af2c01f1561425c811bb29adc4734a76edf75d13e28b914e3e795bd797109f05

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 03:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af2c01f1561425c811bb29adc4734a76edf75d13e28b914e3e795bd797109f05.exe
Size

1.3MB
MD5

5b796f528dd7adc68ca0c250c09b33dd
SHA1

bcad24a042e56e54f3308716fe89af75c923ac12
SHA256

af2c01f1561425c811bb29adc4734a76edf75d13e28b914e3e795bd797109f05
SHA512

ce7ab030a378c73f45c111ab4c469564809e04873f917ae35c53897919b88e10b046fc39655b88b6c4d936b3e2147a177fd5b84abed5e1ee7e8176189a4de630
SSDEEP

12288:f0iB+t/MTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:f0iBTSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4856	alg.exe
3336	elevation_service.exe
1956	elevation_service.exe
4248	maintenanceservice.exe
5044	OSE.EXE
1188	DiagnosticsHub.StandardCollector.Service.exe
636	fxssvc.exe
1420	msdtc.exe
3868	PerceptionSimulationService.exe
2640	perfhost.exe
4732	locator.exe
4748	SensorDataService.exe
848	snmptrap.exe
4852	spectrum.exe
4780	ssh-agent.exe
2128	TieringEngineService.exe
2624	AgentService.exe
3500	vds.exe
2756	vssvc.exe
1844	wbengine.exe
4036	WmiApSrv.exe
1432	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7e4470f0205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	af2c01f1561425c811bb29adc4734a76edf75d13e28b914e3e795bd797109f05.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AFF521F6-AE33-4DA9-91C8-593A92655606}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AFF521F6-AE33-4DA9-91C8-593A92655606}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000047555e2bd8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e17e7ce1bd8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d1334e2bd8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b18768e2bd8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c4e2fe2bd8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce1253e2bd8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c2dace1bd8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094cac8e1bd8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3336	elevation_service.exe
3336	elevation_service.exe
3336	elevation_service.exe
3336	elevation_service.exe
3336	elevation_service.exe
3336	elevation_service.exe
3336	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3068	af2c01f1561425c811bb29adc4734a76edf75d13e28b914e3e795bd797109f05.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeTakeOwnershipPrivilege	3336	elevation_service.exe
Token: SeAuditPrivilege	636	fxssvc.exe
Token: SeRestorePrivilege	2128	TieringEngineService.exe
Token: SeManageVolumePrivilege	2128	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2624	AgentService.exe
Token: SeBackupPrivilege	2756	vssvc.exe
Token: SeRestorePrivilege	2756	vssvc.exe
Token: SeAuditPrivilege	2756	vssvc.exe
Token: SeBackupPrivilege	1844	wbengine.exe
Token: SeRestorePrivilege	1844	wbengine.exe
Token: SeSecurityPrivilege	1844	wbengine.exe
Token: 33	1432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1432	SearchIndexer.exe
Token: SeDebugPrivilege	3336	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 424	1432	SearchIndexer.exe	116
PID 1432 wrote to memory of 424	1432	SearchIndexer.exe	116
PID 1432 wrote to memory of 4872	1432	SearchIndexer.exe	117
PID 1432 wrote to memory of 4872	1432	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\af2c01f1561425c811bb29adc4734a76edf75d13e28b914e3e795bd797109f05.exe
"C:\Users\Admin\AppData\Local\Temp\af2c01f1561425c811bb29adc4734a76edf75d13e28b914e3e795bd797109f05.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:924

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4748

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:848

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4852

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3892

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f85e8ada02188866da09df5f6098d11a

SHA1
3f0e9f389ebfd97ad7d920b6b20a4c24c72b26a6

SHA256
642d99918dad36a8e11b56bb5e3362a224051bd3c68416431236c512296220c6

SHA512
894494e2ce88b26979b0ce154e3fb213f3ecfbfe9c1bbb708ccf1a873cd9c12aff8dd4d9ef84671c17f18ae0c00b144da7d506f0ccb7fd042b91f492a52f8580

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b1afe9ce7e4351039d6a1631704d4cb2

SHA1
4844200cad0c5c8e79a865d6d422f303e35c6901

SHA256
bcb5442c1b259d5377663ca7ee4231460324edce49e46d6b7da20a7ac320770b

SHA512
0b8b5007be3045ef641221f415c2e069d3845999c1e5ea8747a305176b4ab3762fa57d94e6528bed675af0254cca553be848e5ef5fbf655e3a6436f4a773f496

