937211f3d4b287a83ef01c543a6b9023f11ed4a7ff388f51fb115f60317332a8

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

937211f3d4b287a83ef01c543a6b9023f11ed4a7ff388f51fb115f60317332a8.exe
Size

706KB
MD5

d77f77546235a7d7c00c49d52165eca4
SHA1

7baf935bcd445d0c9888a93b9755ebc973aedcd4
SHA256

937211f3d4b287a83ef01c543a6b9023f11ed4a7ff388f51fb115f60317332a8
SHA512

cef5e8c74078ca478f68d1e1455fa849819892df4d5fc6d23779b84c3f77f27d4e354b7950b81aecf84ba6ddf65ce8b5811acbcc08696483aad214c113104424
SSDEEP

12288:lWiB+tdvvD33nzrM0qyLG1m8xrwgIYtlSRitbVRvOTeuE7bVqJ:lWiBCzzY3MCTScVRvOTexb

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2312	alg.exe
4488	elevation_service.exe
1384	elevation_service.exe
2028	maintenanceservice.exe
3976	OSE.EXE
1776	DiagnosticsHub.StandardCollector.Service.exe
4012	fxssvc.exe
2368	msdtc.exe
1164	PerceptionSimulationService.exe
4456	perfhost.exe
2236	locator.exe
4332	SensorDataService.exe
4568	snmptrap.exe
4592	spectrum.exe
1092	ssh-agent.exe
2660	TieringEngineService.exe
3352	AgentService.exe
1616	vds.exe
396	vssvc.exe
3984	wbengine.exe
524	WmiApSrv.exe
4160	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\babe1a174d74bb6b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	937211f3d4b287a83ef01c543a6b9023f11ed4a7ff388f51fb115f60317332a8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BDAA48F7-DD30-440C-811E-DBC3EB54B114}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093039f98c852da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f32c6898c852da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e815b298c852da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa75f298c852da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4488	elevation_service.exe
4488	elevation_service.exe
4488	elevation_service.exe
4488	elevation_service.exe
4488	elevation_service.exe
4488	elevation_service.exe
4488	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	236	937211f3d4b287a83ef01c543a6b9023f11ed4a7ff388f51fb115f60317332a8.exe
Token: SeDebugPrivilege	2312	alg.exe
Token: SeDebugPrivilege	2312	alg.exe
Token: SeDebugPrivilege	2312	alg.exe
Token: SeTakeOwnershipPrivilege	4488	elevation_service.exe
Token: SeAuditPrivilege	4012	fxssvc.exe
Token: SeRestorePrivilege	2660	TieringEngineService.exe
Token: SeManageVolumePrivilege	2660	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3352	AgentService.exe
Token: SeBackupPrivilege	396	vssvc.exe
Token: SeRestorePrivilege	396	vssvc.exe
Token: SeAuditPrivilege	396	vssvc.exe
Token: SeBackupPrivilege	3984	wbengine.exe
Token: SeRestorePrivilege	3984	wbengine.exe
Token: SeSecurityPrivilege	3984	wbengine.exe
Token: 33	4160	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeDebugPrivilege	4488	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 1568	4160	SearchIndexer.exe	110
PID 4160 wrote to memory of 1568	4160	SearchIndexer.exe	110
PID 4160 wrote to memory of 4348	4160	SearchIndexer.exe	109
PID 4160 wrote to memory of 4348	4160	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\937211f3d4b287a83ef01c543a6b9023f11ed4a7ff388f51fb115f60317332a8.exe
"C:\Users\Admin\AppData\Local\Temp\937211f3d4b287a83ef01c543a6b9023f11ed4a7ff388f51fb115f60317332a8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:236

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1384

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4216

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2368

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
101KB

MD5
af522aac6d1b47206f9663a02c6c38fb

SHA1
c868ec10e8eedd442300183946960fcced5f1f51

SHA256
5e7c98bd741a9b1308886ca3da21c962ea039fa90e20d6c56887a5fbee71e210

SHA512
784c750f8e0426b0402d5914ea95b20d94280f694275de696ffa09adc083f6cfdfd0ebbeb0f42e3c8f12d034a8c533853d172f2badef870a65de1ec8ecff2f57

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
371KB

MD5
2635005c436775464b3a244e322333c3

SHA1
b3806984ba639d5e88429bf24a4c123c7839a4aa

SHA256
6304d6804ae6ac2fe7fe07567e26c18e1f356733ce8479d049e578d457955cd1

SHA512
80fa3fd9f8b0c6af19e0abab9ee6b1a0e6e36e35c5767d16c0461a0482ec833c2af2bedcdc4c70faf8903287d79be4384c3ce6307947065d6e0d8a1567aee496

