82d0f0337d13083d3e906c1e3cb838198b886c2a4cc426b2349b976ebcf48339

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d0f0337d13083d3e906c1e3cb838198b886c2a4cc426b2349b976ebcf48339.exe
Size

1.3MB
MD5

b9257213633face0c3a1f32e2f3b4e2a
SHA1

f6b70d59aded92e7df0005545f4a506403ae26b1
SHA256

82d0f0337d13083d3e906c1e3cb838198b886c2a4cc426b2349b976ebcf48339
SHA512

4e7262ccdb58afa28e3141ecd1787ee0f4627c3a06895453ad6a05adfff993cc647afe114646b326995cdfcee80abccbb67546a09ec7f97d9dcc7eb507693428
SSDEEP

12288:XPiB+tb2rQ9KbFwOKpOz5N9vWst3QVkBNhw6Y5o+SudAfh39z2Go:XPiB0EQkbvK8N3t3QVkLhoo+SVfhl2/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4296	alg.exe
4408	elevation_service.exe
2408	elevation_service.exe
2236	maintenanceservice.exe
4124	OSE.EXE
2440	DiagnosticsHub.StandardCollector.Service.exe
3448	fxssvc.exe
2368	msdtc.exe
1428	PerceptionSimulationService.exe
2320	perfhost.exe
824	locator.exe
2652	SensorDataService.exe
4988	snmptrap.exe
3860	spectrum.exe
3260	ssh-agent.exe
2304	TieringEngineService.exe
4044	AgentService.exe
2064	vds.exe
4948	vssvc.exe
2916	wbengine.exe
4996	WmiApSrv.exe
4276	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e3f48e364d74bb6b.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	82d0f0337d13083d3e906c1e3cb838198b886c2a4cc426b2349b976ebcf48339.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BDAA48F7-DD30-440C-811E-DBC3EB54B114}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaws.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082bb09cf6c52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d182d0ce6c52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f3784ce6c52da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ee4d2ce6c52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4408	elevation_service.exe
4408	elevation_service.exe
4408	elevation_service.exe
4408	elevation_service.exe
4408	elevation_service.exe
4408	elevation_service.exe
4408	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	240	82d0f0337d13083d3e906c1e3cb838198b886c2a4cc426b2349b976ebcf48339.exe
Token: SeDebugPrivilege	4296	alg.exe
Token: SeDebugPrivilege	4296	alg.exe
Token: SeDebugPrivilege	4296	alg.exe
Token: SeTakeOwnershipPrivilege	4408	elevation_service.exe
Token: SeAuditPrivilege	3448	fxssvc.exe
Token: SeRestorePrivilege	2304	TieringEngineService.exe
Token: SeManageVolumePrivilege	2304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4044	AgentService.exe
Token: SeBackupPrivilege	4948	vssvc.exe
Token: SeRestorePrivilege	4948	vssvc.exe
Token: SeAuditPrivilege	4948	vssvc.exe
Token: SeBackupPrivilege	2916	wbengine.exe
Token: SeRestorePrivilege	2916	wbengine.exe
Token: SeSecurityPrivilege	2916	wbengine.exe
Token: 33	4276	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeDebugPrivilege	4408	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1968	4276	SearchIndexer.exe	118
PID 4276 wrote to memory of 1968	4276	SearchIndexer.exe	118
PID 4276 wrote to memory of 3220	4276	SearchIndexer.exe	117
PID 4276 wrote to memory of 3220	4276	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\82d0f0337d13083d3e906c1e3cb838198b886c2a4cc426b2349b976ebcf48339.exe
"C:\Users\Admin\AppData\Local\Temp\82d0f0337d13083d3e906c1e3cb838198b886c2a4cc426b2349b976ebcf48339.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4720

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:824

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2652

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
176KB

MD5
b5e55c7ccc00297262288a51831df612

SHA1
65945b359b0b6da52daecbf1e36bac0d81bef125

SHA256
b94bcd6979a37f321a4446b24fd7320cb31a75fbfa00b6ec4c863aecde92498d

SHA512
d922b4837283507fdbf37876b7f842f0ace3fc857b574ace980677e0855904c4dde49feb103856def0bd787c05dd54feefe3c6f75aceb85d870b948cc05b3ca5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
299KB

MD5
fd3efd0c366d265bca4fbcc396cdd51d

SHA1
20820376622cfd5165fc8519347db1f1d1940fc3

SHA256
5ae335886aaac0c3c8ac710244a2bdca5a221e368ba9582999d8327a32964c38

SHA512
fe83b1425a7f44d83487a3b71acb828d3503cfd7300efe63ce9d3ce88314062a7d3de7a933d8520ebc4c2335127765f06dd9ada4c959a17c171a9d02a5c9bd97

