9393d95a243045ed866edf4674d70ce1e76e0cfc2ae84fb76001d9cbeae857ee

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9393d95a243045ed866edf4674d70ce1e76e0cfc2ae84fb76001d9cbeae857ee.exe
Size

1.6MB
MD5

6a47f4f67ea6394ae3183bf84ae78d50
SHA1

34d220dedd68a7ca57a324ee4ea188fe604d1106
SHA256

9393d95a243045ed866edf4674d70ce1e76e0cfc2ae84fb76001d9cbeae857ee
SHA512

1049913cc079ce29ddc9fb90d699c67faa924fca6e35970c93cfb5ce6f69bdae7bd0ba9191ff3fd29494116c4725d3e2b896816479c7c849292643181003b9b5
SSDEEP

24576:F4iBx8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:FdxgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2804	alg.exe
1636	elevation_service.exe
4108	elevation_service.exe
2956	maintenanceservice.exe
3048	OSE.EXE
2124	DiagnosticsHub.StandardCollector.Service.exe
1840	fxssvc.exe
1548	msdtc.exe
3236	PerceptionSimulationService.exe
3256	perfhost.exe
3404	locator.exe
3664	SensorDataService.exe
2176	snmptrap.exe
3484	spectrum.exe
1828	ssh-agent.exe
64	TieringEngineService.exe
4400	AgentService.exe
2936	vds.exe
4244	vssvc.exe
1076	wbengine.exe
3276	WmiApSrv.exe
3396	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	9393d95a243045ed866edf4674d70ce1e76e0cfc2ae84fb76001d9cbeae857ee.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8743005012041754.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C46D29B7-FBFD-4C6D-8549-2E7FD76C9A02}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb4ecdcbc589da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004d017cec589da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010e4a3ccc589da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcf397ccc589da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c5c1eccc589da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e5b3dccc589da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4584	9393d95a243045ed866edf4674d70ce1e76e0cfc2ae84fb76001d9cbeae857ee.exe
Token: SeDebugPrivilege	2804	alg.exe
Token: SeDebugPrivilege	2804	alg.exe
Token: SeDebugPrivilege	2804	alg.exe
Token: SeTakeOwnershipPrivilege	1636	elevation_service.exe
Token: SeAuditPrivilege	1840	fxssvc.exe
Token: SeRestorePrivilege	64	TieringEngineService.exe
Token: SeManageVolumePrivilege	64	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4400	AgentService.exe
Token: SeBackupPrivilege	4244	vssvc.exe
Token: SeRestorePrivilege	4244	vssvc.exe
Token: SeAuditPrivilege	4244	vssvc.exe
Token: SeBackupPrivilege	1076	wbengine.exe
Token: SeRestorePrivilege	1076	wbengine.exe
Token: SeSecurityPrivilege	1076	wbengine.exe
Token: 33	3396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeDebugPrivilege	1636	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 2288	3396	SearchIndexer.exe	119
PID 3396 wrote to memory of 2288	3396	SearchIndexer.exe	119
PID 3396 wrote to memory of 3308	3396	SearchIndexer.exe	120
PID 3396 wrote to memory of 3308	3396	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9393d95a243045ed866edf4674d70ce1e76e0cfc2ae84fb76001d9cbeae857ee.exe
"C:\Users\Admin\AppData\Local\Temp\9393d95a243045ed866edf4674d70ce1e76e0cfc2ae84fb76001d9cbeae857ee.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4108

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3284

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3484

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3276

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2288
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
34f33a81a1e39f9acb00920c33a85730

SHA1
f7ceb48fe4af870ead9225928964cd07abace63a

SHA256
b852d0af1118312ac1a4dad225446f4ebe663b03cc23217f526984ac83faba9a

SHA512
3b42becceaa1d3c34a51f3cbe9f390ca8a3b11442ce504361be0d5b8fd8c60d1928c122c648971ef9b09f3c592e4000dd319e9507b6b2725938d2bb018abc840

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3899b21a8fe7eaffc63f50137eaa50c8

SHA1
65ea5d15da94a31883df718b525f320c7fa4e711

SHA256
fa259bb899a8ad2c769c0ce8b5eb4196b3a5c2ca12ca7212b40eb0169461ecbe

SHA512
3f3b2e3fc8150c29f4b79ffd0293e718e65d6f1ef84c3f381fc7a3208aca9591d10502effc13cc779c3ca6d2a68e826751b614991ef2b44c60d232ad6c5f997f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
cdeb98e513418d5e18763df3c5952a55