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
442KB

MD5
22bc912d7e841892f20ea982d937cfe8

SHA1
ab0a13d0846d3c0357320a63794f03674b8e6b8b

SHA256
16eaf592fc1ab41397d3a9b4140522e18cc12f8f8f5d756e0df4bc1fd7445951

SHA512
0f09a093c1814d7e508d388fbe7abb0777e6a6ad61f4337e54604c3b97de0c8b463bc837cb167833ddcc38901cfc2614dd37d7c9f3e7025bcf4af907d34cfa4b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
53KB

MD5
047fd0dc22d8d5c19efe11f7ffc536af

SHA1
438ee17cd7ad8a4d276feb2a78bda5caaf9393b0

SHA256
83e9cad88795672fbdb386fec8c0bb00765fb7d5a2c2cb1cdd23728826190195

SHA512
65f51ef80fc0fab10a5944362c298a02345f160019b9ad7c61b5666b85241824023d764e00ab7649d591bde7f204ba9a9c440f1b3da8488e73702f9d5996740e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
92KB

MD5
a886bab774957445b44562475c9991ea

SHA1
a2017f791404ed266d2c743f3f057ec05247ea59

SHA256
badc0fb27c07f1592fc01746f255fcdb93c7e32f5aff7e8085a2f8915faa9a84

SHA512
136ac6f651f0b91844b2188292b9313d30d2a464891d817bdf6250a1f0af9ad4bf735173ea7982fe9b542a1692fbc87e0f73f6c872036b92dff4a92b28b82f9a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
32KB

MD5
32ac81fca2634524caa9337140a207bc

SHA1
df22ca5a0e6b5ca5ca14bf8920d6c426e802136e

SHA256
989c44af8b11fba2f1c8a7de670890cb643cf39f23bad63a12ce475cef18034c

SHA512
6ccd22f076bbf5e0dfe2ead3a38af85a46ce608ef64d584524c7f160921ce1d0e8e36a631ed1cb789f32eb4346168c63c85533a41fb03b20d44c283cac80449c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
57KB

MD5
59b3a46ab47ea7804e773e5ec578261b

SHA1
1a60ca989ffd02102ef668303112df7e62c3ae4a

SHA256
463394aaeca41d0b18469365e44da4f5a7ac6f4752b62e9b443a1dd718330c53

SHA512
2547c78c7b0ced087d16e0fc9dde7fb6b6b3800607edd29688cdec0d0ead09f1de003a5ab81ace6de330625543276a1eb07861e0ac128e4d8307c6a720accda0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
67KB

MD5
522e7da5fe444138c0307619a87a69c9

SHA1
8ea5ae1ab7d07f1f78655a234189bf3d979aa6b4

SHA256
0fffefe4eb71c79ccb6709518231d20e8003264588701a94e00b136bca32700c

SHA512
7622acff4d93173398f5d56214eb6d98f7ed30458f231bbf1af7a504fe6a4985bd62158d5197ac5f9f36c3bd93471df5ac2d97a20b9d3243d3c5ee87ebc2a85b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
134KB

MD5
2d4b1aff0a89dc0c6b3cc3345daf822f

SHA1
518e051b6116241ff4ca344f9ee32a7c20a7c8b4

SHA256
a7395ba99a02acb7318daf7bfcb654575cce2c6727d34012a0558cfed6348b79

SHA512
0cc6d96f0cd8d5fa8fcada21be929e0938912a7443c7efc4d35880ec6045533671bb1bdbe41e9f48612fd1b67257f73d36dc29b90b348f5bfdd3a9bdbb7edf3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
80KB

MD5
70d3a2e292c81648a19ebaa68c217bf4

SHA1
d056f5f204019939730ca97b3ba4bb35073676d6

SHA256
061773dfccb7f72fcea6e2cc3cc223fbf27fe6931e1bbb90204344c1b7fbcebe

SHA512
5b00505a9d4a5d56fd96350c404fe71c5bc1941e44c7b6adc0806f38b60320822779a4d499ca50db0c65d44bd60e04714d90ef5f370e764128312275f74815a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
144KB

MD5
22ec147b5a8f383251ce317058029610

SHA1
966c92a21dd1fff655ab4ac66b52cb5d9b263fbf

SHA256
22c603a5f8fae29a6d20de66976d0681b7ce2749019423e6059b29c529f8f621

SHA512
9b03d86baff3dbb08008295a53570adb5b650bbf2b831d59c4deba5389f92f6777841306d5029d7d785d89a3fbc8f9ac1572958f4a08c9f1157a7aeee8f682b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
115KB

