22ba67deee2d61707e126c3a09dc57bf86388a82b847a2366ac53114ff10630a

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22ba67deee2d61707e126c3a09dc57bf86388a82b847a2366ac53114ff10630a.exe
Size

1.7MB
MD5

8b8d0fde81c5eff9aa23ccf61a4d9940
SHA1

832b90f739bd265b1b5e03bf67d0e2af411acf24
SHA256

22ba67deee2d61707e126c3a09dc57bf86388a82b847a2366ac53114ff10630a
SHA512

bfd5d8388a455bf8f07cb643639618806ceb6acebcaf2990b69fbdfc01d9f0c133a1740b1b57f611fc01f81075ccc74460b6e23cbbcac3fa42e1f6be32abc336
SSDEEP

12288:RF7nYaFffH7nF65PYS7cNHV1GHBbXc3ydRCYeeSIwCmo7JmJVFT:fP0TcmBbM3+hebdf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
208	alg.exe
3500	elevation_service.exe
4616	elevation_service.exe
4660	maintenanceservice.exe
5112	OSE.EXE
1524	DiagnosticsHub.StandardCollector.Service.exe
3160	fxssvc.exe
3600	msdtc.exe
3960	PerceptionSimulationService.exe
2752	perfhost.exe
4728	locator.exe
3936	SensorDataService.exe
652	snmptrap.exe
4948	spectrum.exe
1200	ssh-agent.exe
2188	TieringEngineService.exe
3728	AgentService.exe
5008	vds.exe
4132	vssvc.exe
3644	wbengine.exe
116	WmiApSrv.exe
2928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3de356c012041754.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	22ba67deee2d61707e126c3a09dc57bf86388a82b847a2366ac53114ff10630a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127765\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006531f9a9598bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e06dd5a9598bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000587964aa598bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2e009aa598bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000351862aa598bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071ca91aa598bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001492c0ab598bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3500	elevation_service.exe
3500	elevation_service.exe
3500	elevation_service.exe
3500	elevation_service.exe
3500	elevation_service.exe
3500	elevation_service.exe
3500	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3088	22ba67deee2d61707e126c3a09dc57bf86388a82b847a2366ac53114ff10630a.exe
Token: SeDebugPrivilege	208	alg.exe
Token: SeDebugPrivilege	208	alg.exe
Token: SeDebugPrivilege	208	alg.exe
Token: SeTakeOwnershipPrivilege	3500	elevation_service.exe
Token: SeAuditPrivilege	3160	fxssvc.exe
Token: SeRestorePrivilege	2188	TieringEngineService.exe
Token: SeManageVolumePrivilege	2188	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3728	AgentService.exe
Token: SeBackupPrivilege	4132	vssvc.exe
Token: SeRestorePrivilege	4132	vssvc.exe
Token: SeAuditPrivilege	4132	vssvc.exe
Token: SeBackupPrivilege	3644	wbengine.exe
Token: SeRestorePrivilege	3644	wbengine.exe
Token: SeSecurityPrivilege	3644	wbengine.exe
Token: 33	2928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeDebugPrivilege	3500	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1880	2928	SearchIndexer.exe	120
PID 2928 wrote to memory of 1880	2928	SearchIndexer.exe	120
PID 2928 wrote to memory of 3888	2928	SearchIndexer.exe	121
PID 2928 wrote to memory of 3888	2928	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\22ba67deee2d61707e126c3a09dc57bf86388a82b847a2366ac53114ff10630a.exe
"C:\Users\Admin\AppData\Local\Temp\22ba67deee2d61707e126c3a09dc57bf86388a82b847a2366ac53114ff10630a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4660

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3600

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4948

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4676

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8787e76106ea331276da0d168f9d3a45

SHA1
308e9e03ee42638966c73244085af00aee8d00cc

SHA256
a49a9a4246598dd5486d24c91e48816cf7186e35e112299246ece745a0fec66d

SHA512
b6fc2b35b3b0ae687b8b371db349375bac3ddc7e6c484384a270b5fb0f7be4f0622b71af2b33f8c3c04344df7f5ede39910113cab9b47e14ec966712fdfe9526

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
d38fac15ec8552ab109978664b79faa8

SHA1
72510956dd755fde9be480a9e334ee041c3bda93

SHA256
9999d07605e290603ac5e81092253feb89ac7021a035ce87edcc63696c534d06

SHA512
813dcc936a54ed73f653827d76a8a615deb1a0a86511255dda8c14d92db413508c3c94d0529d7cb4b6c0fff40b56b24a013809112ba1c00ab9d6d8f8f714d599