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
156KB

MD5
a3d44de9baa9040c7ad0bd63884acf9c

SHA1
1f2a2f2a31ce716c9ebcb3dffb56b5105ec5aa3c

SHA256
ffcb12ef0e0ceefb3b94f9a4a60a29c50ca59a4280756503c318d92ea42531ef

SHA512
fca35e97bc28f0019e6154a6a7016072684f5f4fb6333774a360f99ca44fb529812a874ad42d2a52327475d9063e98a638634ec5d6ea6258b3ac7a75f99ecf6c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
110KB

MD5
f2df0b2cff22bf39c151df5c6a4ca17e

SHA1
d50c6d5185682982f6790412a93a7baae6b4064c

SHA256
bc40d1d4f728c28638f176210756d9aa9ff8623813be0280d1f55be0b644a577

SHA512
c820462e09fe8842a8e39a2cfe9227eab09d2ae5b2d6aa44814e1ba6dfbac5b4368170ccf0e60fb4ad7fdfa2e29361a7a53bc93be0cbb6550da032ce292ceac7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
224KB

MD5
8e2ff65db3c309221d36541d9609fbbf

SHA1
f5963f5269158a7edf469d630a5850c1a53edac2

SHA256
064d23c05eb32abf96702932b01bc7a22ce39b2b7918014c2a00b3161f2d3007

SHA512
923abc91693f7a5b0cb7e1d4b67de558c1e15b503e9ecc17bf0fd52c8ee8974d74995446f736fd770696e98d5c6b0c94152f5b72b606d1383c540e01cdb7577c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
135KB

MD5
b4b896f19de2d753521e0f1c3ecbb591

SHA1
3a11d2fa71132a322e142616da582164283cc244

SHA256
8d0a934a237fa14e5611c54d08653a8cd1494ad71e8385d97536bfc554988b3a

SHA512
044a9a5ae77c2f144a50bc4dbcc79e9c66cca813e248bcdf0dbe65e602584271cad138bce6a4235c1533fba2ae8b77af0d48d565a27704624632235bf7692986

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
97KB

MD5
4093bd4352d77d2ac019a55816e08158

SHA1
6618148b139fc3e036d4f1a6c51b9a249f4b98d9

SHA256
ca4c8d73716376d8e209b59adc95086535c068ace47e1b5d7627a4c7fd227534

SHA512
fa922421f13146ce87f467e253f7cf14b3e7a4e089f1f130030a62b43d8e0e9d76486c06a9ac8d6d600f60a16a39b535eebc18618aff9213ea45f76365e2d7a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
150KB

MD5
e63bd37e80e94b0614b3a0631836246c

SHA1
a27577d651915ede397f4350a661b58a8fc5c661

SHA256
1408e0de8ba2e4187b5cd39b7524f08280936a5aa0b411dba0955a317104df43

SHA512
9fbab3fb0a92a76cc2f6454c1376e437fa8b404476fa9ddf616f3a09fee2ed8fa00f99e28be73eaaf5614b3fcbe5bcc7d6e562fe712506b4c65d271d2ac2105e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
141KB

MD5
c656a102c5dd92232005ffec5f1ba8d4

SHA1
fd2414fb61ada111c7325050b865304ced15e113

SHA256
628d92bf458356022d76c7b4c0639a52345084c5cac4c5476e63288462a00963

SHA512
d5deb3f361d1d8900eba3ca9cad4bf09c8c75d7ada60411ecdb33e73d2c3730a8411dd27cb145d4585d6cc25c906d4b79c93158319e1c4281ec42a6beb4f3732

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
127KB

MD5
c5dd6eeccb512223207fb7db5dbc0938

SHA1
1ec9d3a41be4b30b96001cd176ed9c6590ab579e

SHA256
fc0ac707e398192ac757be3bb023d09350180154380d81e900b1067f8cd6d9c2

SHA512
c4e90dfa6c3a5adab61afa085cca29719170b0f67697ed050fbed6fd7e59498e446b0961ee7bcc4b68bc3d40c76fb7188e72483fc8cc51fb13c733b94e227fbd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
44KB

MD5
0197cb1a5d11cf51380a6159831f8dce

SHA1
ec8500ad2d3947efc782cb56c6c8cdd4c48eeef4

SHA256
e758501e873ba8a224c6d7d626b44795e4ec6d762a48c44ba58a434546a28db1

SHA512
fd0b411ee48a6c2cd0c5d8d7354c50f84be631915ec4c025b62ebe40de06cb30e32e90026bfc0eb51a2b1a9d5436890b33c66196ba03e457eedf7772b13546a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
100KB