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
d07575a3074f0d357b7ac64bcb657ad2

SHA1
f3b09ec874ce0b21dcbf1e48227eaffa3c7cdb47

SHA256
212c54c8d11796dc6d6aeb6ca40f88e254a5683bbf984e1f5be67dc0dc3f1904

SHA512
f3157366d8997eb2a77e70c324f313b5e62ba08341d04344a3ce2231bfca86b3ed5c7a2cef36507264878669ca2cb15ddddf58cf0d18e0a0f84b03b5e94c9e5a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d4a77aad8c79d224ab9c53ae36c06b80

SHA1
e2d97c1eca6e104530e4fd9576656f197a33239c

SHA256
b3db75ac61dfb09e0546f3c437e0147d6e8273b36cb3115492233cfe494d6c72

SHA512
1f6e9ee472406dba2f5cf412e2b994955b375658870dc2f8a579d9ca30498270fe6aa76e834fd4ff4f0154e9ea02f71bc75c315dbdebf446caac326ef5bb47e4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
80969819942532e35f608369f63fcda8

SHA1
c24747a791361da87fa207d9ea410f93f905d72b

SHA256
a50a60dc65ef46a33a6a109faeb76a92de419e91fef2743c6a43b67173cb1a16

SHA512
f92d4467edf86461de589c88980f9415f8b326c2f4b0941079acb89df8e93dfbf6c179d1e6f4b070fac9503b4728e63227716d2d862f440bb66cce433f35a9c2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
dc66cb4580ea1e6e82e67d687a16238a

SHA1
2ec0c9eeaf91cf7032f783599164dc26e46dbf08

SHA256
7241467bc4accc9a128d490f04f1d69f777ae3cdc3454502343439e4eb4af02b

SHA512
7f32aba94caf895ed6d8a1a98406947f3bcf5a4d1e16486de334e2f84610ec45280a018de7898fe57c955204f1b8f10ac0056dc8f621a160ad0f641fa9c4c845

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3666a0eeea4f8b6f98e12e7077476c5a

SHA1
63785377f3f064514966e92de4c91fe2fd4108e1

SHA256
8dee3198beecac1805cd8ec7a22b2f560cce3d0817aa7a2309b0bba25a08a337

SHA512
432c8f68a1cfda2e52120d0835fdbfcd6efbb113936f42b87923a13fe968c1dc5275164cea349f78d0fec275498fd1c469968f2909a36e5182118af9dce22e7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0673b5e0260e0c021a931fe20bebf338

SHA1
716a394f54320fa57d5ae19a92d6717d83405064

SHA256
6e45d6bcb4274982b7a1f531e98e8c3c6a81e8e9b40940ebe3c29d196a8cf93d

SHA512
0229a2d8a93d8829cb7d611d92966c880cb5e57776471618972f5efd8d27454799ce9b8662bf51bec16f04ac6fce716078e6a31a9c2c8c82e0eafd78b22f0234

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
023a645284f850a2d3edd9e91c608d0d

SHA1
3be4b94658bb8f30fc8f66d2005288ea736c3aea

SHA256
ea800e2b14eea679ed319160c524175e13a277a8a5ab6f459384a5ad0aaf9805

SHA512
2fb0b879ad2e49ea55337034df8b706accce283505ab131b78407efe6d712e72618ec6c8c0602735c30f277ad9a56a819d30210ed306415969a7ba500612faa8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3633931de9c6c15edeb63646d8107dc1

SHA1
849b1d0f13f67b8b93998e8d6e0e59d207888ba7

SHA256
7b5409b044690bffdb5c2ecb6eafd0cc0f883bca035754db6125d6c4b3c11280

SHA512
c2c940a4d9e0c946d16c1e14f8fc6d8d4dc21a09ae4cf7324cc6332b48a75b2c96677236f9a2e7f6550cfc2a658eec9ce95a7777f1f81e929ef654f6a123c4f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cdf83bdba4bcb5e21718832846512f2f

SHA1
485bf6e3e1797e00baa61aabc8491f11743dc4bf

SHA256
6eacb4bc835e2e7f138ef2fd74baf492f94268e09681f692b2a445c13b449f2d

SHA512
7bf94566b2e40a1731babbc25bd5e6b41fddbef0290f8c8b456b3188341d050fcba716d1ab4c9e5476a8bfaf62cf595098c37195a620d389ce470e9a66013458