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
491c34fe1cc44d601b500ed9d1fc82f6

SHA1
00e8e0a8dfa6aa69487d8d16052a094e92e4ad4d

SHA256
d3b8fd4a72d1c588b03d2b6a56c4fedc7c2f6f501dd1b3e3aaab4db6ef4540bd

SHA512
8fbd5efa9b10c5822f59b2bb8125dc8a6fb4472a77d8f6b4622295ea94b9fb659f4da1b96af5c0cd798e341bcaed96f99ff1d2265b6ebb66df9404d022b82be4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
32a1560c895ed3703b8a433a3ce30224

SHA1
caa2946e2a4420ed26a083fb74114c2697d8fa2f

SHA256
d8c4860530e9f51361bffa7d85290e5f449173ef4008613403e6b2b1c44c0b73

SHA512
c386bb0b16d4419d536823d38054b252ea7b4879fff81d6bc57c4909eb2f61282405519521d1f816fcf3520a8306283c31b4e8a4618ff38b244cfb514f18bff3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0819723ca25e9be5293b589408aeb4fb

SHA1
5519b659eb1ee61d0e60ea5c7af283626bb16ffd

SHA256
2189feeca2992f1cc715c5affc67bf56f33a223d0f1264ef79a8c60a5efe40cf

SHA512
5c306ce4281f21d2b239fa81d0c176095647bf787fbbf0b33f7a81c6e9b0b8e6ccd8bce17532552767acc962994e4fc466d36c5e296b2672f894002b57bfa0ab

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
2c2b04cb4e266a2a10aaa6243468136c

SHA1
ddc64799cc013b2fa5b9d8ba98dd66d992af3f24

SHA256
064925a477876b55912ecd58182d0ce1f3f08fb88081f7ef6be45605568d364b

SHA512
7c282c65202d6cf6d763d1af3bb8838807a7c4f7e6247627bcdf7bd709ef79bcb0aad0dde13e41bdadc280d458d8e2fb712ef330493ef4776545a09c6fe655ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
66c35076c90934d7b6112e4fcd96b6a9

SHA1
a12678e784140517883903c65bbb57e3c2a4f343

SHA256
88fbeeed47ace06dab8bbbf3c00d00a53bbd1d82a46e46cd3bfbdad06a99e0b6

SHA512
b9bc4351f356edfe5208aa4f55627f5588251671c551f1f3029299c90e5c3f0dba22b8130653b2eb55dbf9ad27535f0091b0146d02b5d4ca028e084f3e3de620

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a420860606d37d4d3276859cb7f4c30c

SHA1
31cb5ef6279dd5e87272ea33bb75ad2a94cc6e42

SHA256
285e9612830517a2bceec57748659aa864b10c350c2b74f8ab4c7dbc490fb60d

SHA512
7646de1768b34b40afab8e22b4c45690ac55f7989e6de51d9c3da5ac41a2252e8df9950ffc49d3c51ba7032be1b4a7a2270c50cd7ce8e0b0123d8a8e35d308c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
0db964282c0bd588605fe79bd550dd40

SHA1
64492d81357f64478217f409617d4fa4b125c077

SHA256
31e586741499c737d247493909df72b42c2283a77c2c9977fe532a0581958fb4

SHA512
adcab23b4a8c4de12be6cd24a39e5af0ea7e5d936912abd7bd390dba71e4257d6653ae1dc46d336af7ac308def43d61359040c76ffb5b4c01a869183118804ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c95c70f515db51579c81b6966564b704

SHA1
bd8d26d66f17c71a505f448faac463ea08cbc6e2

SHA256
6da9dbfce805eda788a5109fbc4ece95e0a134c9b0739a0f1745b3344187ed92

SHA512
6e56ece97b826a5e7f2b5cbfdeba12f6843c2942187ad6bf2864c27ced796bded881cba758b4d62178a3eba19a672b474aaa9b48a49ea212a8e420462ba406df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7cfb195c1e5a5d4f80cfa1643d2c2894

SHA1
7874d23966e9179614a70373a5f5c0fc5dab184e

SHA256
65b6940849e3dc88d511b5b5598a113b09750088a0dfa3b8ddfa1d9dcae801f8

SHA512
f0c40489d308476b14c6e044747e845fa15d2d4920537080179dcd9463438bab42e2d6efe324d2be1c039a6435467447ae0829e1a3feb1e1ec37d318ad88f014

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
889131caec30e2e808908e31a1ee159a

