5a1f16ddd5b1fe1dcc048b10357be05d8729cc537ccbeab37b54f5f4cdbadacb

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a1f16ddd5b1fe1dcc048b10357be05d8729cc537ccbeab37b54f5f4cdbadacb.exe
Size

1.6MB
MD5

7dfc4910224fa86c7e4bdc5f5022637e
SHA1

2d10cce971f074d4c7f5ca2cd3c43df8f86728e2
SHA256

5a1f16ddd5b1fe1dcc048b10357be05d8729cc537ccbeab37b54f5f4cdbadacb
SHA512

7f3d491bb5cd8ce651e424d6d7182f165767f2008b27bca0edabc11396a8c22949ae1d2a1d08671d4924403e740397ed6c298a88e126840255723750a22ab472
SSDEEP

12288:DjiB+tAGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:DjiBSt/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3008	alg.exe
5104	elevation_service.exe
1468	elevation_service.exe
5036	maintenanceservice.exe
1168	OSE.EXE
4536	DiagnosticsHub.StandardCollector.Service.exe
1220	fxssvc.exe
3760	msdtc.exe
60	PerceptionSimulationService.exe
1780	perfhost.exe
2596	locator.exe
2016	SensorDataService.exe
3572	snmptrap.exe
1744	spectrum.exe
3788	ssh-agent.exe
4360	TieringEngineService.exe
4888	AgentService.exe
2792	vds.exe
4232	vssvc.exe
4612	wbengine.exe
3264	WmiApSrv.exe
8	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	5a1f16ddd5b1fe1dcc048b10357be05d8729cc537ccbeab37b54f5f4cdbadacb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c81ac8c38ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a85740628e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000422e58628e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000198109628e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f91e07628e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000281983628e52da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004703ae628e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082f43d628e52da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e47d47628e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7454c628e52da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5104	elevation_service.exe
5104	elevation_service.exe
5104	elevation_service.exe
5104	elevation_service.exe
5104	elevation_service.exe
5104	elevation_service.exe
5104	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	456	5a1f16ddd5b1fe1dcc048b10357be05d8729cc537ccbeab37b54f5f4cdbadacb.exe
Token: SeDebugPrivilege	3008	alg.exe
Token: SeDebugPrivilege	3008	alg.exe
Token: SeDebugPrivilege	3008	alg.exe
Token: SeTakeOwnershipPrivilege	5104	elevation_service.exe
Token: SeAuditPrivilege	1220	fxssvc.exe
Token: SeRestorePrivilege	4360	TieringEngineService.exe
Token: SeManageVolumePrivilege	4360	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4888	AgentService.exe
Token: SeBackupPrivilege	4232	vssvc.exe
Token: SeRestorePrivilege	4232	vssvc.exe
Token: SeAuditPrivilege	4232	vssvc.exe
Token: SeBackupPrivilege	4612	wbengine.exe
Token: SeRestorePrivilege	4612	wbengine.exe
Token: SeSecurityPrivilege	4612	wbengine.exe
Token: 33	8	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeDebugPrivilege	5104	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1660	8	SearchIndexer.exe	111
PID 8 wrote to memory of 1660	8	SearchIndexer.exe	111
PID 8 wrote to memory of 960	8	SearchIndexer.exe	112
PID 8 wrote to memory of 960	8	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5a1f16ddd5b1fe1dcc048b10357be05d8729cc537ccbeab37b54f5f4cdbadacb.exe
"C:\Users\Admin\AppData\Local\Temp\5a1f16ddd5b1fe1dcc048b10357be05d8729cc537ccbeab37b54f5f4cdbadacb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1744

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
1⤵
- Modifies data under HKEY_USERS
PID:1660

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
1⤵
- Modifies data under HKEY_USERS
PID:960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
13KB

MD5
1fb5cab035cfcfb03a9c67ed34c987e1

SHA1
eed31689ad3c284d9bf7d707f61563533be8259e

SHA256
6b7e5a0640854983238427ca9d389a9d4161ef4e4ff5d992b8b6f9d8d5dfb96b

SHA512
92790deda68c6f0fe4505061f21bee8d10dbde356ead49419df9214d8c0556c50a291885b77cf4820587f02341039d56216d9c76f00328521586f32a8683a5e8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
252KB

MD5
06ec933e981fbdcee0dcc7602acd0a85

SHA1
8a205a4b01fd665f70e7be66aee9ea655347c6d2

SHA256
020d24ba9dc28300d885513e12e748026f9b875e357ff31193daf9490e121b07

SHA512
37ea3eff3ade0779838dec2bcc24ef6b1267dcd4d504414f2396f723457792b7d94289373c1e6a500b44dab95aa2031867de9494692c46d3e81a594b01eda68a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
146KB

