7a1fad7c89fb58c01906b06a485aa7e9c80b022142851e081e3d13ceb416a5cc

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a1fad7c89fb58c01906b06a485aa7e9c80b022142851e081e3d13ceb416a5cc.exe
Size

1.3MB
MD5

d357644ca4f8eb9efa3470afa65ddc24
SHA1

0c0d04d58177733e7341e8102c9d58055feccc70
SHA256

7a1fad7c89fb58c01906b06a485aa7e9c80b022142851e081e3d13ceb416a5cc
SHA512

ad4aa0831b64576fb70edc6a914597480e71732f5f0bfc8c00b891f76b8101bd89d2df6cfb998c448ee84230a2b67b2dabcb05ddc8acbe700200897c2b94a7b2
SSDEEP

12288:209B+VAMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:209BSSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3944	alg.exe
3116	elevation_service.exe
2800	elevation_service.exe
1940	maintenanceservice.exe
1316	OSE.EXE
4408	DiagnosticsHub.StandardCollector.Service.exe
4132	fxssvc.exe
1724	msdtc.exe
2348	PerceptionSimulationService.exe
4452	perfhost.exe
2296	locator.exe
4192	SensorDataService.exe
1936	snmptrap.exe
4080	spectrum.exe
1712	ssh-agent.exe
2376	TieringEngineService.exe
3976	AgentService.exe
3444	vds.exe
1336	vssvc.exe
2708	wbengine.exe
1556	WmiApSrv.exe
3868	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	7a1fad7c89fb58c01906b06a485aa7e9c80b022142851e081e3d13ceb416a5cc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9890458212d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076999a976e8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a52f1966e8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000903698976e8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c04e3966e8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c83c5976e8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd74fb986e8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043b131976e8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f862e8986e8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008918d7966e8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063dd81986e8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4680	7a1fad7c89fb58c01906b06a485aa7e9c80b022142851e081e3d13ceb416a5cc.exe
Token: SeDebugPrivilege	3944	alg.exe
Token: SeDebugPrivilege	3944	alg.exe
Token: SeDebugPrivilege	3944	alg.exe
Token: SeTakeOwnershipPrivilege	3116	elevation_service.exe
Token: SeAuditPrivilege	4132	fxssvc.exe
Token: SeRestorePrivilege	2376	TieringEngineService.exe
Token: SeManageVolumePrivilege	2376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3976	AgentService.exe
Token: SeBackupPrivilege	1336	vssvc.exe
Token: SeRestorePrivilege	1336	vssvc.exe
Token: SeAuditPrivilege	1336	vssvc.exe
Token: SeBackupPrivilege	2708	wbengine.exe
Token: SeRestorePrivilege	2708	wbengine.exe
Token: SeSecurityPrivilege	2708	wbengine.exe
Token: 33	3868	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3868	SearchIndexer.exe
Token: SeDebugPrivilege	3116	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 3976	3868	SearchIndexer.exe	121
PID 3868 wrote to memory of 3976	3868	SearchIndexer.exe	121
PID 3868 wrote to memory of 3924	3868	SearchIndexer.exe	122
PID 3868 wrote to memory of 3924	3868	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7a1fad7c89fb58c01906b06a485aa7e9c80b022142851e081e3d13ceb416a5cc.exe
"C:\Users\Admin\AppData\Local\Temp\7a1fad7c89fb58c01906b06a485aa7e9c80b022142851e081e3d13ceb416a5cc.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2800

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1940

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4668

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1724

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4192

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3976
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
87cf3812996d18337efce92436fad2be

SHA1
811e661143d573cc926016b10da1b9d695e9937e

SHA256
123cc8074b6c895a0c0b0ea70a7404f5513c75903fc61294e2db77caaa180ceb

SHA512
786af5090ddca8f74b2b2a9c696e8f0f892d0ad0ecfceb92d06d12bef4e9285f25e06d72762413261b65ceb8f7bc1c55b25221cba894240c44df8774dcc5c88e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4ab7e6cccc50729d1dc24338a92421bb

SHA1
f8a787247f215b0adf4435ad84642ce6f4ede64e

SHA256
2e19cdf8720132208622602395639ae8a7d982d6f992f23350b7982c26ab43c4

SHA512
a7b4248f44da2d56a3e5847aefce947c44a5988f56fcd56c735ce0e7adb5a084c1c13976a359fcd3820d17273de3885981c6f42ab71d70bdf95187317ea8d11d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c3b5c6850f8f86e7441f22a73127812f