SHA1
f1f564782a4b3b26ebed99f01e63bb027452345e

SHA256
69ea4cc4f5633300ecdc4ed0d6bf8974a57ba084c92a2c94f60d5fc293e904a7

SHA512
6dba499bfbc601ccbeb6186ba5bcd9ade8fe82e4b6eb686c18cf367ae607cae143c6840a5c0b43353c53824cf3be2707dd621925dda7ccee54989c88498e0c13

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e8027734ff60e50e07e83acbf9c4abc9

SHA1
fbdcbb05ba244e1a80f7335fc24534fbe074d3ac

SHA256
784c3a59205a4ecda6abfb55ac5793d70f40cc77c9f6032be0eacaaa4588421d

SHA512
ea4ac43d8436c040f087e463ef3ec009822af155a19e372860cdeeea77962d5680890b16f9efc9bdc5cd647d03b2fb88820b89f4f60d14e27f71efdddd6f63f5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ab1bb52c8eadbbbdad1aced78e0d2e2d

SHA1
33b0815daabb046ab8f59d84573daf3b14d5d6bb

SHA256
544d9f6200eb44d2de257b319644a89bf724607dc2328d43789c8beb9c1bfdd3

SHA512
1a8137b1615c77856443864a53083de0d0dbc614377cae8b40e03b1d51afb59fc92971c5a9f4960f72cca90dc18476c608a913ebc0c8fb414a761334c0cbe7b0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
48217143426d02e7ca835e42fad7f516

SHA1
82641d532b226214767521328264a3d407d8e0b0

SHA256
c2b2f1b6b2523988b95d537078b9845d1192a04568094349d7d25c09c95082fe

SHA512
7a121458539502af41511df28e1317e2bc8391e19d76dbf48a75302290012ecd51c55332783f9aff9ac5735e8ed77738c1ce6eabae9d45b0f4ef3858ea93b767

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
3b583a7e7af114c9c173b80ebb0d833e

SHA1
d7bcf69137a8ab303c577761ed68ce5c07ea8454

SHA256
56983f5505252b0d11b86a52f83ca1684f428f71bb5d7017863785cc33960433

SHA512
21ac2e26ba614e0be8b0e7204d992bab68bc5ab9ce8c071bd1a07c828f50ff8378134deb744d09282a9ce043262459ddf67d415c3a72a00538ca96a8097a3638

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3972d1fa1660f0646345102396a4fe6f

SHA1
0af4021c483d1a3b18d02616063bf13bee3d9f94

SHA256
2b168fde1ab452f8a602347cfe82bbd87e934ff2bb17abdb45e7d5eefd91eab9

SHA512
579faa10f8e3ac03811d39969bbef729dd9d22ffbbd965ab078eb70d19ca4ff7e867b56e5f79a23d46911af01b3441018838f2868485c8f910746b21a49eafc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
667dfab1e70a7e4a14de39438eff923d

SHA1
cff8a7876de31b54fd33c864d2d8b93ef76cf161

SHA256
ed5a49d35f39a4cc63fa39efbffd61b88837568fbc58d591b70f37393ad97309

SHA512
cbade5fc1003f45472287db7a5891f123b3fababa78f4f1806bcf61f04c25215913e7554e6afe73ecacc22b74fa5061090e07dfa49b82f658fd870d2a58dba7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
62f3974e3ceb8255ae201bdc122a71b2

SHA1
cccc193b3016b8f70eb47926c2dae61fae61b6ab

SHA256
6fe55a007fcc7a9a096b23a3e6e1b608cb265976404d19005a1630fd8cdf8e80

SHA512
83a3f39afa6486a46fceb86e63fc1cd1f75e0105f5eacadfb5a13c2277da0f36ed117f0ab1daf6a5d019cbf4a26071334f254beab42495dd92c9f4cd1674d42f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0abd83f93242bfd783e8c433f5bd7a95

SHA1
527cdf59afbde9a700d4c521e516e4e69f775441

SHA256
382b6cbd888a387b064529fe768ee4118696e535aebc33d36714795814659009

SHA512
6447e7795e9583ad9101496162f710e8bf8135c3369577183807d4923864f38176e2e02b1e1259057759b23c3083de2578fe3091c9444597678080f6b4975327

