e882beb7ee1e6a3e5f4cd98f8de58ad006d4f4e0d432f0663d6af89219e0cf27

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e882beb7ee1e6a3e5f4cd98f8de58ad006d4f4e0d432f0663d6af89219e0cf27.exe
Size

1.3MB
MD5

dc4ee4b2f1451cfd441da4bb88f6d1fa
SHA1

927c14c9ac30a3280c53c08df22e46a0d41b6a12
SHA256

e882beb7ee1e6a3e5f4cd98f8de58ad006d4f4e0d432f0663d6af89219e0cf27
SHA512

1aae16ace59ea5675b76ead0427fec845e2829929d72facad63b38e8ee95e7cc07bb7dc80739ec170ae762a2e5b7f92a7f2bf9f4bc3a98c73af993a0df97acac
SSDEEP

24576:xWiB91N3RUDHNmdPCAaq8Nozgi/rE0TOj:x7Z8HNUPCAaq8Wdo0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2176	alg.exe
3796	elevation_service.exe
4180	elevation_service.exe
1484	maintenanceservice.exe
4456	OSE.EXE
4616	DiagnosticsHub.StandardCollector.Service.exe
2632	fxssvc.exe
2908	msdtc.exe
5076	PerceptionSimulationService.exe
1716	perfhost.exe
3560	locator.exe
4872	SensorDataService.exe
1424	snmptrap.exe
4988	spectrum.exe
2464	ssh-agent.exe
2548	TieringEngineService.exe
3716	AgentService.exe
1948	vds.exe
1472	vssvc.exe
1708	wbengine.exe
2740	WmiApSrv.exe
3288	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7e6180c0c98e5a49.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e882beb7ee1e6a3e5f4cd98f8de58ad006d4f4e0d432f0663d6af89219e0cf27.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_106859\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be17c372a75dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015947870a75dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf07cc70a75dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b556172a75dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3030a71a75dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd842770a75dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025f2d770a75dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7606971a75dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004efda72a75dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3b6fb70a75dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfea7271a75dda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3796	elevation_service.exe
3796	elevation_service.exe
3796	elevation_service.exe
3796	elevation_service.exe
3796	elevation_service.exe
3796	elevation_service.exe
3796	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	208	e882beb7ee1e6a3e5f4cd98f8de58ad006d4f4e0d432f0663d6af89219e0cf27.exe
Token: SeDebugPrivilege	2176	alg.exe
Token: SeDebugPrivilege	2176	alg.exe
Token: SeDebugPrivilege	2176	alg.exe
Token: SeTakeOwnershipPrivilege	3796	elevation_service.exe
Token: SeAuditPrivilege	2632	fxssvc.exe
Token: SeRestorePrivilege	2548	TieringEngineService.exe
Token: SeManageVolumePrivilege	2548	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3716	AgentService.exe
Token: SeBackupPrivilege	1472	vssvc.exe
Token: SeRestorePrivilege	1472	vssvc.exe
Token: SeAuditPrivilege	1472	vssvc.exe
Token: SeBackupPrivilege	1708	wbengine.exe
Token: SeRestorePrivilege	1708	wbengine.exe
Token: SeSecurityPrivilege	1708	wbengine.exe
Token: 33	3288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3288	SearchIndexer.exe
Token: SeDebugPrivilege	3796	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 4316	3288	SearchIndexer.exe	115
PID 3288 wrote to memory of 4316	3288	SearchIndexer.exe	115
PID 3288 wrote to memory of 2380	3288	SearchIndexer.exe	116
PID 3288 wrote to memory of 2380	3288	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e882beb7ee1e6a3e5f4cd98f8de58ad006d4f4e0d432f0663d6af89219e0cf27.exe
"C:\Users\Admin\AppData\Local\Temp\e882beb7ee1e6a3e5f4cd98f8de58ad006d4f4e0d432f0663d6af89219e0cf27.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4180

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1484

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4032

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2908

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4988

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:984

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4316
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
381138297adf38fa5a030bb0c6e206fa

SHA1
31e0f874f6c8e1571196215ce8c411b233f97b87

SHA256
a0b87a2be7c1ac7fef72a4e33080791d4a7f92e00dbaf05d720d7d308d7d3cf3

SHA512
7b856267731f4633c112e665cbbb4de167f9e6210938a2243957cdafb176c6ae4987d5bf99e65422b771e5cc772191d36f3d2dcab50af04913d77b0462161a14