MD5
3019659e65369144f0da51e5437334e9

SHA1
11f8a0f493cd6bd19c3aa640cc57efb5eef4f67c

SHA256
757a4cb3363d5ae74693662bb08d5e266ed5cddcb0e316b3cfcc241bbb505209

SHA512
3f6a0d2d493faaf4c758d72b9e5a1ff31202ab3918860af2db86627c7b34711940e5f0742d8035dcfc75a4a63f84ed89cc5cc49b5881a63895f437133a439674

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
75KB

MD5
f91a5309824feab0b3c9b1df752fe770

SHA1
2768163eaa2e61e9d9e9d2fdcbc98694fe9735b7

SHA256
e5efa8effe70711fb67998ed453843797e9b9d9a646e80a9d9311ce96c7d4322

SHA512
a65eace98d9ad875c25b9bc7d720195bac3b468eb3e6674f1d19678f4464b42621aa9adb36e300400f48f5b997efc55af2343073f1b4de396e3b6c733fb9fd19

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
99KB

MD5
e59764dd5bf956e37819bf1e766f125e

SHA1
d122b3a6f3019bd18a39afabc778c3e3a56dd2be

SHA256
c02f06b070b3fce813e748ed5a2c1bc717a319feafb85b382f1ab44702da864a

SHA512
3419f1a9b957cd22c3acd3d3275510bec68d94864d69df61a492787699c8567c743773069a4563315e2e0441ccd92ce397ba7169f72fde66bec2639d4f54f571

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
109KB

MD5
f867d924ed4f16031311c68d77fb3806

SHA1
90da939ffb7b7f8b9b060a3be31b5d47af02d7db

SHA256
5d29540ca67d752e080970d716546ea5f3245eeb0981576254c358362345f85a

SHA512
733663e4ee10c577f537fba054e83fe91df614ac9f70b405f5b89d6c6794ecb4999d90ebbe39ebb594aa92a187f6a5d9918223191ea6fd0e3968299c193f2e10

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
93KB

MD5
74388a1427af3b83506da518917c2bd9

SHA1
d91e35f64d0dacf92d1c6aad44d0d8b9b7fc9e85

SHA256
a6b30195b007723b17f406259d2584bd95009d7954161512b5a84b278efe30ce

SHA512
f8fd6db95066e5833030c53863630bb0c5b129e0c0be185b5c95de4435e08beca72856513d4148eb52ba4fdfa3a786991590eb08fc00d8874ed71ec87606bf8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
61KB

MD5
1904ed9dd564e7b526c7711c2ffb8519

SHA1
5c6591d3289dc372de01cd2058c26135626e7b9c

SHA256
22efb1f1e8f279e785b483a2925973f351f575cf8a3e590c11c5bfa1a7665b1f

SHA512
f74fe310a0981a5de0f5491cc35ec773f9d851994dfb91c63fbff293a7badbcdf27a767534afdd193bdebbd141aa74f5f3c7e03108c74016641c1699f01c8c3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
42KB

MD5
4a1885d55d4506d1d482554534a18542

SHA1
57b876a7b970cddd8fb3000d39b313b00d232adb

SHA256
fce44802a32242f438b3d0b5a4c5679de3f4a482e4b899df3b50bd0c20ea5d32

SHA512
d065dfee5d1fd2822c24d3c4ecb28426beb957172983ac76f51879691437b34606baeb09b0521aa87cd72963e781bb01df2b45097b948af086b24f0d345f0fd2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
123KB

MD5
8263312eca4d3407d12d4a7bcd46118d

SHA1
8d1597d0b433bb854293c22b1cc0e44749d6b278

SHA256
503a410cdea473e28edd2664241d92a767cd84cc478e119a02ee1aaa573d8d41

SHA512
6898e1df014ed4281e990ad858a65484ecf21ffd266e06a0cc1cf1b22acaa10efc3d173d8792914ee4ae518007ec4201aad29ff40fdb61f6cb78bc2c136704f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
113KB

MD5
87d9d56531bd928a9167665beb9ce56c

SHA1
fa1ac2cf12c4338b51aa7d8c6d327fd79da9503d

SHA256
f2d8575086e478063d9d114e63a69305f31460b8a2616ac6d4b7e3169eb025c8

SHA512
ae3475c6422206d98eb64842f671a67038b9a4767af20a242878f3751e27d4b3aaa2825791865cf1cc5e4abbab5df7b068cea34eb3a3c7ad539467745100e865

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
101KB

MD5
3e989619b1009ddae5ad295d7f054b84

SHA1
83fff3be375ef659d0c08c8d9cfa5795f5f0a587

SHA256
711b0c82cb26ce49e8e0025b42992cce68f1fd5683a686feda73b17e85234f7f

SHA512
9919ff22341cc08532b46cad61f0b25baf2a343fa17b570a832272ae679826e4106f98867755db0b54650ba8ba1f21ab0f1c02b3a4dc9bff784c7b795fa814af

