f6826bf05edb8fd89e91df4e521b5950bc6d63ec08c62bb256ff269a19a0aa41

Analysis

max time kernel
136s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6826bf05edb8fd89e91df4e521b5950bc6d63ec08c62bb256ff269a19a0aa41.exe
Size

1.5MB
MD5

753799b5e1464ed8c4ce0cbe2d81e010
SHA1

4511cd11ebe72cfa473bd9a51418e6ece114ee2e
SHA256

f6826bf05edb8fd89e91df4e521b5950bc6d63ec08c62bb256ff269a19a0aa41
SHA512

aad5cc5986a170640de03e94469b74241b9f07f81ffefbbce86f7392e41ab5cba827042d00d0061657526116e63cd7aa81b5be1c748d7cf686678ed1965e3895
SSDEEP

24576:nNu9eVeeV0sqjnhMgeiCl7G0nehbGZpbD:NuUr2Dmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1344	alg.exe
4932	elevation_service.exe
1504	elevation_service.exe
1832	maintenanceservice.exe
2796	OSE.EXE
3196	DiagnosticsHub.StandardCollector.Service.exe
4832	fxssvc.exe
3568	msdtc.exe
4572	PerceptionSimulationService.exe
1456	perfhost.exe
5072	locator.exe
4164	SensorDataService.exe
1864	snmptrap.exe
3936	spectrum.exe
228	ssh-agent.exe
5036	TieringEngineService.exe
2736	AgentService.exe
1968	vds.exe
2628	vssvc.exe
2148	wbengine.exe
2420	WmiApSrv.exe
960	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	f6826bf05edb8fd89e91df4e521b5950bc6d63ec08c62bb256ff269a19a0aa41.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c65c2acbf93f084.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe1a037417f9d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035525b7417f9d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095959c7317f9d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000467eab7517f9d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eea24a7417f9d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005601e57217f9d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e961067317f9d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a240ee7517f9d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ca2f07517f9d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2484	f6826bf05edb8fd89e91df4e521b5950bc6d63ec08c62bb256ff269a19a0aa41.exe
Token: SeDebugPrivilege	1344	alg.exe
Token: SeDebugPrivilege	1344	alg.exe
Token: SeDebugPrivilege	1344	alg.exe
Token: SeTakeOwnershipPrivilege	4932	elevation_service.exe
Token: SeAuditPrivilege	4832	fxssvc.exe
Token: SeRestorePrivilege	5036	TieringEngineService.exe
Token: SeManageVolumePrivilege	5036	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2736	AgentService.exe
Token: SeBackupPrivilege	2628	vssvc.exe
Token: SeRestorePrivilege	2628	vssvc.exe
Token: SeAuditPrivilege	2628	vssvc.exe
Token: SeBackupPrivilege	2148	wbengine.exe
Token: SeRestorePrivilege	2148	wbengine.exe
Token: SeSecurityPrivilege	2148	wbengine.exe
Token: 33	960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeDebugPrivilege	4932	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1308	960	SearchIndexer.exe	124
PID 960 wrote to memory of 1308	960	SearchIndexer.exe	124
PID 960 wrote to memory of 4972	960	SearchIndexer.exe	125
PID 960 wrote to memory of 4972	960	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f6826bf05edb8fd89e91df4e521b5950bc6d63ec08c62bb256ff269a19a0aa41.exe
"C:\Users\Admin\AppData\Local\Temp\f6826bf05edb8fd89e91df4e521b5950bc6d63ec08c62bb256ff269a19a0aa41.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1832

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1636

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3568

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3936

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4472

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6544ceb727023a6a8febb32ff3411c5d

SHA1
e8f2dbcea58e3ea73e2ceaa945264960d27dd551

SHA256
a2f0da0f7257fd40a69e8504a81838863daaa3ca0834865181320edaeb370d98

SHA512
93754e64515535294b1b07a65e95f7104a1ab4b5ca86e0341b4799b02001fe750e8a5253df3631b4cc92edbb65dbe53b63380bbc5e138432602e902089eaaa6d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5054cd0c58ba0509819e7f1a7b06dbd5

SHA1
59743bc7b91efec77862a668ff48a15aba2edfa5

SHA256
fc3438aec55e3bf2fc2d5efb9f7fc791c862e2542feb35d24472987b87814374

SHA512
7cca10463fb31a096dbc970785449be11f7de7172a50ccac7143cb6a8575838b09cd0a20e5a4340507fa0cb480ecbe228b445ee76398920c9a3e4d9fe0f533c3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5054cd0c58ba0509819e7f1a7b06dbd5