SHA1
eb9542574d60f8e6ee94b64896e2ef625f7f0482

SHA256
7bd9630e7f41e6ba8016bc21cfe39945e3c0269338218070d3d67a72fa2042f7

SHA512
f43d92d2ce34803b3752a0e4c1e5fb44200148ce8185766065d70ff19c22212dc915065b94ebb0cc74524de0840360cfada3d5b79940faf67f3d408b3bc3ddea

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f328a7679407f2d49adbb3b2ce822f6a

SHA1
9f6a5fa751b7b1ad430e6bf1d63d3016580b7e70

SHA256
f9517199c4c6510ff85ea4d6154974b051938ce96e85831402c555981969b953

SHA512
616faf878953390ceb077928ebf93623d8638a2e6c85f4a4e341c7183e12fea9b5f5375c5889285e599fcf5fef23e98238dbed17aad9dc6fe4db5907e8abce8f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
974c31d57276d827e05c180a0eeab3e2

SHA1
2405be55cae6318601ca06ac827b960a1eafeaa2

SHA256
4e80c8943de6fe276b66f6bae590ce790d4f5d25adf96ede01c194166f4f0af8

SHA512
192f0b7c203df52563f0f1866193d907aa80f1621cd7ac3304f861b0591432f398dbfb2981a4a4a62565b5c13528f5371b0c1e1ebb966c0b828958e80be5228d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ab98c47d55bd359c8405c238338929da

SHA1
6bf313d33f86d8d8523c41aba6e1ff9667938aa0

SHA256
516198ad4009b6690ed2afa974453a3bbc74bfd3d148cdadf672cf85b51d36ff

SHA512
0b3976c8459c8d8f5a56b1c3f6bf6780c950c59232c5bdb110e4ed0e474d0df972274acc647f6e6b2d3bb17a0486979b65feca6ddb1ae738e72fec8412c1f396

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3b939ce5d0e8bf9e7b9bb810b4143077

SHA1
3a846128da6143226fb8a5c0a6556ad4ff1e0adb

SHA256
740bd85f8215125972f86ae64ed27e1b5b4971f016c29e53b6d5ed840abdd9f9

SHA512
064304697a6419484f14adae1b30c543075847a3243a5ee9609b3a0b1aec69edf96fe91fe71842f16abe5edb9bf14ea1cafecb7f710dc406cdd3c95a03b6802d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d359a7e2e8023e12d3c2f7564a223340

SHA1
8753db5894c1099e72e0d7e18ab897011ea061ac

SHA256
28e1d36d30566f1673589495b5f3c0bea64e344ab47124127af52b18f5dc7b00

SHA512
9648d5099f57c3aac232793be4ac9d2bece186e5fc96574f84d7f9387e7db2dd5a52055f80189efeaafc0e827990412e9d1d31ea634f8165ab10aac5255fe75a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8d011b0f2846feeb76b9a02e55cb05e5

SHA1
e4c7b5457c608677a8664448749997975483c828

SHA256
d8d5fb3de820b54aef2ad7e5dcf8719df531f257307ff85d80fdd7402841986e

SHA512
ce4e9ba859a74ad1bfc83b1ab24dfb7d0b22609b6ecf03d7af4798981fc272814825768f84166cf758690673ff057be3e5e9d1519b1ca27659d25157357665b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3e153956f55da16bb1adb03bb97efe19

SHA1
4ec45f00e314dbdbb7aa9fff1a2e3764aa6ff550

SHA256
4f2f4897fe1ab53ae434faffe6b3d8e692c16529f04e604d9a758eed76675288

SHA512
1feb4656a398f3552410f7f92d2483a5abc09444cfc4c8165d43f1baae26eef660a153ef1191ae9de71c1ce8549be5f10f5c9c27a7dda85613afc890f4d7eca6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7b1cc17bf16b5685ed42fbfa778d1726

SHA1
d28d5a8ddfc30c71ebb25d3ad3402071c91f4309

SHA256
f81adf2fc4ed01d8a320de91628c20ea3d19efa3fa6da55b3212f653422791c4

SHA512
c82ebd460181139fb59b507f141a25f1b70553dc2a019b5abb5dfbe0af7592f5740cff8161322eea65b5bc949d33332a9846b1837192a9b28e80ba8a9fefd120