MD5
f7b08825cfa883f34ed3321eb92edfc1

SHA1
f20fd8348885d85da42dd9bacc8821f3d0f1d86a

SHA256
883b5010a942cd98b88c6fb40119531ae41301d5ac5968ad281abae0ef5e89fa

SHA512
9721695cbe48b26bac2bb244be51b1951ba1862bd88e18d000c85700c6b46194210e46d2589e62e5191eab959060329c37d3dabffdb55b0c09f49f1394496b98

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
119KB

MD5
21c9024af1a115dc417a43647e4e5dd4

SHA1
e40bff504c7677b9f11ed24082a12f781e9dc4d7

SHA256
095fccb68d6986a56c20a5c639e3864e92e59b4aae916dd78a927c3cb846f01e

SHA512
51f3b78caf1aad1966a0ac4c2c545b8d56f53ba791ed1ed357565ed417308c8c2acd2c533674b554315ddc14fe618077d9ea907761b0db5f7e8c32dddfa0d824

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
133KB

MD5
e523848658682518cf00c7932504e3ec

SHA1
eef3111c5603df45ffee57369ec59a62699024db

SHA256
45d6a11dd82c1391859d5639ab3b6d090d5f3b65757e8ebbd2008cf3675fee5d

SHA512
61fd5aa253a2842d74dea0918060d3f9d7a6d48ef4d463bf273cc1ed7aea5e3cf9b208763c62a7e01a176de5fa91b686f8b3c9aaef694bdf9393c1c97cd24bef

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
172KB

MD5
f732eb8cb38f94e8ba90f71e99f66a45

SHA1
94451df706e23fc0fbe9ebe841ee912f65660af4

SHA256
2c75a44fffc4537d72d153ef52736aafbe5cbb6aa96b1457bb3392ab1139dcdc

SHA512
5e4b076cb6ef72d77058955d0c98a125e925c2b5885f602a1428ad13c7275180e6a20783bad064edcd8002db95e8911d4176937b58c612119f1a6661fed2a754

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
178KB

MD5
97be8d49c3ef37b032583f8d6e3a3abb

SHA1
cf5d7d292422f4070275b6dbddf0469198f811a0

SHA256
420c2ebb129bf246b94fbde849f1482cc6ca48a1d99600a3601263041835aff5

SHA512
ae374b3d949e33aeef54672e23f068179b5f3630ab483ae84c8d7f197057acae8ebaeb879a2a70fe9bf6d5db54c17dca074fbb23058c1ed5f0117143f9de6870

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
151KB

MD5
00f3df1482e54669fb9c2eeb74dcae69

SHA1
014d60ccb481fb8f9d5f3aa7b1798a6e734d469f

SHA256
a5fc3b98030241e775c6d14c65fefe433e965dea2fcfd5aff07ec513b739c9cf

SHA512
fce7d8f5e637b32cc2e97d24cc58b1e345bd13694dc9ea0dc39504801816bd7ae2dabd1f1584acdd7ead037398075c6d6be012955736799fd71d768d322f2b45

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
127KB

MD5
15e9ea8aec6380aac751534a0057f28e

SHA1
2e42bb55be7dcba7c8a26234941cf2f00f166c88

SHA256
7b4dbd300f67a236f79843d9091116ff0e64bc05be073f4eb0f47650ee4d0f64

SHA512
587991be67e54662ea0a142dc9c61b80afc325ed38020cd7a014f1f42412f9d7219b5f3b2bbc566274de3e4d8a094d4fa4d8fa26085e07447c533a195fc297d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
65KB

MD5
2da60ec55832c1c4c12a977b97415bed

SHA1
880eab28b670cc7183f723feec271d9cb50d4e4d

SHA256
a6ac050680422f5987b35758a167b2fe553ea0af7fe180aa9ebaeee32265b66b

SHA512
6e982fc2530060c7ae171e92904358dbd8ed4ec34a1968c4da561613a97a36bdff16e24312786d11b83c17df9da13301748deed8a814590083e41be153e12742

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
145KB

MD5
cb3096162c6a8697a01662ba8193a84f

SHA1
ef1c4f40d8fd88f9bf6a1ce0a188d9cac4384648

SHA256
b5890e79452ba5230a99b911f8be828f953518549b7675664f6c55a9d9a1afd0

SHA512
c620bf37a04767135b7f1af710e4a419328c9486de033a90d3890c9e82549d64f7378bda5eb73458e6ad5362fbd7c36dec1920e10baf0f876e894ecce1758348

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
148KB

MD5
16726aaa5fc0daa114b6eb070cb2395c

SHA1
7fde71bb4f8a41d01bc4ee4fd94d26dc790af26a

SHA256
af9769da65acf9b1134f0e33496ba2beb642afa73cfd3e82016e12d5ee3498da

SHA512
8d47fc756acaae5d99f35487cd51f026c6217ce2d600f1b0402a16f61215ba481d8160b32cff3aef19488a1b3f5ab5aff67e1f1d28ab4a928647f891e4ed4a33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
107KB

