ff18aebaa914f109326e6972f92d7d21d8c0a751cc7dc27cbe656feafe24461a

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff18aebaa914f109326e6972f92d7d21d8c0a751cc7dc27cbe656feafe24461a.exe
Size

1.3MB
MD5

e1fa078a8423a074d9aefd56ed98c8c7
SHA1

3ea1a8e8d940d662ff498b8b17613c138de88722
SHA256

ff18aebaa914f109326e6972f92d7d21d8c0a751cc7dc27cbe656feafe24461a
SHA512

7383dfbcf7713374fdb210005ef90abe06034795d625b8f00296a7d189a16a9d71742625e9e81d26f481dc4f9359c67d75d923cf6ab8bad5c20675c9abc6cb8c
SSDEEP

12288:Z09B+VmMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:Z09BcSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2148	alg.exe
3388	elevation_service.exe
1496	elevation_service.exe
1712	maintenanceservice.exe
4640	OSE.EXE
4084	DiagnosticsHub.StandardCollector.Service.exe
1972	fxssvc.exe
2784	msdtc.exe
4964	PerceptionSimulationService.exe
3312	perfhost.exe
1260	locator.exe
3468	SensorDataService.exe
1468	snmptrap.exe
1952	spectrum.exe
748	ssh-agent.exe
2884	TieringEngineService.exe
4340	AgentService.exe
844	vds.exe
4896	vssvc.exe
1552	wbengine.exe
664	WmiApSrv.exe
3924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	ff18aebaa914f109326e6972f92d7d21d8c0a751cc7dc27cbe656feafe24461a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ff18aebaa914f109326e6972f92d7d21d8c0a751cc7dc27cbe656feafe24461a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b6f293eb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf2e575543c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005927875243c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d73d65443c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022ab0c5343c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003355125243c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e35325443c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042d9975243c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d65d585143c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3388	elevation_service.exe
3388	elevation_service.exe
3388	elevation_service.exe
3388	elevation_service.exe
3388	elevation_service.exe
3388	elevation_service.exe
3388	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4888	ff18aebaa914f109326e6972f92d7d21d8c0a751cc7dc27cbe656feafe24461a.exe
Token: SeDebugPrivilege	2148	alg.exe
Token: SeDebugPrivilege	2148	alg.exe
Token: SeDebugPrivilege	2148	alg.exe
Token: SeTakeOwnershipPrivilege	3388	elevation_service.exe
Token: SeAuditPrivilege	1972	fxssvc.exe
Token: SeRestorePrivilege	2884	TieringEngineService.exe
Token: SeManageVolumePrivilege	2884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4340	AgentService.exe
Token: SeBackupPrivilege	4896	vssvc.exe
Token: SeRestorePrivilege	4896	vssvc.exe
Token: SeAuditPrivilege	4896	vssvc.exe
Token: SeBackupPrivilege	1552	wbengine.exe
Token: SeRestorePrivilege	1552	wbengine.exe
Token: SeSecurityPrivilege	1552	wbengine.exe
Token: 33	3924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3924	SearchIndexer.exe
Token: SeDebugPrivilege	3388	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4936	3924	SearchIndexer.exe	125
PID 3924 wrote to memory of 4936	3924	SearchIndexer.exe	125
PID 3924 wrote to memory of 2912	3924	SearchIndexer.exe	126
PID 3924 wrote to memory of 2912	3924	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ff18aebaa914f109326e6972f92d7d21d8c0a751cc7dc27cbe656feafe24461a.exe
"C:\Users\Admin\AppData\Local\Temp\ff18aebaa914f109326e6972f92d7d21d8c0a751cc7dc27cbe656feafe24461a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1712

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:3196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3152

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2784

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1952

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2228

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4936
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
5248ae78f6c398a26ab8c2b2955e2704

SHA1
28f370e1a422f5612462ae85b8081530f5f5d954

SHA256
5d75b68b45c42b2179dd92a01fc10844581310d5ae6d6eee2578a0be9404e56c

SHA512
e49c251710c494b5bfa283d85e938ef7415eabd2acd0b28a42c428959f62d1a775865dfdc9d6bdb2ec2868f47f79b78d374e77299c13983a717cbb63c07e6a1f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
596aaf7594dd153d10b402112f93e11a