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d70db3496105c25360a35b3053a35e36

SHA1
7b66c20854d8f2e0669a10a1be40b4f099872410

SHA256
a52ae149027a336a60c17fa396f8868bae9dfd9ca42ed8c01ffce5d844453f37

SHA512
2d9403a7ca4c5e23b692aebcfecae1480cf878d01fbf4ed7cf9dc0876e324aa1e17c1dea7483637e226fb010d8b0982cdf804e802f2043d12d65cca7ba2f7400

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
512KB

MD5
60542f9a46caf64e963ea82831b37751

SHA1
6562195d7cb927a75e3f02f0f51d7bb8b8122ad9

SHA256
813e7fae0ff836e0be07676b24eab44681e741c2170c43d8082088a46dad9821

SHA512
a23cd32590f99eaca131ce32b71c5283655b4b2c3cd36e58fea12f71fbc7e972751eb61195a2c5add3084e2f722afdc447a5bab4898a810726aa276991282531

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
115KB

MD5
f38dd7f14574d16377058e30ca244995

SHA1
b5850d504e2fc03ffcfd3c8686f9f9211b716c73

SHA256
47db004f11a80bd70bfec1dbc80c9081c3739265a98b16950ba548328a5b2057

SHA512
7bcbbdc96c2045db6873bdead24b6749a362245b023f31671afda39796290839955f12779afc08d96fbb02f02523f2523a9bcc62b5b11a30bfaccafe80b9f3b4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
64KB

MD5
5a4be640ed78f32773e2cb28681fcc83

SHA1
1a05059eed4142cbc18a9044d7f4c35b2edf0af8

SHA256
58ed07696bbd61aa703302047df2271d30425a6311db0c6b68f02a18cff838a1

SHA512
d561bb540b5f1b41dbe7ac0f625eb72658d1def7bf4e87796c0c61df254bb89c7550a1d2fc509b1c0363dfaf6b276f6c064ad43435ee9b4cc7138977f1db3ccc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
64KB

MD5
65d4f841849a980319c958f690070cbc

SHA1
a1dcef07deab04eabf0b1cd645ec731cb8a6868a

SHA256
15d19b82ee1865d6d2cc8fa1c289576a27ae9ecb2ae5b993f57cfaac7e4a54bf

SHA512
592c41e5f0cc13931d832b6cfbb53f4b6b232376fa1826bbf11beae2c6e046114e21326c522d88972e0bcca8208fa7c9a9ad985758b4517a8b2018ba9174463d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
64KB

MD5
2f747719208858fac8ff780be1d52005

SHA1
495f2734c1115056517f951b64e8c3a150900535

SHA256
d8c64fabcaa122ff56dfe8bb978752109efff9a47a5237fe9279869537c89b41

SHA512
0a58e4a7f8af492263044112547b806e1509936fbbc29d23d9b35b03aa5035c431eee9656f634539ede8b03cb4bb5f352c21edc5eb5c167b5d5be05cb44e0337

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
64KB

MD5
b0d931cb3d2ea6ccfaa44f291b46c895

SHA1
25dd29b245816acee354a96db0dc653b0f75bb77

SHA256
44fbf4153c68dc1e5a8f136772e1361d98b30d86dea7dcdf6baf5fedb5a3fbe4

SHA512
80835686817c7b4d918eb66fa7af230a7b52a181a79d6cb3fe2daef4f66abae543ca6cb97f9a0f1292cbab82c90a44a52d98419652680db6e4a0c18c96cc362d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
64KB

MD5
b156de2c33b9b65195aa5b005e1e0bd3

SHA1
1840e225a606f0733e9b946f03d99183a8e09b61

SHA256
f92022040e8bbb0a037ddd545506b4d56a0f69fa2f20c90a3b469cbddb3331ea

SHA512
1579b4bd1c3f4b4e1b079aa8dd7ebd0e1e485e1805d07b9a048bd746146c078054983f48fd9b034c639c409bcc4138f0dab48f5e80220ceafdcb2d03985173bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
64KB

MD5
fac412d692e6cded65787c65d3773cf4

SHA1
3c4e251f111cd2b3f40b21eb260ecf3025cd4c30

SHA256
4908c179004d08a21fddd8d1f687dab21d26d04b4e91c95f30eb5b71db6e209a

SHA512
7c74db1f1f7f56e3524b0471ce3178476809a9bdb4e9c1a374f2347746b0bcc6ad5dacf3035e80e287b6e7f05dc8692551956bafba24e912c42ad70eba294fbf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
64KB