SHA1
59743bc7b91efec77862a668ff48a15aba2edfa5

SHA256
fc3438aec55e3bf2fc2d5efb9f7fc791c862e2542feb35d24472987b87814374

SHA512
7cca10463fb31a096dbc970785449be11f7de7172a50ccac7143cb6a8575838b09cd0a20e5a4340507fa0cb480ecbe228b445ee76398920c9a3e4d9fe0f533c3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
92fdac1a87029f612f0f1b0cf031e3d4

SHA1
2618ca6c2149b1b564c046333eb8e81d4b63d3bf

SHA256
5b42c9d56cb67d6ee7f6187035ba194d8c86bb2a4aa4c7c9e75deebe1802c2c3

SHA512
1a4ffc03f4b83a2b32a6fca0be49b6e055ad404088ae2987bc33b45bebe0f6178052346d89ce19ff9256c8cd556069c54d333cf2de49d8602f7c3d3ea1e64c0f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
417e36829f7b294c3e083bc0af87c700

SHA1
2895ca9f6759c2f6e7281711d9cc9d6422d41958

SHA256
412d03bebe5271693c55cb584ae1ee9526570d1771f1793508da530b6cf66123

SHA512
750f034bfa9b12ec84514515c183ad79141599edcea429528f0401a84f5941b6f6510743b24dd886e7b1fade878a1c042208d42e58e59f9f39651cf4a3670c19

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
111fe0cd21053363db50ae12cb8a9c37

SHA1
07ceb637f70d1f003953c2169d1caf5dd37654d4

SHA256
9f3259a15f629418717f985008c93047ce0abc101f861e6eff7cd164129ed2fc

SHA512
f85a1c329bbc0922d7ca89065e38fa6b90c2f5da3c5b325c8ff015cdc7ff4bac1a087b7fdc69303820cce406ac0300110577647e1c1ce6a4c0598da162e9b251

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
25bc7d80b43bba0f1840747a1cc12544

SHA1
bcee4a845fc8603dec91b049c2a51b9c8e2f2100

SHA256
a61b51b83b597118d897ac4383e64b2908dad454fea71a5315164a0f5a21a498

SHA512
d80f87247aca70b0dc104c9f4e1ff702fb2b142d072e8792a3c3063fd1ce2ebd2fcc7bedd497c3316c873d9576121d9cbe9f134f12d3cb8c6ce5accd208c96b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
95d586972a015469a6139e892e0dd60c

SHA1
e627aa15d63ab65b4f6d9d5386ccf7f9bfaabb58

SHA256
492742f34f94070101c105affaf00aa440a8d75588933f6a87ee32d9ab5aa3b2

SHA512
bed3d3f781fcf6daefb432cecadc3c3f51563b55bd645f6683f0e98092a5c85ff3f2a724eb1b3e27c0aafb0ca925b1423142f7a1122f77b374955431f55e579d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3d92cdc2236679385922d2764ee65f53

SHA1
5b13d2096471f47087e9261aa997db3c2cc7112c

SHA256
ee15ed32a4c6482c0c863631796fd66a87cdb375343df1f529cf9e7e274c99e5

SHA512
5b8e8deede0c73b6e48b5379ac44dcfaaf5ccfc4e2b4f62ed561c00272f47ba2b41dbbf3b064ec8c1cda26c2ea612e0c9423167981d7bcbf193ec8b46ef60e7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5ac856641c2037d8f35aece514bd1a04

SHA1
2850bc69d06583b2791d185aa207d4319017d074

SHA256
ce03dba2d03c22e280bf704aa78e1e1550cdcced0818d709fa9df1d9e41b0b11

SHA512
73cde9cb92f232f6dd618dd20ac2c8e67330825a80c56f77328d8f3325c798084bb0d89a1297b9784206f66e493890e8601271dd8ff9e85436ac084b173cb90e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ba1965ae7300689f9f5f8ba103c0679c

SHA1
28da608d9afb31f09e6a946ffbc21e2493f42fd6

SHA256
696fae3e44c53756c19b235931da86e996a97918fa86d0573c5083b0c9c85e64

SHA512
0803ec1feea4e0d2b4f1b24711a455541f6e70784dfd13103b2a74efdee6974394a10dea21bef22a0a9ae535177bca1f8cb5c2d8949c79008cf284a956b011db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5da454dc02efa953695e2efe8ae901d7