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
74KB

MD5
2e14805abd28ddf792403b8f02a08c10

SHA1
1997c9afded49b1083b3c180c111738f58d010f0

SHA256
1ae65f763d60d39b3ca3909ebd00abf592e39a0ee0177430222a6e34f87d1d0e

SHA512
8c4723e406ecc19628c29dc07f97838d12cd65beff26a4a3d0f446434f68664728d8b1a409a7540234b66e6fd952f525ae257285f8c41a8f5271b7197282141d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
66KB

MD5
a37e03a5f64ec993005b0642a33cb879

SHA1
bab70aa7c093655e3504b4a821ede42384b07f43

SHA256
97814bfe2384e0e29821e7c79e842e0870619019a3af0ab5fda8642c4a061d91

SHA512
03e3b771ad7491e22d0e8fb8a3fbf4aaef0bd8c8c8629d05768477c6c20f9fcfb5ace6dd22e599363f664741c4a88c1c1b82a18e1af26a9415bf81481ce9674f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
140KB

MD5
02ce24dc23c7f56008c25b3c05082516

SHA1
ff2280d1390d471ffd0f022115070650b0003d10

SHA256
afcfc4cdcd2d83d650750081b80004522c00da1e820a96e56ee4523a34d0b0dc

SHA512
b4f6b41d489cbc76665e34242e1d0900ad20d1606352b6a46facb3ab8b4e43d992a60e298663d7a4347d991e83c396426d59ece2648d46c5d02a1d032bd2e785

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
100KB

MD5
07411c4334055a4b82373f343c0f38b2

SHA1
d56be71c450e1f83994c7ebcad5ea5f7d835f049

SHA256
e2c3dcc4e03485d13e41d1d53c64e39ee698c646c9d479735fed581214900e79

SHA512
7f7d19c565a3f63aa148f9a40aa321f925008594d84f97d291a22939418cc355967a5035b71804186d4f599603cb83031bc64f1ab205fa6dd2f840729c016ee3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
130KB

MD5
0cd9412882c356a0f3f5339526445e8e

SHA1
1efb6c9b3a5400a8290332c0fba165787bf12dfc

SHA256
d572748cdb934ca5b1ee05bed4bf05cc8a0d34ba8bcdb6f2674af185b4239473

SHA512
e3385c0139378ce5802c754ccab5633f64f67b104b5fc593d610a0fb6dcf2b4ad6b9641f594c1feea96031ba564314b0c19c95caa4d68916f44fc5a273548bf8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
38KB

MD5
850cd2089ca9199cbc70785d783ef5a9

SHA1
a2eac503adefe6e2f44274d74e937a0b44a3495d

SHA256
081c865cae64aa25ad7f1d3fc4c6a709aae338075215587ed4a5f3af25eab5b4

SHA512
8bed5902ccb211c8510876d6123b467e6bb4ac519c7994deb3034d02f48f0c8815edd4138c3a114c2116c7c710d82f66fd5d017ccc107446b7202909bfb0a281

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
46KB

MD5
2c56f97d5d7125ebe950ca932cffa467

SHA1
287cd47d4d385dd962e8662eec8b1ad23e670d93

SHA256
c053af6b3914b02ae6ba6e3bab211d43f1ab11685348315fec2dc8ec79602bc1

SHA512
b00dce71b7d3c2341e4308fa125d6ab96634afbb06c97b06d1a12c1a437b79b93aae16570c35682d5fe7de558f28ce599653d61a3491e0aa64950dd32f9cf2a7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
85KB

MD5
463a965d734c41ab6ae2796912ef5dda

SHA1
5d1d8c7706073392e02131489fefd6cc35010ace

SHA256
17d18227534debc84e8af89234344983da4bf4791b5bef4eb414f28da9b9f5e3

SHA512
a0f873b19cf85b791f209ff3706af9499a77b6eeb91702c85be34e1559deec5071c78c12bf4c59e0e99f4d00ec5eaf4e6b24d2a76cd3d152d741fe788b6803fd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
96KB

MD5
2de017d35b75ad763d19ef7e18df577d

SHA1
487541fbe2e7248e0151a0f1541cebbd99cdcb71

SHA256
91f2be6fb6daff034ee1a8b756b83759e9dcc26ff83e39ff1b28c52c9fd0a969

SHA512
218c50a0d2a8f98d1d664cf9556f88cbf964390a65a5a538551ce9fbf11ca4387048dca12e60f6c861a2967eb811a2ee9dc8d1d40f402c11b6a38722f7a6ad72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
88KB