SHA1
c5a1f0e9a0cebb588ce3cc3cf5fe6df8ca071e19

SHA256
0a94d5a06bb477aad4e7b47c3f4862c2652a7bd3f56e6c09ebbb38d232a93d23

SHA512
b3c68aab7fe5ebb0dc78bfb4daac1eda2e45979698650b129856afbf801730abe63e84f31f76a96c70c65186b365804066b8cd57f7d2c666031b021a63917139

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
9dbd472eb850499dcfa1c631ea0050eb

SHA1
96feb0d58f698bf87a86d76e0bf2a8da87b4fbf3

SHA256
a56a09c07048f68566cf4b5feb45931f7433c45dd23d9d1296286904d0ff51df

SHA512
8ccadb0a10833aba8a9a6dc78566a8441a404cca30a6de78f8df26937501d2f1e32634f90ff8019d005920d016029343efe28ad2b72e139d4e2dca0a9995b835

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
dc48a1bc6fb0928b756baee84e3cbbb4

SHA1
5fe5c0a8d70a29f36ad8380c89499f3a826c0332

SHA256
35eee66000e0e4fa3e2a5d1e1a8d337be3d395ec80ea3fc4af6ba9b58a1f0ebe

SHA512
60499b64d2b467044fab5e794ad5269ccf4b541daa31f98ffa35d25718236b5f7d25f61af9e034074dc3abb5ad5f3a2cf8b89c516704707f5683bfadc149d74c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
49133dd22c80118828df55bf91d2d930

SHA1
7e1bb407bd80889ddd971b73b767b2b144a66d7e

SHA256
9b6a4092f926130bca4c52c79890bb6c7fae53d8f8191e8d53c21f4fd2b77f26

SHA512
66033e352223d6d06b65cefb691bdb51c35fdf56757d29815971ed6d5a30ce719e22d61c30a6a552ea344fe6db647559e5c7db77244aadaf62bfa42bd86d0187

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a84db60a2aaef4cbce2b5f89330c38b7

SHA1
01e8ed9f9f29301a9406e1d4d640485987f563f2

SHA256
37a2197a715798305fe8d61e36924934d80b888c10d9e388ac4485563e643fd7

SHA512
f181d58b212c60cfd2796d9c385032fbb53d1a55f63ee87886b8f690461374c0abe01396f88917a37aee837493a1cf9817689f7a1f6cb772c192c94a20e917db

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
d83fcb138d41fd66ea7102ed1f66140c

SHA1
d63900addf8d87c14c43754e7ea1d8c0a35d8008

SHA256
b5c40697c0bd1a8f64ecc253e9d1d3666745f15e686d254dfb9aa437e8f101ca

SHA512
366ae0085aa7a08a8ca5d5264c2fcd7aea380641ecc74f020297b7e41535f275ac0f2738adf1032aa943b9460cef903fd3d968fd6dd8940013d309aa671dbe2b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f0e7e527027d1b5970be27434475cc53

SHA1
8446696b361904c10a13a2d96aeb75f2734070c9

SHA256
ba3cec5522052960249459d49cd1ed14adaf9c9141343ac075c9f765016ae06c

SHA512
520f56984efd54655e69e8a755155e9983055aa255b1175ad1cbd7d048080def0ea9a1871dc7a449fa45aa8daf2f13a6c6e09d573ded16684512e6f2572dd712

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
b13edef21929c43319a9ca8d2f6dbb97

SHA1
df585c8eeb08aa561a8df0f7f13c8da168d2aae3

SHA256
2a76da150f93cdd15aec7503ece5053e0c125c42ea860f2120d9abd6b448b59e

SHA512
7a381cd82cc53bf50c1c690dac66a34493a2b251782853833419aa04f5a1ffc3cd71e3626ed2b2c8694aa2d6b3302e97fe0e2ab7d58db45711f90cad2a63987d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ef690d3f8d2553256e05b8f6512a3370

SHA1
73fe37c2f6a85e6d946917b69561d59a08d31f69

SHA256
8a6e328340b1e887a587501523018db3407552640e978e233f8544eedec16318

SHA512
a1ff33b83d7750069e46b907b4614d00a9abc384dd2efa3557c80de3cfac0b420cf1138c33dd7cce0dcaba56246991a92af251732d2d4f2e738ffbec2f5e11ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
46012b86d1fd4da6f864552b9ec2bb2f

SHA1
076ca5ba3b4618013cf815e9981cc3abd021c5cb

SHA256
84efc6b1fde0c79b0e0dbc735bf4a08dcae88d823775a05f126a279f2d333fc6

SHA512
402452a2a91a6e59815a6cb580ba43645b01fd55d48cdca096f3cd4a8960b41697d063482d801dec4f6ece9dc21c1fd826d92aac484cacf4e0befeafc1b2af7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
2d42af9caa311cb4f3e8572ce6599eea

