1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d

Analysis

max time kernel
138s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
Size

1.4MB
MD5

68da115bca1b6ba8009d0e53a00ed0e3
SHA1

f6ada9d74bd572bbde37e4969902fecc022e7c07
SHA256

1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d
SHA512

36b9f0f7b2453a53669449ec7673a781d5ddf91f98feef3f6ca79ca1e29378a911ae247e6b20f2160d6124d8d0854134b1c7b469cd5e617a304b8de3b4334da6
SSDEEP

12288:YO9B+Vc8quMPLjg4YqLgvB6dMSJ3oecwJE97O8k4QrsdJW3kFk9huIFYPSbwL:YO9BiqtL+SgvqFE1d3ddJW3CAqPSbwL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2136	alg.exe
2004	elevation_service.exe
1848	elevation_service.exe
2520	maintenanceservice.exe
2752	OSE.EXE
1280	DiagnosticsHub.StandardCollector.Service.exe
740	fxssvc.exe
836	msdtc.exe
4436	PerceptionSimulationService.exe
3228	perfhost.exe
4472	locator.exe
4280	SensorDataService.exe
1908	snmptrap.exe
2744	spectrum.exe
2816	ssh-agent.exe
3524	TieringEngineService.exe
2632	AgentService.exe
4832	vds.exe
212	vssvc.exe
1724	wbengine.exe
3236	WmiApSrv.exe
4836	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9ca2ee4a8ed1090.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3f15a55f734da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050e9f555f734da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8ee7955f734da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9533e55f734da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fb55f55f734da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ef23b55f734da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027517c55f734da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2c3cf55f734da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5048	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
Token: SeDebugPrivilege	2136	alg.exe
Token: SeDebugPrivilege	2136	alg.exe
Token: SeDebugPrivilege	2136	alg.exe
Token: SeTakeOwnershipPrivilege	2004	elevation_service.exe
Token: SeAuditPrivilege	740	fxssvc.exe
Token: SeRestorePrivilege	3524	TieringEngineService.exe
Token: SeManageVolumePrivilege	3524	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2632	AgentService.exe
Token: SeBackupPrivilege	212	vssvc.exe
Token: SeRestorePrivilege	212	vssvc.exe
Token: SeAuditPrivilege	212	vssvc.exe
Token: SeBackupPrivilege	1724	wbengine.exe
Token: SeRestorePrivilege	1724	wbengine.exe
Token: SeSecurityPrivilege	1724	wbengine.exe
Token: 33	4836	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4836	SearchIndexer.exe
Token: SeDebugPrivilege	2004	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4828	4836	SearchIndexer.exe	115
PID 4836 wrote to memory of 4828	4836	SearchIndexer.exe	115
PID 4836 wrote to memory of 3992	4836	SearchIndexer.exe	116
PID 4836 wrote to memory of 3992	4836	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
"C:\Users\Admin\AppData\Local\Temp\1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2520

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4956

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:836

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4280

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1464

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
1⤵
- Modifies data under HKEY_USERS
PID:4828

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
1⤵
- Modifies data under HKEY_USERS
PID:3992

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
124KB

MD5
0c148fca6a419e1c43343063dce3b6a8

SHA1
5c0bad6282de3f5c5421088742d7d2392c25988a

SHA256
3e76255750cd71e041cd52bbd66a4562bb5caf46cbc0e6d23e0b931af8d9a0da

SHA512
c81bf3014d8feeec13212753eeb27b46cdbc5e4e5869974b7d6c46cc5303287a26a0f75dfd41e3ba23b73371b0975329e8865a303b1580ff6271aef5f52a10af

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
247KB

MD5
61dd6cb5b8ee66579cc4ab9361339904

SHA1
250d1fa52cbed43a379d59cf011ec1fe18e567ff

SHA256
c255e6c51b6677d3d50b11dda51629e8bb4aad10cb74bef4a07abaf155becb33

SHA512
0f2eee4180b528e3c6a5919be01b2ec2c110eb992e5a2839d6615e8e713ba65a6a9bee30c9f9da973cc6b70cc6df74139132760ca708f88082a51226e475fd47

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
74KB

MD5
1aa3bc3140973922ab921ce4ae86fe17

SHA1
d74b898a6d780ff82c9f8ac2a5fde9ba25784566

SHA256
930ee64cdfc65f7e8447b5ee353b8219d8685adc2f0873984017d111eca65d9b

SHA512
671536a290557f12217ac4aa2de5d7183ed193b7aa5aee7d70d30bc3be3ac79731b1026c1e385d132f51d69fbc32a15706845055f80fa8887db3acead32dc7da