MD5
f9bdfd1c6abc8f0fc520d43fc1c5d032

SHA1
9df07e894c12332ca66a974cf0f01cfef30d9143

SHA256
60d1669b544dfa85ccb6e40b4573da63e42468c0cff4bbe3ae6dba10797466cd

SHA512
b2ad09203ddf4f7f110878268be210553804820c59e5ce4c8957bccb3502c1c4aa8cfd288a8d755d31df99a399c525fd7613900454468cf95b197a994802cb36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
266KB

MD5
0e153d32f98904e2e364333c8525a595

SHA1
3eeecbbc314cfca92ed03b4c5866473bb70a3128

SHA256
a32ba2292abadece67a3e0460a914d33a42aa88d711c2fd484cd22ab11ed4c9b

SHA512
bda305aeacd4766ded0da8b4d6a7c8bb04a08a1bdeec36c827145b53c36511a399506998db02dd07b1c21ee6123d1f2ef82f876c06111ed9e88c8799c9531967

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
47KB

MD5
083ecb6066f3eb384eae335f35bf832c

SHA1
9e7635763e97788d2c50b2fe45ae155cb41e1137

SHA256
0d83e11e2784b159220bd2ca6e2c66be48fa48ae4470974357107c1bbf864c08

SHA512
ed983612b7b9f158951e419cfd52b0a2da0c840688d18dfb0d67327068b6876a146ab5846bf0fbb5f86fbec2cf8bccbee38dcd8c502ee0e0b864bb896e04c8cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
190KB

MD5
2d117f3cb900aa62b56fd44e66734822

SHA1
0e72eb33acf16b20df8601235b22f1cd73f8e6fe

SHA256
c5626e903fb48165978c0b4c018a6eedd1cf609710fe2ca5a088d2f7f8122296

SHA512
f9fd3e64e4931cfef6bb2b3979e151f9282a81d2a96a7b5755ca55d81d5ace82bc92c76242754ddfbd4fa4e452cf3700dda4f98e91bbacdbbd40e8a305cdd46b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
179KB

MD5
7cd5c41cc2f43d5f8a4cf6d84bb11b28

SHA1
d999cc911d7ff7bffa14720c07ae3a24a85eea56

SHA256
1ae3e9b30e6466c1d205973ad54e8e878f58fd49a16c3f1ef1e8ded463f80b0f

SHA512
5b505582432c04ab432bd5470f104739911288d61c38825c59bbe6f9837ec68f0f2015a9eeda6d1b6ccd1b5714e6edb0f1f8b097a6104596d8fc072e35ff555b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
139KB

MD5
4e068409fc3550098b4cc0b6bf43bda0

SHA1
a53b6112976e40f97c93723e599841ae3530fac4

SHA256
740b6f01ad6d6f1b2c87a7c74dfbd29c7cc2e377346171dc22ce831f3ca354d6

SHA512
5effcd712f35436b51f70022051f8e42e4496ce12ea4cd7a6d0b6d077ba6633b1447a3c2a4f2385b5319808736a1541f49413f44a93dfa15c11dd1095a64545f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
190KB

MD5
f8768bd173f303ee852f010821784b1f

SHA1
e356b0243ea9452a4e756911e3f0aba3686e6408

SHA256
aab6f4d26b2045929f7d586159fb9afc68b9de4b0b23e973b042ab59313a6a8f

SHA512
ebaacf3e15b744213280360c1958891880cc88f8e1c29798aaafcf85a805d4bc1adc7c864a0a10a6e6b49593ddca3675addf81c290f232ec272e505d0a756fa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
128KB

MD5
dc69e5f9445babf7d36abfa6360a87e8

SHA1
bab16ab8c368d302d00f81335779964a4ac8d7a6

SHA256
33e8a76887771431c3b9497c4b7aa31f66ffc9e403e307cb7ceba610eb0b3f6b

SHA512
c9555e4ae60d881b3442f7425cd7dc5a1cd8c61b53ef3709c5496b6e45629b3a2ec0aa05d80dccfa35cdb25eb7caa3ee9b0d3bd669b3f97bbf7a11112ddf66bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
87KB

MD5
ab083c6a6a25cec18f7ee726119b653d

SHA1
e070673534faa03a6410849e2b10172e54f54a39

SHA256
9daf4bfce6a34de2ab87ee47236ecc69062f17df865ac78ecb64cbe262d82e73

SHA512
b57802ab09bbaf81fd3a2b9daa67703727a2ce9c91c5fecead7b28f23740973db34319c72171445eaf51a2835827ff5711bed37b7da7a47a2aeea887a2b653c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
30KB