MD5
d03f05dd4e1143fd7ee3e4885125bd15

SHA1
0c37f00c72a4c2cb7fe0c59387e379430d2682fc

SHA256
16094f7e006e99de5f8ac5b1c14003c403034805766f35df73978a5ce609aaf7

SHA512
d80ffd3a91331e2abb4585b02cad44fa2e7467e2bf34f5510dff5bfc6b5afbfadd1e98521e4d176d08425fa890c83d4aabfd37ed77abf5451aecb160103dd90e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
84KB

MD5
d9f66425f4c24701dde07ccd3ef2627a

SHA1
18c12cb586c0f91a53a1eaa4aba0946ba442711f

SHA256
14411c033960c7bc715448d634ec255722392765e8a0dcf1a132e5480e3acd07

SHA512
fe360bff846f681f17278590169971a272dbc93027546ce9756a25c972f97f4d4e7dd654747a0467cd19e23d6b8350c185b3ad94ebdfb4ad21c9504d5395c557

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
293KB

MD5
053fe2d18130e3c5c903037efefb6bd4

SHA1
63eb68cf671ebeda0a98dce7ad9d84de06db2521

SHA256
2b4a7d51a01601e9b9d308afef1296542814d9d8d063b0a14e034fe50fedff04

SHA512
a1a1900087c55a02ec6cbac4954feb57be0e2e0600e8ef12edcce80fa692edc0039b8f5b8ae6506cd2f611f8f18aacba516e8d37ca41a5bd66b0d04d593d3905

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
105KB

MD5
d37d34ce41f88d8e864495454d469715

SHA1
08bcd8ff0ac1a30db2927f9195ecdad1b4beb027

SHA256
6c8eb01940f72f55ac68f22f0a76a2ccf6e5dc22d8a9a3898d9a72afb4485c9a

SHA512
25d58f459b624d6280bb69e0174a2dab5fc407f4481f4fd0c349b7dd7d01444a3b4a86fc1776ad3184bb428fc8e9039fb517924e0472ac4c1c91280ff73a0161

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
88KB

MD5
a1fe7566f840ae1cbc821c316e620cae

SHA1
aacfd62d3d78c5a1a165992d0b5dcc3aa7f3459e

SHA256
253c7b5a8a4f70eace6f0adef7b6c079ea8fb5cc224d6805373f41419c07ef82

SHA512
1192fe40debb1fbdb873350a6d5f18ca2024b4d5f67260d66d2d3311f728f75a0b359b0688c110e668f53102bfdbd1f9ef7f3c8250bd6844ac520e6e4399844d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
104KB

MD5
8925aca6c7093f7846fc73fea1ebbfa2

SHA1
db0028220c5e8f7b843e3962e337e27a17cdcda0

SHA256
298370df8960ea0419bd250ff81517f9400dce678d341c93f293347369a2c5bd

SHA512
64c2c78f5e48e20a5c2b8790c92afe3b28af939ab24e7c0e4af2bed8f92c9afc56f79ea2dd15ea9b6f92b8f7800798f7fd457b3931e7ac6742f967a10b1f20e6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
19KB

MD5
1ee21ae3994395f290764dd3f4ff58cc

SHA1
08652373049e040eac4f656dcd5f9f0832a96418

SHA256
d590a7e7d6ed1a7f63d1986811ba3fcb3a8b8a2bbdbde36502653862d4b4efc8

SHA512
0631882bda0d94b2ace01070385822c59d7284cb1744ce02ba482774790bc02a992f2d3bf3deadb27e6dabe5262b6562d174f854a2911b6d75e987b1416208b1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
153KB

MD5
66ce2f7e76b53f7d8d9d13b18dcbff67

SHA1
46cccf2d95055f57702e8d5717e9f3708feeb737

SHA256
405f9fe5a11b6a87aefca21af927e4d154638b37a6d0f8684d7d152f16c0fe05

SHA512
d104dfdfd7a9d9970ebad2cfb46cc40cc2b8536c73da62c6f6217bb1a50cd937b5acaf28c186f792c77381f91dcb0a0c0c416c3e9e9d9fc59014c9161563c00d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
182KB

MD5
b9c645807b3f45503e15b3aacc2c95e7

SHA1
3201d6a7c55a769ac5d4adab4907c273d1c79853

SHA256
172c6e86f2a6937488486a7ed05225cf222671e14c0fe9acec0c2ffa47bb7142

SHA512
2f8b5e3a7ed62c14a81e2d2347bd3302dbb28a85640ab19359826eabbe54677c6b078f2d85d069b0dc9b1f15dde54bebc8976ef17a53918ab8e666aa2bfda8a3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
152KB

