7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b.exe
Size

706KB
MD5

1c431b0c9a15eb68c6d0dd0eaa71a324
SHA1

8bf74f8c092c9641e6616bc01f588b67689300b5
SHA256

7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b
SHA512

be6b27bc9b83af4645484b6327d5b8a0c1f3242ca8ee8c86e26957a4335b26c4743e5d9799c385d515d2b72c6fe849913fe9503deafb6334f895289462fcc07c
SSDEEP

12288:AWiB+tvMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:AWiBPSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2024	alg.exe
2220	elevation_service.exe
2908	elevation_service.exe
3944	maintenanceservice.exe
884	OSE.EXE
760	DiagnosticsHub.StandardCollector.Service.exe
1408	fxssvc.exe
1572	msdtc.exe
1128	PerceptionSimulationService.exe
2820	perfhost.exe
1708	locator.exe
1420	SensorDataService.exe
2500	snmptrap.exe
4852	spectrum.exe
1004	ssh-agent.exe
1336	TieringEngineService.exe
4952	AgentService.exe
1672	vds.exe
4072	vssvc.exe
4484	wbengine.exe
2576	WmiApSrv.exe
4468	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\38206e96b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7cdbac5269ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfc655c6269ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072689cc7269ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb42d0c5269ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b246dec8269ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013c917c6269ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccaa0dcc269ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed3b11c8269ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003662ccc4269ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2220	elevation_service.exe
2220	elevation_service.exe
2220	elevation_service.exe
2220	elevation_service.exe
2220	elevation_service.exe
2220	elevation_service.exe
2220	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2232	7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b.exe
Token: SeDebugPrivilege	2024	alg.exe
Token: SeDebugPrivilege	2024	alg.exe
Token: SeDebugPrivilege	2024	alg.exe
Token: SeTakeOwnershipPrivilege	2220	elevation_service.exe
Token: SeAuditPrivilege	1408	fxssvc.exe
Token: SeRestorePrivilege	1336	TieringEngineService.exe
Token: SeManageVolumePrivilege	1336	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4952	AgentService.exe
Token: SeBackupPrivilege	4072	vssvc.exe
Token: SeRestorePrivilege	4072	vssvc.exe
Token: SeAuditPrivilege	4072	vssvc.exe
Token: SeBackupPrivilege	4484	wbengine.exe
Token: SeRestorePrivilege	4484	wbengine.exe
Token: SeSecurityPrivilege	4484	wbengine.exe
Token: 33	4468	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeDebugPrivilege	2220	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 1408	4468	SearchIndexer.exe	125
PID 4468 wrote to memory of 1408	4468	SearchIndexer.exe	125
PID 4468 wrote to memory of 1208	4468	SearchIndexer.exe	126
PID 4468 wrote to memory of 1208	4468	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b.exe
"C:\Users\Admin\AppData\Local\Temp\7e017a922e38b343781dfcf9f1dd2d0d3db6c5a07a3e3ee235e221ecbe289d7b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2908

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4792 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:3584

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4084

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1572

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4852

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3488

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1408
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
85b508e23d23ef3ec71fba9ce2c7982d

SHA1
b87d4b71bef3f1ac8b5e3320ebd2be651a5d6229

SHA256
7b5da5b8dc9813688500b0064e4b5660f330804505dc863849a82725a8af2076

SHA512
2ed7165b689256caa75c63538cfaf0cdbe491b41d2aee42ebbf3e592314dcb97502df6545ad3e6be5562a8174cf7676efc7dbf62afe5bf60211cbd52c1083031

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
0341e147436ad133b7ca128525007fc2

SHA1
9f577a124cd7c07d1ce0bbbb22801f4952d039ac

SHA256
b817a1648884d8c6134a5bf68ea702afdd98ab4f38f5879ec194fe6b3752205d

SHA512
56f9a45bfaff811ded499c72d685d8d1cd50621aaebcfd1a76b0d43179da013b67d8af5fc7e8e958cd57a3f4603f049533add291c82509e3a027035cc5af5a1f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
54becd94eaaff3332f8b231d4b5f048a