MD5
35f6b1bf876d111d27d7f3790cca3cc3

SHA1
272791826b58749bc4a4b510537ab15d8ed0eea5

SHA256
0227320cbef723de91aa881d7f6df03a031cfbdb3ee3aae4b89bd8d27388b4be

SHA512
f4a98a596c6e41b5ba3f8ff3a1bac7fa240b329c32e215fd9c037281c1237cc7ceb5421a4261da9cfd60194e85c1ab80f14a73a2d1c349c07a10718e33963b06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1KB

MD5
41cd5918c79ca7a9270899ae13f1fdb8

SHA1
e98007547ed7a34a630e5bdc32185adc1d7a6fa2

SHA256
597d13ffade7b864ee17cb81f4054aae4a3b38de501531804fb1ded34f17a3c2

SHA512
55779b14ab4445777bee54d5c57481a1866889bae7415703bae504d3271c0bb580a2cc3c5032a8476666e660b176f20a91cfcc75e006aa329a8bab0ae379ae7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
38KB

MD5
0eee7d131fabf6b9079cac7857512128

SHA1
07164d39f46d189afc79c12dec7d2354ad0d1e88

SHA256
efedef7be00c81d0ee28e5a686f94bb1d00e5024b5291267b30dd1575f08aab4

SHA512
680871faa4b6e0b2f009c119c9cc30cdc3fe0f88d10f824c1142755be9ff880a698d577a2a3a333a1a616594cc5a85c0bb9864f0c29655703652904f3ac99fac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
9KB

MD5
db3defa76e1c3e89334a1af1a7dd5186

SHA1
ea606b8c1753adb14fd8a883b27bd8e25725e10b

SHA256
530247313ef46c4a9d0910a9c9e89d5ef29300bcf5c70824ac3cb71e995e51b7

SHA512
70456e5b991f4bce3f4317c4fb78b9a60dbf1f9ab115e70afa2c84772c8c47b185cc68b07d55a2ee22f9adf24e1c2071a2aab162b4ea50af7608a7d742740c66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1KB

MD5
062697417ed0ae7a54b866c169030d61

SHA1
d8f4022930a5427095990a4f69cb880cc8372eb5

SHA256
537e71d7710ff6d5a95b139eafc41c8f0702dfe6b2eaea7198389aaea93b591a

SHA512
10a9d054289cab4e5adf708be414cea583f20530d534c3fef3fd768cf237b2751177354c6542808bb565b2262fc633a443a50e6c758a257c463a6b045a6a636c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
43KB

MD5
3ee941b3222c388a9da52f3cc804dc3e

SHA1
c4e165e4e37aa8d0ab5c9f871c8f560471de5afb

SHA256
632d171bfd651ee2a70f1204382a70220bcbfbcf9e80b1afb3dcb814d4bb17f5

SHA512
a97ec4723fff2dbaeb4e6308a966703522ec6c677823aa6e6ce7760fc9bbb4dde879e4820a75f7de4a49e7e3c6d795648ed5a392ea63fe306991cdd431a4dd78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
10KB

MD5
150121247d22f3074511d4c95eaace38

SHA1
98d6e0ded9545fee249ae7c560ffe342e21aa049

SHA256
aac8a0befbd3212eb0bc4dc280b25626860fcf393a6b848b7c4fa670981e4116

SHA512
674afd20442e87f17fb4be8be1df269f737043ed1460e3caf427468a33682a329d0e5eaffbf57b9a673131e32feae8af084aa4f67355953cc5467cc50fbf4762

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
63KB

MD5
f5469f18a7ae407e759c75441c367187

SHA1
34927ffbbad89053515cbca577cd2882fdeb9d6b

SHA256
0229f513b90b47d040963647be08a216eecd2d292fac969dc2b5ea73f0ca5ebb

SHA512
1bae17a804989164ad3b4bb1005fbf56a4a6d6d6aabc68f00d247d7765d39ac296b696a9de44122ca36c9220d0f5f607cc2dfe1d36bf3ad52c58e70c944e1ca8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
38KB

MD5
2f6c1f3f53c8d69635d981aa49d2854c

SHA1
a3e6a700bf68ac3ce3e8ed5c1ea0438781132fac

SHA256
27339436893502f4c52ddb30fe74d1ae5962d237643fa95d0e995c35fb793d82

SHA512
a9ae0ff802066ea6b7f2a79aec0b9fc54953bf2be898bce1ee891c5817f646061e18e0468ca3297b1f8ec38ba3f2823aed13f827d56722adf9abcdcde740189e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
5KB