MD5
3e67b7153c6b73fd91de1ac366eff735

SHA1
4570ed74db77568ddbe8983954fc00da3c1e63e4

SHA256
08efff8489cd4a9bcce2139a6e1f6c15bb2d9e2b48b254c68e403ec83b90c708

SHA512
7b90c1f8c9d53185d8c1e99c3d8144fcd52525c266fe3637f455d81bd86ad3c56bcaebca6a0aace6367d4bfa46a4794c4e848db55775588e6f1e1390204e9761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
100KB

MD5
a740edb10c848eb794bae07e8631e0c6

SHA1
0374266a74b6a1cfca4885927cb97f83bb50e32c

SHA256
6fe57e233c1e56c47d2c50fa583329d84baa2c4dcab51d4715393933e8a24c84

SHA512
a5c7a745d8b82e0623ab49a51cad62a7ab572e9de4afafd028d3d49a507d207a32a1d3c3785ca94744976ef8d4529482c408997391f9998519a73ff1c3a8c107

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
196KB

MD5
f6b0575cc65e0e98c904f4a99a036cc0

SHA1
a8b86163d8fe4f2a64eb032f418a36045b71c4d2

SHA256
6ae3a6945de5dd5c3f480ea1c46d5e2db1ada2c075ede2f7c604db938e34828b

SHA512
ef45de57d925f9b5a86ba43d6be768ff69db7973d554a671844bbf8a0dc2084e6ae6382ef2ac26f5cd483ac290b37d684c4584d9b18bbec8f9989cc350b4715c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
167KB

MD5
17f9c6148d1100f7768781e09e4b8bd4

SHA1
3dd2c59a0d47f8844ee5cdcc390560051225e5df

SHA256
8923a1606a2c4190f27ca475f177be5c7801bb845891f65f08e7fc03cb717608

SHA512
4fb1b60810b68b0345257e9a981f493cb2f7fcc200f42a0ca43c8307016dc1dc68bfbe765d123da7e697809a1f516d3ebc349e936596d0be817a479f6007fc1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
124KB

MD5
3b3e603f9f9db02df7f46bf9b55a1a9e

SHA1
e13c53dcbb949117a6362372cff8aac126dc38a9

SHA256
3d9ee2b24900ac27a2511e2c8190ae6667637eb4c56cde581dba2424fefc5ce1

SHA512
632f9e5488060edb4c484c0d9c0256c5be6599f37a4b949a66e5741872b207bfab83e3fcb707d277286d128b45e234eb003d634d147221fc7e992626d0e17e3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
92KB

MD5
6668d3d2138a3bd77cd8f5e39c6737bc

SHA1
0edd8d038bc2d31d54d5e6bde1d1f7c349876c0d

SHA256
c0eabee1d6717ecd44f3c5cac89b0684ca0b954d818851e91496bcab8eca2fe1

SHA512
5e70a5a2313ba180cecb1028e13e0d3c07dd1cacda2813189b79e772c67cb63de74fca97aead3a8780ba42d03370b9903378c20044c24f46433d77b469552db4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
72KB

MD5
81f081d368ddefc39b35c7966e2295ab

SHA1
a925d34b8548eddc34f770bcdbbf0c64c5ede70c

SHA256
32b7c2c9ea7772622375e8ef26be74c39529f3b57cf306a0c4f033047cde1e36

SHA512
d13d35383b198b1e54440b345978a6652630de044b749115ad44090956afee8642a0ad5423ccd5c485930c1cf46799fc078cca215ebb11a80b93f16be58e52b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
92KB

MD5
b1a1665abe0ea648684969a32a530876

SHA1
594bfa3e87dc11781d1b2155fb47485c38305f28

SHA256
869cb0489ce6ff2fae20a5e909f4bfd603a0a1bc230c78fa420331af6d59313b

SHA512
13b1d970203d844d1a9dbf3996612a9f659b379a30682006de85c61f31e76d3dc76e60ecbfe40f4f6eb68f4ae4c701cc73fbccf38220f8c12d0efd2eccaebd31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
59KB

MD5
09410272690f971e03a848d1b98b41dd

SHA1
24d2666e0f87bbb98c999d11dac09f8ca2c30f67

SHA256
e93487eeb0429f7f9954efc150d18394bfec990645cd6a937e09da9c56d33c3f

SHA512
6aa2b539541c54b661794d354cadb9749b691efa6f9809acee8b9ec9a6a60e823e34160beb39aa56530f4a2883ddd2140832810f646e61489d64b98b44a12e6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
99KB

MD5
168b53876ae29d77c156d3619ce045f0

SHA1
d19f7e53b1bbcbfa9c3f5717d9fb2747c2d4a8b6

SHA256
c4d6fabf250aa91e9dca7e051cd62291b0a22cd6871c2b09dd70be3e939ffd43

SHA512
b9f3cb028867cdbff6b529c45a5537aa01efefd1b5df7b0ee21bfb4ecd8b7e383d237ca9df42b3cc2b11f7ead67d6f7998b280501545810c9f2e99ea245e31ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
93KB