SHA1
ab1cb9e18559644123b031fbbe7739e39e554f5b

SHA256
adaf48ab7e59a622ec4e4e66d596eeedda8bb3dbdfc47d80c614a4a090d23adc

SHA512
32cf6cc6e07eca097394255f32d64d54d30522c83704b23d60db56de3ff18857885ea53a504b390a394e42727ba032a6dc12f2dc50cee044bb8b436538d00f48

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
57da6dbb85d827e9f0696bc72f3c7a98

SHA1
7ecdb397395705c49faca94f950bc9047fe42f50

SHA256
dbc8ac0a33e9e07089a33e05505ea2508cd98e1ab78a6ab85d914596e8d8ad82

SHA512
1b0e6853752be913e3563157bf6725072a54a34610501ccd3c26e5e7a10db5255a417e7df8c4d86b4f289c173f6065a956236c689f6f9f79dccad320f370cdec

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2afd38bd445d5f5afadd379d6f0d037d

SHA1
ed4fc6e8b11f847b9e36af1ec378f3e5979738fc

SHA256
461bc968b97ca1dbe94bf266b125cdbd8cb62365a948feb36e49d5e04196e9a9

SHA512
fb2c0a36b6e8342ad39b5c92a53f6b2e38a37cb74b603529447ea63ad74c02d0b6de3329c6122362752161c8608de26af8da0a89a71d67b4cad95626dc32f234

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f41450892b582f91ccecb06e04a455a2

SHA1
7c5c038eb516347d8509e9192d9f9ae7beefa22c

SHA256
e21e2b76e304d3788866b159797aca2cbea080f26eb03ec280ae9f0a0c72b383

SHA512
19e2f5b809df0931c131e68fb536568a7b0e82619b508007c9022e284aba0cc1553f01f1ebfdfea02c3983652e09a1e1ecacb650579fe24471ef770f48653f16

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
8e0569400f577578700d1e1bf07550bc

SHA1
be53062a17a6de1d38f30db20808595f0a57096c

SHA256
5b318953f87f43d0c659bf34c4ed9fe24b96779adc960bccbaa795801e9f6d19

SHA512
4b4edeb9a016487eeff77987a5c4d93d1b2121ce5315ba31c7a7ac246db73f094f5aa57ec40052eb7630818fdf66c932f970bdb5db75b911cb26e0ceb9d8f046

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7755586debfc01c943404b545f49012e

SHA1
2846e8a1fcff9ff0dab2c42a07c75a250f9dc2fa

SHA256
4f3e6fb852d5e5b363cac084871998fc891e4f68e53cb0fb2a4bf95bb0b3bf8a

SHA512
f849b32127716e8d46602cc84e8c713fde97d8a24818f65261693db2c24e57558ebdbaaecc96422753383095daf9b66e6f5b993565b9a4ba2a72623bcaf8b1bf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
d6738021ac52d7b8ab4bb48285c03c61

SHA1
623f6da842683b0a54059e0a87e17be7253dea03

SHA256
1319451f47f90c9a8d10dc6653c52fb126e548d1d85672012cd4955de6f30113

SHA512
380feab7a48461d0add27920107af4daee41ed66e1e8c75a7b8539a85f719e0c17f6eab5d44cf5436ac8236997dc193117e7670451feaadff29bcc5fbb95a59f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c762f45653a87877902ad0a26af8806a

SHA1
ab4d63886abdb9313a064255527e79c9781c6f03

SHA256
649e5606d8ed2f689e3a54cad985ffab41147c7517424f12bab20e77ef41110c

SHA512
c6a0ee81e8717dba4f801adb4fbb9f7b9506911cc2f4fad10eb6153530d553646190f003107f44af03f76842bdb8b7cdbb96f23b2a6e83decb6ecfe33bc00367

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
9154d8e4c4477709e8ec017b214c9e9a

SHA1
2f627836a6ca98d1ab2589fd08fdbbf7f25b2dae

SHA256
04ff51c4c8cf7d391ac222e7cfda7ea108181d00ead3f8a5cd66d0866f525ec6

SHA512
a0bcf9cfeca03f54001d6d9a7d9d38d6c3823cc36635741f92b6b7321b94b435fb9ef54dd322a9e9b9624bbc5b8851c89d39fed7cbe2c9cb9d068666a3569f7c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
f85376c736f445df5f60aac4c110e2bd

SHA1
d90ddde1df29d07d3718bb9054abc0cae096c01f

SHA256
783ac53501e9205e7a90b756c41405d3d1407e22ba913d554f4e9adad1ca216e

SHA512
b3d1da01e7ca20c6cb73940432bb8d25a3747fc4398d3cbd3c704a7e744676a23a1b89f7655b9c22848cfb32383f6af224b1972235ee258317e4480ae5575b42