MD5
7105e9169fbafbc3642511b069b411b1

SHA1
8bb1645c16d58c17b6c077add1c97cb0df92dfae

SHA256
17e87cdcb9fc64e1d5bee97ac1ef32a87d41c832914c5d0473e8492ca0992ba6

SHA512
2fec807157c85ee083bf98b6dfa2305e653b4264c9d859ae9deb816b9b7a72322e0de6ef2feecf01e8bdd84da720459697c614aeb84cdd6144d77884da946c96

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2cd044394538fa0d2c95e14389830bb7

SHA1
d52c64c71b52d651c877fdc5b0c1105cdf1f507b

SHA256
7fbcc3b98b3c444963404de25fd7178a2b536cabf1f7ffe864b64f33f224c4bf

SHA512
511d5128aba8c105a428fa1e733511c167d62bee42ef70712804be31a89c1b634f70aa8909050189dc033ba65332e6df8d7fe36a73f329ddc5939420779a1539

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
47c7bfb4491878f85367037ffc2ddfc4

SHA1
180952248021164896789916f5c33fc2f143dfde

SHA256
fa0c6d732de3afa18032990639bde8dc2a52859b76fe025f7d2169bc5e3d379b

SHA512
1959d04dbf0a0c58afc582820259fec120a2a84f785f6aa09303749c85840fe6931bf77ad88296348e6e2ce33f87a47024fe7d649c0b89c30356c872f9d1b458

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d444781a76a46004894df90c302f6672

SHA1
0f0cf2b16585d9de78c6e917ae00f94c2e93af61

SHA256
00cc9ab14fd5333b75839e5e4aadb4ea1384ba4edd879f053d9bfc6f2f34fbe9

SHA512
5abc89b64eeb832596c3d66396545e155ce3b9d84ff591888421952692130d9f3e3657c8c77dc2fc2a12d852e6c29f78bfb33cfd751a4b61644458e5f5fdeb13

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.7MB

MD5
22ab12044053b95401b449c62bfd1ab7

SHA1
1314091bf808b2619038db74df7408d9f121627a

SHA256
1db542624662469c594400fcc4fe3334fdbfc4069d7db586af78b187e8dccf7d

SHA512
1ed8f001a5b716e98f7dfa099e983fd7d91e1d56a026e38d5edf167e714afe31aad0747ef80d22f0dddc1cbb2333d7ba11e83ab1e43fe2abc458f91915bd16af

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
64KB

MD5
d9616216b1816de6df0da8ba565b4c4c

SHA1
4e9c10a286f7dd42237d6d31ddab98c8e7844953

SHA256
700bf5e5c226ee87f02796dc39fb8bda5fe8fe1d9126756175f2d0d2c20143ec

SHA512
dd68f2c0394fe7c90a986dbfb84efb814fb0cbec0318812c2b06eaa428e971c2397b87633bea1eaf770208cc7af7ee23fb8d79f29c2ef232138365f222b06be1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
80222522cc024100d13d789ddc456253

SHA1
ae39c7713e68670e1c213a55ef4d6e91e4e92879

SHA256
49733c0dc0419843b52084bc6f43653058f4e0193ce1f5a462f8e655cb107a32

SHA512
3717f02c345856501db435df8791355b13f8a31bf82308a0c6a7dd43a2687d34906a837b2fa8e1b2591d38fe648c9ebe9ea2f36ac6978edd9ead421208866050

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
88b7c619d8f772bcece32041de2eef77

SHA1
ef88853860f3326521bb673fb7fc5f6ef4bd86a2

SHA256
73d087fe56fc58821b80e63ba624b989d2d393f959b9a8db6ee34162aa6ae71d

SHA512
dd33c0060ca3c9327749d783700ab5984ce3a95c38c283241edba841b4824effd7289de2f9ad0404102526e1fec4b1967e27ab78cf2f6289bb90bf29a8ef9a5e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
626b0539b35cb4dfad518d27b28f1de8

SHA1
8ac71ab95b550bc5f72f3c037666f6c2441e1ec6

SHA256
5b7bd16209f423a9d342a96ad4e53524951ac832e20e2c49a9414cca825a3913

SHA512
7ea1b72b74b134f894eb6bff8a3f821cf5ef5636a20f152b90f0acb7a622a83463e59afd092c79c586635d575007ba4a61a0edcc15ab7b157bbb8edf6b970514