MD5
04fdf0dc571e801670e807911e2ba8b3

SHA1
ab89948abd8d8416641a4610223885b543e9bb50

SHA256
d482546e4a1a60d3be5e1dfe0b0e4455bebeccdfb77fe9134d393f1367f8b284

SHA512
44a65192ba5204684102dfd6bef0c223a9e0fe01f3338193c5345e9ce1d6822fe0f46f637c860921e1823fcd85bee0c69d552236063fcf911cbf0c5eddf1f9f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
118KB

MD5
0eb3408979d698366f2c77ae142bf306

SHA1
6706191752edc31580f7302e808fb5b2eaaab603

SHA256
6fe19e9f32147ac89071f78db5d242ed3bbc8434caff2cfb933936d825eb423f

SHA512
94edbe5a6dd856424c27b508bddcccf00c8a6d5a98c9db888e639f30ed8d692ef84297af5e59cf656ff4c24c7f19277d8bb3fb7ec7d5682b59b348da5ea1ba3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
9KB

MD5
c8d77fbc3c8c2d488f13b6eecc2f978b

SHA1
37a8f00c3f8d05836543c499d35a288ae6d18708

SHA256
2e265a7ff569bc120bee5bf427a0bdcbb2e77de5f4000f5c1ee9edbed652ac81

SHA512
162e0c4ff696c007e854ba6120ef690c006b9113c82373c30c46102fbab6060e00e51503ae4498d775eeba22068ea46153c4aa763cfa4cf6ed033dab1c9aef69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
33KB

MD5
f934707b9139da4c31f02344466691f9

SHA1
e8c0361877c18f1fe955d00d78a5f5395f064948

SHA256
7562dd8b6f1930695fffd496045e26dd2d06fd2c3ec6894cec8f3cd93d641c06

SHA512
6e4f3b41f27aa5164eb48efebc33d178cfb172935258070d9873165f5e6d84ffb434f6825bd7410acd2ae64b2dc0dd378e5136296a7f2f0203e2bf634f979a0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
28KB

MD5
79df964ae4654d5516930e4fcc832d79

SHA1
a62b406e074a121336fbfd752596e6ba63248c9a

SHA256
603a2c0a1b677be0f0b7a2d442e6f984da73a5082e822820b0a8358437235c44

SHA512
f3cc3ed080fface1b41be2d0d865ee3164093ef37739a42e81fd7ca35bafa08b035697d32dcfd2fb4bf61bd063d4274efeafa33abb5daae0544c72d41f29736b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
56KB

MD5
202a25473ca156fe8c95ae6eeeec6b59

SHA1
08842017e4ea00a29988833981beb21d1e6ed7d6

SHA256
56826abf5a2c9c16961bbf94af8a75c13fdddc49307b7b4e8e1ffdf2e49cfb84

SHA512
bb382a9760d2e7cc3a6b270ca12f3697969505395b8cfcbbada0db0cc0a1fcdd0b1798b0cded802be2c279dfd54e4942a059354100a55bd061ce6560667b179b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
61KB

MD5
6b1a837e9ae3b78964038f7d9012dc73

SHA1
77b9fb020dc02b86bdbd89ce4a22838355963c0e

SHA256
8c763f72b40d410bbe8079ac7fb0d3fbf6ab6fe7b0fed6835aa0f8504d613c0c

SHA512
7485f89dc4e7a8cc8b3d563a963a977cfb49a54504356230f00ff6751a2f23ba222d26b19c630d19087486672ddef6d0a3e5ad899adf35770149feb34ae967ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
46KB

MD5
5d7f5013aeb3f12c2fef4b331b705d4c

SHA1
48dd6e50ba69a380ece55110c06d0f79ffaa78a2

SHA256
ae088f138b53c341f634a732c8dd271e4cfcdf56d6598caa1a7fbcc627743a70

SHA512
bd2bdb9a012ee69a71cd48b69047e133c72bd25b0b49c196eaabc70ca734666d8785753e0d42866b46247ce198bcb4dec87dc67c6abf6fdfe8be91cca7b59ec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
37KB

MD5
b539ffa00c4f2a8335a7e213d8737a75

SHA1
c4a2d66f2e62f79a613262747229cf0e782ed6cc

SHA256
9ce2e4fd62da8ab524d2bb6b86a122d38dc270b932759b1fcfb6b2167ff01c07

SHA512
ab4ef4d59214be17efdd72337c2bc8cf8026fc90fb684431e1a5495596af05c4f1041ea84f98e46343254bfb79123163c77ad001c22d262931278aba8dc08345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
59KB