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1aca7db7f13242882a8e67fd67d013e9

SHA1
cae695d804769a5acde9c3f1a3b4e0455fb80258

SHA256
7f95a05b855d29459441b3873c64e2f2cac01a5acce78e58680de349d76722d2

SHA512
51e816aaeb061c7b242ce8ad08df21e763b1640f80a134160ccd39e6767bd0e368d018730dd118abe99be4de43c5bc54148dc28b83551285ea69c41f61967c81

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
bda8f190ab82ef3bf803be1d95757aab

SHA1
f0fdea1a48a8b81bdaad9ab50806e6d12b38327f

SHA256
430551a2f32ef920cab5d9edf0bc173d38707f0c1eb6946d0b21fd0d08ba79d4

SHA512
b0ddf4d23218ac4c3f34ce348e69327cb23cdf240d9f38004adaf2ca31732eea6912a9c6cff0340a9f623c92cd951d99a0c2b4f96f6b14d6cb75450de67f95b3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
61152e465d98aef5a5813eb0045e9cb1

SHA1
38bebec37812a256a01e1100143af3ed3bad1a2c

SHA256
4d9aa393fa420d2f14ededa51feee577ceae309317a0c62c17acc71ad4ff19e1

SHA512
e980e4b415f08ba0ae1e3e6bdbe1efd86255e4f553c54f3fdb9dc622694e7276e89fc28c9c7dededc1fae8b7216d93bb32659861c4f07b90ca09d017110d36f7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5f336a87f07b8a7d024af4db51ddc118

SHA1
677b5132fd5b561345c61cccf2955fdb72c2d243

SHA256
85ed264f5edb34bef539dcfa0f1c6ebf1606255a5d563c49222cedeaff62feff

SHA512
f5e3aefcfa1968a0adf16291db0b0e8ae5b59d8cd5bf7beddedf5f3d680b1b5d5cb5ad12dc6243d76adb81af3ed84790d7aff0024f4100009a7b9ef630c59917

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
069e4d080abdd8130277eb465d77f122

SHA1
b4a0e0833926bdee62ee15b80faeb8149e9b286e

SHA256
fd92a62a73fccdfd8d1438aa948424fdbd7304f8cade3e5b02b11cb54a83227d

SHA512
61649dda81f30080f70feebaf0dc5ff898ed42236f09617092bb49ca441097a3a4d70f611f4dc80d4b0f54edda8baef6cb5c81edb2eaa6bd92710b4cc42aa10e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8a8a627c1d686d706a9220e30e6a5d24

SHA1
06cdb968a3be25fb69c76bd9e40d56ea45b7448f

SHA256
93565eae2a55a21b3105bc262a461e2af1cf17fa39276d55416f86e27e357439

SHA512
00d839f17f513810d0c1773468eecd06961c64c8693a76e72e9e2e3b028890902ffe3b6e3ff6a1062b9fb2783bf3571dfb7fb10324d905043448551f634d8809

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6f7e7dd1be1bca92cbd96aac50d2419d

SHA1
697ca172bc520a32a302aca0e423df28662ba6c2

SHA256
f266f8b057f97de710e32f791d818827b0263d03b181818c154cadf873ca5525

SHA512
22afc789ef84b41abccf575af57c912e426df07c265efc2e34a185b59a66379b9bf9a047ad41ba12099029e0157b0b5c4b28207d46a95525fdc0a04579b217b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d649803609343c2ca5a6c2ef2f9d6608

SHA1
11d7184ac5b4c63e3e2b0938721901a1abed281e

SHA256
66356ddbc85266931ca82fc35c0a67dedee1a752784af6af54c4d7810976e7ae

SHA512
f87901557ab1fbaa870ce2b8411f9c16f4f9bf697d892a602aed1e3dc951eac0dd6c1e2618490ae08c2606c8b982bc1c0ba11e6fd7dc4de62eaf9a8d2505d321

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
fadb45b864fdcb1a35b670648e9198a1