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a8c32fa947d6aa56f7f1bf6bd7e64351

SHA1
87d02a70137a1cc087eb8cebd89787555e327ca1

SHA256
54779be7ecc59ec49c92ad7e8846e616eb74f1b679aef9fbfee182b7b025a39e

SHA512
1e39718eabeae9349eeb05c1412175be6051bee1615c2d1f3b4b7c9892c0223d9ba70b6d57d372f7cdcb6f063b8bd6794e249fe3e22270d7f191bdac31a69058

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5316ea46153568ce83ab1917b9aad57a

SHA1
9488ceaac3342e56fd17eb10ce01fde4510ca62f

SHA256
634867321a04b9a29c829005bdaf71a87be8e2d198b9efa624c0688169f89b94

SHA512
8c330f067300d543dd9ecd83ae45a2df9ed6654b47372302c2ac8f8156a623a1b00880da01bb237705be7aebadd20a860c15b57b68eaddb825a488c6ac232587

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
cfdafd9e890e9b3022ad00e7feb52a81

SHA1
b09da28e18723a3069a9623e5dac219d26ddb01a

SHA256
444bbe8e214da5677635e2dc6db6f7f7444bc7e91c8c3962005232abb7ad1bf4

SHA512
2cb89ee3188c98f14363a8183949cdb37993f2a8fd90bdb555b7246cb5c18c4068dd78f8867fc6a890162633ec48c2a5b7e3c7a78a97cc36838239f6cca1ecf9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
54e3750b0580803eacf9e2f4e469214d

SHA1
52b15db2378d11f5f2427396961d96ff2955d1fe

SHA256
cd7b9f0e7255209d37732206396400a884aca214914ce10e9c53ce861cff042a

SHA512
a72b511fb0c78f31cd154810db43a386fb9bd1c003fb328025031321775ea3a71607a34af7ba2c19f8bf12a07591bc60470d467f1845288554044f547e6b8b6d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
e34ee44f7579d6eb4532f25b6d7fe747

SHA1
8d26a182a4f59ed67d3021eaa7dafcdaf60845fe

SHA256
0d9978414b51baf26d0d8c54164834f761185020e93f659131e12cbac5c55f16

SHA512
dc945c04587693dc79ce28bd79d8a43f3d4eb73ad4863fe8c7f9916890958ffff1445d3847c43baea5c08871670d9f8931e2f3e3598799eac8d0ee012c7d2914

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
833864e03c7ff10c6116c1612bc4e807

SHA1
62de80a6301025f019bc5b30639d4a2c96a93910

SHA256
91cd7db151d57af88cc534a7a08118f69f505c6dc654cc0574defb3a30bb94d8

SHA512
989094ca073401ee5358ca0c0f92c3c24e96bc20ea0f5fe52cad2d542f212e1cf9da2e08f578e5290965d3e09961959893cb6a3439e34ecbb99e0b616fc75cbc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1363145d2fac06de480cd8c1bcb3b0b1

SHA1
223c4e4af78c1c3a918c7031d4b9e75b7e04e7ce

SHA256
9dbd3b5772cb16b501936fd15fdac383a11bbaa7cecee96ec8304080edc2fd03

SHA512
3af0f9d0a659dcdc6b19ed262db513fdb595794011286b448a9b11e96dc1faaef38966680275425d784d82ce35a81eeb2eeefc28fb89ac99c41824a3ee048445

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
bd0397a5b722363b29a17259f1ca4d0a

SHA1
96e9bfd82d7a72687e4460a41501699900e032ed

SHA256
c6a261178a4330bb89598e533287617d5443d7404536aa59916c36e7f7224cf3

SHA512
a321ce009e1684ed7072826aa2c73d1513e7673b5e7dfa08917d1877cc53d39fc0d19d6aaa5b66bdaab34f06efc105a13393a1917b1d1c563b132d4fa644ce7c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
38351ef0c49a5cd7982b6770d9b37c35

SHA1
a25e6726672bdde8bf80d0892d9bd2cc5ca25e9f

SHA256
93d3ef7eb601addf4997ed3f1ee2a81395e2bd96d88dba12fa2ee51d43a0617e

SHA512
6849e2d6cc539b81835bd5b871eace95eaa72accce4e61c45a7a2d44b9ba6e4d31a40ad0f7ba864db3da3b1e471843f0d2436462cd6f5df70d78381f2102d893