SHA1
e2edac2c2ed9b0fb731a2d17723c66f3fb507e08

SHA256
6dfbe8169a76b127f7f3f343e545ce753fec8ad1ec8b0777546350007bdd1d8a

SHA512
9359e34ca19cb1dbe192d0380dc884a95b6ede6bebee6414e82cfee6561096d009bbc475070e6acf7471c8f783b96dc3a8be8c93d63abdf9ea453c789caf70ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
e74e27c42d7a61a66b09810d12014b9a

SHA1
faf925410bcf5d3f14b2ed7c5fd06fea4e1165c6

SHA256
999a329c1959f8d62e03942a0fa0b1ae4033cb563f5b7ad7bae4f2a8279cd5cb

SHA512
6810ce63d9b63580a569c4243baf6fc3b4c4c4bf166dde9a41e4509205037e804beb2047ffee6936c8cfcad322234e8875d01fbc66b1ee8e604a6d13bba9eec2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b3e8cf5006715d2d026a0cc23521be18

SHA1
6553e0d7866a88934b74a49b66869ce250b3aae4

SHA256
349984bec400ecd166da8f4f2bb5db767a955e12c327cef25f944d2ba13f68c1

SHA512
85dc734ac87d43dbfbc1c26e41bacac8c2be1e03bd32c561efce32ea7c1db50495e2fb40d4181bc3350006b3ca87443629aeda6da5504cd096f92522be8efa2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
b5fe407e20f1f8d8cb1ff94347e37500

SHA1
2029b294fd72096493be269c7a6b06b70860ae78

SHA256
9f68b272dd9d0625dc51cad297bdad53d7385917475a0ceb8097b34d9c302978

SHA512
86cbb3471e945cb8e15882f934e6e90291a8175f05fdbfac3d72bcb77500bc2f31b9cf6e546919b2c5cd1fdbd9831a3f38715ee34d9f7d9ef87df133f0307607

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
edaf3c40219a0489acb4cd50346182fb

SHA1
82bb0131fd74da7199ce52e1d8fa3c076a1ccc37

SHA256
f04cb3b63905f95ac9ef83ee452274ab0f248aa004b493e12f9166dba6c42ba7

SHA512
481f3d2bc042285a0a8d0276e777d0259925f0e422041f1b00fc466df63f64ec5bee06a7ad65cbee143881c6b73f9892e5bb751c901c4a00318cffc7ff84d5ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
501bf01eff2a07d9a0554799ede1c7a6

SHA1
dd0203394d0b2f58afa1cd7bc5ad33063f689c2e

SHA256
3e922037e4a63d152252fa71a61834737f892e9390e85662ea83d0e24ebf9442

SHA512
b52ccd00105aa39b9aee43e7d25b6b2caa619b43a2db603f754ed723424a587de69f767fdd1b3777cfca98a8d94b05fe499f5a9392df135c22a100166ba54537

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
8ea174e128b86109233ba403560b1c39

SHA1
1937e3c8a0a6aaf5d959e8d61c969a2942bed842

SHA256
6e0919113d4865bed4de5b69ec0d8fd0b60b890c95d0325cad761114b91d7cf2

SHA512
86c95db155d5f83840cf7974af344533bd5e76c46c0cf6060a2a82153a5ec2a7439354819d4640acb75272ec48aadbf99242fbb70b6a8f1b7019aa8c276d4290

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
8fc2e2338f19585705ff167a06c37b80

SHA1
45bbe27347527471c9b1a100b57de03371aab99e

SHA256
621ee8fb37159fe13ea71ed24c1715782280c3eb04763108b6955df73e10422d

SHA512
e15c3796ab09074b46938bfab8438b606a2d8283f7779235a94ef2d0d8a570037d9869ec476d890a8c0816f6c0cffa55178e12416105ad28099d8e87100bda9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
acc1db6607efe16ccd24b88cd1f163b7

SHA1
71b2c17347bdce485db8dc64507b9b31168a2752

SHA256
0e10c7e01239ed3d678c4f5cf8ac80292a8e4851b2e240783aa3b70b045a410c

SHA512
f4df5d6860731e48a691bd0e1f2a0245886f814309371723ec19a41d6cfa2d5a5069c4210bcf019d234df3e31711f3383e3323d01a1a77de6aa0c0f8acef1b70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.7MB