SHA1
c5fd1449501ebe046a63ef2b6f044f4aecdd91e5

SHA256
1f9e943da958e5a386f2fd7dc6b7791e3ae78707af210fd155572c0d6c111127

SHA512
fff18c74fcdb16a11574c75fa6a158e56c82f0ee79ed4b5d1ab65f58a669a53a82197979da2eb9bc35fdc7865501d7582b3fdb5d3321bd830b3a09ecc78fc97a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
1e91f3c2475a082930498fde0277a1a3

SHA1
8af625986f058bd634002f30ff4660e8345777fd

SHA256
777307719ecdbe9c498af71e4dc31a0f6fe6d972b1d8f3668ee224b5d34d9eaa

SHA512
86ba7c4793d129efefe5544ff0ee38b0dd6c6e047a5d70864519df299666ac6509170fbdb88408fa44dbf61d58427a344ad1215084272f6655aa6cbbc9493460

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f519102c0544be5fdadbec9fa00f8301

SHA1
c5c8581ae295ec523a4db29a357b88afe3514b18

SHA256
39a71e47caeffcdf75484da2b292357f88fcccf26c7b4de635ba4db2d8b88dab

SHA512
9cf52738259dc37f09dee4e140d58e520b31f22d090f0c44cab84288a251aaede4d605b0376a3e70199f7ff764c955f2f0c2af41cfaf1e0d89759989ac0d3d35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
b49d2b8bf04e81c1b2d8abd012c1f192

SHA1
2f33f2dd4af23a278b08081828949ac7190a4a00

SHA256
301af5ec086998e00a0c61669ce39ef1ecfb86fa00bcd4ae3bf8fa5f2382217e

SHA512
df2083f87c133aea4d5b57e28f362a6825cc91b78f32ec572e8e53322a892ceeefaa44a38215e2b026afdc665400359acbe42a62453b9cf1ba6fc85aa4b49578

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b1cae84aeb65dfe8d500e9c3601c6ba2

SHA1
75bd4c3952a1156b403c28aa98f098bb6e5f955f

SHA256
4b71758764b148deef87f4485d26564985524447ae63a0bc69dfb27cdb63551a

SHA512
6878da0aceee9c002aea8ede8d56a2bcef8c6c02b82b97313e29cd14d2035b4e656636c10729450793c9cb0c9ae491fcb7e228d84146286b9db90fe1c52c2556

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
601d7a6c9b7f3d34208fb2b7efc917e5

SHA1
4ba5746db53e1d9008f3df26b5ee2258e9a7a1a5

SHA256
6d98604f77d8e425d774c5c8cb8160386ecc37b6a0af6ed515eef861c8140d2b

SHA512
18bf9001f9bcc7350acb671027de2360710c8fba495eedbe318494fa6400865a14be7952ecc8c1173b65beec1b279acab53ef9539c58c73f191a686141ad9c17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
3c3dbd1c8ebf8d28bf49e1173f30e933

SHA1
fea9c1b8d24b0bae6db7a1ed8d59c4d294909f4d

SHA256
88721209f4ad1f47a7553270e86ad6f67bc82880dbb25148f8a9afceeeb334fe

SHA512
4caae87410367a7a9f0e37c03f4cca845f762c12a47baa8bac2c34d4f3733c1789d709888ea0f68ea8bc837320d7064bbcf0653fe750f18c5bc393ebec859948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
76f3ac00f70963a7fa107443d0b59525

SHA1
f6c9841ecf6d4b6e4fd842ba39bff41db9323bf1

SHA256
8b02a78825d15b2ef8355a2ab3a53c66640f2ae8d5d2fdda07e5bf50c9082c5a

SHA512
0cc21dfd5117fdfae80ce6392bed88624d9d0c0e99a40f3ded54f897a9a739493fd79baff0ef934e2a3081d6eac4aa75dfed2c60f2abb6a0c4aacc1d97441fad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
f256bba2ad5e505cc3c7fce13e56b49f

SHA1
28e8c45de50479a2b7ad87bfa3be251414aa99eb

SHA256
6aaf8120faccf74e3d8ebe22d18da316d9c0e624a62753875795b252415db790

SHA512
0ad6914f07da2692784b22d6e653ebccf40fc4c1e276feb9141fb1dbbd044801ed233ea6b52c183b775b6836e9603343a46a48da8d6678e8f015df8ffaa26b29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
53744723ec85fb8954bea95fc8acdf58