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
48d69780f485cc62600f7caa6e37a5de

SHA1
8bc687c8fad47d3cb0e22d81087c07f7f0620f0c

SHA256
b2f01243bf1dab4512d4216ceaff31b4f9f988e0cdf4696030d499b49c3bf608

SHA512
18ef36f9390394b6988093e6bf2eee91428b9b1dde85fa2baee7a7f7d0fd92936eb78db2d5cbdb0be8bae3c58ee0ec1900f95c30d9cd5ea17504a86089af7b25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
417cce367fd52aa721d36283e4bf7d50

SHA1
fde21854c2c9a221aa8c528caf87dc8e67c590ff

SHA256
7f32031a5c928b1b9d37ca28eecbb45d4f61bc14c24b7e2c724dde6681cbf8f8

SHA512
f2249825d5199f573c62080dc52ab175a10c137fac53c4a885f8b0f1dade2db5ad954f410cbf7fd73dbfaed1411a5601b2d8da4e4251b8128d067ee64b1d95df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c5cb3c38e199ebcc9aeb54f91e3ef0f9

SHA1
1c49cc716a98576d91c35b6e2698e006614201c4

SHA256
8adb08835eb73b70428ec109775eeabde2904a6ca121f71522db6810f1179502

SHA512
81aaf991e211ba358a2feef4298522afcbf2b572e9db1521f5a136ce20ef561c15c2bffe8dcf19f3d57be2cdae2f19ab4643d82ff134e7cd488d42384000b5e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d5cf0a99b8bc64dc7350f3475f2e2604

SHA1
ebdad887c5e1f836407ff9179d88f1ea25b6a4cb

SHA256
839ef7c416e8c75bbba0de8b8620e07f2c9636f3b9e9b985f26e85fba2dde08f

SHA512
51d5404e41cabf1fcb7fcc36cd3d29dacef7fa90f80f822c49a035d7542502e5d959d5ac6bcd455d2da9919b36585ab0398d9a54c0239f83a16a02aa85a64629

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
8c7904b0795cd145c83d7a3c8af5b95e

SHA1
488f0fcf382f054493ce069993a3fc29ede14c30

SHA256
8965b189a51442284f8c26ba2def2fb01da743b7d739a3fa55c1cb178f0e4ad9

SHA512
56de7b8df24a7d5e7611b9805627b69926cda813e4f1de4e0bbf5f487d20022cd1032fcac630acdc3f0127d379c0f8367e3d596213d0709c9805f865b150c4c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
49cfd44f5917fe96c099917e774f5a90

SHA1
add063dc5393b5d94112768cc8606cfeeb4a4e11

SHA256
bee428f85d0296c407f42da64476054bc91a9668c0c97162bf17aafd7a2b238d

SHA512
4686c95af137d4a9ab9c8c912d0186ab221675b73847de4e4788fc4b12e1dda2373ccb38a4594c19f7326264dab238f8937b492c1079d6c50175d04db4046a01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
21edd02f5ac811727c3805bc930ce524

SHA1
96a89de52414ab2b565f574fedcd45143e674d2b

SHA256
ddcf07e288ca83a612455635e0bc2bcaa5fc8eef57e0dbd9af676854afefbecb

SHA512
e75dc1bb94d397e80bac811756ccd2ab44ee52293a8f12cb72a18b33147192852d1a179ae62e0d3594975f21eaeebbf9a181dbb65407f9169121aa9d26d5bc57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5c7ab152873613e7ae5f3ae76e8eeeb7

SHA1
e7dda0451b6309cfa5263ee99d9d3b2b8b1008a5

SHA256
c2e7546fd2f5fe9b29dcef86225b75a3b075de3330e195b2a8aac51f65add30a

SHA512
f7f356e36058edb06924a7702fcc1c89471ff9033f68cecb79bade39c9f1cae998c1085cf370a7bdc2dffbddea7d842005c3a80e3fcfff5f319ca2b7ad8603cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ead1a3f980bf20949f6e49ff4a148c3d