MD5
39fbc90c8f937220050e63f4c069a546

SHA1
de55d32e7f21509e7c8f636b845f1bf3799bea22

SHA256
b3e04478ba0e5b3f47552394520fd29fd3f0111404f64e3fa40d99c21d4ea8a5

SHA512
040440db4880d1ec93bbb1d56b23c6bfac9158d83fe5da5dd59be40bd860302a64d211e4a174239f5701df3a493442dbdfdc4c6c7d42a6c79f711b1924a58614

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
bc9f34c438ad3d72e26f832727301c85

SHA1
bd02528cc64f708792d28f35ce4f27b0eb0f2d5e

SHA256
7fa3841b9946db5ef294e2133fca4ecf29e3130e3cd2c7aca7c953467a5faf81

SHA512
2840691e6bf441525260398f50f8f5a3341f937584d39eea5aaba89da99a2474b31a9843ed23722cd19c075331921491923a8f2748d25df5de0d4ab9b646f5f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
06e631510bed1cfc7068eaccd7468c6f

SHA1
7e78b1c669498f59669ef4d73573af999924b06e

SHA256
b93fc39abb84e19ecffdf49e20933a549bb293662726d4fe11d49c9b2373e27d

SHA512
a63b10d9d6cccdd5bdb36c59cd748faf333b03e6afb89dd6044339d2b51c6777eb979db625eca4b40266a347e30f5a4c66680e6ea6ce992969208dd409c1a75f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.7MB

MD5
aa5b9b5dcc27f973f165acb73ee6038b

SHA1
6466f3c9d6921704a9e9b52b21276c26a2904492

SHA256
8ed782749a8dd3ef1f08e6731cc626aa25be884d2dc36d9cb31eb77462f7dc32

SHA512
63e6b3a8cdf6e9942feb4bc203f0cbdd63250e6a6697f6f2578deaa14f1b4532efa39927a04d803d21fec7118041df91a89404148bbea28615b967d5d8d5ae8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
30e91c5baf5485a66f58a18a1d0952df

SHA1
b98644aeabac8a2ea422a7e377857ab3a5bb5a59

SHA256
511faeea791962b46b1a2ea31ae6a0fe80e35ae7564921f5033697d225b565d2

SHA512
d5242be2368eb28bc8555f45b313f1cec7c1c3f3af1f85e5ce3c7c6471f6f2bc0d854dc13e174e37e2aadcba6fc385d132e869aa05ac36b9ca822bb2863b4ab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
2.0MB

MD5
3a2ac48611f50928e51b1b9e00e04fed

SHA1
fa25b5d32ce8d793f57262a39163d6ec16b6e01c

SHA256
1af2216b5911b17c6f10c9d738948e9f46b04d983bd85b55b5f8da194feae026

SHA512
a5ba954c1144dae8f2df4d8e15e081da30cbc80fdffc4f4ba325b4c091ca1d7d9ef47973640f2f451bec5cd55daea63b4506febd7ce396798ce16a495fa13706

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
5c8784c35f32b444a34ea7e78267c345

SHA1
3cb8778260ecf490152c5a978f3610210617fe06

SHA256
6a6ee11894781f523160af58dbcfd2eed97cdc9b885b8c2ac379929d7bc9f26e

SHA512
8f53ff65dcf59c4382c195bed62fa871a87c66dd242444fb2b55faf64dc9c2aa7ac99376794c5c4bf98ed7fe9e97e522c4b21ed6ae44c0d5ccbf8646375dcfcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
4c5b364110519539fa4e60327248fcbf

SHA1
3a435e64dfa7ca1373bd06ca83baf7ba8abd1c58

SHA256
77ba255dff279df4a75f2338e6c22adb9aaddd9edb57895e782c2db95bf6024a

SHA512
b39887663bf5551f2e82d14b1966f810ec3a9505ca3ddb21374e2c10f4fce3def1cd81f3bc7b80f46aed73718b0fbcbe19cbbabcf0036306b0901a2fb53b8630

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
b4ab7df108a96dfa3c474ca273aa7b55

SHA1
2958ab3044c8277defaa4d702e0c62e4d2dc8865

SHA256
00b88cb3bf5b3a95994050ff16e360dbb8be44b5fd77e395382a9723c0918a64

SHA512
2ddd33a4021f3e2104fe7b31570e8536729c276e4a3cdf4f238dc861de92648e5c16a4f9d3013ace02f76008e012a55b275c306fb6950c7fa27d718d4f300d2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
41b68b734ae9235c4c85b6dacc669c7e

SHA1
dadada1cadc3f19e04af87dd9eedec9a0f8f2830

SHA256
ceace9268c9ad3c2d67626dbd227fa0f313cde6f3bcb51e112ba83f0f0e37919

SHA512
129a0e0ff3349def95577b2ad675139fe3c04c699a3922c553c5fbdcb2e4d5a98f888cc28d939e5d1291f46d562bf72f4f6d72d14776bcaa88fb535c287c33fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
1fd9fbb019b5833c08062447be31b1dc