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
1582e2911e7e1fb9c530c2cf4c359522

SHA1
a4d3b143863c6e7196e0fdcae3b98573a7ddc920

SHA256
ce8c5a503de8e49706d605e893ba2a3a286750f48b188053d8620e76eeb0406c

SHA512
43c5bfe1f9e432164f992536d35ee1d2ef8bdf4add5984612f0471bb62408f4d9a9f3e49e4479dcecfa7e9a55e3e447ecf137526ada5eeaf9a72a0b1458278d8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
85cfa21140e4b247f47ccffb8f512568

SHA1
fc3d3f2b24fb66d6f2cc58f5214a6ae898994e06

SHA256
1eca3db97dc3a5a2f3d48a55f63c1475262042bff4a4235ffab8f0b7999f9ace

SHA512
424d8d28affb03ed28311fcab50bc82ce8ab7ebfcb146c5ae9665150b087c7d672335784f80d6a872e9e84ce5733cea31140a3ebcb28e4b8d3ce1bb8d74d4257

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
19266183af4c043b1603f46a7c4bd870

SHA1
3a12c025bf984a2600c6ed0fdd660896c7bb7123

SHA256
86465cf56d45090c5362e047e16651f208f14a924718ea61ac3342fc2099446c

SHA512
06fe45092834cc238dbc596a5bf85dc88b06c1a99f6d6fee2bff7b3019622cf6aef88e8d3fd37bd7b2d9e3295a2f82cbef774f1df220ddc53e646f5722698af9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.2MB

MD5
9c4d5a1e74a883e9aeb52b50918ddf87

SHA1
7adde79eb3d60348d68a91c3e74337ec79481323

SHA256
ad2efc603de69a36ef3f40159b3a204d04876668c2d1da0d94769328cbe2fd18

SHA512
2aa0be12ee5232033973d2341021610910245fa9e2e4e9dbb5fea9f07bb08d2abd5259653a3bf2f4c9e7c856178e73009dc994a7ed1b29d6287b2a37a60dcdaa

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
80357776c771736c3a273255d1c6b3d8

SHA1
1977d04bc810ff1c849e79af873cedc7f0a6eaee

SHA256
7cabac0c4149daff8702732a389a287697b13b1332c3ce141e6c732686d2f52a

SHA512
be890fc0e6cc441e274bf195bc03b88a980fa00fbdcadbb4371ddff9dbbef69b0d658d51ea8b19a2bf8f6c77e99119704194a544b5e695d171018a4909439454

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
8a2244dc8874c4f6cd3ec7597bad5e86

SHA1
e68b05cd06ee7b292ca376b8f52e93f61701d56e

SHA256
a3390313598ed5efb8427a5dff470001a2bd8837c0e88fc949dc6f2da7ecea64

SHA512
00258c62f5066f212596a898b1858eedb0dbc7fa12232249f5dd007589a3dc5f89a8485ce5a1f09e2139124a795de1b2ba4a32e87e59060ac4906ef6022c70b4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
5b1e3e3d67a86f1a15862515b010efe6

SHA1
a15f076a58af5939feb231e7dc3776c8f604d6fb

SHA256
fcfe730097086830c3b67ac164cc26772195a81bf5b73280148ecad633a7bae1

SHA512
e224ce56af79f7d2190d0f8340bd400333821f5bcae170d0597d2720a0cc12c8e7ea89432f13abac72b5d1880a704525fdfc4498028ec72e4c5f3448e27e2d12

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
146c8f6b88c4bb7a378e47a14297ab01

SHA1
61360588039f957f402b8b713daf19f9c90d099c

SHA256
12e1bb703732017caf23eb3b60564f4622ec01b7206dc1ae2e199277c8f1a8f9

SHA512
2562cc864280ea42f5d3827e7a7c9b4beba99a173b5a1d4866a448dab4a5552d9b20f563c02676d933e73c405bd534cb8d100a0d44fbb7d6c85b1eb0e7f776fa

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
e8c270b1d4d3a13ea4ba6486ad0d0f8c

SHA1
77ff8ebc7b516c2775b3c9d6db0a168adc8eb1e5

SHA256
939a5db8a8ea39ef0cc3a73e00218b3e563fb4ba3e17d690ffb01fede93e2429

SHA512
c4b333228370fa1c160fa953164a3bb6a3002bc49f3ef1c487ac8389ced4750793a916b0b1e30b37b7f297e2062493781eec73caf9f512652387ac8bbd09d66a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
5cfe2fe9b667a10b0f7178c26188743f