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
109KB

MD5
1805c28b95a352ff1782020c32d9a8c7

SHA1
9608cb1428fd33851ac2395c4075eca668ffe38b

SHA256
85e851493a7e67e784bdda536879878dadd06927b8cacad5e7d8e988010520a4

SHA512
500f91a134db9f988f04d5941b909b465ca220b88cfde911b25de6b2aab089f4b4472b76b1008cb9fe8b18cd793896ad69fb59bab9e54fa6a3c4785ffe1a350f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
201KB

MD5
33d0e64c5f383cf2bc23dda45bc06822

SHA1
76a4464069778e9f7c59fdb28fcd7e715a99ef08

SHA256
2ebc89649827a0c8a0a61e6511fd796f20469a98cefc71880e627be4307ea64d

SHA512
7545bb8101fbbb54c7c2bf2ec19e3eb9fef3bd19e6e2b3b476d66c2432d9c9ed385a9076c21b516ea43580b8849ff830352dbdce89f06de88f37f26fc93e00ff

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
170KB

MD5
515741837f7d96b20c9d8764e0b4a2a6

SHA1
0ef065317fccbd07d8b6bed35a77cfbe23465729

SHA256
2bd97168154b60cde4a54e3209e2e7228743bb5fe788ac3dd55c7798ef4edae3

SHA512
dfdd513eb0810f4be14b645a38f2e7e61b6f673c1ccf7c05dca798b6bfb7830d9fdf59706d0e08fcd7a3ffbd522cea79f7e66d84f94bf7acb038c20485c4bae4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
243KB

MD5
92395385b25a0b7e3ab5ace4ae02dfe2

SHA1
9e3c8f77afba4223e666589e65f69751e3a50fdf

SHA256
e800dfbfe6e6e4f5f25990dce08acdd317f09152d1b133140452c735ef97e532

SHA512
1403247bf18d0303edbeb5795a16c99c5bb7c239ec6a485a6a2cc488eab8dc0df909f29706dce3294dd149722684f78930598df5a4706874687e1ca79e6e757f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
53KB

MD5
97c6d52be6ddbce6f29524718920723e

SHA1
608c58aeb0da7572661d6710cc0affd3a2c2dd1d

SHA256
424f5e7e53fc3518c4312ad08074e2ff40ca70dca59e4d06eed2cc39f19e320b

SHA512
ace12f6181147ac35f2d2290b882fda1d000575121496761564a13424ac9de039e3127dd0efa363d68e702f732214bdab36e1cdefe3a8d0f19d8f4ae30cbb661

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
312KB

MD5
1bc56f663c5f3453f2a9dfa3a782af96

SHA1
88fed8612328d5a0d98a37540615e1bea86e251c

SHA256
82e37feba991fedbd5f978f24ef075d2405b0653596131533e1fe0f55b72369b

SHA512
f9c113d4423abfca502ca879f798eb0be8b1fb7a95e3b5e0695ebcc7a73df0582d6b1c0cb3bed6a4fb6f6e97088e77f4b7d2f6d0d664c116b798a63fe7ed71d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
136KB

MD5
ad189d5add6ab29269ac19616f5501d5

SHA1
5babd20b72ea80194c3fd9a4cc64ee04a2d24f3c

SHA256
82e37a399ac85fafa8e03b8991f7466c90aa3b17ef3ae1d71c13def2202e84c3

SHA512
d8dcb3f315d5dbca26b2efcc8593c1c148070646507bc208d04010af5af2cdf6cc80328ce75616710e53bdbcc66e770df397135824000753b4040311b28db6b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
14KB

MD5
50027449ce43ff49164091da5b0d68ad

SHA1
e0d78832e03d795feeddebb91ffea7a807e84807

SHA256
58c26bcb3dde4377200b475383211f2d405c4bcbf4140cc12444fc2dea1264de

SHA512
1e7a5526df1eceac99f426ec0b1c50a80ce2b00156d71837cb16e5d8e35229053bec7e3d95e06c5b305c68b73d2c8478e329a3ed4cdfeef037cfc92bfdbb9575

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
157KB

MD5
49c42b39a1d38616e0d616d5f30f5f5e

SHA1
36bf7cc4dd958929be135d09380721c55261afee

SHA256
a1eba94c15772ee50fff34c87a8881ff58d8e2b1618dd219e4dd1990e8e7f100

SHA512
681ef8270012d76aa9463ac85bf475b1b6197e7beeea5c616a640b4a39458a7e3eff15cba5b0d3ac7f01f3108f7d8cdd0e75f4fdb55383eb88e1ca6f378d8d41