SHA1
9db2e313e935af39faa6e91ce1d3aa880a9d8819

SHA256
763db5f6626d7374368544f69efa9f36b63972becbe3a876ade17d2e908a58b1

SHA512
dffffc93e8d2e05d17e532272b4fa454165a729b3963f69aba0c279954f8feccb90b18233d5b0cf7b43a8cc71f16a67bcedf1e0c0d496e2b158981947162022f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
151f7070c3b0c88d08b838540c8dcf89

SHA1
479e959634cfc3af75332f1c4db636b9b9397ea5

SHA256
008efbe9240cac5a2c1b014b571b56c54aff0b4d8ab89eee37b0ffc8178170ca

SHA512
5482f48246c8e98147bc192045ece60223b7472fea5a8af377773bf8b46856459c5cb1b28b7812a92c8e0890606e0b407f5c734b7e1b874632909b9f2a321248

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bf30296e8c89d51f653c45903eb8b590

SHA1
ced1b66d59c1983fb5a5d780d8c4537da937cb55

SHA256
1d969e19b5329daadbf4a8559d1b2598542c9851f17709882efc2acb59346080

SHA512
c96878624f70d889fb06e5afe6d93ce2071bb7aa03ef6292025cd1b9022dd9e8f88ac49f81d88c3135b078ad65a30657482489a7fde000dbb8cbefd932573cc3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ff457c505aa8251eed288269c1ab0921

SHA1
b4e8bd967a1e660d5a2dc7399abef649994c9cdd

SHA256
17bee748140c5c52ba15a4986913800335a2eff830b0d69ab1fe864eecef32de

SHA512
54c6d832995c32257715c2e6d28d9b6575aa5b426c497014d613b89918670fa27e8d8658300ba298648f2cb1cbdb8b09e2b3eb98a2abcda59d154921c7ab0d52

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
10decc97329e01042a984bce256b8ee7

SHA1
cc327a2d58e0b69d48e2b362d9f528e99eda066e

SHA256
6534eebab5d013ae5aeaf114060bf9c80c9bb301a2b0f6c71eced83a3755ef49

SHA512
86ea5059ffbd1e611ac072784be08e4c819d26d11d5796a7df62da9c22d5f57d6c0f095190db80211af14e1923b52bf1776f2998c57dc43b6915ca95a0f0c266

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6703be88698a847769e282fd49aad127

SHA1
71de2823b6a64dbc8f97e98e844a32ed8fe1ded1

SHA256
9ccdbc54ebc073e6658116c0f877e8e02f00ae7a55d739bce8bb32f0b6633234

SHA512
b419602b563f277694bd71206301fedcb9f79b1b65446ba5ad4dd5d34672fc9aa91491d6b88a1fb327f68d98f1fafdc91b2a0098f745791ccb30e9992055dc66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2ff3700555f012fa92d27462ab2e636d

SHA1
f9aff45151678cb961776461fcbf38b7ee325646

SHA256
23d21dc827a77f69c34ff4434cafeccd7928de60a425e501e78044a0585f6593

SHA512
e3a7c0eb695cd6931a735ca501dfc4b31ff33a07199566c15cab50448fa45d6c0159b4f41082931a40c30cefb5b731be632fb03da0f876b2ddd862cd10bff339

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
babd745ecb06d1b01440a172b49eb3d2

SHA1
3513484f8ce573ff429eff4b4f823d51cedeca6f

SHA256
30ab40f7a4256a1b0d8255ef06928b2d1bdbe324d5b238152b3816e1bb78599e

SHA512
6d113b96d1128da4368d2a9d3994df384325fc019c7d936948fd72660dee1a454c8ea619f3e402ef06e7b6bee36bf78f6e178d55a017d466b3be0706c1e0a9f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
324c74feca8bd753e1f67577a6abfab5

SHA1
2333f3622c52882734c4a775f1e3f9edd025a6f2

SHA256
35491117b543495ccf3a1acf1fda87feea9c86b665c2cec2e4730ddf017c27b3

SHA512
0b1286fc0bd9d8a833a6107416d0b0e9c780db608b206ea38f419a1b64a271793f5c5fa1a7c109da93ea8b64feda13af303a4a6f52126f9b5ddbcc4e222106db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8d89370fd2296478bc9086af193f9251