MD5
3ac5c1ac58f604b19b320fcd2404ef00

SHA1
db02af8dde00471a7318c05b393fde132d2ed243

SHA256
3c1184794b40319659aa1030e38c5d790db71e82315aac988ee31ff2fa7916a2

SHA512
26a1ae573c99a16bb45e0c39e246579cdb3f177ce73fdbf3a4ef8576b9a86a6ef94f7961476de50005657a7b05267ce9fc8ebdf0e5afefe75d51b4bc9627f53e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
16KB

MD5
5b5c6e153c1e64998f816d2153bc12e3

SHA1
1c9608fda1d8f3cfa3976d18382d08ec0ea41bf0

SHA256
6336b4f8a1061706e77b11f05b10190ee110bafbbbb08322297888dc4e65a3e9

SHA512
37a67c886bdf7cdfd15a0231c8832f56d1d6ad8cb00e8013479713ccbe354012334d8e83e6dc1a12e704a9547d9a1e4d27eef9ea5986cc83842230e82aa6d103

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
30KB

MD5
0d52b145d4e811f6fb895ca36818adba

SHA1
04d894f9a99124ddd09ee3f14a2992e1b11e9bda

SHA256
7d979e29facb9b7ceb83ab0a355fd522de9d1137bbc48538e8478ce2a2b1811c

SHA512
ffed70970e208a0ca3eb403a8285f75583b5456c9c95ac48300dde6dd2454dc466f3f4bd58e568389508158f96429fe0c38d5a5e5c50a0dcc304ac2bb7911360

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
7KB

MD5
5e9ecff9efc46b031864adab22b60dca

SHA1
eee6cd9a579570ffe1468ee9ad200e6bf046e03c

SHA256
cf9a94d511b77eb9c54dea0e766390e1ede136c2742ccd9759fc6882ca5e954e

SHA512
9dfc59de0867c222a2b172eb06d816c176c8dcfb50b389c043423434f6ab49ec04e4e547250bfbd09a14cee2f3eda1a1e9164348d47fdda13b266666bd815841

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
233KB

MD5
178d12458470dbbdc355785d7e6131de

SHA1
97d3d947d8c7e39054d78dede1790b8843c2439e

SHA256
9ddbcfaba65c2deb528f5fa9c19b544992957dafa2d1d424abd4023d80b21162

SHA512
d98d366b45cbb790b7d5f3fe0bd59004df9fe5acd5558840273068bb3c7dd70cfa18378d3f774cc07a32cc6a01c232e323a6fa29bb3fa0febf87b4d0ef367227

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
66KB

MD5
016c2ab822d35ded802a3d63b0e244d5

SHA1
d65dbbc3527e99e4a6af04dc218acedd5bf3a063

SHA256
077c5f04b2f335aa56fd40f1268b051e6099387b3cef708b6d882acf9e435da9

SHA512
87a94881cba622b1664293b059314d8f671845720eed56548c1e63ef2587c550e88ad072d4be5d5c46e1729b2b260c96fa93f71cb6a1af2010ace4cfccfdecfd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
176KB

MD5
94f339f185c4a2ed220c09e7c5266ea9

SHA1
d872a4436594a16fb0b4ac84590756fdbc3a7b34

SHA256
dd79bd802f2134cc54c3e938ecfcd2e2ea0de2a9890c7ca368d0d77e8081b93f

SHA512
0b16219ce7a47ec76622f0d0d00307a7f10702a3c65f90889b5bf0f4bec982e72467674fbf13e236391744dbcfe24aed7f2ec903371c8845bda8dbaf2acd0bf6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
960KB

MD5
cc9b8c198454c44b85a8381ca1fcf2a4

SHA1
678c0d2034d5fa6e0e8acb65c4294fea6d58250e

SHA256
5faad73cdb539aa2c64301874ce4a31bcd0494765b16cbe1abe467e94bc65a83

SHA512
de427306fe7f3b19215e251491f4dda52c4597337c6011c732330307363af8f8e4264533d730a731d3f311e2335a6c186b10739b39b5b89160da003d5ba5ddea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
467KB

MD5
5951ad47d31258ac95ddb54aee8e13c8

SHA1
e8ad351902301e9d803d0527a9319fe6baee898e

SHA256
852765a58e1b8b239413c16560ac4ecd0f501dddc5b426e10e3766bdf4c3cdb4

SHA512
2c3d2eaea34d0b26ec094196e4c5bf5b8d8f75fd226c2fde00db280951019b72deb581faf3c11dffec6c1aa474a74b7cc0e8bfee4052c8de85e3f726032d83a4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
206KB