SHA1
af4f5e8674221bb1ca01b9b6e8940b3a0fdfd345

SHA256
de407025efcf0a604af817603cb5fcddcff6a62fe5974a707ba4f4f7fcdecbe0

SHA512
200a27078ad4bdf9658bdb535d6dbc2360b43234d9411afa1253eef7c08d34e6f1ef063fd06f2d298674a50c68e529a963c88eb1686da0c546302b8696d67f35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
e43d72b9aed283121ae0d126badbe25c

SHA1
db49d043cc6531ae4514e54d4e8f87510108edcb

SHA256
194a74d0d6f4a14490f4ba7d9265869b112d6b6d8fcb3a00547feb3ffead4902

SHA512
4554f4a5c5c2343fdfa3ac3e2caa1ccebe05131066049ef2b23996a393160b92d737952130502dbf7018055beaade093f98a574ead7f936d6fe81c9c9b2e3c99

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
3aa1e0eaff33ec538a86f1c7706aa327

SHA1
6875c26867483f41907d271a52b832b41a991abc

SHA256
907902e1c67a970e6b701b73abaf6683559392cf8bbe60548ac3c13f6578d8db

SHA512
da5965040dfbbc0b7b7f607d3eac87a29299fd43dfabfd652bfed82b66d980414e2c5ae1a8bd4bce99927a3eb6ace708d8bd4413eebe17e6b2191ede16a0ff5c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
56d22e6921121851d92cd500d2acbbb4

SHA1
aed37b3d8eea115e64c53644d4e22ae897e11d48

SHA256
fa4746d9816daa5259a111142153f5f3b0d0628e8f090e14e6eae29df0f6a105

SHA512
20edfc7a819299ff16fa5c0330d93e8b0413fa7c468f5c8ebecc5e4d7169ff5364d74cb3858f651c521cd2251a37e2339269b31de3113e98c17d27966af59cd5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ffb0f94b854dba6d3769cccb0c0b6672

SHA1
9b531b090b5c79b4141668fa753ea12b5fd46bda

SHA256
693761a4e4e8f0033c7ee36bf000f1ee3d2e1c230277e0c98ac5f5e8c33b7442

SHA512
4f802c5c7add32da0318f6da876abfec3b4f403d7051166bdeda3073241125343782ec842febaada141e4930ec72b53f4466d67351764ce4a2c4e8d375447e4b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
1a914368153ca05cd080d39d8befb6f4

SHA1
d69289088cb24f42bef1f1badc9611d451c43c4a

SHA256
47755e3bce545dcac93ce5371a7a1dc18a2998de08c9da376d6882b5222f90e0

SHA512
f21fdfe1d5944355479f4f0fc4a545e7c4ffb53357b61142a227e3e79861678d650fe50451d76a9beebad5e55198ffad09972bab0a8f167b2056848fe1b7168a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
848815b1eb529492a5b0864da91f3987

SHA1
909db48d67eeb9df2454e011bb192389cddf7904

SHA256
cf4db0e1cb0df4b08559cc8b9f4f2086fd92ba0dfbe42055369a4d3cd9d2ff84

SHA512
80bae302da220d2e21fe84c5ebc2f6bc5f917de3082e061d1260a877027eddb4109fcc9def76c3caa59292fcf86907c40dc0562aa37ea5ced441f1258c79dde9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
b3eeab8c090f6067c7f85710ffde7eb5

SHA1
090c51fc00eb855ffd81b29c8842a12936be3672

SHA256
be25ab5a866c4d2400eafccc65e55f2820ff82ef6fd9667c5d5847e492bd228b

SHA512
d7bc6cd03e6a2e9db3ed3b7419a9f96dea6eabbb90f9cb85fdbee9da0ada368ff1476fa0a83119e1ea65c5a1428b80619a7ab40d632ba34f3f09fa751c8f4469

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
8ea0f304e767a1d9afb6ee13baa70e95

SHA1
6cbfdf70ab479688321cb9f48738a14e7e642371

SHA256
3e30c57c05be7f2b5604fa7bc39fc51da8ede043c2886d67264c8cdeb79f2ea8

SHA512
48f88394ad059bbc716924d52304a2c1c17d2d83a63340751ae0df31783babed663d7cfa8699b4c9e9fc4d5900154a8208197c79daff2efe1214c431efb86e50

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
74a126d4ae507da23595ce6c31c288a5

