312d30e4e27ebc1288

SHA512
ced77c2fa73cd0b1f843097f884a9d40bcaf98e85bacbefb7f6c062093677236f2b9059632fd6b87ea1ea4738e76186402f12d4863222ebd78a6873b17b722db

Download Submit
memory/940-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/940-430-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1028-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1028-469-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1108-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1108-297-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1108-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1772-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1772-281-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1772-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1808-375-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1808-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1808-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2052-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2052-400-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2052-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2052-406-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2272-456-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2272-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2360-270-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2360-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2360-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2360-256-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2360-264-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2936-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2936-320-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2936-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3024-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3024-359-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3024-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3148-250-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3148-251-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3148-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3148-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3244-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3244-347-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3244-340-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3312-33-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3312-201-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3312-27-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3312-26-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3368-21-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3368-122-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3368-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3368-14-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3944-333-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3944-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3944-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3944-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3976-1-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/3976-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3976-6-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/3976-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4100-72-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4100-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4100-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4100-66-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4248-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4248-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4248-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4248-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4248-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4424-57-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/4424-49-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4424-50-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/4424-60-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/4424-62-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4424-417-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4424-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4448-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4448-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4448-387-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4568-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4568-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4568-306-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4568-372-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4972-444-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4972-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download