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
180KB

MD5
8b13c8be26b663afe193ce5bed9e1236

SHA1
fc6fcb8639dcb6016bd58b57ae9defeb9414766d

SHA256
f4cedc83ea2bb584bfd40bf371a35a2b4c970c78a97e18b5244e5caef7373a58

SHA512
893650651fae10e8da079a17ca632d0189ae019c61a5220816d030621d024634a975a730416b1e5306ef133c50bba7ebcf3b7bed189610cdfc2f6e6db6eab073

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
136KB

MD5
5df951b377f8f6133d91f471de060fc4

SHA1
74da3e5da46ef8b90af571aab14fdc5a645247b2

SHA256
0062d8eb474a557a2eeca0c2c166dbfdc12404708fca368a69ac7b8135f89164

SHA512
fc9153a60e7790185c03cfcddb20c113fd9470d804693b98d31a5d838d8137f01bb2dd9e4799117e42cf4d16c83b6da7f595140e43d7bd6550a6619953fa55e4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
192KB

MD5
32ea8f3bd2c182bb6f29311299c4d172

SHA1
48d66052a2774b46b98aa7b7284264a75f66911e

SHA256
9f0f6b2bd668ec055fb320413fb677f9dc124bd4a3cee2efa8b2983f3ddc3686

SHA512
4fae354662c4e4372d8f002605116abaadabf97a69187df2d02efa098bd63bc7d1f6c45906162e65b927ebbb30e700477ba3d17c9d0fa32dc5836819e7a1c4e3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
217KB

MD5
abe3d492749c90559aa851ea3fd9350b

SHA1
4df7b2833b38ba979970d5a96a412b1d4ac83706

SHA256
df8ac8b341ad67e5cf30f7ba8e8f1b40ed04e5a144f78ee6f526abfbafd05546

SHA512
a8c79e775b5c00dd5fb720d72c17be7ba434bbcb2d089576d07864351080861cef30eb06d1c17b7449849a39804cec46cc498ae7e2aa5e64430161f408f830d8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
159KB

MD5
b6482c7bf569ef718530b61153b29674

SHA1
abbbf9223930989a00cbedaebf2e6546744694be

SHA256
c576dadc878a6c683e7850555dc8d390079e2fda2701080eeb556a49b35446ae

SHA512
95c625209d740825f95814d23a0f401b258ab6f4cd2f164cad595f9973bb2b438e2eb3bdd22d727f5980b1cd616dac17bf5446e1dfd8f4e06fc0839ba983fe14

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
149KB

MD5
9c83fea5e5492ed6bd9f75e25c95af6d

SHA1
dc10aa8576892948a0fe52328dfbac83bd87d127

SHA256
c161d8b83379c3f50f938aada5dc11bcd17e8dc53fb30118dc7ccebc3e5e6108

SHA512
7985b9bab26ff3fab22bb3e44b7e690f76d7c04c2e527980819d4598f7aad404c444c78571dc7614924384c6274dc37389c02c2ff3056f0d6d178a4e34db9f63

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
236KB

MD5
6f9b675ab500ed3a6796597a2e5621ef

SHA1
24a5d9b718c64cfe27f15cb57f52b4e988a0488a

SHA256
b599464a096c357dc270796a1c2a7e64051c97697d1d7928a5890d03fcefaff6

SHA512
f87a88bebbc4d94af9c9adc2d85b651cbe0c7c3a591e4be5d7f57691312dd2e43efe30a4c0bf28c0c7965bb65de28acf95d9a2097f4c4687d439ee3a59af1789

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
200KB

MD5
44eaede44540fd1bdfe6bef7eecf29bd

SHA1
91fb859a6195586971ce6d732766e60ad090e29b

SHA256
c04cd3bc5415bc45a77a127702df60a6fcd10ed4f95b8c2d1df51aedd70933ea

SHA512
b4595d179025c32cb8f6d93c9740005051abf1626d5464f866c731e33f5707b77b9b94f9e5163ab7069353d89a349df305503029c0419922f10d2cad2ab39700

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
210KB

MD5
19507562c8ca7f532c6bbd87d219cd16

SHA1
2795427ace0edf239f182d2b1ea6c66959e6bb44

SHA256
534cee43039c8441e1b87e7c1a2d9cfab7fa0647bfdbc7912fb581b7af1a5b6f

SHA512
77205e64db0dd0a113e37f5499848b36cc7f6da03cee9f9a3eec045cad1d54828eca788068a2e698008ce6e9f460a32f34557a5395afb9ee9a1d0e0a86342f6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
85KB