MD5
9b0bea662f7de4ceac15f1bde2825f2c

SHA1
f64e5699f69f4cafac94fe03895d26a01e03316c

SHA256
06aae3826b3aa10ef1c9bc4a9c59915f1ec9b21dfd51ca5deb1ac3e3d12d89af

SHA512
c014af551b4f9c0b108b54f4ca03ad5c7dfec88ffdfabe32fa30bbe3e54fefe0962d6c52eceb99509c823c3ef1e3c7450acf9a87cb2a31afa74204463ea8b032

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
4KB

MD5
0cd6a8727df192793fa6b3052589af71

SHA1
b5345265fe16d72fb778c52574d519c793181dc6

SHA256
c491013bc0073def8d01eaabd00e17caad82a67555523af1fdd5598e818aa66a

SHA512
5bad7c661581760fc2e0643a7977d24fc26a0de402a662ceee41874406436ea408d6cfe58d7540248fbe73650909cc42f1c650270fda943e8f4ec9954a9287a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
13KB

MD5
eb50cefdaeb300538dea2c6e4e130597

SHA1
cf5324ff8f2b48602e02c0d87fee1008c9201ff7

SHA256
af9c57d234a6b31f0f5ba0b629776a108a812c2dadb143e043b3ab7dc8fb1fa6

SHA512
b9e027d144e93981810a71141c6613c8390c26844e68ffb39f8dbb98c685769c89c1fa317aba427e726923bad59470a1b7d92f5d4d8f1e7fcd19904dd5720271

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
46KB

MD5
f4626ffbb2f74aba6e911eb5477f29fc

SHA1
d61f3d936cc1d101a0515ee776c7808d50b61075

SHA256
1ebb58b9bb3e4c5c416f9520d6f75244f9785b17a4e836a92237044abd4b2827

SHA512
975b8853f92087866fd78b29207a9f7b377756f791dbd636576797e68a3a64b5c31a2083801465b0b5ebd6f397880f106fe17b833359c0bbb006fbfd06166542

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
115KB

MD5
d07ec6497da7cd16c06ebde3a7b2b9de

SHA1
2f145311711d5653f576fb76996422515e374561

SHA256
098cd1884185bd699b3eb1e809905b473a5905b5a1950a51ecea1338b21e57c5

SHA512
0b1bb0d1059186f410f50d33aa9d23fad1349f9a0fbc7b8f6a1a28c72b6f2a64cc95054eba8e9e0c38e94ab6bda34b3c4d7c8fe16584e566bdcd77acc7139906

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
143KB

MD5
f127ffb00dc76cbf27e74682399cd5fa

SHA1
3e2a4a8adc043d66a788c732d014285150a0e6c8

SHA256
c6559bc64f90e868fd9d25ebdda8c2ead8db5b01a0d332be2ec23f119667d93e

SHA512
4b4732d877b968ce7a0ba5fe0f399eb9003ccd7dec0dd3dabb0ce130b55dbb3d30ddbe58ff4ea7f4b456b504ecc56a67e8d67e86dbfc5f0dd159494d48db8803

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
57KB

MD5
ca6e902c9a8a91175548349c96b5d65d

SHA1
2c4a37ab326434badd5d147819c577f9f5eb27e8

SHA256
b4c5821e8ccc656dc716586f6cf229dfed3ffedf81115f38eef7a860e6d537ac

SHA512
1f59af56000f6eece86f16c8afe06ad62e920c1caf962002629a1014a7d490609a2a36ed497cfd7099698e2de8b397563a4ee5cc6d2e8f023352f3c1eea28e97

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
368KB

MD5
727627f5a0a86efe182ee4d07c8af9d0

SHA1
60641f2c4805011198e5a6308298ca446279a2cc

SHA256
f23d0cbb7b711b253ae03dfc2bdc01164eae42256c4255a465bd4da7066c0236

SHA512
f9c7fd2ea2cfa9e5a73f542b9775476e4aec2e77e6cc076fe7566c5722718cab4d5c2a707ff06ac51f0dfd1b9b203b4b19befdcc9a9eb0c7be9eafb1edd15f43

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
113KB

MD5
4be5225ebadeeea0f5ecaf0708ea3f55

SHA1
a5cfaa59681399a5c155f43eebfaa549211e8bfe

SHA256
bbbbf0c200a565fda469bd230f628ee817ad744703aac854124929f53d82fbe8

SHA512
054396e357ab4cae19a569eed345880f926c1a3bf2e090323cd40764785003b0a52b1a89ec0938af5ec1d7aee17c16187c14d6220ad9e5e00bf7cd9cf279f6e0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
359KB