MD5
4902f91175597063100eba51d1680e34

SHA1
5e6c2b9e479555fcb649c803f258be7d3f13b0c3

SHA256
654482e4ffae284531a8d18a2a7d78d408b5aedceca35a9606616eba4eac6099

SHA512
d1776d196f89ca469017c9cb40bf5e841c58239700c9a3e563fa4fb29f4a33ace59f098432e6312246196070d3262f386ac970c2d7e10068d8f5f9b970bfda6d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
263KB

MD5
f8ba73072202f1442dcc229688d1c2e8

SHA1
06b835d667186ba1009daa45946c0c00bd68f0a4

SHA256
48e90ca85a619889f2bb073b36a1f182fc4b805eaf20eceedbe4c3573052ad4b

SHA512
9071f77a69a78ae40398122025cd319df6579992973c0124628514ab45018dc0a1729cb69ed0c1e2873dabbcf6d7dc50ebe12f144c256415709a4fdd52b04c1d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
316KB

MD5
b0994a0092418fb3cdf869377b1e45db

SHA1
7ceaec529010b8a6a4c57191c8763e995609c6b5

SHA256
2c7d87bacc00fe031a6350303fe9a45273fdd4d32686699cb78ac1b375d99d21

SHA512
1bae0db7bac1bf6a8e2340c766cd1382123298be9e1c558e78398da542c744542c0423074de8132d293b773d29be355dba0ca0284b052cbaa5bb73b8f46cd5e8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
226KB

MD5
92bfdb349a70d7260afb3f0d58a52348

SHA1
03af2e4c0b27697d0fe1c4bde1aa7922ac7cfcbd

SHA256
e2203043ea08bb888f27e63928cf7007b0038201d7c8d5640da3e3513f419b7b

SHA512
7c34d3bf0c5ae13ffecdb73865ff5af31d43d775a3d031ebe1d4f7474e81dfe96ef65281a16ff5b6b1e4cc47daebd74922d9932dbc8041f63c3547c15290f118

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
48KB

MD5
92fa99fe184a12fe69ab86fcdb358982

SHA1
5672b6a369a9f115b5dbf85c095883b4a41bd89c

SHA256
27fd78ec32bff3847fd9d54b012126e9019cb9119cda6df47b2b2c72731bfb63

SHA512
10cbdf1e811a1d89ca4d2469a1547dd91cfd5aa2688cd826f2968a43e2e771dc9df14f869a86d3c541168c21fc65653ea55359a80cc64ff3ce0d93a846b34237

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
61KB

MD5
428da9d67595883b8ce89d20b0b9753b

SHA1
89fc6ebd831ada67f5849bfce953bf9ef85f614d

SHA256
684319559e41c9f3d08254cbae0fccd9f8b14832f2ae536b3a40aa8464fd38ae

SHA512
48a70cc9764b4a1289b2aab4dec5bc8d99494444388103a56f530562f946c81a327b2ce7ba93cd7266399119fceb07f4751f3c48bcbe000d20b4e7ee36d2cf9c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
172KB

MD5
1bdeb716101e3358415b66edb6fb394d

SHA1
c2a1cacce1b21624466d760382ad23ef2a700e2d

SHA256
800ca87589c5044fea6566d052107084628517a82544b38b010cb26e7fde1b08

SHA512
823aca2762f0966c06e3a71670334265c0b72425bc37abf918dda7e7a5a6e00018f1dcb0623da5c1c93bf9b04995b46f07f8bff5d12ea9de48a9e61f00746b73

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
207KB

MD5
eb58e6a78e80bce5419b15323630505f

SHA1
a991b32094c91e02aab8842b8425f77dd3e09ef1

SHA256
ce7d5700eafae942e9e45b4a70cf3334e761f73bddbd8c91ea0c17efac923590

SHA512
967bf5d70ba52f8dd33e86a4b98171524d2f68065dfb2f1c1bb861bd606104c21b145b04232d6c0eaddb62486b6cb17dd441691925ec11b7181eedc25a951c7b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
116KB

MD5
16afa7baaa1891f6e03814f4b0b770d5

SHA1
966ee499e0cc90cac95f8c0bea8a09aeadaf263e

SHA256
126ea27a4d85d303f2f2ae32388cf3eac2afe1022f1bf862fd41388029601804

SHA512
8c23803d326a6ddf230bbb4c840439d83c9ae20c4a194fe2860b54f4cd3c412c2d6ac12d9721725f68be8aec232bd499c083a836c0f32a7c7e090f491fc8ecbe

Download Submit
C:\Windows\System32\alg.exe

Filesize
67KB

MD5
1e613dc488ebca7b69973c599f05af41

SHA1
996c14744effed7c9e019090c4eedcaf051298e8

SHA256
953dec1cb7324b7f55782a468c36ba798cff6dc1565a70988c0f09f1f37535c5

SHA512
e8db982ef3594c988e6e83c5e5f8490cd41465607a40df9fb441888e50430756ee0db3681140d65685c41054f5cc0a20b3dcaf2e562a2e9b2b749ec6466fe6b4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
293KB