SHA1
ff7c9139487d1c3507b6b3dfc31c6a1002761d30

SHA256
33d49266311811452315699018e1c9c3af9304189f713d55da2145b8c13ae20c

SHA512
6ce557490b38ebb10ad75bf216d0a663db6182dd87b1267259c37feac9dd99cd71c26690cd70674f2fa8ac18158bb25282a10885a5ebe5fb57fa0554684bcbd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ff202375771025eb61c6a041335cb8fa

SHA1
b0038d0859ff5a1609a2143fc50ff83bd8abeaaa

SHA256
d7814688074c05493dfded5081147b32e7b4d22701ce24c6f845d7855bab5587

SHA512
ee41254640d0ba3ed96d560d5321457ea14df117f639adfe8912c20ffd902c979fcccfef9f5faaf05d141e05239513713b7ba794f3b6d3e48b351cdf01d826e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
10d8e3afb459ef44ad260ecc9d0dfe10

SHA1
30d897c6015e4151645be6ced9946b9200086a44

SHA256
2683f7ef5388ec4f0ea827da632d3bb56cbd5466b8d8335a8972ac89e03c8ea3

SHA512
071b6751c1cf54bcf0bc9d7c4f51802324627fd48c76cdd5e783332075ac441d84b189be032582353f16141f76970662ef8814112c86af7550b7db85ff1366bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
f30450db3b0c6d60973c782072dfcbb6

SHA1
4fe7eabab20d0ec774298d6dea0094fc70214575

SHA256
2655475d767382a518235ccfd05504a29e255c081d9f48d609a742bc2f3f01c6

SHA512
38bd3774c32c51abf518940a564941fa48b8e57238a82470b7b1d8af5a68ec829f31812563d8e443e5ae206533c5c7a940f1c5bf28baf823114aa4b9110e47e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
930d4ad02eb51ba394348fe3e8089a65

SHA1
a82cdc8c80285006f40a62c28eccc1dd8a72548c

SHA256
68c62f80793ef74f8058a3a3af3096a548eca481bb3c82e6f1e15cf672700b81

SHA512
aa91082dd7453c63c28d8fa46f7b5ad565d7398f959ca02908000bccfc019521a422e68ee35fafa70b67322b6edcf73571bbf05e1f8d65c900325ff897757821

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
dc96b08cae1a85f18d9b67b1275be3a0

SHA1
a33ecc866aa6aef486082efac7b98e705d20d515

SHA256
c577c92428f07bd7c9f466c4bfac0b117680b0235a2bb5abc29fac112e21384f

SHA512
6be899bd459b5d3c525f4bfcd300754f819476f86e06ff4392e7d5683781c3123c37bd5d5e26b2d0f0ec39fcdc5272c2ddbc6d1afe6a9e0a61047041a76c448f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2bbb1b080cb16763eaec9b61b866831b

SHA1
e2bb03fb371af503af81be59783353a1e65e1e8a

SHA256
7fdc5fbdbca54c736bb6d36854d9dab29a5d6787fc917b013de996097d7fc351

SHA512
50d37c0a189885ba4284b827c1bbe5aba0122da61930b7c6495375508dedbb7e497b8a13c14559a22001fed519cc715394227df76fdefda4a3b84d9e9d643619

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e6cfeedad82ea9eb2f23d35c91807720

SHA1
7e8f7a15e58e09e511bb81932b5ba9da5d9f1dd2

SHA256
f4c190d62dcb03cfb9d4c08c9f3bc6e6d3447f633a90e0307d6acc4020f05575

SHA512
94affcbd304f2cf8f8884d2ed34e815722f091470fd9257a7ef39f4d87e4595cdd63ff2ca0dd56a524fd01e969379bf8ca1ceda40caa4898e925a773e60b3093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f6c9d5ad3e9890674842c889b40bc01d

SHA1
b9ccf2239d518308728f3375bbc29f2c6ca39e55

SHA256
a1e9281a3de6098806c7ca13b03b7b13d4be2fc92fffdd1f1390e722b09678f1

SHA512
616cbdbae18bd1fb7a9d1355cc45f91d3bc0e9572c505f4e55323c4af155b6c04d5c287de4884810b6b10c650b4bec9f9a074154041d636108ff06f43d2fe7a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
a1750d237a94cbcdf7f110598e986986

SHA1
2f9337565d3efd6150d57b05e80389e636c199d6

SHA256
c31130a8b8807f167afdfbf0ca160ddc46edbbe438280d18b9b6119f1fee6c76

SHA512
af246593ad2d3b89468802f141003022fe78b038e725b76ab915c2a302f3574d5072e2478e19c8e1b0bd5181e5a62f68c4c3d47e53e028e6d2085cafad1a675b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
bbfb8b2de923184cf198328170d27959