SHA1
4b42a03ec45226971060bb654906c520920adeaf

SHA256
66682e81cf2214285b900c67743422d2903de25211e3767d4fcdb2cacd153a71

SHA512
cb2c4a34d513d45c0ddff89504257734f3b7086ef001126815f56f85456e1506102af6d1ab8edeb50b089106ce284e64536839da66408d45dfd6d65a37dad292

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f2de4d7909ddd89938e029267a967dcd

SHA1
b1c8857a649b63cb3e94ee653b415bb2ad27ea61

SHA256
b01c9aa438fc02152ef59a5a11486a3ffc7a8c8f2e499d6af517bfec3e831183

SHA512
a09874f7f0bec08b4b2db99681fa2548182b49987574c59247b564a2e9dac1502b5cbd5ec6772755ece1520ed12407f8ab09b130549cc1362272326804d3ba05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
1486657ef8a4d3b4e24c454300f043ee

SHA1
24aada5a1e255b92cff0fe8a7df00be0d85ce585

SHA256
5fdd78ecfd15bc7ab4e8eb587d1b40a24225a6be6e89d1364effb07ecacd339a

SHA512
d83feaba1275d05d0592cf1233ef72cdb040d262aaf5d5eaf6707b20001ba1aeb13b4bc9543f6764d0b3e45a7ae6cbaeb0750f898df1600a3a967ac31e027f2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c5fc4a9edd16dea903fd7d2d299750b8

SHA1
165347963d5a723ef066c662af97f4740cddef69

SHA256
9c1fdbc8d7eccd062589b29073d405150647136a8771b1d4e1bd3328340feffa

SHA512
732ddd288785ab4ed170464839a8c1c40101b2e322dc6e3b18af5b92f25b2813897ea0cefb4df4c70871df759416bc30fa3f2004bd63612a8d1cca1733e0b425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
63adefea07f70ddab8e3271868cd0b8b

SHA1
6dd5d80f31ee14c43271964b6c3b3de3f6300d78

SHA256
f1125f7e1cf3a8feebe102efc7e1e44aeedb4af23e1d489fe74433cc96861170

SHA512
151c4c3b39a4aa3aa06983ee6cdcc1aa11523b79bdc522a03b1bc4848ba7700c56a0c84ef84778b47a22b0683ff1f133a4cf7f4f25e6f18863a0500594005aae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
bb8cd1bdb56ffc68673639bcd818488a

SHA1
263eeef8e893877327b628d1e1488b24a01c11a7

SHA256
105f6d1d0fd6281368239f85b22ebdc89e9bdc8d5b29f0b95a151432e296c1dc

SHA512
b87c95117897911aed663afceb4f3e8774de4a140b9543b69d31cdc60d0b1bb81f54c7fa2231658345e50e416e8a3af301d34976c57f05ad3b3d796c49b147f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
da7d151983d46c20f7083a9137e58d85

SHA1
71e263b441e0eb4ba53b5f669fcb1499f49cbb06

SHA256
d1a4f042c0f0452f2de8b4d134389d07aa80c0091223c4c989cf73290b372b32

SHA512
9eb0f57927e7cf8c88aecfd99511ec7c6fc61150056cf25f4107ef104a94612f100328720fc349de19c263c1a85f26a7495908ac1c3d17b516bf55a004331da6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
a1833fdb9c9c1298ca7ec4169b9abfac

SHA1
27cdd823d617f798401a4258f0b567524ab1d2cf

SHA256
16fafa8d9dbc3b0cfe099b55bd7ae8e0b718abac15caedbb20de686d5860eca1

SHA512
e6854b36bb554bf95b2da548f8fb882a77bbad9b0f4af1895f8df9816fdcc3e3feb2feedb481ac17b86fd2348cc70908bf451dae5a77674a84737bcecf0263af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
74df2a0ef5afbb3d5a9cca913c1d0a8b

SHA1
c60b379fa5f885803e83a3e65679c0e273d44684

SHA256
c48db5dc768d9c709cb939c5f42f9d62d7f92e59edbe8eaa1ec2cc0dc45559f5

SHA512
b55e3f45cc56edaa089828572c85ff6bbddf795200ef33c32cd85ee5794951fdf4b52b355d66d719687646f600518dd3e9a104c2b08ccf1677454ff01951a354