MD5
ff0aee92cdbc031a149c987624d5b93d

SHA1
82ae14fa76b5d65ef89babf076b1966cc27ad550

SHA256
616956659b1d4f5961132d240bae2a1daa56cf454de219de2b50d9091c14ae05

SHA512
e2906ce4b03ea78c550d262bb6c59834983a421e5f14104578aa1cd24c24cbe8440c39ebe088fb0e732dd9484ba0c451d36431e2522691a547294722125a0772

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
57KB

MD5
cc9e11f510deec00f0001f94a5f82925

SHA1
b0a3c0613b6a3201c465cf67831153c578c2a7a3

SHA256
2b014e04ae3df62388fe9ccfa00bfbeb502d33375af98ed6acc7d2180ff26711

SHA512
6ff03df24551f473d9dfbd30453ee8d7e05987bc2531ab63053e0b4c8e99fab6150d6261c4e075880c37dfcb86f8f11a719092084da916b62f517c42a42f1951

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
80KB

MD5
6b77837ba70913b8e5bde2dac1635aec

SHA1
33943e7049e3cad8644fc9951f54cb37fb2288b4

SHA256
9a5e6b61c1ec02ab8acba7b7dcc081b28e8856fc4e6be3a8008c4d8a213ca9c8

SHA512
3831db0ed63333a53357a74867f675a624e5a6e65a0fa39a5f9e50e19202dd0d9497f9a061cf0ce06ccd7f0b530b47282e29ea78d988a59986ce44f1d3c9c9e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
122KB

MD5
18ebb7b13cf31a919d1a4b9b2d25a3a7

SHA1
3fa44918ff20b767f3fabb98ecbee78fc642f509

SHA256
ea15f0021e083dea209f9e63c962af03b4e73ff2dc6386e80ab11a23d5d29118

SHA512
7645d56d42f1ab26891e2f7ff3c3545d53cac43057299563fdf9c8244589a1e59275a80fd492802e85cfaa3c94f9d6f4a3c9806ad9d086e097bba25ae1e37500

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
77KB

MD5
d4bbc701c734bc67837420f8ceb9800d

SHA1
d22dcb3086b8a5e4ebdd463238081f1f6c4b26b6

SHA256
0e6f13b33f1acb2fac0461e9ac33ca5511a95a49841e8fe50f50a077c053d32a

SHA512
5ebcb249b6750945e3e8e5acf99031bcfdad05c6b06a84555f7b2c79dc8a8efcfe317f2c73ca45711f9ef45fe3d1deff77d21d06b4767a81f32123d794c24b97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
133KB

MD5
7b94bf5e06efc0abd11ad1e11f22a969

SHA1
513b996f1c03fed9108de507264997216aef5c78

SHA256
3401299a529542e5609a7f692faa83120ec50d11610eaacaa8475534384ea4f4

SHA512
1d44978ee8976a83b8506fe2a1ae18a3f9e0cfa8c0c2661ccd45c609c84f39950132358dfb64405d14a57996e4461e570cc7e5ba61d2a8fe7d6acc224c9638f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
38KB

MD5
66f63a316304e20c600c2ce1c0b5fc71

SHA1
d2816c82aed74d6a2792feee439a533991d632b9

SHA256
d6138fa578dcc33ccf68bc423dc731b5376e9d6abe4a85a16c8f8b29c8ff3d53

SHA512
031c3e0a22ac3b3ccf8bc13ad21677477c2c50f956caae04c09f6ba14057765fa6de77bf3542f8ec9b465805e0853194d1da6401c4156adc3a09e79bd849fd34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
93KB

MD5
f9705e5da2dfef0576a9615383f7ea67

SHA1
ca4f8765a26d28ba7f94a36558f95561448161de

SHA256
ad3fe8c2059b0226bf125d1f83769f8d5ce27d7455c6857accd6d742f8a6d836

SHA512
fbd1a2a80fffa0822ea5636366e56f621dda29baa794fe3e8d2a2e17194c58719e5ce4dc78348f18ad2bb6ff860e1a1d6d954de2df8d1caaa1d1d261051663ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
141KB

MD5
5a58d36fbfddf3d1694a68e6ef6e94c3

SHA1
7748772a8cf26d987c06d4115776dea0c5b4110b

SHA256
9f8ce356ed9cb587abc061b4c5da6db1b3c390699882f7892cc77ec2c9175115

SHA512
816706c5999d6dd0ec43367650b4d5eba9a70339e6feefd483ce3c8b674e1e53781659171cb8e940f66b74f702bc5ec57c0efccfb8fd18cba9f8a8407790b2a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
79KB