SHA1
c2a1326cb8cd909a6c66d9eb91cca63f239fe623

SHA256
d5336c0e53a2bfb153aab70ac3fc09f6bc94bbc3aa94da7680293a7fcd7b502f

SHA512
1eef868d5c4ac02eccf06aa082733f9aefac42ed3ffded5d265d98d5e967e55b43682022e78e83d06c8386660081fa608b59d7fe617f5c6f6fe8e1ae5f075b32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
254be54e0b147f2b357f710cfa8c5f48

SHA1
99d1398ee2e312a427fd0d9515217590c9137bab

SHA256
2b4caa46a4407301bc8a4a9c6619bd6585451215b8b8e424d22f3f06e6c9914f

SHA512
4856b89bc98056358d0825f6e9be2857a606d9913ac0283ce85fff41605b9f23d73b8ed045724ab7fba7f85bcd130379dcfc109bc8b777e1ef8f4c321c33505a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
002feef53679baeaab02a3da1d9f8a15

SHA1
5c538206bf4a0b732963fd57477d7e756838e373

SHA256
17e4c2dd46daca81e776f4483d5d37ac4b66111f0869f0fca7331a0c972a3577

SHA512
12944ec35b7e57b1aaacd86da154b42d27214a99ab18a87c5c311168f7d10ee2d6a91399018bd126ea4dd324763078716b26424f1fd1a379c799f89e78cecede

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
4b46f01be8fc9db51eebe062056edf48

SHA1
29dc5809b2354134364a0a6227d8e736ed3d0d6e

SHA256
8a95266dd442adbb47b4282b8397ff7b380257e9be3d04b7b9952f0b29475f07

SHA512
3d4821744fa590f4f35a11ff14d8db85683c1f4d89ac71a22bcc225d3c7b5ca354d71f75f8f172ebcde556b9af77dda27a64b9058f2c3ea28a96064fa78c547c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d4462dfbe7076b0e68645b3faa029852

SHA1
06f3bd1cde4a351ee070f629f7b4e91d2b05faef

SHA256
da51201e4ebb5cf36ffbc19811e19b94211609fa29bdf0a8462679ae42da1096

SHA512
8f728101a283429af61954857a87bbd18f3ca74542532a8c7527e2e73c017fe214355fe288689e30f35bfd8e2ab42c4e1ceba85b783dfc04ad71624871d4ed9e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0fb5a2ea892e00d668ed98089f908722

SHA1
181e432bb08671a16df571a98e8674f522039402

SHA256
a7b2b01ccd7415b4e94db14c7641d6385841a59546323eda3b0795aa64bc96e4

SHA512
b2417e442dd3d09aa7ea50952f710b90aa50e2a091069929bc98499ffc4766e8552db4be73577deb7e27060f4f1f3f6a220b8fb9a704f9e5e4916e86d42681c0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2faf225011d461b86fa4f1652cc64f4e

SHA1
ad2de5899177fafa3e23a17feec64762479f2139

SHA256
61d9af58f3aee92dab7f8cf711319b6c47f69977c8504c40cbaf2091b5d742fe

SHA512
90e58dd4fd3b99f5ed1e792fa9dda4892af34ab91d6fb6696c008dc1c682f9ada117a0f0357e1dca74362635d43e20aa4b1b232584ed7cf3a519c3b6e064430a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
5b181356cde657d37f566436de77630a

SHA1
5b33b281b342dc578370b0444b7c5acfb7cd3512

SHA256
fcc72709de79ebf6f79f5fadf4fdea33fc03c3207adbecb230c94e2daccc6aa6

SHA512
3ab70a8308d391d7bb25d80bdfb3ddc8d77f4f1045459488e86b471b35bb0e38d9890fb1326e66e177eed5ef407c98db465811ebeb4444d6e2559e3d12bddea6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0e23531365f8982dacf61a4b957a89c0

SHA1
26e358bb49d9690ad1136028bb7dc2c3304a7a8b

SHA256
566ad8563beecdf65aceb73e90468f9707e4dc2989f45dcab14700aaf1895394

SHA512
827079fa96c2e688e9914573d3cdd94962bd6a658e29a6eaec15f563cfa96ac44ec4300544477fe4126da0fece84c3bbafde58bf67985fda5485408cf8eb394c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
934ca1e06117d899e91c8c11e98a2b4d