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
b627a2f78f519ec43b5ded1eada2ae8f

SHA1
90688bab8e77107c986aba54e1c00d087c6e2a72

SHA256
79eb5a4db844afed789139790f774e5a0ee7b002ef2405b902dc863ba1c66e26

SHA512
021ae26dfd160da2ce98512c0707eb8bcd95d4eb5a6224fb94337d64a5dbbc0d464cd271022cb9a84f7b10eaa37dcf35ec8f84f2cdb8bd4e49141ba164cee7f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
22b3a0b4057c6d319c95752400229dfb

SHA1
3e43734f782f802dc122be3ac0b1fa62457d48df

SHA256
0f22be9c62eeb34697d72a84739919af9e13391d71dc0abfb35d83767dae8ea2

SHA512
b028f330adc45ebeb382b2cca09bf355a2fb7ade14a17186eab106e07693aec66d6ffe0daf19e6d8e0902a305e11b11b222f73deb3616c0fdf5ab990be329194

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
68c7f2b413e01c673e71d1b677ab5822

SHA1
eab8b0fc0b0d0aa7b3005e3b2d88f22ad4fdee0b

SHA256
ea8f4c336bdc1ea9faa8e4c52f5c061a88e1390e1f4a0a4ee4422ddfb14fdc5f

SHA512
626d9fb042bc5db656fe4345c850b546e2ddbcea37807af25c18d4216adc7221920bde21553f1229c808baa15a24d8d4a29f89e149ecacde19a533ea11d29c0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
3ec61feb1a27408335937bb1cb1d5f35

SHA1
b90b72588576eb36ea40b0a5703157337a1deff0

SHA256
1ec79e7f170db35738e5352aa8ab8313deb09f0cc7b419e2b28e65ab6402d2b5

SHA512
ec40f1336fc040db79539247f082d97b277a3818eb4f17b47abb61b5b1ade2495e4b5977171b44b9d424c43be1329b67960493adc7fabc625e60c6a7a8f3ea1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e1082a18bf1c8b0b944519a1b8bbd666

SHA1
1802fd3e65a5efb78432f22059e3685e50f29b8f

SHA256
a63f1b746b9ad88922371adee50bf420f7726e74d5255b097ef2c352f0e93ee6

SHA512
63fdee0dc5cb8b581260867a2e1ca812828445f9c07b66ca06b2f80f1485e3febb92f55d95ecb0188f97e315baaac382f834cffe615ec183b03d12b2f14af5ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
f6b43bcca2899bf6f91bec7771b7491f

SHA1
a0654798f80265265297ed9d67b9236f55aa6ec3

SHA256
85c47fbb1f7418f2e5a92b6877f3ad0c69fce46adf2b955bd06d088031b2c8db

SHA512
8334a663281c5c2f2d5edbc37db8ca7b84d6c5d1a379ccaf37e3a8f5f7e0c967ef7480d64a731e7c2c873af965cd419488bc6fd4c03103eade7b3449637fc0cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fc9ff9e1669d665c786efbbf06e6104e

SHA1
79af0ddebd5a42c8c75b88e151020043905201b9

SHA256
f643fdb5e7bc211866de5d23d5a22a154fa739aab23ed1cfa2da228938753419

SHA512
6ce0e5f1d2af9404ffe4113ab02028e82ba6e1ccd2350d3422660d229bd2fa3d3700f57921e9d16a774a6e2915ef4018912abfc45b279f36566b61a5a3d8a2bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ba0f48bd464e3174d7cd7d6afd16cb51

SHA1
d378a5f882c7e2260fc35ed016592fd512d53b9e

SHA256
7629426b3fb2128435e7ff039a458a5852e41f6b2c13a9e022d8ebd61b5b8962

SHA512
8266db032551786254d120cd47de2e145e439976cbeea3b6b2e525b61dd8f49509074e490ca21f9bf8339b03bce68230b314b16ba6be0abfa721170b7a2e880a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
3e8a7a00ec8b3add3e4de851cbf46a6a

SHA1
5e44d7bb13e5d5344475e641163c282b35d50194

SHA256
0888141c0544728452456a4eada4826537817f0161c401751bb393c204e69cd4

SHA512
d9c286046221056041d890836e5f2bad084e32150f331ddd43769f02e839e53a08752f7f46a4b1acf160f4a16a7241202cf96c3a4050b344a1a67192a67a909b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
704KB