MD5
f5c7ba55113f68160e8122d33d85c2d7

SHA1
280a56bc8796b5581114efb06f88abc4539f4766

SHA256
402ab739eba12b640ee6291f68f148d8630b29dd5dc42466a8bb5c35fd2e1643

SHA512
6f3d19b27edf3e872b9f934db590943a46ef285c61475f20c6aceeb454dfeb36c2a1f8b25439cb9425986496637fff2fd21d8332936640a351721027ba8ccaba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
38KB

MD5
585fc31b13949da3310d3ec94e42461e

SHA1
2ddf8927db7fed21f92c5d4b6ee1a69091954c59

SHA256
726b639d82dab23b7031a791bb0a0549599c345f5cc919206ff365dad98eab38

SHA512
509c508d3558e2f922c5670e81559ff01973ce8273f529d41dc4a62e6a2bb3b6ab3a2397bf16e060acb56330128e5812aed1abc8157638a1e220bd91121b7a4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
65KB

MD5
9670ce5a495a73107847841585e1ad6b

SHA1
04769246c769e4c55269412a075ebc2c62e29acf

SHA256
bbe549ba41de680318b400355fc4fabec45930798bde80b032ca5780f4b76de7

SHA512
27eebac4688a3a76b891a434e8265b2050781bca9f644816d8b488c56841745c273c6d585ac81e2fb3d5f9139a8ea06f36d7a76da0ab015b80c8068ee4ce0659

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
62KB

MD5
a9d18c2bba99e5092ee14f7ec59643ab

SHA1
e1a4e0dd96282e17f36b1e11a2a29c0f27ae8e3e

SHA256
d1d0ce79285eb30af688f818ccb5b7d7b2af2de1bef6cf004afa98b25cac4b8d

SHA512
262b19a5f78187952f756672a235bba560831fefec4d2896b0bf39118298f096bb0c62a9d4e4d3369a27570577ecd36e75b98184ee182899f28424f1e4104c26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
9KB

MD5
8aca56409f4f3e2221f15227b939f70b

SHA1
d0f916787e2a0bdba96b2fc4ece732032b344feb

SHA256
60d02ce1dca7bd580e268f251c0de0d61bbd7b67495e32d3fb287e6d50db12f2

SHA512
1ade12c607c660cd9c00d2949ed054e7208f93c817a42d2110e9465001da039c8ed17080bb0520f033bce18ef1b4db26679217deb1048376bc1cad7cf635a379

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
92KB

MD5
189975992ced397834da0b95639ad028

SHA1
b8fb7507e15121296321fbc4d8b0303b16e6bf4e

SHA256
47967e6caf1107d044dec79b250b2e1472c72f84a8668b1ada653801076ebc45

SHA512
cd6d30d55b123cf7c7ac32764dac1282c7adb18f2c3f13ac3d847d37879318f824a43cfebf64650d8f6faf02b4099ac65be78b0366a16926aeda45593f3db182

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
57KB

MD5
7684beabb353f9dfae99a27adba0d33e

SHA1
a696d3e159df92e86c905b8e688f59395da40beb

SHA256
97319e5c5d4b2e343320110307987213437e0151d322d722371426eb3e5d88f3

SHA512
4e828eee029576ac6705a93274b2597aae1c9ba5ea93cec78893190f8cd4b6cca02fa77da4496451051559ea5081926b4b38d96e1c3b255df25b6ca64639f38b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
38KB

MD5
a4cda52e9544e30e3dea6cc065d67a21

SHA1
4bbf4d14ec7a227a7afb9ba64bab80c0281d5800

SHA256
c8726176139ef20adf99e3e6877a2eb88a8ccbe77cfc35fc2d10857a6437b9fc

SHA512
f7d2047532451702f529b4bcc4a0003db54e91f4e55473dc23422aa838f599fe88772cb62d3436685f0b3726d92138a2863637181c0bda48412722747852db17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
39KB

MD5
18234160d0a0a8bd144d237d527e5544

SHA1
42193b1c9e37aec229f7b792189a61dcfcfbaaa7

SHA256
b9e7d6fd6c529fbde847133ebfe088f1c09dce6a9e7fed00b4e8e244a4fb8430

SHA512
2fe4c53e43207ae3adf0fff26cdc5ae6194d5c3fc6d27c62ab37e3f6ce7e2d05c540aa4f66a895dae07348e32c27b41617b550e3aaf2fa6b392d76e580886d27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
34KB

MD5
9d06333c0013180b96187bb97f96e628

SHA1
23c76e5378e2e907b8a321277ae93da2848fe695

SHA256
52522d5cdc62d118494432ee8c2af96e5def7074b688e72368ed408c20b48909

SHA512
ceb3cf193f23f0ad621deca71052dbcb8c293c4b4588483cd095e8dfe26f03113689bf7f3028deef1283d98a0db9259699af8d6c2f4c881df5602b81b87918a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
14KB