SHA1
0d75e3aef071b1242d266cfd14d3c5bf4e793c20

SHA256
69aecd346b8568944d06fb7b6cc57ed8f74c3a0f15a959ee0798e5078b98fd3b

SHA512
d49e3a515f80c3ec97d55ec0127017f80785d402b0a17369c3eae62183c9467e4ea56595282f8333e8df1de51b5031fbc831577dc8e0eadf96fe4cd36b9509c9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0a8a563df855cdc1b6d28a95d9db9dc3

SHA1
92af6da66df6204cbfd8704aee9c7eaddc410fa8

SHA256
51f0e8cb04fb09e46d2a179886b67cb977210343f13f07662460f9f162723922

SHA512
adefe586ef3c368a6867d63a2b25776bdba4747bfed6de840ea1a230d169c6001b4f0fd95d246b0beeccabe8ff2f12fba9c04973aa7dd913546a244a5905acd1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
25696cd08e78dc1ed5fd8a3a62950509

SHA1
2a2140463adc43e95182308bc0554ba846191f43

SHA256
e6d89b9893100b2e6a53a210f7006e60528ff280b961e538fec523e0d4a080ed

SHA512
30c05b37bab88dcdf425eb394edd7d7f7ec14ac7e493a6ee99a340a259cadda31666646d45dfe886c48f5bee92ae6854091a4a9d1233fb6bee73a9926954ccf5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
4375d59d177f6ae8c1213a66844fcda5

SHA1
4b4f57cb6f27da86526a7c4d22bd07340b8e3d27

SHA256
6e7f6ee88a96bf8cc018f94ed626a8abc671b98582906da9abb9ae1562d6444d

SHA512
a6fb6c4e0cc97f63de3a3a42bc05295b2720a9647db23ef731975a7d41e0205b105b457d035875674f14a355cae04c7d2cccd3b7748ac90ecb1112c574a41cdc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5fcc1a580970879d7a429a4ddb9b7093

SHA1
f7bc8471407b77083e535626428de3f7951ee44a

SHA256
bf640557f0ed5108cc74b35f8175ddd9a82a660abb26e10caaede18979c7fb64

SHA512
33edb590dab8d3757cded239744561a31143ec61025ec4d1fde801a446e85412c24b278bd6493e02014cacfa2f676d9000928a137cc1fbe3407a93d4792e7611

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
b307bedf2b2c20ff6ae6c703a839a033

SHA1
dfa8693b48ac5a7b2963a8973d45cd5a625fefdd

SHA256
2735e10913c17b5b0e1f741fe20002d13844c3a66afc6b858b453cdea836c124

SHA512
53a8b7ce6a8e9d3d4b8167682b98c0bd65aa3226acf875a9f159f38f5f5327370241e50fd4fd436e148a14f4af47b8828ee4094bb917773894b5d4c5d60dea3b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
85aee466d610b6514af23ff1fa8ee974

SHA1
c8f56d691df1868a413fb27b93cc933028e462c4

SHA256
ad7e751245e50053a16b1d68d92c3063d2be7a4c007a45dd412dacb72f8ee1f6

SHA512
9b066f5e865bb91dab9a40acd88ecc62d44c6fb1f87f99cd178a2cd13b8510b5e91fda82f38677ce0dbfb0ab9f7dfbda5aff6da9403da668c609b23c4aab80bf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
40a9658de1a3c55a721593027454681d

SHA1
709983014546388c789ec2003f11994a372c345d

SHA256
d11e757c9920056537a9a0e943652d2c1f93be99225fe3f62f7172ac4ee8034f

SHA512
6e301f1497ecba82defced26f37a967cd56229dfafc76370e9c3f18d5db8b2d7304670cf6fb0a6d8f052ff68e183be6f0aba5ab39cbae456cf5be573f59b866c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
9a3f3a03c26eb58473f6aedfe465134b

SHA1
b738556efc77b693733c0d70327773b88afc0a9f

SHA256
c8f990ff303bc511ff9ea9129a8001c4cad8d42f624198fe2d263d04a1ae513a

SHA512
27194a73ed3ce7b92eb890327cb944d807ce26c9a4ba81d0e1989a057195efd8971223ae148061edfb6890fc1a11515c6294416f4f981035aa02e9e78f092c12

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9d23e71c9420dcd93809bc4938f7d6c0

SHA1
4f09286c27ddaae9058d790f3f851dc25f7eace4

SHA256
ba107951738347528d59350810497aeb720dbc9ab17921099d278454632b51d5

SHA512
af7dca6d71d7d8e1675fec0b3e1047d4209faa43f177fab76635e3c73905f1acccd189490d08518c839d308ac0f0b60360b09ea06a8a6bce0cc6cdf9ae495170