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
af3cc3b850585e4e6a5d136a57d2d694

SHA1
a0a4028211150f7199337e7a3f9e2acc195e588c

SHA256
c6d126b63c18552c5d24649bde619ad427e6e73ae39cee877bd45f337901d88f

SHA512
53eee10757d8180d7a19bfda0a470b2c2b3053aa7188db126a503f2d75e064ed161f3331ee92b2593c98dc69dee6aafe6c56809eebc368cbed6ce01c632a7b4a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
bf4b50bbab3ab8443061462e762e3852

SHA1
401d5c8536fb55932ac2088996d6bd78a0bef615

SHA256
6b3c0012edb59c472514d483deaaf55395b3fcb6aeb2701197f37d00ae251095

SHA512
9200e64738475e0d2e286e70b77caff019e5956c4315ff60a679bf8ae7c38f5dcc61cad4ca896a014409b333b09fa99a7ed1ccec49389396ebb309e1ba2957ac

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
469ea7054f430a27a2a69b91346deb1a

SHA1
710fa9775a1e8d47b5f06ab4603cb24da31b1ca9

SHA256
f778574309bd777972c8ef25c2398dc34b361501813c6005074a850866d6c064

SHA512
43d48ecaea6c7fd9a4ad6bb5a6d7e08c2d597ff8f54a17756e55aea1c45b8b2308417804e347dd6d6ededce233533b81f24b08481d0185b49007645b4729f51e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
0adf9c759eaec5117bd201f3a35c6b70

SHA1
4328597a5bd9a171f018cd98271ebf2cf83dbdff

SHA256
ddfc7283ed719cde1e00ab5797cd02310f649b199cb912b1fa5c6b73b28a1797

SHA512
f64ed2a56101ac608ff4d7cac8e2ceaae0b7851b67391020fd5fbdeba259445bf1b6e911b702592deb43646a393b4bf3ed20e33754e28cc09fe064c20f189e95

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
cc516ed340dcfcef33e2f28f4f1dc414

SHA1
d2b987f8cbae5266f7c90384e048e8e73d8b6e30

SHA256
3f2496713076cb35b4ff5b29a22f77d8cc6537b3c18d0f65243adfc2e1f07310

SHA512
6a585645b5baec30392d39a08b4b9dc6b8accba5e67be2f798b5b22e65417aaf0c96c11b73acede0831167f1949b5719b11190c3b423716cc3973bd4e96ccd68

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
b6a5fdf5d6f218fa8e48a4ee4839e76b

SHA1
9ad87b8fa330d7825c0ef4363f43092214c13384

SHA256
08e3999a8b5f937971d6af1bfc5b8f54b94fc90e9a093bd4f75e952799c307f4

SHA512
d72abe67c704a88cde7335e2156b3f1f77151f5c2e8438b6b586167817942feb766413825b7b2ccafa59e46d536c46f32c08ba91cd8287eba0b1cfb98de92b37

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1963b4750d0ca0c700012d15a1582aea

SHA1
db0c6b32cda065f6d4e3bd73aa9d9428ad31d29a

SHA256
b690fc72d5c69e1a5b48c86665d5c283afa2e5bd34281c702fcfba05c37618ac

SHA512
8315aeb1c129c0f62492f17bf04490dad6a8207870f79201a09c42f7c2ee93da3b507cb733de657315ee2d2d8f22602159a2b6b8b619f4ca4df1d73302afc7bc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
075788411d4266f9c8b85d0410900bf2

SHA1
ad5566ba9ee9f05e2503dae9b72d9fca7668ed36

SHA256
b2946b9b9657caccf68892710a019641ac23ceaa41d030049121f9b28538185f

SHA512
08ea2c5c402c26fac2b295fd743a384c164a5206ee3500212ae91434ce1244a95037d25ec4633e20366bb2b1947f22fa736ed630a7d70ddcfb32a40455cc5339

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
5f90c2a630511c8bb9c2fb6a7d7d7e17

SHA1
a3fec3e165d293890207751b679d4f01752950e9

SHA256
78d987c698183b85e50fa4d8bdc3975398ad1576517c20732ddbc7e0b81909f9

SHA512
700e1007d6b20abbcb4c58497fe38bd4514cec2252f830aaf9eb1fa1a91401bdbea94f4ebe49249d93b6ad8c8bed12b7cf41ec9c37c007c183c58db0d3ae9b9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
cc361764a3d299176dc4200988839d23