MD5
5da1884b7bdaec06ad133ea9c39962ae

SHA1
3cb9d65928af72f7b05d35197dd820f434cea02f

SHA256
2bf757294f16592c5273f06d97020e0f6bde1d7d57b40a6a2885b45df4855047

SHA512
13638173ea11b3c4cd43c91ad65f43b6ba531ed52ea4dcb603c5e1d80a928eac6ba8a824623225d295712fc9ce942e9399ff4d941e110726f5ce1de78cdefd7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
85KB

MD5
2d03f8d55705c42dfcf7eaf6a2c966e0

SHA1
c6689a4f46530ae45238b9bff12ef188693b52c7

SHA256
1c31784f3533f39086f2ed3b4604be20bf96232ada454b1c19093af4d9cd9447

SHA512
d8bc3b506cfcdd05e3ac266f2b22dffd665c6a834c25fd39f7497d08169f2b0baa27bcb9630288ea34dd3ed3180c6bc3aa29cbf0e1714894389e2d0a6df54679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
45KB

MD5
f14f295d65e0487743376c7d248c9cf8

SHA1
d4af40b9c709732ed90f0196533258b86871b863

SHA256
1bdb04abfeb2bc10cb9a73ad73888dadd808e0ba8cdde2256b91ad11221f08a5

SHA512
37a6b5b5b6e4c9f05357f52a401db68b874c58188b97f6908c183a93456854af6babad5238c5d2145c36fa996d063d01a45f916cb2fd2f97b235b22a88339579

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
42KB

MD5
3813c25adf24452eb527482cde48edd1

SHA1
8f415e556f792d463e88f57a468c77cf4147d5d9

SHA256
2a8ff08e4ac7ab5b72356be7bf0e6c9f8416e7616a9184e7e0eb1e2a81e4aedd

SHA512
0d4a4d80a3c20efb14388748d23b117938513e939605ab34d02267e166b3d91609c5b3b210cd08b5bd5a0f98b28b8971d440a0d2e79d62a84ab082a48619220e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
29KB

MD5
8f4f2a6dbe53d83bb55e1e76037e0de1

SHA1
fb75016397e1dbf7344250ed595c426a07e71add

SHA256
7d9e13d1b5bc6032bb044663c8fea6232b4d1d4b1587133eacb292dc424e1526

SHA512
24c2d2999c2e4f2980502d2192f61cc3fde1bc69a8583427c8efd24e8f93d82025f279bf190cdca8066bf47184eda60df413617a24484783c323f50ec839a4b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
68KB

MD5
96dc8afcb2ee9d46426a109e95707b5f

SHA1
5b217398d60105fc2535dbaf3da2c3d5ad1231ab

SHA256
0306319c06fad8c08f3e219a024f55309b5e1f3154648e5c8b4d86d2d8563ee2

SHA512
4ef7f581fe5effbd4638e011473fc03b76b2b8207011c98e3f04d3c5a503d46dc76577479df8a53b3602009930807bdc91ab9e9058a2c6bfd936b0b37d2d0bb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
29KB

MD5
15c0ffdc612c4c992d46eb55095f70ef

SHA1
caf717a0acc7b2b3f1dd7e3d6f26ebd1f88dc2b4

SHA256
ebdc4b68a9eb491206b70dda3b1a2aaf35cc657a11801f9ea741568593c4ad2d

SHA512
b544844f58a72d6e8aedbbc295854f331b2d3163f69936515b537627c4ac25616dccea9b1f90d372a0f80e3ef8af9aedfa7b8cbc33f1143f6c2b921f52e9983f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
85KB

MD5
eecbb827e6f7406aabe50ab0734bf5e9

SHA1
94f6ee50e492186d20855268db4e850e7e5012b3

SHA256
79eb2e2185e33bbbb32b02c49364774bd6b39d808c77ea8e6e41038b59942998

SHA512
f1bc18aa99fe8be480435d603a58dadcb9eb9ef0068da4b16b0244752a988634d7defb00aeb54afdd2ffdc45f9f7f3d7b5fbe134c3c5ccaee12933c2a056e14b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
25KB

MD5
256c67e41445696ed8e1b61d4f9a2af0

SHA1
314d251a84b2ab99a26d293116f13641c6a0854f

SHA256
e34e034f4ba806d22557467300a94338461c36ad7f91aa457dd7f24ac5c91441

SHA512
7a97c30a2222f5affedd85a7fe3f41da070dc4ebdebab3e6267a1be5f80888f815d516526058952d84e69e593892189e924d452240a3c2b7136b8578a9c668de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
63KB