SHA1
d0bd32d458d2ddcb6e1453daeb21619593057609

SHA256
eac82d128186fd2929767bed1b7416fb53450c0ee7571a7dc0bafb217419e477

SHA512
03538a2aa55ecbe33f9e88932ac2acf82e4a5c8c63b5e6240dc179e7fc42772afdacac4aeb1e1a98f76ebf3b9b73b40ab11668470521375755164e79a8ba9fa3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
29771dfb94dcfa2f95c596a72d70ef15

SHA1
1b35ff6d562e675738987df573907835a9cbaf28

SHA256
48fb4a63c9823f6c27bae48719c6aca3eefe249745a89cbd449be53b0429bb0f

SHA512
88a33fc6b7082ec41a2ad6d82ec0f51e017bb3a13f840374c2bdd7b43661374ed86b1c58b48f4f42b9ddabe73445a17a2d6a5c2818d3057017b48d0397787738

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
a6f05cb964502ba5b2eb7695a97c6da9

SHA1
1dfa948eae95da88c8161ffc80adc1c9dcbfcaf8

SHA256
44261e752431bb73ee9ace9d33ee9f6495785357ca21e906d781c85b570f84c7

SHA512
564616851cfbbbe487ba192954512a7b3f441841e2cbd2bbf4dbc709ad96ab15d7eea821392d362c6fb1f0db47af390891189e4e07702032b750abe4f6b9bd1f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
b86882cbb64d0cd45c3a62b99222e616

SHA1
c0e9f3ab05a587dd7cc43160101240eb0830b1d2

SHA256
8434f25649ccd616d686c9809a48d7680d0504b282b346127499ec87e9df3b0f

SHA512
8f6f63c006ed8f7d8405c03bb10052c0b03ee65db45aa63f33fae729beabfc20c12adf373529a93960002e064bbe1e0336a00eb838f0265dee882c9daa003ef7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
56afc46f42c14cc68075c01b884e749b

SHA1
3995ad41397c00da40b3631c769a2059886a11a5

SHA256
5d026b1f24a05ce4d941ee715d46615d36d884a2b59e295f2ebdfc8f4eca87f1

SHA512
16095a041bc2c9af858ea018e1826f6f24bf78d9d7aa98d6bb9326dd954a17714ee1ada60d4729a8a9e896d8ae380aa90e6c692822df241bd1a4a59326ed731c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
9ef33a4a6457a22f45068cecbf6b65fa

SHA1
ca41924bfc682bb71a04afd1ae33c11e796fe081

SHA256
8bc2c22234ed860876a7289036174111a99390c62f5c5c53493bd9fc9f6f4b90

SHA512
61e3472b7571f0c9fc28f59db33ea725d97c6972cc4c25f989b3e47cd9284d41fedfbaa84cf5f344162faeb1b6efaf59d1c68b25f05444260a34248bb581dd71

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
e21e4721a7cbe5c2c1ee4820413449c5

SHA1
ce3c6b4c108b92d8e5abb189fcb4695521038c92

SHA256
49f7b9718d44aba1b72ed392b401d8678ea556a5e71d8dd5980e2f1e1c04c9df

SHA512
842960a526f785c08359b194c3efd49f808700d9d7df4736a996dc39cfe3c8530bbeb490313396e38b3d0791a4dc02101a5a51ad0f7ce5a8333d6be383acec81

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe

Filesize
1.2MB

MD5
89eb5d7d16eb5f19bdd3876bdee326e8

SHA1
4f76237dd341da527c8611853141927cc65d3fca

SHA256
ea441134f2f7cbd1dbcb77a1fb51ad46446d727143cbc963134e93278835dfe8

SHA512
9cf1e5d432ff27f13732db96f578301143943fdaaadb3959e7bb5115e881ce12e4ab5684e100c31b6801e00adeb723b096971c30f79f9ed4591d4074ef07ed41

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe

Filesize
1.2MB

MD5
731d78411d957105884f40b22982e551

SHA1
6b23ffd2fe2769c0008640abce4525b374e8b940

SHA256
d2f4ae4ffb4b3c6f9a49ca811051ad3de3420c51ffd8436904096cf8ae7cbd8e

SHA512
b7c9c0b8d1a8093e4632869c0cc709badb49a154961ef86f30a64155cd62a7bff7a1937918aa4cf5ce2534fb18b4c25a6159f873b819bd9a3cd2c7499cff5cad