SHA1
733105b887e9e88c826429e0a1c09f08a555ed38

SHA256
025ee258ec5af6581b8b2ebee6a7d1bd978704a14ec86e5ce42abb4b6089471a

SHA512
648ffea894d26f0bab63d52c0a0929713b8a525c1c658813c40c941355c11e5dad95f1737dadba2ed3e3a80d90a9d68a41d58fe39fea9e908c411b681c512c0e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
48379318b858c0c0ec1a75106ace05ec

SHA1
405b05d5bccafe8294e6fc0433f9d01a5d445b06

SHA256
8ce97860f0c2efe0de75b63363dfba938c002d1a3d17fab120b5b5e1c0571d5b

SHA512
d45610e098a836f1433007ad24da5f95172276667ff835f8edd871907918498388355d543633d73dea23c6acb597eb170c32503e090d1efe6f2e02e35a2ba1c5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bafc4e8f3caac44f787dbe1f7e39724b

SHA1
8805670020a878909065ccb6cd095b7231f5111d

SHA256
0ab9ee5d4afb0a739cda4f1dc7a73a2d242771e1a6784007aa64376d1db4d762

SHA512
fda1dd284168370dcb22c2ecfb929cc3194879978be39b2ff760df657fe570b7aba0ab7eaf74251b28d31a14b0dd2e8e25184b1d5b4ebd393a8be355b9fc5102

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
432c2a296ffbbeff8594b2dfa7b20fd2

SHA1
24b8bc3e5d7ca60712e0da27ee428d0a2e5bc5ab

SHA256
ea3e02d4fcf82dc16ba32046a37a26ebe7eea6fbebbf88102507a65fe50b2e9d

SHA512
51b718f8a696c8ccb1ed70b4bf6a12e8f6de544d0a7d9e9029820e8c21c5d1c855c35e365693a5540d22becab1f3c4c379ca9d3063df146e5869cfae219701d4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
8d713b14b2daf54c4f575bbf38d30061

SHA1
a35422c61bf0fc52d8036d540a04f61bac7d7cdb

SHA256
48fe7347df6bfd13ae3f5905f629db948bd701ef0813fc6cb9e82571512cf1ec

SHA512
3e92f0741da6c64b536e709f66d104e99ed08b2a3f0c7f9ae5c929b848a0ebdc1c446c546124134bcd55d5070f6891eb927a280e95c1d45d73dc8adac0693c20

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cd7232fd4491f16493bba8853a863119

SHA1
fc9b02a4bb925c652767648858d282f951317558

SHA256
58a17fb90581d13e6f605c01b548dccb5b691465dbf15cf74a48f08828dde4e4

SHA512
3133a582070c770a06638ea6ea3e568105357f0591dd4e9a9b09984b412eb2dbcdd250b6c576332071aa2583660a4d57cd04d18f9dd3c95ed0baa7d16f04b386

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
7c929074a0524a7475049b19c2ec6136

SHA1
b40dd88d8638712ce715466f09b74d4b1b9d71bc

SHA256
48cf5910b5a0ca3b94004da4cb3cdb20c8ded03b1a997059d77a7d55954f4eaf

SHA512
83d82f6ef7d3785163aee7a34f0bc3a63c31869a82b9e7f222bf17897db08585b9481a481d06b827c346db403730bd95215cb38cefdfe7260877b88590981d37

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.7MB

MD5
cd427fe201caee83f3da780ff264c72a

SHA1
b1d950ebcafa6f5fa6fe8a6d782aa28d76d0c763

SHA256
1150d3c6826be0bfcd2ce550e99673a9fbc5280ae7418660dc64c550235f77d9

SHA512
8a002d9fdb993534f0ea2b2329be5c1937d4b916127310d847a86469c5de6936b5a85b520f89739673f3504c14309b8068dc2e1747ccd17a7fb16f7984a301b7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
6d0ccdcafe3d1777aaea1029d8640290

SHA1
24fedb31fc8dfbc7ee92ddf5076b6240e008d75a

SHA256
c664d3a854da5fa4efe4b71f970f7f29bebddfafa40d3d45f4d34e0fb6d0d124

SHA512
301923c7537d8f1611791eb595fe895fb29c905583cb7609b4fbd511818a253aa68001b699c7ee097ccb87f5853eee5ab1baa6465b8a3297cc9a97ceb38b46b0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b9a1a257401f19bff9c077ea83247e77

