e5cab1e11f519c1cb5605ba3b29b3e2e0be815e8bb98885ffee51f9401c65824

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 10:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e5cab1e11f519c1cb5605ba3b29b3e2e0be815e8bb98885ffee51f9401c65824.exe
Size

1.3MB
MD5

839fe17bbc8c893cc24b9f0dc049c70b
SHA1

3d4ffeb1539ec4413f594e6d4dd135f05ef55e32
SHA256

e5cab1e11f519c1cb5605ba3b29b3e2e0be815e8bb98885ffee51f9401c65824
SHA512

615cb904d680ef245883a7502039f8d8180802210b67cd2c4027e12ac16cc7197bb2240605c9d6acbe3ca2456a42589175f50275758bc5248ec0c19f5c2c355c
SSDEEP

12288:SFiB+tfxaCt5Wgd+gkvMQDabQ82kbj3BmfWBEHN36h/98QPK0t:SFiBIxaCt5Wgd+Z0y6n2kPUfWl/9u

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1164	alg.exe
1760	elevation_service.exe
3048	elevation_service.exe
3924	maintenanceservice.exe
3988	OSE.EXE
3156	DiagnosticsHub.StandardCollector.Service.exe
4848	fxssvc.exe
1392	msdtc.exe
2772	PerceptionSimulationService.exe
2168	perfhost.exe
3056	locator.exe
3180	SensorDataService.exe
532	snmptrap.exe
4864	spectrum.exe
2124	ssh-agent.exe
4408	TieringEngineService.exe
3000	AgentService.exe
2756	vds.exe
4188	vssvc.exe
3980	wbengine.exe
2072	WmiApSrv.exe
1948	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de7d3d967a240f41.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e5cab1e11f519c1cb5605ba3b29b3e2e0be815e8bb98885ffee51f9401c65824.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\CompressRequest.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_153718\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_153718\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ec96643631cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a197543631cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c97edf44631cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019fedd43631cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056e5a344631cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b328e543631cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000425e1e44631cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f9cdb43631cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1760	elevation_service.exe
1760	elevation_service.exe
1760	elevation_service.exe
1760	elevation_service.exe
1760	elevation_service.exe
1760	elevation_service.exe
1760	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3604	e5cab1e11f519c1cb5605ba3b29b3e2e0be815e8bb98885ffee51f9401c65824.exe
Token: SeDebugPrivilege	1164	alg.exe
Token: SeDebugPrivilege	1164	alg.exe
Token: SeDebugPrivilege	1164	alg.exe
Token: SeTakeOwnershipPrivilege	1760	elevation_service.exe
Token: SeAuditPrivilege	4848	fxssvc.exe
Token: SeRestorePrivilege	4408	TieringEngineService.exe
Token: SeManageVolumePrivilege	4408	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3000	AgentService.exe
Token: SeBackupPrivilege	4188	vssvc.exe
Token: SeRestorePrivilege	4188	vssvc.exe
Token: SeAuditPrivilege	4188	vssvc.exe
Token: SeBackupPrivilege	3980	wbengine.exe
Token: SeRestorePrivilege	3980	wbengine.exe
Token: SeSecurityPrivilege	3980	wbengine.exe
Token: 33	1948	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeDebugPrivilege	1760	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4624	1948	SearchIndexer.exe	119
PID 1948 wrote to memory of 4624	1948	SearchIndexer.exe	119
PID 1948 wrote to memory of 4404	1948	SearchIndexer.exe	120
PID 1948 wrote to memory of 4404	1948	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e5cab1e11f519c1cb5605ba3b29b3e2e0be815e8bb98885ffee51f9401c65824.exe
"C:\Users\Admin\AppData\Local\Temp\e5cab1e11f519c1cb5605ba3b29b3e2e0be815e8bb98885ffee51f9401c65824.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3428

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1392

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3180

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4864

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3084

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e844cde8c03634508e32546a7f9024f8

SHA1
ed869a96e02e2f2190d52209707891529012ba81

SHA256
724a57b659357cba979a9d59ca58a3cf39afc02e9939c8fc785bdad7ef8fb688

SHA512
a4f61bba30571bea7e212cdf95d1d7031cb62e0443dd0d497408e4b056f209837bed0665a8179f35c44133c7cc7fd13f3669a9770dbeaa0fc1aa18ec216879a1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0ef6d7d0fece4a02db59ec3354908311