MD5
457fef487701ce9053f08c9e14de39a3

SHA1
0c15d605e63a2412052eeb1b857c8097f48dba1e

SHA256
4ff16e3afc05397cd3870d49746e37bfc9c0cfd967704fad35aa1c981ffbfd65

SHA512
bc29b2342b513cddf5b372f04762724622e3fcbf43b02d117bd10601ad171cb07966abe0b03dfa8461b4cb50c1d9deb3b6c163c291e6ec38d501aff69b4fdbc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
61KB

MD5
cbd19e63b5b62bbd9d8066550635377e

SHA1
6658052f8cfbbb7d40f7294390a6a6f319ad247a

SHA256
0a760250192f79079e48d45596682cfb277b055a36c78db16c635b9291a84462

SHA512
8695bbff0aed630e9810be52fd4bbf54b9a65e89996560c895de32a471fcd341e2eab879e911e4722fcf87fb62314eb81b1407a1b2dff687e33464324097753c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
35KB

MD5
087f59cd58c661b8919a65bef3fa4f4e

SHA1
d2f99717c18ad3dce96f26f870a5584655f5480f

SHA256
cbfb2a645a5e5e24bc166ee423cde034d5dd67c69d5c69a29033257f7b58c6fd

SHA512
81ff440103cdc91488a9e71ddc92d3cfb839e26b525133d53d9987780b3c12462fb738336a7e9d6373468ed7538007c2d7d95196cc0a0b5296cffd0d7d557828

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
125KB

MD5
ab264b4b6ce7edf45cf01fde32d2af0b

SHA1
fd3a50b4246f5c38039369bb18852c4a526ab2d8

SHA256
b2895c23fffc9bd10228d57bea137190d871ab71d003aba93fedb4d967d49406

SHA512
70421d730d8309ad9f93f17d8bf878205fdfa20494cef2f00715c4b2e8e21e723af9051d57b0acaa4b49fba37c80fabc78b67d212c8c5263da08b7b7486ff4de

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
396KB

MD5
ca3c349280f47a5afada32475935e038

SHA1
3cf5153ca05161f11a2cc987e4b13d9666ba6201

SHA256
4ece7afa329b10d0cb9bca5bb180d487fd6ea8f7776245a1ad7638020284855f

SHA512
a964075173d0ce682a1b2116fcb11d6c1a0ae830f8247009e29de94e6189cdf2c733b7975cb46ce99238a7449af82d0b7fa0aeddde579ce2e13c0d367259e6a2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
5KB

MD5
fae7b2deb71b9332228b1404a60ad7ea

SHA1
4f14b4418e9a8f6876ef9be8d71f03533b136d36

SHA256
06576b31c24a35f38aeb54d2e5b6a8b2818251cdbd20e33338c81c4640cdc102

SHA512
8e5f2ca2c8992f2515e1a13535c4e7e43d0def03b2e6d361c20f1b25768bc3fd7d80230d6444307c8880e3454637795392600a7f40c7211887eff11ec33f407d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
895KB

MD5
8f34673ea6f817f1c6286fa5348ffd78

SHA1
02e760a8a547156f4607d830c07441d797cf2573

SHA256
b7e5eefb63d67cdccb8b2fa7cd17953942b4c924eae708a326c67e3f85811a7f

SHA512
5dacaf14ac1a51f7d6920605137547c25185a677be8a18e5e7ddae1d9caf6f9e8411e324c48b760ec812e1899938f63899168647e7ca037a97561c6ee127115f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
129KB

MD5
46fdd75ffb08b7726ad56c28ea94084a

SHA1
cf2243e240487da89b23dd612b557b09bb6d51ac

SHA256
b6b00adfe08e66641c7b5c8a34cb3f966debc0f1145f0b14d37f6f81db90c2b7

SHA512
a001300936cb3e76f770fee2388549fa18e760683fe72adbbfbdd8baf034591824764a8b421e3f30b4ffdd0cf2e54da45a08573f8cc3639f84403f3503c20f4a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
286KB

MD5
b8b1b6ba74c0ce182bd94088860fa8f4

SHA1
af8c3c90e3837c3700c46db50bd94de36e5cd627

SHA256
13d301d2cce9d7f6b6fd65e3f0e4d789a707815f138de0022fee537382c10559

SHA512
02718a4563aa820d85f8fb5a7c40770b8212f76886e37b6f0d8529fbce83e61ee30c4a61d13f8ac759f079a0f4edca6f04b8cde93e981ce1b4215308382e583f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
140KB