SHA1
bea0eb069d30b5a5bff5e5b1013b3d3b7f1b66fb

SHA256
9bd810ad4c3c8dbe7a5d96cb1f630bb8f931bd2bb43ee72aebc0055a8d169303

SHA512
af030c41033b3d5b99348cd165466f86d317a9c160bd8f2b98912066e7aa04f37fd32d12f6e5687a4c3ec25c420114cf85124c6ab3e55adc615461f21d87924c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e48c3fd23498d0d13f931000b7137bb9

SHA1
7949b8a4d2b4909fb0d4f5f2267840fbf6d45450

SHA256
aeaec2647322180542ae4afd13b43f7abb196e26bb93942778e71280fa0936f2

SHA512
6659c8d17acb17537830b92d81bf345ff7056cebe3afe03038de2f201b6ed3ad014c6b82d1718ca2c29506bf5e56d2597029122bb8744a3e788cf09b2ca8ce0a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
39f2bf8a6d0323fdfa87d4bfc59624e8

SHA1
206d6c154b4a6ff1c27a3b6a21b99c250fae60c0

SHA256
1eb3c2f8bcb949240552d5fd6f4c0bed430fd6f1bb55c269c0175eac18de3b66

SHA512
b31b8ac23cd4dfe4f941562089b6a7dad0dfacb96dc4e4e4061c5719c88b86754571a21fe1b0708acb52d1041395c0c712c835d55996af4a4fe87ba6357022ba

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e6fe9743d2e69db2a7b4fb67a6c35f42

SHA1
4abdebae01dbd71027391e2767bbfd4f10dbb750

SHA256
e53a4e6a3d4d127581c63c5c9c6630029790080d13ae09255c41ff9b4fa5aed5

SHA512
636f8b3c7ec123684768f9ef80edce7de727b4e900d158ea66c2f959e08c5b663657a967ee51c6030f44c5d1b4303ff115b6e65859cf4c174d1604f94d87a8d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8eb8cbddb917f55f8f9808eb2026ebea

SHA1
334438b26cc42a836bd24441bfd5a9789fee3150

SHA256
7c8853a7601cfb6228356844947af7539dfec7f254e7139758a41b7d5b6d4594

SHA512
e6cc96118a67a44dc744a72de9be7b88ec8133aee81df6097fa34f9949dab0b5ba429c03bbffb3e12a6496be85b87edc32fbbb596c91895450b4b7c47121f3df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5cf7384f9ba25ebf5a3308aabe433f2a

SHA1
7e331b42abf40719b49509f22ee716eefe82cf0c

SHA256
46b8d44b39cf8ea62e56341d7f29627336b1e24961aeb9ff1532d62faf3ada44

SHA512
16f269414f70b50d3f2b4fa5e90a311bdad4ef2250674f18fe20d9e2ecf04d9a69ee82f52638b60dcaba1016857b7763abd4e1179f9344ede1b3db9f40f28ba0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0b1cdf1e3ee23f9bcd7a77dcd559fef1

SHA1
63c32c7a16a1b1ef7bbfd64c18096fba28965393

SHA256
6f2bcde99362eb4a65764d2f1f087ee6508a86b0c755c4a32b620cbbde71613d

SHA512
129a4a3c4286ef8598167a5435d1bb1424b5b2acbaf4f65e3117f8348bf1cf5129341c4af3c57228872fc64e76ffc671a16ef54c74ad422a5a9ca34b0848e21a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5aef6533ed36a374e9b9f3a8a8b1a014

SHA1
14faff4162bbd2ca27f733391ea7cdf2f56e71d1

SHA256
215f836d388ed852d61c7e3fbcba42bd8533549861c4245ec39e596ed711d1bd

SHA512
fc53e17835f365a38ee0096f5dc9c149e8cb1d28168c5da8d7d7b1d4c013861c3964448639165198a012a40b552cb36b6d460ccccffb4158491bb75d1763a75d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
604c483f896621c7f6ddc579da6c135a

SHA1
6023fc43ef11cbf06e67f09d8d41c631530715e6

SHA256
3c34ab711ec0157c46868054051dd68b2415bbb30ee3c3911ea6c6296ad25557

SHA512
5bea743fac0c9de09e40f1db71f0bb1ca09f6e0ec3690bd2e8c6c23fef60e3b267069ef6e2a1e358ebda20adbd706e1ff7bda888f784ae5630102aaf38328015