MD5
4c2afb24586d09ce5b2b2a5e2cf9ffbf

SHA1
3658aba573033071835d0850fd9d0e7a9165f14f

SHA256
a5b29672bab865d7fff51cb721ab311dd73ab499ed3bfbda16b9c2892df67fcd

SHA512
cebb705144d8c0fe463bb1f4df09063a368e45de098071d53ce42c241e3fe37648e0c1e3503ee8d2fd69bf8a31efb80ff4aa9610828ec01881a64d0769445903

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
704KB

MD5
bc9469cbf9b4b6125f2ac94381697480

SHA1
1932137ee7719b08b7939dba0b391408f9a9d60c

SHA256
feaab9ae7e5e2d087577c0910c8d596127fef522f80ae4078a7bcb3ec8480a69

SHA512
ae6519e3f9b829aed27a278033344dad6a939b2e0fb7f273eebf8b0e84044c1736befc92e8f98a35f33c0cdfcb837b9982b517d3bbcb869191c17b516d338da4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
704KB

MD5
fd9f6b997e4b14d59757664d902874c7

SHA1
e1c0f05ed2f720f20521a2cb4cdae0e68115d585

SHA256
ad832068f1c89c77a0450ceb00097e583055a7580243f85f9478c32aa9405878

SHA512
82cf8014349a35011dd6dd6da530d0c69f1b66b8e4f364742e916525c59e2b8c2c818ef4727dbd8a5eb03c7bb7aa491afc082f932536168925cfb9b7cf4ce35d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
640KB

MD5
4840a9fd1eb279f9d9eba48beea48b47

SHA1
09f11620f1ee24aea7af4a61564d2a77d9b5a93d

SHA256
f9decf9392794a91f8c0005d5afeaebce1df4a708286a063b8958131a1e0c8f9

SHA512
5b5d354d9db22081df2d45053d5d4f77a350efaf302995957904b905c9b9f89d6b4f25768c325f3efe8d8811e82a2bfcef528d757b4a701c14e3286e962d56de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
640KB

MD5
6f61b128e5bb8efd5edc313e16d8ecac

SHA1
2ca50e7c88339459043969dc66d48ef51a1d3188

SHA256
1fca67cf3d3e6298fb896890c6a47746738bd8883e2bd12d433d47f825b7c94b

SHA512
9716a1c03ef6fed4d41062970a658dcfc34cdbac250444563381ab5ab8a92a043e55bd18aff7f7712226bb673648a2fb524d18393c947e1ea59f215c512d9f51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
640KB

MD5
d1a00b2d4c59d32327f62cbdce2620de

SHA1
a3578addbd69edb0bee5ebe9f38f2edd8df42d75

SHA256
5a7c14f347a015fb33eca09106210e631f436745b5767db8c75e4e71e874448a

SHA512
048c34bd5f1b08aeddc3a3ef908548c045936000b803fc0c9a67ce7cb42d46b86eeec142cf063a72dd423649f79f596bcb7de59f39d3fefc65ab56b1e95f6cd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
640KB

MD5
54f89dfa4e65985ee9e20ac32b333cda

SHA1
4ac6142ec64a7a3a728a6d7bef4b321343b156bb

SHA256
d326882b757a0641d7ee9a6bd714f4c7fe6f40b6987cf7db56f53ecd90094c78

SHA512
f311b40d0fbace0793f630d24cd750f95f5d287e756a10eb1eceff59f2017dc41368e770ec7e5df4bc2c67609e7892e74585b2e91635b7608622d491c9cd878a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
640KB

MD5
3053d46ed6a43ba6214cf56612497519

SHA1
e8a9e6c09ed5e9b9c83644accbfa7703ce44dc94

SHA256
17014e1da630189acd11706411b60e7be8ef0db41d78eb805c4ba20fe52fb92c

SHA512
e8e7aeb822ecd173a89fe9bd512c2fffe97252ce917c592d4142dbfbea8bbde772d6abe92edeead9233c6ce15c669b60e7ec39baa65d93e906a5c937f7b191a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
576KB

MD5
9f70a7cf0f210b0d3f4727f46cdf03b3

SHA1
035cb762f54461642b1ac16930dee0f2c28ea082

SHA256
3f79eb366692cb32dc47ee4032563e6b174e0349fc154a298b7400456e9c1e8a

SHA512
8eafc73cfdd8c95feefe16f38a9d6ddc7ad2ba7a261b84455fc56661dc6b2b5a9d36d4867a7dad69318304969007a35e64e719fdad301d8b0c41fa0d1487da4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
576KB