SHA1
f12a81798ef21b2bf9725dfb805cf849c420082f

SHA256
4bbd5ff6acd226669f0758a5de6db6992667965cba4ff5c52acf47a1dcc3e088

SHA512
a9b4ada061de78fb69643d6c171fc2702bcf581036ad2895b8e7291b666b1a2fc80d79b42524eb8a4bb1546aa923c8ee9ffc4472b06bd52f29892e46a624fd8a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
a402469fadad4f394c0c38e33310241a

SHA1
7b9243ba458a45fea4c11ad47210afc6b06fcd56

SHA256
48002da9dcb9efa06bac37e069a6cbf86adf28ee86f67e12735bc8e562963597

SHA512
cfb8733e1ee1b25df4f319ebde91be72a494430b0e509455b3d7fedef492837966a98da154f796362e6ee628ac31c94f070ebef4f950db99bc4ce620a34de12b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b7ddf1f99dae8a3eef4b87cb0a2c0108

SHA1
ffaba854f4308e8ccbceb391299083a364305120

SHA256
bcfcece6cc21c34484d01d87d77086d54237c17af532d4782e11d3f3b933901a

SHA512
81a8a45dcebc5ebd95f341c2614aa94f10a4f6781c54bd1d0374dc2da6050c4be42e7578da2fd335c3b12730bb3e4666731326b50029c6093603007336034227

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
397770c41e238165f4a251f812faadb6

SHA1
d066a2aef50139b17167839007281d21be940406

SHA256
b37f9273aac2fbc1e3165118983c1f793b2a2db063a116c322d16728ce0001ac

SHA512
ffbd400b5f2ec0bfa0fd98e0129c0964fbdc3a0ffc27200ef64bd7f5936f6a48b8dac07be3356e1ceeefa4cea1da96a105847d600011856fbcdd51b5af2dd0ad

Download Submit
memory/116-456-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/116-451-0x0000000140000000-0x00000001402AF000-memory.dmp

Filesize
2.7MB

Download
memory/208-16-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/208-15-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/208-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/208-167-0x0000000140000000-0x0000000140293000-memory.dmp

Filesize
2.6MB

Download
memory/652-347-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/652-409-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/652-339-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/1200-376-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1200-435-0x0000000140000000-0x00000001402EB000-memory.dmp

Filesize
2.9MB

Download
memory/1200-370-0x0000000140000000-0x00000001402EB000-memory.dmp

Filesize
2.9MB

Download
memory/1524-312-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/1524-252-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1524-246-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1524-245-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/2188-380-0x0000000140000000-0x00000001402CB000-memory.dmp

Filesize
2.8MB

Download
memory/2188-448-0x0000000140000000-0x00000001402CB000-memory.dmp

Filesize
2.8MB

Download
memory/2188-389-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2752-307-0x0000000000960000-0x00000000009C6000-memory.dmp

Filesize
408KB

Download
memory/2752-301-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/2752-375-0x0000000000960000-0x00000000009C6000-memory.dmp

Filesize
408KB

Download
memory/2752-367-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/2928-469-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2928-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3088-1-0x0000000140000000-0x00000001402A4000-memory.dmp

Filesize
2.6MB

Download
memory/3088-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3088-13-0x0000000140000000-0x00000001402A4000-memory.dmp

Filesize
2.6MB

Download
memory/3088-0-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3088-7-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3160-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3160-265-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3160-273-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3160-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3160-257-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3500-35-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3500-230-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3500-27-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3500-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3600-338-0x0000000140000000-0x00000001402A2000-memory.dmp

Filesize
2.6MB

Download
memory/3600-282-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3600-269-0x0000000140000000-0x00000001402A2000-memory.dmp

Filesize
2.6MB

Download
memory/3644-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3644-445-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3728-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3728-402-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3728-406-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3728-407-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3936-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3936-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3936-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3936-334-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3960-298-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3960-351-0x0000000140000000-0x0000000140294000-memory.dmp

Filesize
2.6MB

Download
memory/3960-287-0x0000000140000000-0x0000000140294000-memory.dmp

Filesize
2.6MB

Download
memory/4132-431-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4132-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4616-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4616-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4616-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4616-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4660-66-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/4660-63-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4660-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4660-52-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/4660-51-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4728-379-0x0000000140000000-0x000000014027E000-memory.dmp

Filesize
2.5MB

Download
memory/4728-321-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4728-314-0x0000000140000000-0x000000014027E000-memory.dmp

Filesize
2.5MB

Download
memory/4948-361-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4948-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4948-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5008-418-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/5008-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5112-68-0x0000000140000000-0x00000001402B8000-memory.dmp

Filesize
2.7MB

Download
memory/5112-67-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5112-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5112-238-0x0000000140000000-0x00000001402B8000-memory.dmp

Filesize
2.7MB

Download