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b95da3f0d95bcd4c838e79dd5ed1eb6b

SHA1
b78ff8caf8cf15a4924b4af6788cd01e2e5af970

SHA256
45f3f23b112b1bd4232bcea0c1c9efd6bb95379ba2f33eb59aa95a2010df9c93

SHA512
dc8a02d021f69dad935e475c59f0b15c673b19be4ed0e46276341f1210a89f81b9a0f56b540cf8a005e362aca613c262fa4f0a37732e8bfdae95e3f0ea11ba33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
4549bec3c2d0c89cf8af6e592021d4f6

SHA1
a456174cf210b8ef8fb6499993987a052744b094

SHA256
2a2bf962cbcb0961337b3b8d522ea85ee3a4d5d51fd1f7e2786babdfc88a8425

SHA512
290788b8a47a34e1b7a435776a428d246cb94cb16d96dbffc13435aacdb38f71992a719558cf4e1849db50a99ccd83ee1e3bf913f72b69c71c9d6f370811ce3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1a4fa71581051434cf8df36172e87426

SHA1
044d7ff8fd959b7c87d254dfdacec1170153fd99

SHA256
3c098deea16d42bbaa4d0bfe9e9266e96fd7a380440e69c8ae28efc557aea8b8

SHA512
d661a045784ff598e6d607c2d087fc3225161bc5ae58dbe96692da3332506d46e35b9a83503d9ac21d39cae8fe66af45a0feac98540a4f276f35dadfde76ab82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4a618aab2a46363d6a634e0ac33a692f

SHA1
7d4be59a68f73bb5df3d229ea0154cac1632f95a

SHA256
6b57f5d3339268852c0e0562b50c3975be3cb13c7e10d923fa0d8b1c3606657f

SHA512
bb9d02109814f6112c070ff55a684c5772ecca598d0363e31c9953d9933f46961da8e71720b0695a390dfd80be89f3d313f3444f49d6035049ef0244f4ec7a98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c4f42921b749d9760019e705ffa98fce

SHA1
7a5c7ce2fe753f739812f7e1ed9fb61f510e1c4d

SHA256
a8482d0840e5a2b07e3130f3c19766cc6f982b4f541472417eb7f3aa5c63701d

SHA512
c781cf2da9f708fd2c49517140eef9aa0eb9a7496516924a53db5f5a5a73bdd165b7e8ede7d4e2c1d2eae1d1222e6e6f40cf29ce58ffd1ba0876e2c8c2847a80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
18c9b8603b96ea7912c8ef7a657525cd

SHA1
a7cf17969b30da080dafbcd729b1a67223471df3

SHA256
d752d25d0d3d3a6b66445a040b934d322fd461cd1bd1aa4c12dfcfec71181029

SHA512
193928dfa945de6e9ed265e3820500ed7912e5407b13b2263a7d6f5d9b59e1d627c26787e63b89044bbe6ac70401eb9cfdb605c27a1201e58b38681ba7be4016

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3ed6ea73efdc0aa15cd40fc3bb047cc2

SHA1
288c3b5b3c953f4dddc99b2405b6a4e457f8afd2

SHA256
90e4801fd53b3115ac0e8227f9be78ed41983d4e7ee4f8c78dc3c473b7350277

SHA512
c68cfb5160a7955d7854539d1cc6a3dc20be1e731e89403d17745aa904707d8b146534d70f62d320c62dc311ab3f10050f710433dea0199219e7bde0ef6ad213

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
2b1034c8989395b0c18cf8e0e8c59d0f

SHA1
263deed5da3f91d402bd1ac2d11cbe186f714cc8

SHA256
1cdf9ef4fd625e420422375785ba16b2807cd64d661d5bacf0fda7aa8f3e0a23

SHA512
e4483d43b011e9a42c32aa5f034487d3dcf45980ddaafcead352520df2038c040175e007ea3a02524dc7b915dc9f0917a641c522644bfbc0dc0d435598d12299

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a5ecf9f948686d45cf7494fdc6072992