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
141abb63c662b02562cba643948e1040

SHA1
92c570175cac480ba688a4721cd2935b1e1c1e01

SHA256
dae5df5a9e47ff626f58eda3b82aa1d4b8cccb1a85bd7da2f2003a7443937073

SHA512
f0b5e50c70c97cce5b63c047108b0c5a92bb244f7664a2158884308dd6f9db44ea1e67b6c7a3a38ccafc5d36678b555e3adc6bfdd967986b2c538580e4db3b8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
1c8dd4d8fa9becf150701246dc5ca405

SHA1
ea197dd52b5489ad8bdf4714f57c7c3378e28218

SHA256
7747eb6078369fd57f4745b27d11c9549b681153fe499f37f3390f58222ca0a4

SHA512
ec6b3e44284583bf3b87779ab3a56e4f8b4cf781321a1ac0fc0e0680d47698b8eaa439f59c88fd28d53769e295564921607f40502a943f1ff9c023f730e7d0f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
19b6d279a89e86365bfbf6137de21777

SHA1
81015fdcd08e5f45221eb0866af89adadacc7382

SHA256
c96e370e2c683642ad1c4eca13b37077862f073387e2097ef147b5844c2ad6f0

SHA512
8876456e4df2947cba3c1f320df94e5ee90cfece1bc942a6b1e95f4d60f541be373dae360455e49d873c0edff73e297f709e164c86d5321cdfa828f188ecf465

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
1d14066e2c7b4074612aa8ff40850b17

SHA1
eda284e4eec80a24ebb85009d52a09c80ef8db53

SHA256
4a2400d825454a3ed8f9c5c8b241d2dd5517bdf2c059e95d6d318e090063aaa8

SHA512
f35971bcf39c4a351bc602068d036370a0b42b05026dc51c190c65c5fd254af299c032e233d5c3088503b1925962d240cf861db48fde1d88ba7062300c36af96

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6a94804e031da314c0d00e6d4508baf6

SHA1
f3881dcbc33b5e90edfb5d72e4d4c5560b6e5b3d

SHA256
6d090ced912693b01bf5ce02d9c5dd81af7be88092e127debe223556d07603c2

SHA512
4e28bf891d3b18539312fed0da8ea1363e0ca94f57478d5636ba14302a854a22d348dfa600d09d75efd4c70640deeeee1ff371fb4435c3fbb39245ddb16fc1df

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3b930d6608e12c7cb768b313dd708743

SHA1
3eb435f2de189cf8e3612d2f5106c6d7016fe96f

SHA256
f13b9924e7dcd41fdd1de3d7069869cd2c2b79e54ef0ddd9ab61109d17f1a41b

SHA512
01fc6645ab898a82e1adb9111423da3ff0c24588efef31f12f7c5f88719d91c1ee890017de66c79453da9fd345360d97ba69f274a95b4be37807a575701d6d2e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
91ebd59ec5a8b109c509854843bc0969

SHA1
4ea71fa06975beaa4f4377206c07ca633eca6bc3

SHA256
ab55b6613e4323379a82194d1b854f778ea2d1d91487f7f37ffdd38f98cace34

SHA512
64a02c7fad41f5ab32419f23b36c02c269bf1b72fc79e2f2b7e7279bf77baca3bf0aa1d1acf3964acbe639e874ffd1f8f7cafaf892d0f6e2efb52b90accebb41

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
17d31bc3942d91a9e5dd25c441ed1168

SHA1
57646cbf2a3fedf0ef5f87c49b4ca73d1ad88a9c

SHA256
f456c272c0632c68bd80189110b02bc15a444b6467e235d68a73cca75382f4ec

SHA512
92e6591634546148e9a085e029898b5296daac6e6bc5595a659d4f9dcb80321076991f980d3015612ebcffac5fe7a43d5b9547ddfeeeabd7422266b5ed8aea57

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ab8f61956c9529211739b03292dbcc0f

SHA1
c0f6e2e3e5f405da578ffec17c0f291034ca55b9

SHA256
271b1d0f46022497daf64924a3e8b572057cee8c0970530ea8e1a44e22fc45ca

SHA512
a814ba25e00864b4ffd19866db2567389ed0622675da9d542e4bcde98bbc0002656bf61fd0b0ddf61c2820c97b95a3c2e7098bf2339df53244e1c7ec0d2f8fbd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1ab06be34c22351eb6cf7aff1c4e4d87