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe

Filesize
1.2MB

MD5
dd1705f4de6c38ebc29aee45a87aa94a

SHA1
0910b6c61db64914e5c7def431821e86709e51eb

SHA256
4ce7a5768ca20304fa3e01b254f11e3df8ab707f7f864a60cdd5a22ae99f6467

SHA512
d9757f505e0088bd24fa3d1027296b4ecba51c2873826012f9da057df3ad4b5abe6f83febbd0e4e7761657f1ab3f13b325deb9fb120fe5d934621628501d5735

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe

Filesize
1.2MB

MD5
5ebee1eadc244652ce3087e8182900bd

SHA1
57205f98bdd7aad17834dc72a0b2f9510a0682d5

SHA256
448ba75e027adc171ec7a8263bf4a5810bb85b9aeaee483c3c97239a675d5164

SHA512
b82dc72917677f9d34086fa4f807e0b8fc43b77263cd900928d5aa9ca78af6818a55d1c073088ffa80d79f83272a4407306c97bdfb546324103a66f206d39f06

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe

Filesize
1.2MB

MD5
7277272039477fc1cf1015e68a69d6fa

SHA1
9f20418eea544432a75a20054ef86c4e35a08e45

SHA256
c8ee7866867fd6a1cd3ac53cf0023ea616c67ea695250104f9d6650342de1c87

SHA512
d453b5401675102cabdd97af97920487ae9da42c29291bb0ca09671cc2aec18e4225aa5d38dc60bc24e875d544e9e233cc371a29d893fe84b20debef8ed6711b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe

Filesize
1.2MB

MD5
742722bcecd1a24a772aaacf30dd02a9

SHA1
e2a8bb0f871cb172689dff59ebfd6a74ac436c3d

SHA256
b244bc8cc9f5f1924285c93f4ee6d6966e3cec84d0a0f0d1d64b6e2160efefa0

SHA512
c3b34ed577eb5ab65b3b300e6af3b5c482993016e17227972eebe6d6adc6a3845e1b02e8b7085c94c34c2e95b3101711e666c819be1452c753716d3a80abe4a1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe

Filesize
1.2MB

MD5
e63cfe869276c5ffc95b3ae0b1e82b72

SHA1
46990ae2d7189e0d53c62c8e67a6e7ea27fbb4e4

SHA256
4facaa012a0d689415209d7b7dcc4e402d77fef1af4a90c6f475f5c3de84a20f

SHA512
6b9a161baed946b87e9fc922dea74ec271c8e3b25879485dfbd08f7aa18642c5b442de41e9edd98ac608175465552d104c49bc914d81d7254d9947134576d0a5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
41e71a9bbb34049e59eff9c1875ec6ad

SHA1
93b21bac785572405b2617263eb360c5c339012b

SHA256
8a4365319f3ef269185fff8994870cd37803e3ac8f377f8274755235cfe74a8a

SHA512
8ff21a76fd7e8d1c805dc834f421fd199a2df25a63513f83b02094e50427b1f6f5fc8563d5cee68bec5f9067c766b6282b437bb41f30bbb07c5a84e5cc858aee

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5de926247163be8b86e803f67d9a7f7e

SHA1
65fd4df316ff658cf695a3f31ef2b9128dc0aec1

SHA256
f421c82fb76109b9fbba89d9abbaac374b143526f4b3fc28e3f5a3e0ad16979b

SHA512
afcbf001655b2efd6b7dcb42ca01f0c27963b6f406de71f71cfc7a7bcabd02066e25c23d14fc61afa3a004f34c42b058d61c1d640357f9fe50b89a919281d890

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
15361699bce3e87b598f6de6543057a4

SHA1
e03277d75447224b1200e8094c2a43c72fc76de9

SHA256
afb9bd3e5cc006235cc402255d84fb282d0698fa85692ec8d6d4575e682be9e5

SHA512
62a1935603d69e7980a7c21b3d1b166c769f3d4a2e8f55ada91de706288a6350946afcddba2b9712b88cc1b015ab6ed1cbf6504177d7616af364717f3fe859a8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3cdaf8bf88aaaa410f969548fa2b3ffe

SHA1
c30d0f8b4b37993646d05fda0643d7850cb69093

SHA256
c3de90d6814af1f0e3f5095681eef1715dfc36a80519640fbefba5c521aed2ee

SHA512
76a7af69f2c5012ffd5c06dd0a94a735a7ca7cb1e03f610c650c94e007aa252725dbfa2b1c46f3f00c4124caef47d7f2f9bdf5a56abe9089bafcfc699edfdd34