MD5
bc12749ee69c1fed5c10f7d21cef55ba

SHA1
4cdea6d6502d9904f8f983d1d87c5c84f5735c84

SHA256
5e0f0e9599414aecc796008086b5210ab4f4e0dacd2abae6db620e52e2bba4bd

SHA512
7b80135e78364718376b6588cd6b05fd2a20deb82665cd4103de558b729041bc77204e0ae1e63e5fd23eceea87805113f366a1c3ba3086787ffc030f7ea4cda3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
576KB

MD5
47a2ec7b73e2186d550612052f308bd2

SHA1
66ff7eb62681590385c26cac075bae055c9cccd7

SHA256
cd4b3e7f0d3cc36f7d9a4e07dc7de9600e1ed38cade85a28f61d82a967d81555

SHA512
6b367f43cefafaa876217b27c9347db3d7a94f0b5e3efd70b6c40d92c4d4afef29b4348b877bbabd7176bc65b6daa09f7594e040baa5d7eed0865c2df9423bae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
576KB

MD5
3bbeeacd1b6361bcc65f534723252ea7

SHA1
d518b1f6effa2e3fd5220bb69b6da644242e29da

SHA256
be8ccf98938d38d99aefe2bb031243b63a051c9d0150e7cf562048af765afa76

SHA512
0bf8aa8abfb3689b553da21fe151c3ddcc8687caa90adb4ac89af8263b71490d289c9efe528267a9139f1f6cb7ccf19176c1c4a682f2942b4a4f15e6f6f93e72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
576KB

MD5
fd0d3edff8ce0b5f8ddaef53c9925aa1

SHA1
1d325fb85f075f8e71e7722b35a2ffe9302266db

SHA256
ce8363155b9030080c92dddd5f690f8dcfeb7c41a1e0e9511ac961b1c6aa5481

SHA512
b5248d1d5e3b634ffc399e6f8ce42d634f9f7c85a79d4bdc4943e53863a8c14738f0f759a26f3cb7fba8383c3e8aa89ef8075efa9f9baced44caf0611271b029

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
36dd72a4bcf5dad2f5bde7200a866064

SHA1
2dc8d4aecb6026d9c8b61fa2654b6126a9cb9a9d

SHA256
092b0d251d8dc094cfb301af0c8be7e9b709c112e0a93c3eceef7d9a812d4739

SHA512
d3b78481c0136c9339a7250848270b87f2c5ace2d836cb92a70ac6aea72824d1e5bf0cd157804e7635c78faba0dac98fd62b006f55605f04eb204e44e626bd78

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
960KB

MD5
47fd9bfc964d8c9f530605e17fe072a5

SHA1
26e2ceac3942a779af90dca41119d3d61dff0540

SHA256
59f666092cd8956f8d8879ecf3a8290c69be578b3f67f2570663cacf2b36e78d

SHA512
e99abc7b6d2ef9789492db697e98f4a4f87154ce95d23a335274634a41a2060e77d827b863b6aa001545b5229159251ac4ee9064dc93a01fa440d791e9e3590f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.4MB

MD5
a40bbbc3c94c0134de261e89a4caf140

SHA1
2e0d1975fe01bf224ef55154078210cb2fb7ef40

SHA256
fe8b273c1d47dea4f91f8c1470f82ddf538f9ec9f41a742d4cc88b1639c129c6

SHA512
4f7c71fb388280e200c300e23621518e088c8ca592219d1bac942a86299c3b09747adecb096cf52b6ac62cf1078cac7282ae842f4316ec2c6884a4993c8f1352

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9e4ce5070a972f36a7131c56b206cadb

SHA1
909d8a1f40a6a4d26b1c2d1d14d9bb737a881df3

SHA256
4f442a1a887e6aca04178c1bab9fd51e0a0960fbae3bd17ae463e5af1c95249d

SHA512
acb5ab073a959a18a78ec6e15f6e2195799eb894481dc62b387f839113fa5ae174a5f051cb1bfa100cc3c5804a0347c35787cf44cfdbfa4f7eb7b018889765dd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f809fae91a1f69ff745781f09385d3b1