SHA1
8356738461c8cd71903b30b0351659329aa99fda

SHA256
09fde09ed4755bea967b4ff871350aac62c459d43a96b56959fcf5fbebfe5136

SHA512
036d38ba7982e93a53dd46b65504d9eae48b3b24aefa5b79ee590b3b6e4dc025bacec98c9d15f64ca0d2da7c16cd9536961985a52fe9270da86eacf05941d589

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
85be9547bba6e30df179bf8d85737e93

SHA1
cdf6573caec4b3738b3a2c24f65ba34dcd6b1cee

SHA256
d676268d6b90279111fc1a467384729482883f0130dad5bc34c9aef475e11711

SHA512
787d7cf21a8a26f21b4638f7115319501f4dfa867de4e1a38348034bbdc919d4a7a189e718fe8271fd96c9b71a6cee7f97109ec2072b26113b968a24c4b2ac13

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c0334bcacd2c8896f61bb5d1e6c1397d

SHA1
ed45a26a253fd9c97f024410aafae0e7562c10ff

SHA256
2ba983fa0f4b9a52598d5b7a2bc8aee1f2875f79a4025811051064653a73a5fc

SHA512
1f4e103059b2358f2a0d9aa1524ddfad6fa6aed565fb22ea0dbb00907b905ca5412598dd84e50d7d74af1731027042fc63d8ae89c058340f640e837f3ccd109a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3f39d9e1a8eb91cc1f38fe52392c4b24

SHA1
95f2ca10d203948ff1aea6fbfd12b2877d735495

SHA256
07a86d0792be29f338e6e44e82b3ebaf67d7d1c3bd30f27f178aaa660812748d

SHA512
0f02d3921e2c8e34e7a8365645cd9c9436ee41a913e8da107214d90d8e472b5e062ebc9ab5d40e8513fbb64520b250be14c11bebd8bc248bc2efdb3ef0b854bb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3fb2f8e3307bfa8afe061558dcd04ecb

SHA1
fdcc3d1d3f3f5ad18842d647bf24dfaa5467bc54

SHA256
d1c0f8f83e80eba0ed23e9780efe425cc6b50994b880727b90820997ec1190be

SHA512
0b42ddf84725a753752961385c3e65b36576e34eb2678712df754a79aa45b8159f5616316824beada46600f0329e9b3f94455f7510be2c7cb8f5ac5ba1018cf8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6423c8271c2669d53afe3dde3eb4034b

SHA1
54a8fc2c5c5f93e2593b08f89de8e0b40cd34a1e

SHA256
868eab4ce885e27cb9e4b78c0c559aeb5ecbe878c74705b53cf5e4690ca5d27f

SHA512
d29deca26a47ff4abbefa874a957271af7f80cf864a091879059f3e765774213d18ff2169d21abe774d167252596017f14f12c0f3e4e4ff71b49eb46d15a1506

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f325d292b7b887f000597314f11ebe0b

SHA1
171466f9c42c818877aaf88df82e8f3e10691df3

SHA256
ba9553e7cd2bbed660bf7b96a7baf16a4b58959c02bcc16272e656d2477bce68

SHA512
572d7360f0c3b28f279b9af19ba8c03157c3721b267f200c26f29c2562ab7d4be5b6048b343eb115cb803bad0cb07116993fafe65f154df39eebaff83caf3ab1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
177748feb292e5b57c9bfbaad6a9755b

SHA1
51984181a33436394e0b5bf0fcee5e5aff8248c1

SHA256
80dec3b63bf4f5faff7d019451b33f6d3d6b7552223f65758fd2e4b803eb34f2

SHA512
9898ac22b4471d9db732bbe1dbdaee36f21870af805f8c49fc1ff4797af4f55a6ff3302f3fed2b3e6275f14f0d12a8a1148d3531e7e286d402d24318f13b63ee

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
74272260fc37d72deafd953dca8fbce5

SHA1
9b0288891c75f8f3b2eeb39f9e1a0c79bd298892

SHA256
dad86e82b7bd0b18dea757a8f8700783e63fe56d0d953854bd5a759dd381627b

SHA512
5139c7ef1f9ff2be3871f19b922dc911100d1ce378d63d8de42424e05d07a4e32590b3c2d2b7697d639c7783717e466e7a77138ed7f6bc782acc9cb946701675