SHA1
768578be2ad30431f049a83d6adeac6656624eb1

SHA256
301fcd6d5e3a81779d48b7fe0b2f403d455d0b3639430f046b96234744bc1e8a

SHA512
a2e93239251afb90ccc20b01c6b710d628da58415ac4cd1146db016b51fd06f42184b0232893665187ba9e77c56a39f786b2ad70b689c3f7ed6b6db085924738

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
57e5531567e439691d2d609726189f04

SHA1
2cd183a6b19eb347a21cf8c23766860a6230a51d

SHA256
6caa07891c9a25f9ad363fdf74e6c38758595f96b879951b89c43a577bc86f88

SHA512
717cf64f10810560b08a66c2ed9ab9e2e17e1d289a7bd692149a338f2db2af6611940a1c12319ecace86696c7e32c2c3380308cea332ee0ac61ce9f09de9cdb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
104aacb8119abd7bb41d6904003fffda

SHA1
47b423aed74209787b421cb2bb3083d580078378

SHA256
fdd89e93b96cb5f35f56714eff7fccc2bc63f4d5106f9d23b071c428483c8a00

SHA512
c4cc874837201ad9939e4cc5b3266830b4225089f2b5c28aadfd887005d868f16e4b413041a65483a00d3d5723b7247fa3e9fa70534a1cf768c34406077f78f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d5fb75fe8627adcc366899e56ffa7374

SHA1
4b260567c8f1689975a8f1c1698c0e0433f1da35

SHA256
599e613c8e9039ec20a85571562b9a061eac1bae100ac9f204dbce6aab5bcc67

SHA512
a6fcdcff8fd0abf92f6747b7f3f14aecf5d8c46ef2b1527c1e74bf131f04ff16306dbb30d6e8c66fece08dce3021ab05c5f15a4665d10d5b2036e3dc808ab441

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c7bc9c89e5e648719f6a84255a3fcd43

SHA1
24e12367e72da9ca5905efa9d0e0b925999e6b73

SHA256
a86cc68ae7f26d1c884b49de0416b10c029e1706225006b61cc0b452afab2880

SHA512
f52642dee610798e6595465159b37753330aa9e976d796ade1bf512b6b327a6b4a0632d0a84eae60b62e94040e7381c8bd4503d5a92ee591436ab5cb4c909c1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
9368ef55845bfcf6f6200fd2a2847e7e

SHA1
da2d2f633e48dc00dfff5b76577bce023713768a

SHA256
c3843fcdbc2fb46843bac438110cb5a64b3bdd2feffaa41ecef6f2b8e69305c0

SHA512
966fd82e660f3908b0541d87fe97889f6659a4d11b0f4e677bfe9c7ecddc8bd694a2f86a04ea376fabf339ac7a8c110afe68d986fcf605c3065d22511c65a0a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b420283a2836164e74fceb9696678a8c

SHA1
6f12c71f742bab0b12ba5f41cf2ed750f76207ff

SHA256
61b011426609b2f78b9dddc1eb1e1061aee1768ee29bdd100f69f30f96f95970

SHA512
c7cc1195b7ec09aea321f59784d923eb95e0495375c6959774df2d98ee8132a49d946001e55074759c417fde9bf6c3a9f1c1eb11559b93c9f783803e02c264fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
0957d9cc0ad4e0e289e0207869e635e9

SHA1
d9f6882f9ed0bf71e3e0d85a9345248df03911d4

SHA256
92fb8e5a9f94358625b7996d66b1b9f6e7e1d5f7c50750965040b7b9a0d1c660

SHA512
a0941dddf62bfd798a24d4c7863e44f10b7ed7e0a5e1b88c3a69feae8f9182c81c14819a1b08b67375d5ebb6bd55b17bd83e55afc5bd5f9b60170a9c7e01c8e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7a13f6527eb35d15e5f88fbbf7ea77bd

SHA1
6ff7c6dca5dab6aa3e7075fa52f0f6cbfab53df4

SHA256
859390edb012aab0ff7505eb975535949e4aa564cd92907ae2fc1265cb2b2210

SHA512
bbaec17fbb9caabba024e5cfcea5c5e57a8e2874cd12c29b3c95c4b2032b9facc696ef18b9860b731879ee24fbd28916126e8c86edf4e50c3e95ea57cc1d5089

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
e7532a6118f4b9a3cf69b9a478c9a813