MD5
ec1eb2126e491f0c84ac90b6dd3796dd

SHA1
f22307c2320a8edee3fcf703dc6827df1e51b38f

SHA256
c7a44b335ebdb79f97f76b09eb80296ef7eef4d0cf6eff1eaa647f115e37e0c9

SHA512
abadedf7fcd4a8784b9745f26b1ee967850f5b78e58c84d3626ec220e7a8fff6f621ea79f8bc5b4ca355bc414ffffde5c9e4c9c552b8c524db32984cc8cad601

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
115KB

MD5
da087acd17179fe855afaef2612488c2

SHA1
93b0a501b3aab048d4e0c483417aab39372c9b78

SHA256
95c9d27be21bbc14bd9c1cb02a3aea8d53dc2990eda7e86d9c700fba1d72368d

SHA512
a741cdf967246e6d3ba0896dda3d2d5d5b02a0203e101581504678573ba68a602d2826a082729539539572ac0a136d3fc263c9731784d087884dd2867dad0d69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
143KB

MD5
9434634c11fe40653e663f36ffd9b267

SHA1
a76b57fbc4d8c0585650d7caf08a70f3a06ca64d

SHA256
2c796c1df506267757e7836b62d50c68157129a23289ebc2e5f4d8fe7597af98

SHA512
0b117de19c1b68f5fa203e02990ed58afdb5fd640984ba4690705e13e6eb9d898b3cfc2406321a757eab6e5257447a90db184167ef261a8496b16312328794f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
151KB

MD5
ff81acccdc4a68cc0632636506bf0887

SHA1
3b55c5deab8e5729fe5104cce70eb0df32010728

SHA256
a575685362f926c818d0fea94df369a47c2256981d8152a1e9f17c1685daaddf

SHA512
28c019af96bdaa6a6fda19085dc958292176163f18de269430539b3508649b5e70b5d263fbb27019a22bb0b64965a5893aa0fe3bcf173b967a8d1186e43a2945

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
25KB

MD5
2ed6b169f9fe79cadde28e4972c6d3c1

SHA1
3a647c6662b014ee2d984a04b41b60ece86d122e

SHA256
a8925319bedc10077dfec1a65993560a531274a9fec17a12886d101abecfa564

SHA512
41d56ec6a5cee2d3a6b57d7f0c5088cc4aacf717727bb1cdae9ea31d942089c0c89ddfa1aa632a87a810463964d586d1f6f359beb739c0657b0a79bffd839e96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
96KB

MD5
a673c460067069b12d3bd9dfc83bbccf

SHA1
c1de238dbe690d990f427af2c18cb894cd57163b

SHA256
05683ef09d327e189d71335e0eb25ef597ef36522a460e5255dca86e930573a6

SHA512
cb634f66aa0e9cccc43c111bca0175cb49a7809d015a5fd333349eeb258ad0a6c7bf75764083d5fface8de694240de0c6ade98c760a954df9656a78242e1d6f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
92KB

MD5
fde5b1d00602d0a588adf7bb3a49991d

SHA1
e0ea95b0a79134e0b37ebdc85a434ee9c4e0936e

SHA256
1fef72cc8da3de55510b5499c005b011ca8a1d7156f21f434b2b7f39d2030944

SHA512
276cedc549d6023595275e46bc313b87127466ddd2779c5afa3c99fd4986e3052b6beb58090463b3c30f3acfb6588d61a695fda930f01027d855eda3423b364a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
60KB

MD5
422c651875e4120a88b90654c4daeac1

SHA1
30ff1af2f6318f842cc8baee1a63e48f4042e50f

SHA256
506d273285245b2954e5811a80c143347328fe4c76c54717bdd040c221ffb88b

SHA512
885e91a9bef98d9c2ed389f5e1d0a1e2151b21269b945350cad97319ecf2751d830bea219776c003619ce30e0f3e6eefb546d1f03a6e2f33c26657cf28d51641

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
42KB

MD5
92311c944591dc637015abc17f5f685b

SHA1
81e5400f5f4bf7f89a0d6dda755717a79c3edebe

SHA256
751033267c97e622dba9ed3c09e741dee4daa49c4c22e023bd78abf0691074d2

SHA512
9a7a351a7b2b2c4afe7e51b668d365b60e298ff3b363152a04780c04faa3b8e8a1661faecc9db38924aedab4d76464ffa356891fe32252506a4977c1433aca1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
13KB

MD5
5b76792ff17a9084a46594a68a08b82d

SHA1
97a62bfb93c29b23e4ce75fa2ed8e8d132f3e091

SHA256
12ddaa4f33a1d159e5eabbbaa90af76baeecccd0f1516765b8b43d67f17b1c53

SHA512
7c6f6256d3585b59b91e2e0ac958f0e3bc40f413bc4e559b158344e2bc41c6f0129cfc3f41e97934d5d06a5c88513b7a6a224228c560ebe165abfa32da7e357d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
45KB