SHA1
c93176c9bbb9174d572e3f6a4f4994d4e5b9dd21

SHA256
77030e4a6445337fa1c70664b74aad7f94c44af64a994d36f1318fbda35ffb79

SHA512
02ca92607a0db1d506222d98742ac870f3db1f91e8a171e42c83d5cf3fc7a53325a0e295ea6ce04ef623e8501777f80ce790ff883ee678f7ca4fef81f852ae82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
eca8eef1563eddf5bdd184c38219a6ad

SHA1
46011c5e2bea17880742d138d5a285b05a00e142

SHA256
ad8f3b760fd229c40586a5ba6cc4e487cfd3e19f0e0b6130cef58d39ccf4b71f

SHA512
a83143fea3b8690ce87d3067e9e04e2a02e0dfb4f7e2253a0246d82e692c1536d85ea1d1f0ab07757891e058c3fb58a5c215bb25a0933eebecfd6270de1d7275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
922f8a593e7e7964b417961c6340ae8c

SHA1
79bf9bdfd9c426c600e10bdcbfe6dfe1586b6c24

SHA256
234d8972ce35ddb43620810f8109cc2e5f4eb7bdba9ad4126e8fc199e89a7c69

SHA512
2efc062f90423953eff49dc7835c2ee5246f6384837520828b11ef3aac6e34c680e61cd63a8292f9c216f31f8c6d0b55781d22e00aa8c661229ca894d219e2b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
d52b18243f7ca9b20264ef5a8989c045

SHA1
bbe8ea93e44cf360c22aab1ed41de845fbca36de

SHA256
30acbcf164ac837fcbc016efa0bda421f5d96db6e6b171ac0a755102583d2529

SHA512
ecccca8ecec5947b72233094d47c1871fde546f95251b5237e3086fc227ca03098270ad6397b6bfbff662ace6c5cb490f6064cd3455946617bff3d9127f73506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
9bec7256d8913168d794b780d4c886b0

SHA1
3ea06d7de70e767fe051530653848a395741f138

SHA256
a659a31ca7db9f68bbc8210427d2ceae1ff10829be1c7603d36a75563c371314

SHA512
174b174763d698b69034ccc41f0cc647f40128fcdeb3186c9ef7917236c005ba3b333c026eb2f7f1fd669b01f964ddc1303ac33f742e6d51d4e8f6508c1e66e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
7f6696f0578fbff084789a92d8ffd6cf

SHA1
d3b44b68f00b45667260dd83e97ccd298b3527a9

SHA256
90e33912052cb9b915d3e3c37ffc90ba273b1eea5c4cb4bd324cee106f5ae947

SHA512
f389b70b442c0069baa83dba0fe5d2b5005b8070388594195329753dbdfb7a2a2285ce088525407ca89aa9b9ddd11739a9b41a04aba9232e57d144665ad8d50d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
6836fd780d7a991743780f299aa75518

SHA1
cbb91a3f3dde16389a09fb2e3190e44460da73a1

SHA256
a502dfb341a8eeb056e11e310e41018a629b6229b7359ab9f9d0e31f19ddc5eb

SHA512
f25ebc4efbbc463c2183b8cb838e2d57943b1ec2e51e5187a8d4808136fe43b9df2eb9df707259084a02207654b7333ce6f31fc43e9c70853e55181f887ad5c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
b9d82c3a7d8a862e69b5b3981f347267

SHA1
addec09a88548af9c1ff6bdd4232e5dc4571a4f7

SHA256
30c0724fa2c04d94d4b9c23c32f96eddc34a83a8de3a7470ec708e8302656d20

SHA512
e40c3f49e75917601ab9dd3af53a66bd90e1572c81475554dd156c5219f3e785f742f550c5a92a3fc5583c2cefa3cae597e6ec4c0246ba044125e12904f773dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
0e9661f58221c532dc847d7f7fa56ae0

SHA1
19aa19dacb788bc256692f6b7c1bd6fe40c3e388

SHA256
f1d2098c3957d05b864c901023baf65dc54d246af074e49771f141cbf16e7248

SHA512
2ced367c31cf6d96f18f0f9a8d62d4f7f827a9d009254dd079d2af3a95eaea06d9bc8b1c026b785f4ab498c98a7cd6f37bfa5bfc4cd3d807d3aed4bfa0c529b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
dd15c6e440e9bd8123e2310f70c3c939