SHA1
29aca8420f32ceba75a219656b951295c8d23d6b

SHA256
fe6ae9c508e40c62103c3ca4cafd6020e1b79589c5493a0e2773f4ea7968cdd7

SHA512
707c1c6221b35d40c983b03342ed5eef5e941659516df07fcf0844adaceea04307af476836e4f438cb03f33363afe191a3afd794c79596b3e23cf7811f166915

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
780d37d11760f68163bba184861a602f

SHA1
f5101c86753d6328e1c99402a9e63589d4bb463d

SHA256
34afc88e03444d3bcfaa5dd32ab10bb4f84e493e54f255b137f375d1b674b45b

SHA512
c45e7a73f6ead85d540fe9a3c9fa3c6751bd2d03c9014a5824db39796f9983b6a4864d195618a32ebefcc91667018a9ded3dc9248e9b54b540d207d0ed523cdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
ccc5421b91966faa9d689ebd2bf3c5a0

SHA1
c3b89999ac99616d4b807a930bb19dd1230c756d

SHA256
8c157ba143783bcb706cd93a19211f69e830a02f067c6ef79b524a34c1f92c5b

SHA512
cb228ed0ff15a0b2c5853bedc77d1b79c94ca5c4bcf536700d4ae7e79998a50909da7302a32e17878e4c9c46b3c94e880ba847b4d2e1d20b18aafb0763415ac1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
5133417a78dba45d66cf9b84428602f5

SHA1
cf7d128de97716b9ef4374febc7e14337ccccec9

SHA256
f783ffa9352a89fff0488721b4a9ee9d2696303fc8443538d0f894c9da3cbb0d

SHA512
45d5c10fce4dd2d026f4af6b9927b041bd1a28ff4be82146d6a925d083cd0ca35fadd5cfdbc3129713f3bbe91f1cb68c0947fddbae9f0970c6ef16b29b943025

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d2ef585653db3e5fb22776a432baf4f9

SHA1
b185541b9b516c1ddd73d5723a5d116281654b5a

SHA256
0959a3d20adaca833085ffde85881fcf4fa91a5bbfd99e215c7af44424278d85

SHA512
f70e2a4cc9ff0ff4afac502786234171aac7d5d50de4ff10e8aaabf00eb4df2a94cf5bbef6d179e9f0f70e2b6932681aee565b42c51ef3c4225e201fcf7aa712

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
222a85b4686f71975e081da434ac6517

SHA1
ec78c7bb60fd084cc831dd2a0442a21e1021c654

SHA256
488fc44f025e4949b33237e98c572064ec1dc72e8f856e7d6b74482a887832b6

SHA512
c93cc8ef8e716cf1b3354d3744a0c8b6198584002f7fe3ce7d6337293533e082129b9c3417e4b517bcc0d2672bcdd7fd3cb7f159a4562c7606139ea9affeba67

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dbd4c57771611617b257ba23003c644f

SHA1
8a144cdefa7d004bd24052593c957a90431a8391

SHA256
62f829469a82fa38fa530f94ad6fb53b792b30c073089159e9aa8dbbd8957a1a

SHA512
801b399ce1d693acc943c3f85bbbe430ec6f3900e5310057e524f47568d669b0c6329ce103caffbc7820e8c21c6452ef1f3f49c569e02fef8720eea9a1cb83da

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
9792c00dd571cacefd391e0ba9fba560

SHA1
6e23fc4af364fde2ce66679836533183faf3bbbe

SHA256
fcc036ac8765b0bfa3897e87153b9054bb28a97470e826e0fbaa96376ce59287

SHA512
7dbdfa24a67b2c307b5b3cf0f728575f70d8fed1a19febb6d5ea5d495e59b7fe484d98e63490b1c804c1178450b6da639f8a712fa267dd94932b596d7386b591

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e623a548ef113ced0a11198cce47ba7d

SHA1
59f739d5607cae5478bdde9fe660daf08d380461

SHA256
2256c2e19c2102297625e3be884188c7614f12db4e2af92ad19d06fbd4147745

SHA512
4df91bfc3220060ebdd6bfad3ca2a11dba20ea96dae915907fac0b94141d387b5c61c6906575ec9e89ddf9e162c8950272ecda64e10fa9c163dc12ddfee7cf81

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7fc8d7399bf6096e17c05f30689ce8fc