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6928b30b0655e7baf0abe40e1f79923e

SHA1
2337da635e83cb581e801452add6072cf90c9e52

SHA256
6232f18920df3238a7b9dd56a43ea31e8b99b4788380b9c200cbc61e7cf0d96c

SHA512
ed4c8076ca92440feea31ec47f9d779415296820b39b856c6c5f6206f80430c1f7b85525b2d5768f73625dd916e8e3fd092ae8e7beec451833939dc1ce7ae324

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7a8966920d5c8a25263cbed260c0b997

SHA1
1a59065640973f98063df11caa383567e70a8aaa

SHA256
7de14c21d2f5948fe153a563427f3bbc5f0133976c121d0f1764a97e6da9e6c1

SHA512
262c2a9ad766b5a9ce71bd1f46212c23cf304862c99f178ceca96ca19d59e3dc37dc6d67fe6c868b8c5c4be385fa39913ad9f1f44543f3037408e774859ee4e4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d9d762f209a2a71d37abdadadd7639af

SHA1
becd198e43f45da2f58eea5bbc179efbf9373018

SHA256
af2df30e264d464cd1516e3753794c95a493043f2f3661bb5e1f97977ed8262c

SHA512
a101ecfc46c68746308ff936f0f5112870e7c6619ecdaa03d51bd4f6ef6d784d868b14c18f7d76361ea758743972d01779d4b334b29852d5f849f208acab795e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
9dfd9b0f3f727dca2b13de1191aac1fa

SHA1
ea1ec87ccd95bf5725032d23757331e3228676b1

SHA256
34f34d0ea42114fd2a7f69df172840056d427ff0b59059e74ef212d7bf7270db

SHA512
bc28e86072dfca9ca9ec2c9f15450e96130ce5c7fd527c9af37e55ed3ca96fb5f32fe8ac303c34ff169e4aed2a09a43b41746f1b31b53340cb891f8c8fa4f147

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
4b29b2a31e1bee3c6fe9b11a217641fe

SHA1
bc2d865d01af67b51bd0507e58e1e756fc3e79d0

SHA256
5f473f51dacc8c95541752a010cc2de1e7827ea01b85978e88c3c3df865c518a

SHA512
2310ec00f70ff662918ee509f371554ac857b7948a1d0658be87187a618d1c64ad2f13656c5b0a925f9758932075a26d0e007fa37581a3f4965e43f2d4b273fe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
595ce00f01ad88ceede2e90f69bba6af

SHA1
73ae629656efe6405e8feffd5d836f9aa65c9a84

SHA256
eeb09c0aa7b5fd4b2d88ac9cf92cdc84e3d39d314891ef640429eb5c5f95147a

SHA512
b1fe23be8b4900d023d49ce22f916a0cb6616802eba0f578e9787c5f5e25bdc782cd10f8c0d2a3585d0c2ad0348fd71561a70e15604784f6de4349f3d3c2f5fd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c2351804e481c7736ef65ddfdcff1b52

SHA1
a46f8e5e59c9acfbed3f89f14ca4dc5df8747c9d

SHA256
a36308f4c36b8c625050fed2a4d3cf9634282440262f9a5c87523e310051412a

SHA512
de687527d60fa4885cf55d575fc22190ca71cef1b395d41d2bff9950971858f8645ce9bcc0fb1d20144f1fa6aeb81adcaca1875b38a20dbfc8f5929fe53475df

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
740963c762a49da2ba291345399552a5

SHA1
bb373c6bc18422ae8660c9b7f08cca63dc233ad0

SHA256
4fd69aa45c9939afdbf2d0e839525242b75a0b2564cf084642858fe6971e9b4d

SHA512
fb57c3ca8c840422f2598f5577a0210edaaa596ce10528d17b2745cc5c460345c8bde4981ee557d10fce44689f03f92ea5bd1b7b564f4c8d9fe996bbda6164a2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
1033220952101bb15398ed65a0888aaa

SHA1
c30bb7658123a05a80e76e48fb29eac1224b935d

SHA256
dc1b96a57d3f6397d2d314b1265ac6d7ff2281b96b992851dcb6fc8465d9afaa

SHA512
03dbd867fd0b6ed51fd5f3350b91f66cde342c33d3ac4e8af83cd5e692016c2ca28257dbfc12986004639e1ed3848042c1a4a57803eaa8289ec9fa6a586e2f3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d040689b55be8e5aae11885dbd5cf335