SHA1
c3dd9080f7f665b22cba5a19177fa17e0a9e06af

SHA256
01183278d5b62f83ed7f1980e8b7b0240a71a46201c13d5b5852c5a2bc4398b2

SHA512
03481953fac2f8e17d048931bbc724e2b2233e3922969815940c0a08ca3c0cedfdec784ab0e1c953ea87c428daa7760e1528cdcfec46217e3895cb098a93ca63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
f190335b34c57b2fe2663f28d2dcb500

SHA1
44f7c34fee715a552304b62c6e54c7a5e5830c69

SHA256
66ee7b70e08898d978a071d16c257e96294aaefce5cb186b5fe9516ecb4fc92c

SHA512
064c1155a0aae18c3f9f2edc9a7fa4143aa6616256f1e2bda6dc5bedefc2718140c6180575b780039bbbc62f20f092146c2045571721422b9527511a13524e6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
cc33488ba94bcae91543b8be7d9a512b

SHA1
01b77461c6aa8d2e1ad6c6472b12b625ad377e5f

SHA256
8c29587028c58e4f20e2bcbc57a70e6b43e93536691e3ef7a808de99689071d0

SHA512
ab960dee66534a3d38d09fd0d489f744cc433878e321b280460aea90df398508684cbb8b6e12b12f8ea2754b5a17b3c125d60c449244d1147a3276a765aff4f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
d1ff4b0c56025f14cbb5329972f5a00c

SHA1
3822b8218e6168b80f1b4102f59c896696beec57

SHA256
0669b5d9f88953ed8b2f8d52ef61e1a0ab841fab44b95348ba0c377ccea38373

SHA512
2accad41f35f1d0048d65cdc42c7c2742149cf71f601e67a758ab31953731facc557db7d0ab20581cd16800eeff2612a61c1ef2eae740b7940706a6eb48936d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
481ff911050d739c10bd07b2cd6c0e85

SHA1
aa7c471e2b698b685131218f289f4087f29c14de

SHA256
cf250925b9cef4c71c75303a92750820f182b795736a75eb31bdc6b395d8070e

SHA512
96a83fc108e89899b68fc175206d220323bcf02e4ff7189ab04b2d5ffffbe75596a9e48a8b8b7be1d7953fc501537eca528681c3460d12ce8f192977931d38ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
5112a71754c1d47b7e51d9cd909e7ae5

SHA1
b270be93d046142a3efd31f0162c3cc9faea0f69

SHA256
eae68985be5db1c3dfde3fd03b2a6dea107eed6fc8e111f3018b2f7010d1a449

SHA512
def0314c14fcb52a8a7452ec55f3860c1df000ed41131ead44f80cddd4b8e54ad9152c6f65212e4cda74e8c0b7438524672c96bb18b6287e759a1ad5e0a1514d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
4fe5c54cc570dce44cc80e17b5f7207b

SHA1
6ee5f0b0799a4e613b2862c4b01f1bbe39f08f20

SHA256
6550f182a8366a8b468ed06bc0875eb3919ef99574d8d605cb677bd5868f174f

SHA512
10b8d609c9794472c0675bf808ad1ad7c4be8dd14c466e953d489155291c9e48d8394f1633fbd8ce668710abf73a13435aa60755304aefead0face58f36c3fe3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
bf6c445907260b63a5030aa12dfdb0b8

SHA1
a7b6d8c1413eb11d3e9ab23db840c145b4a075a6

SHA256
69acac8ad106db47cd56af4bf41e5ed9117b038b1c417ec730b23f0b8b1cd8dc

SHA512
275ec75af6c5ca69e39a1abfc639c171fc70129a44d3aef2f931cd1e166f8894a60dc8d7d2eb1ce084dd35f3d9dd1291874875be3f923d4be8cc2953d5cd9c32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
5b25d4ebd1ac5b2a17adb7f5638682bb

SHA1
6a605ce078196e03ca63d1411e2725132840f830

SHA256
72fa7b85336b722ef18c5b68fe76df22f63ca4d59d52b9b71ddc5d6d26edf01a

SHA512
26602960828ae831640eee658d4daa0d600d9dd0768fdb1d1e62e64e3cb3b2dc3e2d40b32528ac5897e8cf2949cf4f934e5195957df4f235681c7616996dada4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
568a73a5b9ac2fe60ddccdb9b5f8a394