MD5
50ec25984fbb3d380bb320a6c9c8579e

SHA1
8ab6bbf932e5f0ac4babfde9a6ad56dfe196657e

SHA256
047c9f93ecefd42cda0e61d551373207d85fd45d3286d3bea0502488e9071731

SHA512
197b99621a3fa2142dc346337df8a9d575a44304cdd1e555b7bdadfc2c8f49129d559be8e4ca01c1fb3e2e15a23b42d9ed69fd0479c541b70d1a85b96eada872

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1KB

MD5
bcb65fe3776520f61bf8293a2027721b

SHA1
35400e37dcab62e438d8e75604a3ea889afe74f7

SHA256
bbabcf131bf1da3d063fd23fbbaa977beafdb51c7e175e2d2a1543185eae4c53

SHA512
9e7d2ad9345fcf4cd1031cbe661dc9abdaf0987168da66606fe1040444c36613858f7365919580d3ca1bc3c952dce5b91a505183b60f2a97ac5c0cba7a35f6b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
20KB

MD5
3682c53add6d39ce14ff0d65b2f04f33

SHA1
b3e91780194b4a5616f2e4563585faaac888a439

SHA256
f7e0fa152ec426e3f7d3d03b9a32a7bfbc308fd629914992e68357857adc5a23

SHA512
3b4a70bf27df75574ed530e2616df3f5a7b52f010a3b8d13673777c6c19db06a0b446b112b6f8835d4cf4d92f8a3e0c7b9717c9c2f65cadcba18f4663121e64b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
96KB

MD5
9ac08be6f5334e0f616a65f076dc09aa

SHA1
42e43f6b9fad88f54376cc360c9222a0c776de8c

SHA256
d9d8164d9d2c435158d2c6edca867f9ff987b371fdf77f5522e00769dfc05c49

SHA512
d9d50324139ac422ca94793f67d1b337b16454cd1b9111fcec5ec9cc40997fa002e1fdce3f9133038798359c26e3cf3cb328747ca9a808353b567c827ea0eddc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
149KB

MD5
7ca06ce6822cc6a12186a7d0f762416c

SHA1
11143276585773f48b48d8f8358916358e024118

SHA256
65ceefa39c56cd078425245df6df13e211ade7e493b216c42e0586f2c88916dd

SHA512
4d8b5b0e2eb0b44f9bbe5b5837ff4f6e671838a3aaa61cd49b0db8764726d773e7a46782314a571f679a7f652033e55d632053b609be61b7670ad3ca72d05d48

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
25KB

MD5
61c7842c2feea3140a410c3f6e760e07

SHA1
8ed2daf54263a0687e358fc773cb09b5478a28ad

SHA256
21655656eba3994822ebc9b35a6ed4283709ec9c464bacbdc9834a1db9a22b0f

SHA512
86aa62a51f5b9060efcbc72e33cc1930cf4d38eca494aab0acd7df61c9a64948c462d366703957ca61b8d9d82b3ee4e76d98083c0fc96b39ab599f0f44c2967e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
120KB

MD5
73578d3307c161c60288e35b3c5efb9e

SHA1
b994fdd7a8949d62f6e86288ab813f5269f174b5

SHA256
531829d242e667be920493442cfb8a645467e5782d039dafcebcc540c77dbed4

SHA512
5a611f3a6e925bc8f6afd2b463c0016ccc096a288a2a87663bef705275f3265124035fac21d9cabcc9787b46497035e2b57d0af5708a977bbc12f036313eca2f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
27KB

MD5
6ae0a25aedafd2a8d1e7b53a7b527969

SHA1
c3b39b58eb8e9d06737492103b8f495e6b227bf0

SHA256
8ffdd790ecb74b7e26580e3c0260c7ab23900595a43ca995bf58d1cf6d462188

SHA512
5f1f8525679602d007bdf753da2bac340bda47f78146add65e437d7c293f656919d135e1f8cb6197b90a0ab4785956bd6a2d17a323f0ee6a741014d4f1dba3ef

Download Submit
C:\Windows\System32\Locator.exe

Filesize
168KB

MD5
ded2c55b876dd0503d5f1f2ea3508c87

SHA1
8455bbd1d1ea304ac9504837bb28f9e47abafb64

SHA256
d4e0f43ed8762752d79975bd711a72e9565f7e0b690dbffda11986eadb364d83

SHA512
7e1c7c30e6a42ecd748ce38ae54a138636d4a32d5ac221b8c5bae1b186213db98ea9646ba2f880b0494eb98e466ae1e92fe9aee5be0d1e1b86588ba22d927c8c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
184KB