SHA1
076324e487e004af92d92f108c69977c69dc70fe

SHA256
c13bcc08fee032a9e36e9f0636c036c82f1a3464314c5ee672ae7187f1ad4bfb

SHA512
452f5fd2df848a6abc4d632b96f34e095090fb3d45dbf96eadfd8f718b55c9350e5a594d8827edc37b3419cff2fe77d3e9f976ae3bd6c99529675d402350ad25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e8ee126f715a3678573b93616a5de25f

SHA1
b9ad57980a8198f9f1d7ffeb7343b6e0987c05a2

SHA256
3a4a6dbcad8b2e77662054a70fc81a9762d478f0bc832bb1cb98f4e2cbbe6f8b

SHA512
a72cbaa3f4bfb111b68db8674e1727f9ca37df42e18076e98eba0e94c8875e8beabae1adbcbfebb8bc6ab5f91df5bbbed7a030fb30720ade3553e34551c80b9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f9a092634b580d4dbf05c53f577ab7e6

SHA1
a93cfd4ba25f78daee03b9daa67c075383edb9e3

SHA256
5f026d3bbd4c5ccc6e2755f7be5e4e4645991bcaf6e5b877e45d9a54b0671a3a

SHA512
8f096b22b8f98b8614cce7729f5560a1f8e7d7cb37c2a0840606f7728c69e02bec3956f314dead290b86ea5950a9b550c8506fc1401134f95f898e6d936aedf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
93383d8879ce6ad16d4c0c74cd2bcb0c

SHA1
fb64a7c9173fefa62115ca8a76f82f25b87a5951

SHA256
e9e1c4231ad77fca8ddf31d988b0e2df8dc09d8962fc5f3a00c1552924561d49

SHA512
6f1422a8b265fdeaa38fe3aa688857582769cd606d59c5585331a24919ae28cd066cfddffe1ce3f2bf6dd67bf9f01ed36554891ee5e47ee347c80e0da841da1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
bdf966577322b8f8855e7116221740b8

SHA1
bbe466ec95d4a800d9c2d21cd3dd354bf922af5a

SHA256
02573e832fc2064378cfa7eee19feb53e3563d8b35a3d75670d8aab19dc5e004

SHA512
112b5018230d55d78b009421cb3db65795713ce2f80cc41597f87010d7ecd326c6b2918e3183110bab976c2e8631681e3d506f41d1e61b3806bdaa5fd1c0ed92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f1615cd0702e335e82241e58c785b3a6

SHA1
3bcc694a54c1571f1bcab51e8ea11fbb8040f649

SHA256
665777cde58edd2ce896f79c3ff5d889fde65db9e10e07e5477c02ed9745729b

SHA512
0719d8cdfa2de0535c223ab67c12817f170acb68256b23e81afadb1ff8453e720aa656183653bb32346f51dca885e8250e5c702b7f574345d480ca238e3b75fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
aca79030ab9b2e7d2fa35c108e92a531

SHA1
767b9f96973a26cc9708ac442ae62f742d0f9c4e

SHA256
c8f30547749ccdad16ab288d8540b2a8dbf804838af399effb92f8d988019879

SHA512
60b6ca259a83be145b9c20f21a06a409669c1a56b692265d8fe9e0e495932fc9978263370a1b2e281c0d53231a1a291dc9d4d1b66cadfe3f5fa0b2a60662abba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
69b0cc15297a864c4ddcbc68e7b1750b

SHA1
10524b2a610a8aaec566b4b4aa886b6daf8bf4bc

SHA256
631f97ffe8fd3c301d5122bb438ac01a88109e536f17a0068947f8d5833d1872

SHA512
cc52d613b64f28f6dc41a510c0f586e58aad609e008785609897fe9d8fe0fcd8ffdd7cf5faa1a2a93666c12cce7e68d04a52637aaeeaef7d5a48879d96e33fef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5fae0d1087ff562c915517e9c22128a0