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
29453bdfa16b0dbd24136e4a05e6e13c

SHA1
943de3afe87616e65b1482bf6a2a03dce2babb23

SHA256
056e36e53a98a63585a61b2500cab5e5d8683c890bf3ec082d0883a44c4da900

SHA512
66293923f7fb780f3b49145a00b38188846d8d8425a68261c7976455de49ee3ce432228d0a483621701c6bf939d8e90a22b1068e292bb5b4c3a48c19a14e6a19

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
8a1272e396c985c9fa62216db4b6f328

SHA1
35a58f15455512e527a78aafeefc932d8b79c485

SHA256
a7aa6163ec927d1574e6f8292e00c41601e4faededf2177222d3c531686cc59c

SHA512
31a251e0acca56ca9a0560400d43d8163d3954943ccd858a6132291062e819534e31c9a156fafee04f13e0a9611fa0c6b7fc8a7800f17884b8f99f1771cc78d8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
8a1272e396c985c9fa62216db4b6f328

SHA1
35a58f15455512e527a78aafeefc932d8b79c485

SHA256
a7aa6163ec927d1574e6f8292e00c41601e4faededf2177222d3c531686cc59c

SHA512
31a251e0acca56ca9a0560400d43d8163d3954943ccd858a6132291062e819534e31c9a156fafee04f13e0a9611fa0c6b7fc8a7800f17884b8f99f1771cc78d8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7b2e530fd9394a8e3104370b86d30c2d

SHA1
8fac9e7418b2df3fc2f7b25f0fec02e3f1dc56bf

SHA256
2528e358c95fd80efac39eaf4e47160a5c646d5b0f3a43ff5097f1652e7b041f

SHA512
2e9031bfb064e815ba20bed0afcc1e55cc3ad88738cbeaaf5f01ce54bdb96a7d940f514b446a041dae5146023024b1d4e38fcb76b592c20447b16864bfe8ef20

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0e2e405fa9ae08f1c70a65fe4fce2caf

SHA1
f76f8c2fc3da7cc63e7885f73ea5d37f8bdd977a

SHA256
769b221cbc72f44021ec5d9f0bce1b4de7a999ffd20927b8e8ea6dfc64f701e8

SHA512
91ce5ab8b8cfbb6ccbf4e50bb47f5d3ef3d8e12cbdc1cff60c21e8f38265bae8dae7dc9de024723d96f5a9eaa9e5037384ffa545389d588b6fbe9d2035b07317

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a6d000901519fe7dec59a0c43deed190

SHA1
326ee389bd7f1191b4a2f4148e025f47b245f7fd

SHA256
ae68dd04ed68e844d2c825e87e1cfc9e4fcb97f006a4a5cc2c10a18c44f5b460

SHA512
be748030aecdc1de1870fd76ed9c038985b117fac7dca899ce933a2da9daba192c962d595a0dc32c0d4c37ee21a4757fc82b0efb6bd8eb8f4ceae414137cfdb3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
65814e617584f33d18d781a2a97be2b3

SHA1
83ecd22c527d70bab4d4eaeb8fff68874b319a44

SHA256
8a059533bd5d6edf0cbe08494b62d2c34215f81d47a16e5c1d1cd550ee4b9782

SHA512
33c3fa2bed0e604d4ceb47fad76ba1c25c40a3d08c90b5f356adba96459c23619ce6f88e83d19ba592b19e8c16492cd6fc69ce290432d008a69cff71bd76a055

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4ca78ffeb2e198b734d5358473c38b0f

SHA1
a802c9384ab023d2da4da589f5edd3831025e9e9

SHA256
9838a65c509ec58b6c3d5a936182e37c6ea0984ce62c7b69271f63e681001db1

SHA512
251c540931622df19059a367e63b33dd161c49dad34254595f28203acf78878e7ac20cd3862bb69d448c921b3822773e61147d5262358d7a33da8a7ccca441b8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
18dc5e7604722e1676d1f54153022c2d

SHA1
bf0bd1635afe362a6d0950383001a181d3de5493

SHA256
0abae97bf617db062ef1c6cec4d316032834bc477448c6a0f693ca203619382f

SHA512
f79062b1fcdeea44c2145619bc43a7dbe6c9b82cc2dc0d4f68c88dfa045ef533ba70e34f2391452738318faa5596b11beec7ae11b6ae6c4f92ec82bcb264c419