SHA1
5ae52f244cea08d19d9b79e4a60114c1b27be0b7

SHA256
bc2a5d6ac9bad3ad63d1cb258f1a5ab2574e1338e451f0447d24d4981755e4eb

SHA512
af7708a8cc56ed4a354797d42153f00e17320883eee2d9105aee3790d4a7f68524ea7e646d3129943b0e3f6840ca69dbe307587358180cf4fdd62f328a5a1360

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
604391691b16fae71eaf84e10af0b040

SHA1
4bdff0486fd19f93d7b3323f37f1ae01651ab542

SHA256
ec5185e752092409bed421ed7e72bbb42fbb183c9b6af3580c095f579ecdb1e0

SHA512
1cce7fb0f8c0a537629f38aec7a23a120e5c6cb0d72d07ee6a56a81c0d6f55b8ec7ed58aadb59eec0e6ab80e36ac9ad38a34909f0da927b39b60ea03f173cc72

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e057468e51ad8d58b8d7bbc519d4e491

SHA1
b3864d2e09db2505cf70646f27301e88482db1f9

SHA256
33820b04e4306093b5a38b8dba7944b8cdd5aa64ba1325426c6196ddf579e43b

SHA512
f0b6cdda74c6670d84e3e55dc83b579ff3de8752fdcb1b9067b5cbd7a6be351b16c93e15c86eb87f3f4b3ace2701c7713de1cb5bc7f00b588c563522b57ee689

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
02b315800d0521711017ec337852314d

SHA1
1f9f155715062bc2799d49d7fb0b73d8dd1347bf

SHA256
4d6facdbe48198bdce35b8b01c2709f950cebd7062c2ac7645589d709e1696bb

SHA512
cdadaba74fe5eae1987f03c6f44359c5872a2e3ae9cb62b55387dbc5760cdf5691c369b012c3356da32161a7af3c0e9cf6aa44a980ae40f29b6ad285345ebcc1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
95e7d9d880adb9fb14b9e5edf324e4c8

SHA1
2e30b44f14b11c6ec4a6c9ab8c1560926574b535

SHA256
8d49b27f88a0e12b79df7fd01663142a6357725e990e5ec335bb27fbd5750a55

SHA512
9ef504b78163585aef59fab41fb9f62c91932fa36a7f94f5ba329e49a2e26fe5d9c8f181a63b14758949657deabff3043c772d22f2989b7070f87cde649b7af7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0f0cac9ea54550cb087fd36a1bac98da

SHA1
e0e4dbe24a7aa3fb150b854f2407b3c6ac643499

SHA256
4283bd7813fa52638a5e61ce0cc0ae7438b90579766c13d51c5994b145c70fa0

SHA512
efd6b48ef02aa1e35b3b0c6fb6f99d39f0736aa89579dad77219806be3f304863ee6b29099248232f54bd92a030c71bce8c3ecc78e1ca7b2707eee630777d3eb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9265713f9b0a76dc62940ff0a432b212

SHA1
92c1b2fa33113fce0ede2c94f0eabaedfb0ca96e

SHA256
0ae9b9f70c4cc6de212f1de6c3c46a930b59a98f06f7b4eb72c2fc912d3786a7

SHA512
ddb663ca487e5797f38bab80b4e4afae786c558ca77311282cbc61b1f864aaa200c07dcfe5d8101109f4ac938c1136b09572450e922bd88eeb61d867fb51b4f8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9273dc84028907bd8129805e46ac21bd

SHA1
baf35b78831c62366e705e19e039d4b4531d77cd

SHA256
679a1f40e47a82b09dccba7a4f9da28a03ca45eb84efba41dc65810372ff6fe5

SHA512
f7ddb3772b2d87fafa5cbd8d42bd1f13a84fad57c7d6f0d6e4964c17ac1e40821d969da32d538604b7329c6a5125e96578c59c30357d199e8090c13f63e002de

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
268ee74e8d6eb4615767e2231041d5c4

SHA1
1f8b9ff818bdbe1d479f32a6106ce1009689b4ec

SHA256
5f91159987de4c49910f14334b2426c08559a2e52fda4e70f9b88540cdc5e7d6

SHA512
2affb94d15aeca8765b9d6f14561399b32f28a97e0c8a357079ac982018263ab67c2f8def20e7ec81d687265a17089b701c5540c9d211908365220d948cb1657