SHA1
d5e458e33ab7739e0cc70f52b713f728def23c92

SHA256
221f51d5e8c9ae9a5705b7cad11e93df29394113fe8588e6e35dee3cb17156f9

SHA512
0bc76e8f723bd0e6807f7da11c0f51877733c4773929d32562fe14a1c77573d6a087023f17a256868f9c2583f6c6b90dd32a7efd65c61cfeccee75a862519143

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
fec312506e1502c18da03da26a555000

SHA1
424b7437322d4e120137c6abf0379a1099eabcf0

SHA256
8582be579707770d24940eb8ae5e449ce202fbd4c7a5275595fbc768080bc041

SHA512
45b9efa96131613b162d8902e6651242779ca520896dc8e64bce9e563d20199d1efc07e1c03c937eac1c558b7f3c5492585eacc27c49438e1f86d7ffc0b9159f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4e231abf44c9d2a9100e504ae4201e6d

SHA1
0fe36f33a1b0b01e17fc7916ffed67669d6de18d

SHA256
c454535c29546420db8358451f5379a628cd975c3a0b2b8e9492802595c82036

SHA512
119ec34e3ef4ce41793095aca82f9352e3d79c7234d99f3d682639e47fb2f2933039f8db61bf309a2de6ecca6733413b9ce598f7f61e0f6b29a4d19da77ea67e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
513ffe75fcf4480c676ee2ea3c020ec7

SHA1
dbfd9fc0a1c50623d997f8770a06c6ede78e8fb2

SHA256
9730e5c20956a9081385176017bace5c6cc227d54be2d4f86f076de1ab86dd9a

SHA512
60acea769587a030f568bb8a81acb9ef17b3e8432d9692be62352dc1c6badea97305f7cda8f121d5b54274fd457f315a7748db037af5a00ce690651b7969387f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2cf9ffe531a992e27bb90b2fa3b4a2e2

SHA1
45cc3f5a3a9dad48bfc9a9b17c7a6bb61b4759f0

SHA256
914bbaad1c6f9f2182ee88a209079ce359006f45c77db5cfb57dd57a44a2ec31

SHA512
5ab4fe0b9f4d8d8ff17bb798fe01f078846ee993b696f0decd2027bd84e5d8e5c59b44e71be5317db3ea7bacc723ec60d6411724af3ea75a91bce1822de74f59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5922e19cdc4954ebb5d50239672ad735

SHA1
99a2f150c8e677b22cbdf9e4506c3035739bcc00

SHA256
6bc83c72c8b9c3c9f4d7e3256a469914948a4753dd677dcfe9c4a7d9ca62ddec

SHA512
6e252b59500e5cb55b8155b966c47ab15f9eed4197658711cd2c2d79655938a78a710284fd138b25e991ab4784838802b3dae147b3a56f92809a7d16951ec94a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1b7899902f78768c144964afd0f66f24

SHA1
fb6f1cc1d12a6c25fd0740972ee9f2f72144d17a

SHA256
ea887fd9bf0ad03a1e64679aa37666955f9a38dae8d89f9605302997761d1144

SHA512
f1ae5c1058099810abb7564941a4930421a0fe50b8434fe661dd5c72ef8b5311dbb0900c30bd9d33ab91f2607ba38819220ba596866f91a64dd4909f8597ea1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8c0ca166134034fe86df0fab78555fe7

SHA1
56b35bef0f77e5f069e057b095f6c37ee9707304

SHA256
f2a941c12df8857f1641080e1ae03cf6f98b5a03babb95c9d4fb24b92317b697

SHA512
4f9f9337b5b3cf75fac6429c3152aead934aaaad8b77a86d68457fe70b70b2f5b962f9259cd0085b7d24a26ef7e7e5e2d027e6e093efee0a58dc37ef4df09270

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
21e0652e7092ffcaba1d1416ae89a04e

SHA1
b830e484a888735150afef30b0941ed3f9994694

SHA256
e96dbaaa8cf5ddd29822ae76dc8e6b767af0c0f98d4cbb4ca5bb600267cd2ff1

SHA512
bb2d59793eb368713f853a07b06c477084e18218dd24d74eeb8e8110f884a3e9dc43e797f8cf0e9a58b27e6bfcd7af14659f0969eaf205c3aa242e1c8c979d2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
1d9e9642cc1d1bc01bac0e7b58ef7255