MD5
da1278204f1063650c40af0a483a969a

SHA1
d6b3a115f0a95b901d962dd2e172ceedb37aac79

SHA256
ea720c26c294d32660461686d0717013ac5f569374f3867eb583ad435c3ad080

SHA512
b80f15c672bc14e05dec9c621de4df73d97046676f19b43da5c656cd046198e8b470a09cb72fd774960d59f68076d65151a4d0d7cc661dffbb4243ea5733914e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
249KB

MD5
2dfa23152195268647fdff3d1ea0b0f5

SHA1
bf1bbb8bdcb5012853d45d3d17665ac41ba1156d

SHA256
6eefb0e73d256ef9409ecd46b8f75ff12edfa62d4bd849122928848f9737f4af

SHA512
dac71bbe1326c55a2d0b12ea226246e1b4d3513d2ac1a4cae6104bff8f8c2777098398df19229bd965792cf100a32512c7062d50c0abb89922b2089e78ec0f66

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
286KB

MD5
c9fab03664edf88a894ed4a761a1db0d

SHA1
c22f1760dcca0e7406fd1b3669b42cff016fb5ee

SHA256
892ff4ff4356401a4487c574bfcc6fbbdcff0c632dfa08d7f44445d6acd45507

SHA512
0c402031ea3be2bd27ba6441ed355c45a40ae26221942362b47c089a3528017c755ebaaf97117f38c43998fb00453b2f878db70c0dfe3f05157408ae4abd8f46

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
64KB

MD5
34586edfea5da07670dd193fa25ebbf4

SHA1
3be655c98ccf861d6bd707dcb111d3218b620e03

SHA256
7bb5d68ead6d66e1780005e3c18b16e3fc96ad4bcc602ef850e3ccf6a45f08dc

SHA512
e5fe33c7f24889fa8246ff33f5f1353a9a658c1a1b400fdeedefaf57334faeccefb16058ee1c9c77d070ace8c6d928e71fa6ef71fdbb08a49eb3929fba01e730

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
83KB

MD5
49f8e1cb04241b2eb4219bda9b8e9880

SHA1
d78bf23f9bc35dd4f3f884483e3222c4f2472f9c

SHA256
cb0b7d9f5b8e6d319176c3142a2dcfd9c754439216ea2e3c4afc5ab0042816b7

SHA512
a802199a3e0df23bc233ac8f8255914c05f84c8bea9732c5a2d0fb3600a0f872fc39ac4d179eadb5c7943d98e0af341d793b5df0b63ce2a534ec2d35c04559db

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
182KB

MD5
063f6d5ca8173204085a0b848382a122

SHA1
2af4e996bcea0447ca0545ac62f5a92002b177c4

SHA256
5636b7161b26482be8652aaac348323d72bfdf10bfbf27a99804ed041c528c67

SHA512
4e326d9a8ac035de2723017842d1a3fad31caa67d9392637725094021e485121c3d1f1e248f0d512e60e884d4d581a03c06a5924f39e32c7cd5dd22ca8d8fcda

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
16KB

MD5
9f5595779c47dd09de886a6bb103320b

SHA1
542ef190308153b788a1ecafd009598720ad6b45

SHA256
6d696720229da276b9c322c6fb51fd68137525e3455d7faf4dcf0bdfe84e9fa0

SHA512
8b7049454d8866d602453920fac9efac09a01e6891853d0e1cb129cfd60009614a6f6c1532a94b4e2a6d4b7009896bb98eed11928e103e46ce2c9832ef87ddb2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
220KB

MD5
aa313a247d63137b07e0fdb2a7e38c2b

SHA1
ae1b36974c1dbeaf3676154834e34441b534c0a6

SHA256
38af13da691e84571e863f5de6731251aaebc8c17b5a9959a90fdea5fb3e0d9c

SHA512
17c09d9abbe12a0aec2801e7c82a61fafd7b3dfc70f977806d869d3398ae85b7368491085441db2cb64f53e89020a0955864641520c8b8c918cf800dc0f43919

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
27KB

MD5
1a601022ae55a03f96ae9ffafcd8043e

SHA1
53337889f81aa146d50179f122a419432aeca987

SHA256
3718f4d95b46ae2adaa04520d42b172997afafbb8d68838fb8a4452923934964

SHA512
c423560946912e77c04a6b80482eaecb4b3ce03c4b397ad21c08af4693baa06edf086426fe5e35db588498686ee244ef8842179a1aefb8a9bd7f22963296644b