SHA1
cc155884ce678e7ea5ce7cbd9bd7737c75e1fe8d

SHA256
5753ac48e2d8fe4c20705fbbf0c67a06875a1c7e085d6ea57e1c31122eff075f

SHA512
38958872c9e7f56e91430abd6749bd2a060d7913ea1e0dad6597ebb7066d4a757bc7509180447de19c925b9be6bc46b2ab8418a0b3bfbf69144377299d78cda4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
bd87da1a4e72777257021822c3b4e550

SHA1
36c01e3ff19a32fd3174d42c58e1a0e5406d169b

SHA256
0bc26da3b78fb3974032e4c2e5a57c0e6453bd6ce894db3384a372406b781d28

SHA512
91ef8ca79ba7610abc15e5bf7adaf19b329d7191e57d0e88f40e4f9692a08e971bb08aa35543b6df8bdde26b19471532f0601ef799c53915f80908b6634474ce

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
82aa1ade25e7269c12fcfc0e4313e69e

SHA1
3a075dd22cf3bb30ed64069b6357154ad6e5b10a

SHA256
bca403b6fb1074fbc20ac80df0c28fecf59e4aa4ccd01336c4b911be55dfdb11

SHA512
1d3aaf066981b302844af9f2ef8ffac949ed859619de376d94143bdf739243155ed239e177c1a8ba78ac06c56e9a4b949ec732aca7ecd9233ee53227e5e75e4b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
98d0cd596303809bb279ef6226537f68

SHA1
05d12b89e4a7c263d1b91c94ec41d5b443c38c68

SHA256
94cddca71ee7cb53598860d3eaa5781be106de9843435d5721cef3f1d06ad4c9

SHA512
13a2e4020f22d7b3d4b9b9034b796a38f34e1c9ba204fdc4ce7fd2c9f2339b2c70518782d01fa32e273c18b7749a51e93d17062a989de45d6e9c7b48b757dab5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
38a7f9a7203df7a9ee04eb2c2d867cc4

SHA1
44f510272db6d87d0058c02ca7b92f1be6296539

SHA256
c04c27e2137e8915e8cee64bdaeea79ee9c6c4b6865b8281314e94c3dbd164c4

SHA512
d6bb07c9ec4ac1cef369bdcc4a64f92be13ab2b6fc9d224ae0437e7f94d8b78e18c24012db1799ed32cff00f9018a84963fb3f97a4b6fd1f5b2f32880b32d00d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9024e9290f7ec4f4dc0bcf100595a104

SHA1
a130cd6298a38b77b1b612ec0950b5bb1306eea5

SHA256
dd870136df25b29352cce5a0b57b5b2a53f6fba8cda8c66d6039ea9f99ad7084

SHA512
8c8b0b3029139a5015bab57d8a663cfc7b3306e7e75cedde70cfa547708c92ad290be0797114c2caad0d413f960c97b8298ef805ac6f778e7cdbf23b510bd9c4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1dc6c28135804d5746f1dc87b1e3a943

SHA1
ea40b3ba5ec61175d73507e6392ef0646c494aee

SHA256
d3c4f8877893b67aa759812166518d117452b0c758247fea023fb8285a298763

SHA512
f4f7a77511ef0dd0897068618b7dd236ae938d03a78831136cd7740af7906b1e86a73f28cdf8afc293473a3ee88bc5b5cac3d8b7a822d16f088df24bd559228f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a74fad18ef836d5f31461ce4be89399c

SHA1
366fcba195ad9646d90f0a0d9f6fc6caef614eaf

SHA256
ab9846ab5d635d267c56a9053472d2584e3b5c2aafff604eecfe33c94dad7bc3

SHA512
b6dad5f76ea37dd709f1f6f4c13eff1f5795cc9ea807ea74a73d86cedb7f91d748586204e21ce531246ee8fe4ebbc178a1780e46f75186cc305050543d48d78e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
eaefdfe1e777633afacc3755605fbd5c