SHA1
64018dd3ad9c8256279d86e30562f9680c4ad22d

SHA256
960ca475b654c0cacd068753382db4734164456f650e2e6bc0224882c88bdb16

SHA512
cb017914db19257046da6361faf33ce9390940ce7c13f1f553fdb2960413c98841800905461cb1f010d7422c234b000e41f989792107f4db53bea70045fa3e52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
67fcf49a5c127cfed8550dc18e519ba6

SHA1
8a63d4d320e6ba581d1a6f2957d1f18cc80aedc6

SHA256
013f70fc1125e97b50c3f63f063b5b20aaf3cb178ced8f60e71de4f9b36971ad

SHA512
f63833175cb481c0de4872015043b3469bbcfa36b0f921d42de4d0e06b794c8a740b4b65923aae3ce2497ffc52fce154a764e5a283581e7955eee0917f54e116

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
0e0c5dafe7db8a1ffc2158b7ac8b52b1

SHA1
7a3990b8a056690403017079aff2182292a53b07

SHA256
4df85443d95b533ed6656ae66d308f243320cd526cad052672048a2e767c6fdf

SHA512
80556056d7be63f0ac4da12b533913a78988ebf8d9f3b8c1fd5ff2f7557d6dd08718d5d8481930fe8efc2101394a1b5b97171f200a520c1124d3afc5d8b288fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
183503efcf8e8e1c577c8f892ea89c8c

SHA1
c67758b530f2b2f693806feda6a6def8ceeabf6d

SHA256
0abeb51ca6aa60ab0b0939d4be8adc711fc063ff3d0c14b900cadcf1ee59901c

SHA512
548ea5bdba76758b988d5bdea5305719c3b092aa4b49b717f2b9baa5e996d4f64c2b38c31c90f5d78dd7f0e61e2ee66f17478cdd781d23e179f68d680bbec922

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
d764ce835e0261577c355c64a94ffabf

SHA1
7bfc565fea0679704d71752bfedf3e51cb9c56bb

SHA256
29c0b885e19009aa7d431dad0d1cad9ea188f44fd6994dcb4d8bf50160ee196a

SHA512
8530757f5437691919b6c7249687a7d2a0d9b5dc8c62c9808a866f76b4794e1a6423dd09be652a12ca4fa79f708345f4aaf4ae1608ed2b31afcc94cbd5c64bd0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
873a09900603584b365d7c795852f5d2

SHA1
fae004fb17374443a61fd855603e0129178b2f7a

SHA256
f8bd973f67c01de8f65fec91e15b9f5009c7bb00d5b0838a372295a6a51f144c

SHA512
0bff8e5e9017fec7c92ecd3e7bec20e887c513bd58781e2b057e057ccd41bae56f54859d1974e1edf27dc09653b8d88ce5817b2794aabdbe12a0a83609a8cb7d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c72b1e0156471d892a8d594120c6bcff

SHA1
e819b08f9cce9cc79309676cb4bb743673d97160

SHA256
94f309f146debef393e050956678e9b628c7c380c454e84c6d772ba0196e19ec

SHA512
a9306bb8b43999f05d57d22af897bbc1aa46a9408ff6e13ac2bf071d1be74b0204bacbfd7d714283f85fc08b6bd66b6bf771f293a32dbd1dff5fd6096ff9f98f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
142e84dec53fe86f1908f7a9d69a2cf7

SHA1
d3c2cfb16799030ed81c59e9dc4f6b60b442e4ba

SHA256
f3d03ea96717d5b9b88a233365aa54dcc01c43da086f509f9807414a7f46dece

SHA512
c94d4a6b79cd22381e21be4295de15326dc2fa37d5beb326572b7a6850716db8b184c331c03373f32f9a8a0926d01f8d0eed172e5f8b4fa6737a6e7258d67712

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c5b3ec73497ff53c961eb26deb1d6a76

SHA1
4167ab2062ad305946d9d217fc9cc9545994864e

SHA256
a489ada80e8eaec7ccd4b73d7995b8f3e745324ec63d6f6c1d8261a2a2ca5643

SHA512
77deafab9802da58f2c3109bf5d80bf17aa443333694754c3aa646c4b09db182d18025422d915d01d34d46a284f5581d8f0a714a729181f0ad21fbe56903527f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8005805577ab2938d1fe0c33119c8e30