MD5
c516f33f5ae9bbe919b235b2bb43dc9b

SHA1
8ded51aa7f7db43d6c4c564b7533ebbe9187dec5

SHA256
365ac08bf5d9e89708e46fbc7b965525469bb5093276fe31c4e78ababcbc7bf3

SHA512
043d492c510164297b01cc571b4e1caafe4ccf4ce238cba9eff865be862afdf65bc66933a8bdd774de0a1159e16ca2e3cc8208d459c29b23b150f2974d5705de

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
161KB

MD5
9122dcba565571e9f1f16d6823bb5bd8

SHA1
b7dd782ea02722205a11f3a09470d3bb1956c78d

SHA256
78c1cd1260dd738a6a370af0e4d87f708ee435e1cd1720b887f026e6610d774c

SHA512
7c6835ab83ef9f3af99b883d7be0c65f8481ca5c8892b0a7bec23a261a0615d2eefbb2bc150392a11ad6c5059b281c84ad3614902318694d0d7905c48d7055e2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
97KB

MD5
9b86c4e0543cee8acaff377e0c9f0db1

SHA1
b6621a62fd2ef2cf534902e4472f39180f35ba9b

SHA256
c97102e6af2b73808541d0331286f439eb92d24844c282e5ccd2c84862a0a66f

SHA512
2bcc1fdee80e2739d09a935536fc94450ee4978cc642447f43914b2b5d2e017d004a17aff396bb0d37a4f497ed2b83f0034dc10ee4cfe816342da016e4ab5ca9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
93KB

MD5
f1ccc8fe956c072f36d21eb386366780

SHA1
c7f86600428ceafe3715af2aa7328b0a35de3f44

SHA256
778f9953677eef7495fbb8d7e6026e419773c291d092e0cfadf515bf69cf4072

SHA512
4f09ea4cb7bc0e1ce047504634c013a41811a78a5a5d75e083854adbe1b04086830323df79b79428e0841ce8eef56ed63998d2b3266f61fdfecd4e0c07867d10

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
132KB

MD5
83bd4e9da66e54b1cbdd190dfde41fb2

SHA1
1b7e84d4f1348f07b1a709aa7a176e208dbe33fa

SHA256
421e1fb80cb307946a310ac35be6a6f819da21875f01b97e4c0dea117a9574fd

SHA512
7bf060a8f3e5c345fdff1af1f1097fe7483d4926f64b5ea49874ce286fcc90a8d8b0471ff27ca31e8404dc5fc1a6d5c74c31928264f432a7af754ffc12cdc0a1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1KB

MD5
5407e4729e9c471f61e737a9f6023b0a

SHA1
e9af2c68f2487ddab341bb35c424ee28d7e7b935

SHA256
83985aad7c3745e31a19b2161d77bbab39fd644104f9f34165a97277c05f5531

SHA512
05601860b66adf75c94488eb7762f44f7275adf969264b7bdbfa891694db692d3dc32f6b964d7056ed01c65ca41d8569c75a80b329e152a9366e6850ba37cc70

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
115KB

MD5
8eb424e97672e6cd723d72730bad4d87

SHA1
b54845dd72f497809796d1e645754b01c0194276

SHA256
44fcaf5f568c32dc8d2256161aab6ee5d23eba86a55a938cc77c874b75c791f9

SHA512
529ac84eb02d12637e03b8e08b35edaeb9395a44ae30159af5b3103cd803627284c938771fb43695c784f0eabdc137c236f7c6d3e02580a6d0efe03c228a765e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
45KB

MD5
fc8f8792845fb907e8872ce8e3134ef4

SHA1
2101ac94883afaac7398cf878f1cb4f8108ee9d3

SHA256
6d91e9ede053ef26a9d85156a5278aae543e5006b10192c22f3995872fa102d3

SHA512
a75f20f4412f1f3c00d8ceac619e6c2945ec5453d0e9579407c88e5500a83896fa04dce79f50547268e9523dde3ce3391e1f18d9eb748c6d5fa6c16cc4da80f8

Download Submit
C:\Windows\System32\alg.exe

Filesize
79KB

MD5
df21dfe5f765e2d6d3e5662ae0ee2d9b

SHA1
f102369628d66fa55319691c2af84e6c087e22a3

SHA256
3d3c6dc0a0af05cde1d2133c9c5c360771f0808bc571f0e60f7a4bdec1b60628

SHA512
c7589776eea4c860b9623cd0ce9aa4050d051829513089299424f1b4d55f79a105d1ce3244a4ab06195b0f2f84d42f484826da87aa07fa7e3368e42612e4db13