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e070677bb3452e31aa8ca455920a4094

SHA1
9544385083f60aa9284710603e0e4d1756da6fbb

SHA256
66e0294aad397b523022125ebf51771844610c6f215bf0969b2e069741568985

SHA512
f91746525b5b6597027e428f06ace2a2cb19997edcdb2850d97a0b8182e353f8118d4d25505fb40ce6a4fa3ef823e6138366b2559775725061012e37569c6ca1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
dc4a674505eb9b7710d7ee01b2845632

SHA1
765ec8b5a605bcb9323dfba6c6713b36d8c639f2

SHA256
310fa029b0919d1ce8a1ff22b5404d92ec7d28fbf3c67dd526ce0ca15283d9af

SHA512
b256169b4d2dc330bb46712dda037219dfdd5b64c32fbc7ac580248810b9a7a2c69b2090dbcca34786ee9a1338329e64144f9124bc10e19c09bca0a6d9d8a5fc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fbf13a3071432bea21f9be77fdc55a4f

SHA1
076d153bb4c6a3415e53df100c6b623dbedcdf97

SHA256
36510010a8ddb3c26ee779af0ffc99b6e0af69f1ba240c489e6237d440586f57

SHA512
060d2858daabf6f34211bacf7bd5330c1c4aa262374279c2beeef329a63044e964bcb6b49a04dd3ec35704f45f04c0ac3000f855e8002340704b49ab353e54be

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
89da831abbfff92a069ee02bb4505c50

SHA1
c512192313bfa22fa685857681c03382a1d68b9c

SHA256
a9b548b8276b70c5587fd0a7da67f8d3da645acd7806cf2ff7325df1988c9272

SHA512
23f5a4fe43652556a4373a958785f7c280b4508d181aa6b7651065e8923019c4d892443e0766498d379b7bccd7b7dfd1de2d9b3486c3ec2d8bc5a8371a434784

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
db49d17c6da53c310c2b41cd87c084cb

SHA1
404ed24f3067b6a5f6cecceeb7889faedaf456c1

SHA256
331d3338afc8c80b200a25d35d976344067cc88afbad5b02e80368302390c0d2

SHA512
c7fade5663722a0add741160cdbb23a07ea4e3c4783bbf2b9c12fa2926a354d58e91d62aed7317e109191bc545ab37a12039e6c79fe53ee62b2137640b2ec14b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a4ea2ff9b11b810c02859d041c1d9ed3

SHA1
901fe8514a7c30ab47f88fb72db46fb27e58f875

SHA256
e4aa7f2dcdbf7c69a43e2040f16beb2bd5ed9969810295bf21394af307c8f877

SHA512
9db174a0e7c09a3cb096479a7032f3eea62f1f96b3e982a94d47e15b89b360ad65c2deca85f0f0838306c38f0aa5b76cd8dac8bd007480092f1f8cf7ca031c5d

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
1e29cea410f4eacf13389def3f569838

SHA1
dae1bbfad594a9633c899c84c0ae515209bdb85c

SHA256
335c120c53dc7ca5ebe036e6998951d627fa842c735221e967abfa36b64a0fdd

SHA512
5221dee80a0d254057078a74350f8fe47000d71a13a9b8c9c7181969862a0d586ee302a97d3f1d3c38a33be1a0761bf5de1c17716c7e6bab5d2f5d241bffe3eb

Download Submit
memory/228-370-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/228-360-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/228-429-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/960-464-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/960-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1344-17-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1344-24-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1344-69-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1344-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1456-368-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1456-304-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1504-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1504-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1504-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1504-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1832-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1832-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1832-66-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1832-54-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1832-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1864-399-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1864-333-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1864-343-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1968-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1968-412-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2148-430-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2148-438-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2420-444-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2420-452-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2484-14-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/2484-12-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/2484-8-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/2484-0-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/2484-7-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/2484-1-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/2628-426-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2628-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2736-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2736-406-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2736-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2736-395-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2796-68-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2796-199-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2796-71-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2796-77-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3196-315-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3196-255-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3196-254-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3196-248-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3196-247-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3568-284-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3568-273-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3568-342-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3936-356-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3936-346-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3936-416-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4164-386-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4164-328-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4164-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4572-297-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4572-354-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4572-289-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4832-275-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4832-276-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4832-267-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4832-260-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4832-259-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4932-87-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4932-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4932-29-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4932-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5036-374-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5036-382-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5036-442-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5072-373-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5072-307-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5072-317-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download