Download Submit
C:\Windows\System32\alg.exe

Filesize
309KB

MD5
0864f5304721da34eaeba8ee536687ad

SHA1
896eea0f234ee4a00c433809b4a82a04756a4a92

SHA256
a21101fe0bfd214aa0abf8deef73b947e0a7584dfa255fbb8d8b6c6a1eef99ec

SHA512
721944d6c353ab0785f0ac254e1d5b0fbf63ef5caf0f8a5a5ff0374dc8258b8b732d02c4e7e533e0b2515616870acac6c8a7b181850b003b4552988ef9cf4b73

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
249KB

MD5
c9388f21b33e3bb13af24f913f68eb84

SHA1
f80ca6a5eca086e4c3ef5bb70e06d07a9c35e486

SHA256
f8524cb580bdee2c01847a6e7f235673eaafb09e0c927391f5a97fc7c5b53f75

SHA512
9cf2b3d82a37a7c7b3f533d91eb2b34c39b2186efc84999cf62995244a365ee74d4020617f003ca058d9e81ff943f4d91956c59b9c7b4bb191e639f7f6c0681c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
64KB

MD5
caf0d9a660cbd2e99876cd00e177cfe7

SHA1
6a1c14d74ff125210d901fb8548d5b72db5039d2

SHA256
e76848c3f22373e4f8497a3b650a7ee0ed7b50108467c98487794789a1350485

SHA512
ac99cbb856685a5a1e66b03cdbd2479bb27cb7f75baf53cdf5d7086e1cc48640d0f5fecb74d2a5227e3c69db71f785bc9672b997a1b9fb035df6b2fc545810b7

Download Submit
C:\Windows\System32\vds.exe

Filesize
92KB

MD5
4894e168aa3f4c6f8c1b43ee2a724cd7

SHA1
4544bdf1fae3938d318c69fe013a7b59bbfac6cf

SHA256
04a8ca82967eaf7bcc45d874781d43f9e9dd090fa142c7b55f93ae9b1e16af11

SHA512
013936c89e06ee1efc43952b802f7ef5c60c9b35cab8f36abfd6fb16175e98f25e749a5f997266b51132acf0785148bd5eddbe47a28cd55bcf9033224d958a38

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
46KB

MD5
2951fb9843709c25f847bf4c17b1539c

SHA1
1a7978fec119baa7990603b728eaab6c9b405fa9

SHA256
22ebb73ba1a4f42c35f255334cc134f86a8606043c9abb46fcdd9e3af9b74949

SHA512
fd162d8c24a3aedcecbbaabc111786876278090b367a4496ea43c89040e7a365569346ecc2ca7715362f3840b8dfa6d7928989a01fdff83d2b2a79a6b55def50

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
62KB

MD5
90b4d5e7faad7a5a7208f28c759744eb

SHA1
faeda1b095e096f66f2c4a177d07e5518bc9412e

SHA256
d77eef6c719fefc01faf7ea275a39d80548fd8fb950a002812c0cd990a10cf4f

SHA512
5c279956bac8deecb6a6171ef14f73a5ac21437d3e97c70dacd3de17223eed2f2d4eee36109ea539273e9f05b5c2050fbc4b1c1402d0dbc36da2867686db54d1

Download Submit
C:\odt\office2016setup.exe

Filesize
149KB

MD5
221a12b8da6c3072ba13e910f27ef55e

SHA1
d92c2df77639ed2aab167f2c3fde312aaa91549a

SHA256
36b9ec3d66098414a64b938f0359ba7ce83c39c8d92de204accb46d410592e8a

SHA512
8f14d91549baf41fbf9eba5034f4ac6f1b3d98e158caa3ca5ad41e7ee836d9ff9a82c677c36ae58895e0dbb8a709f64cfd1a977d98818b00d8b2d5096b08282f

Download Submit
memory/236-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/236-1-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/236-6-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/236-7-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/236-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/396-431-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/396-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/524-457-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/524-449-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1092-375-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1092-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1092-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1164-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1164-298-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1164-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1384-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1384-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1384-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1384-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1616-418-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1616-411-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1616-555-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1776-251-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1776-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1776-250-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1776-244-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1776-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2028-49-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2028-63-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2028-61-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2028-57-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2028-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2236-379-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2236-314-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2236-320-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2312-227-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2312-14-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2312-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2312-22-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2368-282-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2368-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2368-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2660-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2660-388-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2660-381-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3352-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3352-406-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3352-401-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3352-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3976-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3976-72-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3976-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3984-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3984-444-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4012-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4012-266-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/4012-270-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/4012-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4012-256-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/4160-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4160-470-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4332-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4332-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4332-333-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4456-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4456-302-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4456-306-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/4456-374-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/4488-34-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4488-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4488-27-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4488-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4568-346-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4568-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4568-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4592-360-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4592-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4592-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download