MD5
1ad95081c759638c4f31f651c8964091

SHA1
8b24e5109c379520c432cefaebd19b8adf48be4b

SHA256
87ee78c1d377bce40e92c560d5c9f172d287f64a372c097ed59825d94836fd7d

SHA512
5dfbf827c30198688b1d6e7b015f051ae3fd01a007d397c3054e8133271a76db328c27aa960dcc03caf28635cddeabcdf3ad33576b143c2b1e2eaa14fcb8af0d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
76KB

MD5
a492829940a20876a3fec768877b8934

SHA1
e7d15eb6a573ccff78e124d9c5451041f4e6fea2

SHA256
88613fd16d8680d1aa6149f0dcd0382987f93c28511791bd0c21977f78cb25a7

SHA512
d32f2a4ba622f40eb59c032c08581ee50a43f32e4115f200ff24eb248d9f1bb03c2677a499bd988f0fc8bdd2644f9596f500b3e9096ee8698fd2ceff72caf9f3

Download Submit
C:\Windows\System32\vds.exe

Filesize
208KB

MD5
d14bcf193dbe8d4f154536f5042dc0cc

SHA1
320107001bc607a24789398879e11c0cb8bedb5a

SHA256
6d0ad063e04ae78c442acb5fbe724a1292f5ab9d79c12ad18dcfcca9fa083ffb

SHA512
70799ec8dca4c5f28a008fe7bf03e4b12ba5555e86817fdfa6ed1450017df3b788dcec5af2a0b89af81710ab9c83df2c59ee1c730c8eaf10f1ed6bdcbc90d97d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
57KB

MD5
5ac6b692fc8af531c5be67593bcc2a77

SHA1
e3cf73711727fa280da7b85335806817a077a50c

SHA256
921f21109b324abada6e28eefc618c366258a8837ee50bcd116bd573d9441f3f

SHA512
ba7475c1170683d4cb2db64cc61497ee8cd8c4ac3f0cc52af6d3c26bdbb6096793bdbc2d90088fe8be4d150cfe64f701b2bd335976d35ca7bcfa4b5b5580e58a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
169KB

MD5
6f4cf3953a4a1c1e4a1fd796d8f5dad9

SHA1
399c75263ef9edab64bc254d61d9811a53db6bd0

SHA256
daa67601c0ae460a8fa50b4759c54ee53cbf1632c0cc8d76daab034f6806e537

SHA512
328c259d835e7767e297ddd5f661fb5c20bfd31f7a7d9ef0617144fa256890d51c730c11fc1955ab152be5d17a0614bc9636d91473befe6ff9dc50a47279f7e6

Download Submit
C:\odt\office2016setup.exe

Filesize
160KB

MD5
b3b99ae7d3db5a5bb54e03ea52f15254

SHA1
7a8be2b8aac6bb288358c4833101f4d187731127

SHA256
e47d5287ccfc3d645257e5574c45b222f340bf8cd116de7c9a4d0b7fc1121411

SHA512
66aa80ada0adcb6a4a32dcd745db4388a3673ff62f1200b81d7c965888cacc2fa7f33dc4391d8f44ce99ccfa47a52d2108b19453f81ba4ef9caa5de088c43041

Download Submit
memory/240-0-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/240-16-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/240-7-0x0000000002290000-0x00000000022F6000-memory.dmp

Filesize
408KB

Download
memory/240-1-0x0000000002290000-0x00000000022F6000-memory.dmp

Filesize
408KB

Download
memory/824-320-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/824-313-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/824-378-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/1428-294-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/1428-358-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/1428-349-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1428-284-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2064-554-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2064-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2064-417-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2236-50-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2236-63-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2236-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2304-386-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2304-446-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2304-379-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2320-364-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2320-299-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2320-306-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2368-271-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2368-280-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2368-337-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2408-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2408-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2440-310-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2440-250-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2440-243-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2440-244-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2652-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2652-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2652-332-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2916-442-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2916-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3220-561-0x0000012AE8E30000-0x0000012AE8E40000-memory.dmp

Filesize
64KB

Download
memory/3260-373-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3260-433-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/3260-366-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/3448-255-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3448-269-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3448-262-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3448-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3448-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3860-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3860-360-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3860-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4044-400-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4044-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4044-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4044-405-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4124-238-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/4124-65-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/4124-66-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4124-72-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4276-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4276-469-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4296-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4296-227-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4296-15-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4296-14-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4408-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4408-27-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4408-35-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4408-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4948-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4948-430-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4988-338-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/4988-407-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/4988-346-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4996-456-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4996-449-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download