Download Submit
C:\Windows\System32\alg.exe

Filesize
512KB

MD5
1e396faace2720a939e257bb416daca5

SHA1
98f935157be29a73c0e4b33e227db850db78edd9

SHA256
42e3003ed0c4fc8dd585a5324aa84ff8e150be743e8d7a79983eec9ee1c7be7a

SHA512
0d2c5e75dac0c5e222315ccb7e5abfe15f4bcd262fb6c2c098dea24442268bf111feda8a591b2256090687eac5acd5f547eaaa944ba20a29805f93faf01a30b2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b50d634aea8a876f63e766a8f8f54edd

SHA1
bb4e4cc7ef3c9408bae42989a6b347a422050093

SHA256
41db619f4c01fe1488f455742a2f6884495c326e539995546cd409673cdf93c5

SHA512
3c3d7e80bf9026533218cd5948788f2dd9e462620fde0fb977d37c39702a5cd154d1d0a914b9680dc2a76fcb20e783dad00f1713eeec3e55df76973f970058d2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a15d366e2f62a282ccf1ad598bead278

SHA1
1ef5f1e7d7ecf7f03536cb8622750121f0b2ccf6

SHA256
f7ee0e39bf245dff14d5ea0a4b9e85e0f8602d95b97d470bfbdcd37c0bb414a5

SHA512
65205d95bcc0552b57a30e53f177bd128ce4d61bd71a0c4bce53c8007511d7e9f97d5b2f4431a59e0ca4279b9d8739a2adefee031bc238d84e693abc1a870010

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ca4a7489c66992ea97208ddad42eb385

SHA1
33f61728b29ff514058aae1be5127d8a1685c183

SHA256
4bed899f08a72b28cef0057de9a6077549dfc44bba708f070781d1458cc6aec0

SHA512
c0dd66e923b02a428640272cd23979cb5e9d18304d8cdccc4bde13e3056d5310d51e001d10dda8aecfe8c3daa3fd1ca7cf3eea16ea494f2a70488b95303db63e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
48269c9b389de77dff0816e55afbf5e7

SHA1
33e0a87ee7898b445a3c9bf54639d9b7ffb5e706

SHA256
9b20ef58f0302789ca2036f215bcc6f1a8db9a8a3d20a957802080acffef0614

SHA512
77aa3a5d7e3a774df075a7cb101a9687a2de8e30ee962ad6db855192761916550d62f316cb3e1b986a92bd1ea25e88383ee40697cdccc09aaf160562f43e4f54

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e6df6278b02d04099d8a4e4157e39174

SHA1
c00ff7114cda9c9a7fc8d500a37083e8051362ff

SHA256
c3a787beed158e9bda0959b835e6ae45d7e1f5959d29619580e23bae5dc7eb73

SHA512
d25c5415adf6f3c9a9ff53449ae6969024cdc5cf5612778461f035ae84bb383d6fa2080db43d3ad3e47eac462c6e1471751878ecd9383153ce7c1edac3b4b1cc

Download Submit
C:\odt\office2016setup.exe

Filesize
1.4MB

MD5
ced9ed6e256572b92f16510718cb7b3e

SHA1
2a126668cf1c3069b77e8d3279e26fa969fabbfc

SHA256
190edbba489e8e61d802bd71f48d4a188adf83de34cbdc81c492257d160c900a

SHA512
ee550ad9bbcda13c85c42f5766b13973842bcecb7eb1fa86233356e38433e352cf9d4fe0bf2c59ba741739c009fe7d84e1086d70440958b7c594f3ab209e8ba7

Download Submit
memory/208-7-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/208-6-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/208-17-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/208-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/208-1-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/1424-417-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1424-407-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1424-340-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1424-344-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1472-431-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1472-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1484-59-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/1484-56-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/1484-49-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/1484-63-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1484-50-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1708-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1708-443-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1716-364-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1716-306-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1716-299-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1948-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1948-418-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2176-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2176-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2176-111-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2176-15-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2464-366-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2464-434-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2464-373-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/2548-386-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2548-447-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2548-380-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2632-271-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2632-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2632-262-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2632-255-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2632-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2740-456-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2740-450-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2908-280-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2908-270-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2908-337-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3288-470-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3288-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3560-319-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3560-314-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3560-377-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3716-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3716-399-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3716-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3716-405-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3796-228-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3796-34-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3796-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3796-28-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4180-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4180-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4180-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4180-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4456-64-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4456-66-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4456-71-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4456-72-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4456-236-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4616-245-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4616-243-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4616-250-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4616-311-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4872-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4872-332-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4872-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4872-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4988-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4988-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4988-360-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5076-285-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5076-358-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5076-349-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5076-295-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download