SHA1
e5d67bb1aa8ed8be0972d8e9e7d9b7396d329ec5

SHA256
f299bf0ca9432a284d4c84aa75147c727e551adea379819f8bbc75bc2be5439f

SHA512
814023363ebb7f21abd9925e60dad44940993cb08daac1db639d79ef5f6de48aa7ea357ceed84c78a402d6fd4724110738d7415cf19df0aba50493648006a06e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
76db7debb7fe42424bb1815988548d7b

SHA1
d62283a59bcbb23873fbd0b66f7ec5e6431a053f

SHA256
1a26bc5a63a5389f309f9417a8545ac073a201127baaef8f9e5c821007b19473

SHA512
85aa0fe3ab6d60771871688980f101603b745c72183159bf8abfbe1c6ad392ea663761bac3debea78efd30fe6eadd462dcda179a73e02b99f6a6f473a51a4b4c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fdf83c8ca18dab704a97765bb521c034

SHA1
73bd6afac3b65affb4dad205b23ffbb690e2566f

SHA256
761fe1bdcbb389e4e9325cbf7ff08f0ef0e2081d2dc6d77d8d175d33a4204647

SHA512
9feab6fc14fd690c9c60cc6cf8850280331c9e08ae551ac68857f4d32caa5bfb9faeb2c4ea3c4695fcdc3de44ab93a2d5b462fcc1bb7016ff716067aa55f7b70

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
12dbab43848a2af9bcb7f0b3cbf9389f

SHA1
86d68d317925c05200a75956bf993ea2ae19d202

SHA256
f77b803214a5fd8d98f35b092aaeee0a653b388bad593c8739bae9c556ef939c

SHA512
0281194129eb1c6d7336199956ca15ae6540f2236a791348d073a66b347152c3aac047fe8fdc5bfe2342dd256a838f8837f99a59651b4319256259244152b615

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5e19e0c3aef90db5c7338604e2cf2f32

SHA1
5385398e02454fa330ecbd68e1859c2f59c322cf

SHA256
baaefa8805f04b23a1ed274404f98f8e893e9dcf3efa18eff45a471904c3831d

SHA512
433da15f624acf10f7965945aeb63d62bd18617d49ae683af2f332a4d0f143f37f35004c03ff74a32bb096060d6a942a269eee4348c7a8d30d2453a0f94ca993

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d8598cd883e14bc3b8ed0543ce2123ef

SHA1
dfd1c841897829a2db42c3447fae3fc9211e98c9

SHA256
90545100925025b9f3595b84cb5b29393424b93eb2c72581e902c28347b94a73

SHA512
bd672a65c70b0940591cbe998f459daca7fff472aded9b4d9194002c045d5826301aa46a5338d048311b8678819a222c28901d8ef4b39bf4ac42797e2c174469

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dc5a1618fa511876df2cf4d3cd53ae44

SHA1
ea93fc760f8b940d3a2c0470f1014375b97caab0

SHA256
85e7b8a035354f40b90a143b3295e7ba38c3e8dba0bd0c417e3bf2699b83e9a3

SHA512
7717fc410e6a9340512512de51f6ec0e31dae84bafe16bed1d0b02f5f1adf2c6c4b2a389f014569e6ca2f9ca00534737404c501e5516d439136eb563313b0d28

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5f852051cd2318005a239f7750ea22ee

SHA1
deadf50bc017eacac49e766dfd3abe96a762ec29

SHA256
740d1cce4958a43341989014029139329c57d5b3ec7493aa85a1051411933dce

SHA512
89b98cd43afdb3b52ff3698ab7c674b804db63c636417865ec2605990a4db2c2d319c1bb5cc99a179b000bc219b1b4c31e749de169a65d54f9cbab6cca35b463

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2f03749731dca6c21158117dec3548e0

SHA1
445110adf475bb10dbfded3af0d7cd884dc60a7b

SHA256
45fde3fd09fadbaaecd75267588fe4fca39e3ddecd55db4b354d17a9bc27d711

SHA512
7828afa9bea62f3003736c654a82e7c5c35e1fc62e679fdff7381d3d78110a034aa7c2dd1e1fdaae81b9c95b25dcc26ea461d730c94cef996f6dbcc964599e5c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7e7f6642253ac9c079e6f7f18513be6d