SHA1
40d0429cfbb57515b10755c167426d53c3ad63f4

SHA256
628a8c53bcada15910abcc32abba4cb38ecd225bc9b16fd29e5f4d764b9dfba4

SHA512
6e8b88baa5d19d9f75fe1bd9a7f512110584bcfe498c02b45449dd9c875dc62540d5e6153b40dd03cb780cecbf4924a11400dec7a49a92ffe6e1c2091594422d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
63de0bb54cdb6ea59336890ea63b676e

SHA1
38fd6c607bf14300e84ea431ae10c426ed60e08a

SHA256
08bc34bf8506d8a9c132cc5cac055353a53e7d9128ae961f196da81bc20b6abc

SHA512
e9b8e27c371a12a486743cc80f7e4c81012d8e0be48b2dd02a03d6633521ff7cd5a713e4bf9b5cba8aaf8288a5bd9e0968703c18f63f99946932329fd2d48576

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
fa6ca1ec6a1af92892d590de8cb928aa

SHA1
03d76a7f20b3e4fa8188340c218b58ca4b90a50a

SHA256
1b59e5d1c57c0c9982b73eaa6899c0948c0e09faea7d8097f28f32a1709c3574

SHA512
bf941a71f261ecab7ad60b3a9e6e942a713bfcab69fcdeb3bf52b680af27872511c9247d6be071c4d8ab57bf55ef1a1eb6018b084e68e0c87611768ba63f0d2f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6479ed10da450ceea530ea4b0a641251

SHA1
f37db61923f63fdf1413c3b410369148e5552da7

SHA256
d360703fd972ef01f197cb7c1a861244a50109ab9cb0432fa24138ab68d4c32c

SHA512
e477e09740b88814c6320b119f02c661095d473b7924212e6bf9a873e841edb9ff5d2e8120bd24da7434387c6dd2375ca4aeb1e0475a90cf70d7fb5def1a2e85

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a6ff8c7241d43e96c44b7a656c7ff519

SHA1
c49ae29e7ff0c83da0fe4faa88908bd305cc77bf

SHA256
e952594e7bb5edd517270e68f787d32e4845df7b7cdd820fb26ec68871317b15

SHA512
63af543f6e6c44e07e39a6a3a28c34fd07af1655b83e930ae27c3ef3ef89d1488a2c7c5959ff64e26f51834f8453fdc0fcaec0a59f26a04ed0735a13a28a1b8f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7ec44fbc7fa0cc190b13004afba0186a

SHA1
a5fa9919ae089158c0582bf8724ee7dec99b2e8b

SHA256
b0f554c7ec88f5e0b43feacb0371d18e33d325b22a08f4353257ea301c1ce6d5

SHA512
c4042fffd08e18d67d74f8071e91d190799e273739e39630961c615cb5eff5d03f08da7084a3de809c63f6e05f94dc4aa0c8218b4ef1a09be04cee0a0d000a45

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
52e7afd74437bb8fcf19e23db5277b05

SHA1
e5bad86c16ca1e7f2029654a14fb27e672561db9

SHA256
cf08864bf3bc7f01e5fc0c09321170d9bead66a88b718f55e6603daa2499cdf6

SHA512
bca8d339cef4c4afbf57fa2503c37978337da51fa2c329db71565fce5f9cc8c140e4791b6b172ad6d8e7bcff8c220270a9517290d24a593d5e4185d21873cb08

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
109e7563ff144d0543add1b80d2387bd

SHA1
c72bfa2418a7944a4b189bdd5fdcdf6a778e576a

SHA256
8101a0a5832530cbaf3e82c7f5cc5f01b4bfa7a29cd1c6d0e67848c3b3fd6643

SHA512
21246608246b73a8973afa304684c9e28481045e8ca479be36e7de84466493aba94a4b70a54a956c0a65687e23784900ac966cb7b5dc5887c7cc1b3006269a22

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
65d93e885a06ec04a89ef2cce1de4f2d

SHA1
244ab1cec9fd1bfbfc107fbbb60be092944ec1ef

SHA256
3c1f8ba750dd693652c222c8d2eaa90f1d71b6ec08ebbf96a643f3bf2612df4c

SHA512
4936c3f92b20bf2f33ee851036cfa7c2e616004ccd622b0be78b0071114325dcfd723ea217483669de552fe50d0e3b20185e979adda20da6828fdc5a58fef5c4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
13d2f8b46d9e7e96c4c71087ab5875a7