SHA1
6cef3e765fe3013bd354311414794139a97537dc

SHA256
972dcbbb8c1f5a2f0d321101a9d4b8fdf14b3f8ae66b92ae875f7528cc50cd26

SHA512
84a7044f99986e927be2d7603f3964401bd0b8399dcd0161436c8d71e72a0152c04e6019af2a42ff207b89d4febb0e769958fe984784a97a667c74f418d32309

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
9ea527e0e389fb96742885565e2144ab

SHA1
0c1d2b49bf029f299b79d47fa88894e246f7aa6a

SHA256
ba508be11e8abe130d68b14e902fb9813bbf9d951fe21376d5f4e549320e01cb

SHA512
0ae12bc7a8f5eb92193547caa032332b175dcba279d8499b99d042b553645964f5c01a8524ca708cf0596e974344db1d62dc485a278bb69593f98ff4f23b4d5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
c1668d7d812fd0e83b26171235a30079

SHA1
b07207f45a5151e689a8d390e3f9e2df790c4926

SHA256
936fadf5ba3536f574501944643225a622e20eb577fb0171e10d2a9d62c97867

SHA512
9100f220d907e57f14eb566cf29636e6d79bd036fff01d73f34d737693abc843e33be3a2a90b4e067802b5e0f3efd548b06b91f1b2f4ec5b5e456076c79a4b4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
0a5d1ee972dcd5c8086cfb7502f99e38

SHA1
0ce7975928e029dbbc8b16ebb65828e11a3d814e

SHA256
63e823715f03a3eaec6bac2359f12a315c431e56fc48ab4ac17de8300070abee

SHA512
2a92b01a7efbf2fd411de3b065c5e577d5479dae4f9037715ab1159a7a5a0eb3bbf37ed5d2c1c9606bf42da586c1c745c5e21099e399415bcb158c0cf708bc90

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b8082e4fd973283abae1786af8491373

SHA1
97a5063b7ed6c2940b0cb816e74f2251990743bd

SHA256
88b8f6bb703256f48fdc8918958a8a2d3dec9824ef0a9f2662a881b76cbdd4b0

SHA512
c6da5adde7c91eb1e47f9b2a2b519ae41f101cb6ff1529c4f00d2e57782b26c0e3f655abe5a1bd0fb7ad71ab8d772668a35b1c68006e634828db06b03f7b6a5d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
14472cb45be4304c5bce353e5276061c

SHA1
5cebf954b37edf6996a88fd62e868a7bc300ec57

SHA256
55fbed65d96b8f89062f03c460d3068eedf65d8fcf28653e2e8893024ee41954

SHA512
7b6914c0cf95e9642ace5318d43c1e99eddf19c1853d53af7f5baf8a7bb44c414f84da8ef08d4f6f806431f8aaf3bf6de0a98008d238cb5e6103ce47b3971980

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
326a516e465e8600c7486cfce8e27c83

SHA1
f52ba5427849b1e937772fa0b9c09329151dbae3

SHA256
ed437c7a607d823fb94782cfe4f6c41afa23ac521bc1c13111cf84d163f1524d

SHA512
5a35f5001ee764cfce8328516aba37b779d6b2d4794e0b5a098a18a73bc65f3207b2f9d7e39d1e49ac3d694e7d1b169941565461127b70c063ae1cdbde850a7b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
820ed65cf82085d0b29b4ec8f51740a8

SHA1
d56cf3ee74349102d7ee12d83eb2868e52416acb

SHA256
68300ff13dafad2d62bbb5efec90ca393f2190d53ecf3d603517b8c4b044c40e

SHA512
9feb9493fe943a89c124df5661e8a6db8eab642609b8d927da02d12ae66410c47fd3a7ec6dd8f8932f4f16b92c6bee3bc8887ca2814a7ff45cab09dda3977753

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
25deaa1d4830f279d1cf532ecdf30774

SHA1
5a764ddc85415bf8f5f6d13e3aa654086b47fd9a

SHA256
f537c76a6098ea3a044b95f1230287c2f8b712be504f8181de1a1c0b662e6c01

SHA512
c73f276cc7a570db505edd82a8b4cb2d0670a4dfe80408da15ae14cbcd45db78590dfac37c048e219a3a6022a3e0c91e6246defada057679b9591c82530612df