SHA1
83ca0b2eaa5e0de3549425ae3b5b04cd974a45c1

SHA256
569695cb10f510918e87259dff14cc907579b7b0511e1019eb4ff393ad402d12

SHA512
bbfb72c35021988766cf3a7759592adc93be7d1caf6625999bdb0db01adc2a0e4511be515672b16d2480380f667f1514f51adbc1df64fc79657a02456a112148

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3e63db6584480f4f1637dcf991054e86

SHA1
546d3d6b43e8105270065c60ebabd1b66e7d954f

SHA256
64da9c55da91477d487560badfc4c90a62aad3289d284a49b45ce76398c8feab

SHA512
00750d72c453b1feb312d138b85194b8447d0553b0228616e1410b17a1601513d70038839fd07c41dab5c672fc93a45b146cad35fbfd402dd99d957d1568bcf9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ed578edf50af371f764212829c9fa281

SHA1
bd01695ea31449a15205405101c399412e815fa2

SHA256
5e4b6fe6a88823f81b11e2beef1bc6f32fe7183c42c94024841c21034ed71ba7

SHA512
c1e95434245735375e50b1547276e713c27e6c45018a82a9e81dc2ac81e3aff5567f2ac7e70d1e83c060ca0ad9772888b1075c456fa5f16ea5ae55ce83a79c0a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3003a82a5d3a43fbd922b092588c0dca

SHA1
bdad1d0eb7f95b52f0d8b2d251fa6f4d81402c73

SHA256
fe7a9a9bb90358966d01b8befc674d1fb44dc41b3d6e9b2d2356523bbe14822d

SHA512
275ac11bc03f4549a2e8c88a98b4cfb906efb58b52f5532bf8591c3d52406f6b68ee0252ce13f83047f7d461ec000012553c53ed6ad26324073c7ce396603bb0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b2a1c6cd8323f13f9c65b47469395ae3

SHA1
1b2b059922d11f395c5953945bb86bf1f20a2e6a

SHA256
7b22f7f89b8c1cb3ddd8afb92d971e9126ec791971baca7f473687e09d4ab6f4

SHA512
6a9dd1c2157a94f0dde1d57b6801f0bc2f527f85359811227ab597a9fd9bcd62e3340333e69d4969dad5a16c1f93ce63331808fae7b802e124ea2d2e2597d6d3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
abeea88b5595cec30c3596df87f7955e

SHA1
1f8051f25a13b7baccc9a9dbb27425ccbbf07519

SHA256
16e0290dc9f159b6e693becdfcc0931826c0debeb4c82397cf00482c472418fb

SHA512
f9a236f64d33c53cb73631be3ef03e4c67a732172c5ac79c5ec083e86c3966296c52210754f6b73d26b664acb31f5519f5c4c92e5d30406051f397e53f8d2619

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
b8ea16111901ec5669196779de83e0ed

SHA1
3066b1fa03cf09fb9738f82e8f71d661239b553d

SHA256
6a01276597135e5f5f5a91d3d68562adc24a223806fb26043506cb14c1e75be8

SHA512
78d2af5ca8406f5a041a7a42e19fe5e92947eeef618edd56ada5b5653ae5d860cdf8210d811a573a63daac122f16aa22958037d682b053286fbb0432df99f9ce

Download Submit
memory/760-252-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/760-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/760-364-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/760-246-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/884-235-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/884-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/884-68-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/884-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1004-545-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1004-353-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1128-402-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1128-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1336-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1336-595-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1408-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1408-257-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1408-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1420-526-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1420-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1420-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1572-390-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1572-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1672-632-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1672-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1708-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1708-426-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2024-13-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2024-21-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2024-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2024-122-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2220-31-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2220-37-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2220-188-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2220-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2232-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2232-1-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/2232-6-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/2232-7-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/2232-28-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2500-527-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2500-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2576-636-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2576-427-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2820-422-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2820-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2908-41-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2908-49-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2908-199-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2908-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3944-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3944-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3944-53-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3944-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3944-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4072-633-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4072-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4468-638-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4468-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4484-423-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4484-635-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4852-528-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4852-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4952-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4952-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download