MD5
d634bf472fb94b58f143d5e9feb674a2

SHA1
9975326751a062259d0dad42b9843f41db9fc600

SHA256
7909cb319f4cac8991c42a6f95489af171d87e76d0fe48ae835ada4e5579309f

SHA512
e1bf646c8c752e4964b5a12da62107f606faa4d4abeceb0398f8641408281a0e97b8b7520653ee1acb211ba9e224713e9ef2b0c7606b86fb9e5ed0ab8522c908

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
85KB

MD5
05a04d8c8acd5979ab9c7b3de56d072b

SHA1
64bfe8936c21e9369b8c3454e80a8f4364b00d85

SHA256
fe9e1f9ed7698f0ad37e283813b4c76d2b21290b638ee840ff259f6e492fb0a5

SHA512
33f5998ada8a5603c8eafed27307d68fee2fcce29e205cdff509e742bec49aa9e5e3266df22fbffc3ea774dac1bf4652399eda4840fc18e327385d4d8751e0df

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
194KB

MD5
ef009cb6208c1ebaa9083bdbba8c6667

SHA1
d0b47cbed324610c071a21c11d1bb2f7955f52e1

SHA256
5cb4a89b0ce470bb955281fb87b797cb7002ab08bb574ab699c83a3d68327e4e

SHA512
01b2b7dbebe32f6fab60dde8a17d8e0ad304c0c2e069e9f6ee47b228c4f3cd33fcb0c718a010d9f163dae1f4d1c6d75951125977510f07e8a19672a697cbdfa4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
57KB

MD5
90a30257f4a31bd30fcbec721537fd1f

SHA1
4ad8a193ba7f4792cce5516a2ce99b98df04028d

SHA256
64e68929ff49a1e872110c84e619c2f164b69915c9d030c80f345095cf9b5033

SHA512
ea59cfab7ff0bb51ec188e0a72d4c5a4a5d28b3d8c885ecf5cdb333545c86f190a8cb1dc51788f2ba17879b87b1f7dffdd5536e72bb22bcf52d06017a3107f59

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
186KB

MD5
fb5eda38c10c6520cec282b8c8e7772a

SHA1
037cceaf5334e07ba04dd1d8c25f983692615f72

SHA256
04083fe1372da33cc680145ffd333993b6608ce1c5747666eb9d13767f9ba795

SHA512
8bada3502e00c0e8ab30714f175b5619af55195deddd9f95d7d36ac1f32ab06d574da0309d5be0821dfeb1f27307265805b860deccc309685c3702be28d75d4d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
89KB

MD5
65ff6e227d45f3af441555dac2b6cd29

SHA1
79a85692cdf0768c41dfc6249ff58420a0b0fcc2

SHA256
13ec574e2ab032a703563c26962d01bf1dd76d60d4c79ea730520d3c8124fcd8

SHA512
5097e400b886ef47a8eec2144fe4be0e5967ebb1a420c246441270d4c19fd72d84f81f63e34991a15812bc1f11359a36fc9a85d45da33ce1588a87514b52814b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
78KB

MD5
164f9727c7c7b63047aab8f276aba60d

SHA1
77453f4abce0f103e6b060ed3856079eed946100

SHA256
51623c549ffc842b0b3d1f41708b49d07b719190b7a5fec2afe9f6aaea3d2463

SHA512
5b49da3c8df7c73ca7238ffca37a2b427fd455b28dcc7b3ef15d78eb569d2af5255d2661ff8d34c0ba0046f12b72cb69283a2416a4eb65c0d8852ca2251d9afd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
48KB

MD5
fe4b5461d3c79d6a61de5d2d51df5e9e

SHA1
d1d81b0bc729f757ee370b94558ded199b247965

SHA256
2c4a5c32ac12dfafa6d717b3767ac9f67b8df5ea96932a1cc40576e699d072e8

SHA512
241b413ef8dc9c2a144243598dd186271ab9142681bc9576dbc4eb6bcbbeffa9527cd7ac861a2b80b8d377fbe0d389b38ee0c366724652fbe13861a9881b7d89

Download Submit
C:\Windows\System32\alg.exe

Filesize
256KB

MD5
54067eab263e35ea0608c007b76ddf35

SHA1
0ef711be4438d01a548a51f8cee536c1818ee032

SHA256
fb28f237efb43e3a12f215988a47c29fbf3acdd39a4bde8912fea15f95048cf2

SHA512
7b2e0630dfb89276b03eda896bd9bb0d2bbeb91c8a48e633afecd82e8e862385a5ea62d31a2d939fa6fe2351a531fa293861cec79b28067c0b27bad2cf956500