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7dd1f384316467dead0e349d8d55ade1

SHA1
5b6d892aed9e0ce03a51a3c0f2fc7ca8b4cf61b6

SHA256
09ed4472e31c559c456dc3e11fa3cece32f093039b03830aa59b50de7db76001

SHA512
7a00c8d082af9ba87e54834340876f4067b8277e8b78e70ae37de7ac366197e6c8a0425627b9cfc00759993583d97cd70fb9baa7faecaa1ece6a4a9ed20cb8b8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
a8c040a6409eceb241f13e704d2e8cad

SHA1
045e867d896fb53ae1f03bd54ac18f70bf07e146

SHA256
337ba7dc9645f9434f8eb441c7299f3c759ec23459ee36a132f576e195a465fe

SHA512
97627622c3bb7756305c4f39cce36baba1a7f870e24a7d405dbf658e7d9825aba42cd3f5fc515197a149780766abb0bb3b1103e5d49e236b2cec7d40b047e27c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
47155c59a9f4adc8f6f201a2b25a09ad

SHA1
b94dd8d2a72baf8c336f78a8e0bcfa134ff2a7ac

SHA256
832fd7a7f6b75e2199b36fe6d81008ee663ad97c232a0387d23f55a7a907dd18

SHA512
996b109ace342d84b5cd7ce76c083fa7df1b166969ab980564c208e25a420cfa3bda36633c392562156c94147a4ed1e0c22f8aa2228b826d5334cebb4d5a8e51

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b1ca703dfa5fb4a93b704dafc9539cdd

SHA1
53ff9180363470b1ebc249e93d3f9865b7821053

SHA256
d9f4099b4e58f8af6a26d418a9ddd67827029e1799bd8e35af98a6f164883cf2

SHA512
f58a392c14a4a6de8eeeb6a825e26fa3b8ed22549c411495db6192e5ddacd40834884fc02b71e0c3ff52ce2bc84dbe5e9dbcb5def92ed0fb3fe75bda5a0c7ed1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
918a32a52baa00d2b21b8ca4adf8a0bf

SHA1
21ab83299ca212c5b0b4bb41c8fd482e9026e233

SHA256
8992ef816f1309060cb900498b1d2d2f81664a4c153ffa4b110f9c999e21149a

SHA512
b97c38ed61cbb0e3d36d77fa91f57e6fe3c6e82807d9bb05d59f4c5a6a723d0c81f210992230c8f4a92ddb1e44c17c726a0284ac4a44569588430766e4b433e5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dad4cf0b22c3137daa1e59514bc82cd8

SHA1
2515fea2e33d84da43d6142b9ccc1fd35b2b0901

SHA256
758986d38e723a5cdc1e64b5bdc9270cd9aff399f8bb2a1993a6de196f68aae3

SHA512
130ac0906ab6de206e443ed73ab3e7909586a4994a9c530b6b7285af61c7832e870b2dc61e9c2f6631f9c18f22ed9c18ecc5cc68953ba00b88bf6292d4f01716

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
12b2f9894b6aa7a8aa3d569787434cd4

SHA1
511e7d9c40049c097e9ecb380d2442a2d9ba45c0

SHA256
5f0aa914d75e58c1cd176e700b3f48eb98df2c6b5e89602beb0551b9e1d95bcf

SHA512
c4f53cd3f4e0b2c47d062df5c171ac5c61de72b40ea978f289c93367a0f4b8c83c660510cfcabaed80de7efb0041eba8f062473ed290d732d9406db8e9fca1fc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0f874c53abfc8836b54b273e0bffb279

SHA1
163f33d8f4f8e21e021833df07e060b12046b494

SHA256
6cb8d71068cf2f4b5994533a0e3bda5079a919505b2042e2ede780e05ecedfd3

SHA512
4eca3a718577f6038da70e6d3c070453fe0eb72e85947ef7bac05f3faea44eb9e7eafd4cb07dc38b80bc48de371cd68a26a20d71f60866544103df8f1648fdcc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
5c118abd9c2e425f8c6320a220c32fe8