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
277KB

MD5
a1d17439fb1ad3cee97dfb024d9e40bf

SHA1
58dfb335b31f2bebdd55da75e5cd68efec5e4797

SHA256
60e50d11e1120e26b3390707abbd3926581186055902ed5050c257cc9d799483

SHA512
f6ca2252b8f41ffc2a6c3b647976603e45d0cc4db76151ff84addccac93467e3f34a374d5c337557b5ad1e028cf7b375aa8cd6dc5ec42a6065ceb3f5375e75b2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
194KB

MD5
ead1cf7a3a4a0edee916d3257876c8ad

SHA1
5a1dae2983775289091519b7581f863ca39a30cf

SHA256
2ded1298ed1528aff4068157e6c26e53a0a944779ae57dfd404b5c79082e7721

SHA512
0e9d5bd6e43f3af68b73825a552e3d2a1ad2615c0c1a05e3088a4706ff6426bc2b0f953ea1d615cfab285fb0ff2d749d45e2410c2512f8b6d7d87a3ca05f21cc

Download Submit
C:\Windows\System32\vds.exe

Filesize
41KB

MD5
7b6da8f7b2d47b1cc8ba0d2eeb2f812d

SHA1
5317f1356a1f0ecca0ccd4b91dfcde89b290dde4

SHA256
7d0897ba3a2f3430ebb86fd397a2653dbf3b6b0aa8efa53772c0c042a739ee23

SHA512
2729174a0b83b202883ec8b2d2718446a6195125cf8fd781ba75255cf6d9778561f421b43bfb284bef92ced53198c37b8838e6b2789a4929b82bda9905cc17bd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
65KB

MD5
177ac393256121d1b0d74db55e13b4ed

SHA1
7b49a9b0da2e8644e968bcacd4aaa5cb2d11f744

SHA256
deb635c7b5cd71ade525a6224cfbc1cae7e5f741817add9bd09a17d2858ced18

SHA512
58c76717c9fa9daee4b5801bb22b0fe650b39ea0c4266e96031417a49ae51e207edb9ab26ff3b353b4c878a5a21ea84758f5bb3b09f5ef1747653a6a8e4a1b6f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
72KB

MD5
bfde374c08fa29bbcff0ba314d4b242c

SHA1
a99f1b676e29b7b746c2a6785ee14191e47b5e32

SHA256
0ef3da0cc781b07ab1dbe464156ce61f1f387d346f7668fe29fa4d4d3c18332f

SHA512
9187f53b38cb9687ca764433aecc6ff64f0721db973db4e817f72f4678487428d5ada903353d92f401705cd0809394b9166ef524ff233f92280e82babad5cf65

Download Submit
C:\odt\office2016setup.exe

Filesize
159KB

MD5
ef5db57a52b02ed6297a63a075c644e5

SHA1
19ddfd860498d57d8db9a188c9d5fae1e498ec31

SHA256
4012db065796e3877f59abb807ddd45bca0cd476284e9dc4badc189ac0d40b1d

SHA512
7e003989e14526d59b59c665e97c8eec71027bed6e5a31735f8bec7049fce653ff2141acea010193d6711d5388446785874b4bc938aa9d7f7c783a732d3737a6

Download Submit
memory/8-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/8-467-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/60-286-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/60-295-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/60-348-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/456-6-0x0000000002410000-0x0000000002477000-memory.dmp

Filesize
412KB

Download
memory/456-12-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/456-1-0x0000000002410000-0x0000000002477000-memory.dmp

Filesize
412KB

Download
memory/456-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/960-597-0x0000017E8F940000-0x0000017E8F941000-memory.dmp

Filesize
4KB

Download
memory/960-595-0x0000017E8F900000-0x0000017E8F910000-memory.dmp

Filesize
64KB

Download
memory/960-596-0x0000017E8F910000-0x0000017E8F920000-memory.dmp

Filesize
64KB

Download
memory/1168-63-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1168-61-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1168-237-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1168-71-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1220-254-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1220-263-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1220-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1220-268-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1220-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1468-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1468-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1468-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1468-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1744-359-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1744-418-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1744-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1780-306-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/1780-362-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1780-298-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2016-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2016-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2016-331-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2596-376-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2596-312-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2596-318-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2792-594-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2792-415-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2792-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3008-15-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3008-14-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3008-220-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3008-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3264-448-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3264-454-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3572-338-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3572-344-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3572-405-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3760-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3760-336-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3760-279-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3788-431-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3788-363-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3788-372-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4232-428-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4232-419-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4360-445-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4360-385-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4360-378-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4536-249-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4536-310-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4536-242-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4536-244-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4612-441-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4612-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4888-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4888-398-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4888-404-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4888-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5036-64-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/5036-67-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/5036-56-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/5036-48-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/5036-49-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/5104-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5104-33-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5104-26-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5104-27-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download