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
210KB

MD5
0891638f46200a7348f45593de2ab585

SHA1
73afae3a32efb6601324048145607dd98b550f1a

SHA256
262544e4d4abcb49c184153db516202cfedf5690e63e24d2414e1ffda90c076a

SHA512
6a36efbdc2f0e01d51de3ed9bbc4e21e9b1d1ecfccf35392094824e23a611f755abda59483c7b6b2fe3ed4d9ab4f690228e5f353b2905515569909d12703949f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
129KB

MD5
8a0688ce82158357585361fdd5bdc93f

SHA1
4183e53a13be8f693807d9e4d57d7fa056a9495e

SHA256
dd3bb852c05f416ca8117cf379be47c7cb561fc58e10bca2275290c9c396e4e8

SHA512
184619d85e68ae1cfe8ee60c7025e2a76eae9785f7a0bef3f652cc546c99e68402f92a3b0acc834a0510fa4938087853cfd07a4c47018924a895bdb5496fb177

Download Submit
C:\Windows\System32\vds.exe

Filesize
253KB

MD5
3d6b46f30cee8312824e05818b2b1442

SHA1
88f2b35dbeda9a9219635caea3252e6d60b679eb

SHA256
e0707cabda1fefb42fdb4e7df9bcf18e80e969b60adc41e60cab5d472e1d5e06

SHA512
b23a3299f98312a1578c176cee08a24518d02a8bd68fd3eb3320e9fb8282f6cdcafa46d768f852681ddad2a4e1fb60e26c1dae1afc9cebac18020033b2a79caa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
166KB

MD5
ed64da073b645ef54135a7be27376adb

SHA1
2f00f865292e3af40dde052e937540c6ae2014ac

SHA256
ae7e00ebebbdddded514427878c82cd21b7a2e5a5bb26d014fe60d48297d06e4

SHA512
b8c20b75703077726d80833ed20bac7dc9ee22f41445492a31ad841b34575bd16ae2cb281d80b706eb303bb78f64a3f0c5fde0902cfd242e6d8474a2177cb5cd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
24KB

MD5
76d4dfec15f08cf6ae1a871071919c48

SHA1
ec3ab305a28feeecda7fb72eb505f0abcbe18196

SHA256
111d8ad332c82e25823910818d26865367589e739f17af35a6ea6fd91891556f

SHA512
7dd888ff20ab80e239c2c4609b9d684d33c95f67307ecaf79c3f9fcccfe48b009a654e913cbde328b57afabe5895e9420b36a4cd6c3f59a430d82748612cacae

Download Submit
C:\odt\office2016setup.exe

Filesize
92KB

MD5
fc5ed2b45f64eb021c3f28c2698425fa

SHA1
5ded3dde4fab3fa6bf52e1ce4fa8c1f4334a93a2

SHA256
036eff1b5961259fefdfd043773980086499d34115171d63abba05db7431bcb0

SHA512
983456ca25ee445d55fccbf8a126182b29a267b6c423b2f5f3bc6b4ef37eacaca2d4b58c7b9558c7944912b91b0eaa7cc852c408f73d7118afd8741deb29f27b

Download Submit
memory/212-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/212-430-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/740-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/740-265-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/740-271-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/740-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/836-339-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/836-272-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/836-281-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1280-251-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1280-244-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1280-314-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1280-250-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1280-243-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1724-443-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1724-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1848-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1848-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1848-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1848-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1908-346-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1908-408-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1908-341-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2004-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2004-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2004-34-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2004-27-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2136-15-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2136-14-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2136-22-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2136-227-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2520-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2520-49-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2520-50-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2520-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2520-66-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2632-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2632-405-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2632-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2632-401-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2744-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2744-360-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2744-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2752-65-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2752-238-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2752-72-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2752-64-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2816-366-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2816-374-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2816-433-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3228-308-0x0000000000790000-0x00000000007F6000-memory.dmp

Filesize
408KB

Download
memory/3228-364-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3228-301-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3236-456-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3236-449-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/3524-447-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-380-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-387-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3992-565-0x000001E18C950000-0x000001E18C960000-memory.dmp

Filesize
64KB

Download
memory/4280-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4280-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4280-332-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4436-297-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4436-350-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4436-289-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4472-321-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4472-316-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4472-377-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4832-417-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4832-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4832-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4836-468-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4836-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5048-7-0x0000000000740000-0x00000000007A6000-memory.dmp

Filesize
408KB

Download
memory/5048-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/5048-6-0x0000000000740000-0x00000000007A6000-memory.dmp

Filesize
408KB

Download
memory/5048-1-0x0000000000740000-0x00000000007A6000-memory.dmp

Filesize
408KB

Download
memory/5048-17-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download