SHA1
942f8c22e9162acb00e169e3356dc984776ae888

SHA256
90439febaa2c5d019597355ef2e2ceb1344e3714048ddfb845ea29c64a529a5a

SHA512
c9ebc9a17c8e8a7965b3407119e83a628a51492fd63b9e51b4bc53ea7dcd7e1c04f70030167182f5ea9ec26d858de301d66022a8e53f863887a9ee08b0256f15

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ebd260a63150d596e92a84bae314e7fa

SHA1
bc87b5588d6c88ab61c0620e714dd49d2cb92181

SHA256
f5652b6eb1ee95dc0893d2cb80d8483ed5c957334f896e39769983defcdbaebb

SHA512
f6ac0e4564a02a8cf177610a87435a8b396b3a002c25fa7d4ea3a2a557a418d39cf3beb5eab9607e756098f14396ba40d5a3f3b638b2870d14931ee105c7dff8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
19dc20f1534704e95499188bd5116687

SHA1
b0ff3495f25c7f1b9f7fd05350430aadde8cebde

SHA256
b352f31b11979a6837dcb050a8f48180af9246c23210249b6efaf927821e5baa

SHA512
58741b2a13dabf6469678e783d5f029af1142a484e5146d46100b591cf08f907403d53b957902ebf30d8263b1b9d6d51616f0d4646a7d9d455cf9ab825edb15c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
18d3a1179c5282c29d8b935bdcc04d2e

SHA1
6a1fe0a35412932b3b8f0bc2de4c0ede9af31180

SHA256
f71a82c8a0be12a57dea1d88429e145c202468f5c9d100883353cd8e66091b48

SHA512
a2bc74508d7c789aa936dd740b4382f815537e0769cafde191ce292d82702c6e985532876e84188cb3c5553dc667393128638d05e63e0fe3b71031f0d4e6fd32

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
11f9e86079674cdee73d8fb44b5fe038

SHA1
71b0f357a97542792d2f30610174e1d6d0deffcc

SHA256
98a76dc44a6b56c2ef4b80a3a55866c5bff1f141a0f2100054192c4c8df8c399

SHA512
a0408529c52982b2325412e7c663de6f2a662db73bbfd8a17a6a5bced5677eaa44fd079d963cf19cede57ce06c3dc4367a28d98340f3eef86fc3aa2f7686b452

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
499babd73f1573ced7866f3b7fc375cf

SHA1
534e4b3bfcd0de8827690e145fd6c6536a3d89b7

SHA256
0c16b6e5c9d40be92e5b7ecbbbdb671c7e98935686276b0ea4474286f840fec4

SHA512
5349860d2ed55670a9af83f57405af176ad3c0be636c62ddf52b080073ea4eb1eb82ed6a7679a8e0f2863670e97d0972d4a9ed8554b28bbd427bc1a2adccebbb

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
614fc019779ab1a1e02efaed709fad31

SHA1
314b984091f1c7b2dcb01974213ba3b86ec21ae9

SHA256
ff555dd1db32fe50c6374acc34119d4b480f794d4bddec06b115e1b4f9ba6945

SHA512
d21ab848a91cc24e1cea31c0f73d6eee95539691c009432f043833c7a52299555aa0a058403dd7fbdac3e8e5522dad4c9af4234d39e7f4375f424a0b8103c02e

Download Submit
memory/64-379-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/64-386-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/64-447-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1076-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1076-445-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1548-338-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1548-271-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1548-281-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1636-34-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1636-228-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1636-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1636-28-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1828-434-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1828-367-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1828-374-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1840-272-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1840-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1840-263-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1840-256-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1840-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2124-243-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2124-244-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2124-311-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2124-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2176-340-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2176-346-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2176-408-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2804-14-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2804-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2804-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2804-121-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2936-411-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2936-418-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2956-63-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2956-60-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2956-57-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2956-50-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2956-51-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3048-66-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3048-236-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3048-72-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3048-65-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3236-350-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3236-296-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3236-288-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3256-307-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3256-300-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3256-364-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3276-456-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3276-448-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3396-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3396-469-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/3404-321-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3404-312-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3404-377-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3484-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3484-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3484-359-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3664-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3664-398-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3664-332-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3664-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3664-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4108-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4108-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4108-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4108-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4244-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4244-430-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4400-412-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4400-400-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4400-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4400-409-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4584-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4584-18-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4584-6-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/4584-7-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/4584-1-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download