SHA1
1a97b2160da2879033d29f0b99f7bb9d4648de67

SHA256
78bcc8456f561fee51afdcce4526ba418cb4635792f10d6bb1e4fc6f73cc9c81

SHA512
823e5bc636bec81a39fb396ea73a9621b2468e4c9b29621c038b9224e0cc8dee2b5263fab7beb2a62722bd496044669e421d6b5bc9c0702757fb93d747cb98fb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f0aa41f356bb753a55efa1724f836726

SHA1
392f7046bc9ec233a70e7b7bcffe4fff76251c6a

SHA256
031b0a82313a9dd74ebe22c58f09691e14890a9b7247c4c9ed41e9dbf4db5201

SHA512
8b83670097185243143195b3a087e97b2697b66d0a7127fbc3fe345acdc2d6aef07564adf78bd80d74a52c95d0ec7d2118a5bbbae6811655c74f6ab34261d66c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3cba869840ce20ef5ecb06a4b942febb

SHA1
cf60cc8c6ffcc4844d5dbdcf18d0bd1a67df4d0d

SHA256
8e2ccbdc8e6b3e37cf9238385801db50a251c0c175a538e67f3c509bee360651

SHA512
a48e6f6fdeb67316b81c560d2fd0d3a7bc2e7b2d08acb91b6dd747629546995e8c9f72c416c6022acc58eb982ce9ef94cc7de66e07a380e4761933c768827bf9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
691d2bed6dae39e7365efe3f525f55e9

SHA1
05f52c660d855250060c31aea9446fdb89c18f9c

SHA256
30b6989dee72e0642c50844ce31741ce01057e70233d4e7d387a10333067cced

SHA512
8906d0b7ecb0d8263b6a628972da901c14ee06571b144191f21775d10b4f1d9bb119b4846cf77ea3c739bd75715880446c8e2542903a85634b9b904d5f2d3516

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
7a585c6c7ac298d511dd75a77f055493

SHA1
2eecdf02d828679621c64f617d8c352710b264a3

SHA256
4266e2f63494a77982e3294d2a8444e8ec71ca7ccae6e05b63a51cddabd02065

SHA512
b909d941584a6a5de8d9c21a3b2194082594fc2977a885d902d4a8c5b2e0bbfaeb5809dc396da721dc8e8f973d8185154d8275cb80c48a898e3e528de401a697

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d6035083f5e53f19d57df87a8766dde

SHA1
92da3c8d4e23e2b0b37dee57dd5eeb7a4ca2eea1

SHA256
f0556bc276b826fd2ce4613d934f4002b34453bf2e23ff085fdd7a3f45eae232

SHA512
d64b93a56e4f29dfa8756231750c8e1a6352acfd2e3b849c9b13db7581a5fd6cb80824d03ebb1df56fe008e6dc7026dcb0232fc812d31657e8dadfead0060569

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
ad936a2590a0ab380767460655fc409d

SHA1
cbd5523b4cab90c389698b75bf0863221f1b5389

SHA256
4712a1b49e5fa48e953447e798774bb7a1465e0afa6c040a572ca394bc5b9a6f

SHA512
fad8361103de2567bd2e0660f0f877653ba35198afe4d2a057a999783ba033b0e836667e562f4de8ae30976f5ddc283cf8a2cad38624e93c26a2028c7334dde8

Download Submit
memory/636-255-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/636-259-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/636-264-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/636-270-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/636-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/848-347-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/848-408-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/848-339-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1188-311-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1188-244-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1188-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1188-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1420-280-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1420-272-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1420-337-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1432-470-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1432-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1844-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1844-444-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1956-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1956-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1956-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1956-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2128-389-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2128-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2128-380-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2624-406-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2624-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2624-400-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2624-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2640-308-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/2640-364-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2640-300-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2756-431-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2756-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3068-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3068-15-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3068-6-0x00000000022C0000-0x0000000002326000-memory.dmp

Filesize
408KB

Download
memory/3068-1-0x00000000022C0000-0x0000000002326000-memory.dmp

Filesize
408KB

Download
memory/3336-26-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3336-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3336-34-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3336-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3500-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3500-553-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3500-418-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3868-296-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3868-350-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3868-289-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4036-456-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4036-449-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4248-66-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4248-49-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4248-51-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4248-56-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4248-59-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4732-387-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4732-377-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4732-314-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4732-320-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4748-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4748-332-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4748-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4780-373-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4780-367-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4780-434-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4852-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4852-359-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4852-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4856-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4856-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4856-231-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4856-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5044-72-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5044-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5044-65-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5044-239-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5044-64-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download