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
838753372c701c32868ac6e8d2b220d2

SHA1
fe2b12623dd34398053c08bd7aec40a8afcdd36e

SHA256
17b5d90493d65a07930c3a434674b67971c9d4c8e96310a1ff8d55227447c891

SHA512
32ada469d852652ab6cd3f8837a64cb303c17bb27e49da8881b11fa4d5c219c1b02f8d11295faf8e89d37a7a0121255aeaf91aadde38a2926bac1bf7f20dedff

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d8838aebb24a314367d46babe6d270ef

SHA1
2711d2b55614a6d906e62953d251a0d57f842910

SHA256
a79680d1c94b4a5ca0c46215d7391142dbedcdd1b918b6be765fbc65dd1a6c95

SHA512
2a0e5ad74f56b92de70b25d90c073eb8bb470544aca863a9bbbcffc454060c0d3e861d3f30ae593982c525b0daadd6774de5d0220e2753a4e067590dbfb250e9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
66837761970a6a48e95dbfcef0b98a21

SHA1
9a778555b33640396c237d7dda2f812a8b375d00

SHA256
3d5d09c8e8765a5299578cd69e31a5cceb33843ed988a5411407d18626ccf0c3

SHA512
cd606a1b0d92be5c65f68d042d5533c042fd008fe5ba1f281ad74801d3edc16d0ab9c2cd3bbbf7d7ca3e239839b68cfe787650eab1ee69c793d0d5446d581484

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
24893c6e3a93cf7bd5a115b372ec9778

SHA1
58abf43e0eb76f7a1dc744fcd680a1af0a039711

SHA256
aca94dd132223ea7ca9a17a066463179ec2e919c717b4594e9f101e1c4057bab

SHA512
9375e9d4487e8f436688f1eda48bb9f21ac50242680454ae859077c9a287230e008b07c9aa233468d50b88b44fba3f1176dcea355db2946de502bafe7c17e446

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
24d129dc54e446525d6ff05836674a5a

SHA1
bdac88fda93eff1a1e353e7d0ddf9ca48e7d17e1

SHA256
c50045129e2e2c01370b7973afa33b54955725734068d08c31b0f6539799621a

SHA512
a9327dc57e7f77a9bc380e161cfd889c04e22d5f7e2505e708f9abe09b61819bf83442f2198cffe5620ab595126a89084e96bac12ff8f3946cc21f759ba3bb77

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
2a9ad3a08268a95545125065575855fa

SHA1
fd5bc1a66677a7c0587bae39de94127162ed533c

SHA256
a39794a8887f1523383c40dfc85003952f5fe95242a0437a6f3c764947271e09

SHA512
31981a36b9f77d448c47faaf606514d1ce6df9c437b4a4636b2b2d78a3ed219ccb4b4551a9195de2f6dbe16a3332ba9c32ca72562d15ab48895b19ac48708f33

Download Submit
memory/1316-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1316-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1316-67-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1316-240-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1316-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1336-432-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1336-426-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1556-451-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1556-458-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1712-369-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1712-436-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1712-377-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1724-274-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1724-339-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1724-283-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1936-410-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1936-349-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1936-342-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1940-65-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1940-61-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1940-58-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1940-52-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1940-51-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2296-316-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2296-322-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2296-380-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2348-289-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2348-352-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2348-298-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2376-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-389-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2376-381-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2708-439-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2708-445-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2800-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2800-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2800-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2800-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2800-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3116-236-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3116-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3116-28-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3116-35-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3444-418-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3444-411-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3868-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3944-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3944-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3944-229-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3944-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3976-408-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3976-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3976-407-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3976-403-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4080-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4080-423-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4080-362-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4132-258-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4132-265-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4132-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4132-272-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4132-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4192-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4192-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4192-335-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4408-246-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4408-252-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4408-253-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4408-245-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4408-313-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4452-302-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4452-366-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4452-309-0x0000000000850000-0x00000000008B6000-memory.dmp

Filesize
408KB

Download
memory/4452-375-0x0000000000850000-0x00000000008B6000-memory.dmp

Filesize
408KB

Download
memory/4680-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4680-16-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4680-7-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download
memory/4680-1-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download