SHA1
899cf9553bb28e6b72fb0b5a6006c69f094408ad

SHA256
b27f52d3fdca215174c5979b0be8acef6d446fdffc4fe0dafd86c1026f14bdf0

SHA512
d36f58e4e74247c619494eb257db2ae38922dbdb0ee42dfa6dc8e2450f423b9cffbc0020d570c4106f2248b724c20023d1914456c1dc77b8b7d5aaf85c829c59

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bc23d6a06546fd67e91cae8958c36950

SHA1
1cab1e10a1a572081ca272f468264311ba0b62ce

SHA256
2f23f31955ebd4679d82b47e4962726f3eee518cbcc53a585f753a879f9a88d0

SHA512
815641a3ac332f45b74ab7611c84275ec95c62900c37da70a9c31a32ff47dabccf48a59740e44ce1499e25629184a6b0085522034568b49526bbf2a68555ebc1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6c99472b3fa5959c0c33b4c2fc37e7ad

SHA1
845e2aeffb0e215e96d182cdbf47301c17d1c85c

SHA256
a33eac4652de7e575a09be08b92a059091768c453f1a4fdb0fcd5291e783be35

SHA512
79511af4b81623b9e9e72b902c8226346cff13d7db14299804354c6e845ccfb8ba93546a4e73fc295861b7bc235cc929f69c71d10c3071638db0f80eca91331e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
09b2e97326110014e69017a6f4ac3322

SHA1
19445c57a0819d4711c695015335998b0d10d8ad

SHA256
3d18ae445240acb0382166096dd9fa84e47a0221544f86a38db89b7f0feb4dea

SHA512
ae4431e2b228c24b9e287060ac013a3fdebb92562a5f29275654ea8e62e06ed4ec3f012d029708db5727f8218195b4c7110cf54dd87b5d51473ae6e03bbb970c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
73459bca02e4082c86347f5f12ea9311

SHA1
b023a3f29487ff9e85b7cbee35514d7ac2b8989a

SHA256
46806c91fedb73c058cf37aa627b2614fb15684baeedccc842adb67f80eef83a

SHA512
0ac38b5811b38f4d1cec9a45b2beb4ad2cf4a980f695ea10816882911048a147d76dcb158bb8ef636c19df7b0bc11fb50eb2712ad7a2a05e80b53092a824c825

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3d3900cf20c8543c84de068d2bb16c74

SHA1
2fdd98398498da48b753d1ce66fe96d086c9ef49

SHA256
cfec4cf87d046e3602a389d02b1b1e6f1b42ca91b940028da7c4a9cb24319ed8

SHA512
290b2d3ff7392e834d90ec0d0759c2bfaa1f3654fda9867a4488a87eeab1fb659fc607c0f08357948de26854b81b2a1ebe4b9c4aa886bc68e11d350383c14691

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
5a2a70db6da7265f0ad4186fefa1dff5

SHA1
5bd92235c1fd4e8b8bbdb0923246821387cc4b0f

SHA256
a02ef954af7d48a9814e9e71273335f37dd5781bb64de6fcb5781da98e880faf

SHA512
54215fb33752f657b6fec01ce2bb16096c1eaa0fbe7f806d4f85187b4998151e83d9f50e86a7acaa14aa59e6a905b11e45a1a500846295a1ab92c5a8157b5d94

Download Submit
memory/664-601-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/664-431-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/748-530-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/748-354-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/844-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/844-534-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1260-308-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-427-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1468-528-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1468-331-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1496-222-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1496-51-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1496-42-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1496-50-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1552-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1552-552-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1712-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1712-54-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1712-66-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1712-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1712-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1952-529-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1952-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1972-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1972-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1972-258-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2148-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2148-148-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2148-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2148-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2784-391-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2784-272-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2884-366-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2884-531-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3312-298-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3312-415-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3388-30-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3388-38-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3388-199-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3388-39-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3468-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3924-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3924-605-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4084-247-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4084-246-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4084-253-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4084-365-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4340-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4340-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4640-240-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4640-70-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4640-69-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4640-76-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4888-27-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4888-7-0x00000000022A0000-0x0000000002306000-memory.dmp

Filesize
408KB

Download
memory/4888-6-0x00000000022A0000-0x0000000002306000-memory.dmp

Filesize
408KB

Download
memory/4888-2-0x00000000022A0000-0x0000000002306000-memory.dmp

Filesize
408KB

Download
memory/4888-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4896-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4896-535-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4964-403-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4964-284-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download