SHA1
9e0705a8eb679d74e20a2744ac61a6c442f1ea53

SHA256
a932c99cb3f6a9894a0749aae214acc4d58efff131dc2909be71e47cd32c269c

SHA512
879d3fea04fde0cfd20745cc8f58682395edc93e649e72992cb6c69f7cbd8b31fc6f0881ae4068f047984cded0109a3c69b2702a6db92c070cd696d9d3d9b478

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0ef6d7d0fece4a02db59ec3354908311

SHA1
9e0705a8eb679d74e20a2744ac61a6c442f1ea53

SHA256
a932c99cb3f6a9894a0749aae214acc4d58efff131dc2909be71e47cd32c269c

SHA512
879d3fea04fde0cfd20745cc8f58682395edc93e649e72992cb6c69f7cbd8b31fc6f0881ae4068f047984cded0109a3c69b2702a6db92c070cd696d9d3d9b478

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
2361e90402cdd8e635c6cfe1f31d2acc

SHA1
8c353f72835f057737cd5f53bfe274157b0ccb13

SHA256
bfb901b21f9778f914ce2718459532f84e1c16073090761fec3d5d20bbe7d166

SHA512
27078d6e2d9632f220b1746f4326afb974aff58cc2a78cfa07a1ac7872e49956271401789c7ed4d01e344c2d9bc36deec53fe4bd5624ec6851419ab7861c60de

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
b392639b0e12d30368d9b03f4b32d7ad

SHA1
de36caae9843cc9f37fe1f586a6008a51d81ef72

SHA256
79c7bf9726cd55d9bd7da2eb3506690fb6b8e70208dddac7e546984b72caeeeb

SHA512
3257587282bed887dc95f4e2f6a3b7276dace506b34a19487ee814138ab8819c5fbf2fd706dc4a8992db039030bcfb599fe7c9ae95781b0766444b24a1bf52d5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
f7610203d670e9f63f412e50c4fac7c7

SHA1
39f9d82b058af203337ce2923a661648b520c726

SHA256
75b43857184e2711151feb9cf4142318eaa1519a496ef37a10e07889c9f6e867

SHA512
1908c02b2d57b78c956c72148051af250fcfb1ca8bb66a0cce40e5d1a19ae318c5e327f8253664e7fa5a98ea3ab91f73524c4ceacef778d142d20f6ea23d8c07

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7f054f893bb96ec403798f188dacf240

SHA1
21b551f429c570783b9b386127980f06260c4061

SHA256
12f75e11f6a850ab84736e9cb11b359e6e26767b1b1a885bbcc0427cf516f9c5

SHA512
43640e05348b6e40cd2366a05891f85be8758e225015ab626ae9b8dcd76f9bd04658d238d17d418db6f3bb7ae12414437bf4d1384b011e5ed6c31327a60fda38

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9bc787c1538c35ddfd06ba3de98ea204

SHA1
93343e117c13fb9cded174b62bfb0f146f852ae6

SHA256
d8f880d5a86a57dbc060f105729aefd60770ca6a1f1c6e53de2af7ab745fca05

SHA512
94f24dd4c621e89880cc51ca0dfff601f24f744545d5b0a921ea33808f667d58e053e0a648646063d8c40a27d97b3e4e4cec7bd14eef1c3cf3f6873788530068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6176500925156f92cf214233c7c5ae21

SHA1
82505553b214b6bb726f4e7bae3c208f1810fbf4

SHA256
40aef6e3e619a35be14435db6dd806cf2754e2f8aec5133f3b4b36bda6990b17

SHA512
97c46dc19571532f5179491f43c54f423d1c34aa32ada646cbe648d31348df98b271743746eda3faff626623c0edc4fa203c82f26487d1301c3edd7479c77086

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5177e037febd5ed86b881695efdcf2bb

SHA1
bd45113337bc672eb9abf0a3398db6eb81291850

SHA256
4a85894eafacb218be8ec194e2dea34d828d6aa24b8e3d9d4987cd9b85adadbb

SHA512
7d191517279a775b6acb0ebed4abade21fc5502cc986897226da7e49a86b598fd4042ffd5a36c2c6b1949f05afe812be491fe07420745b37a456659d91702cf5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
598a75b27358d5722f305bd0c314aa5f

SHA1
89c0c8e9b7df0b5e7d74c4219800b2cc66ba7a79

SHA256
a4dc2fc35ed62c8938c41ac1deb3c4faf3fee63e42da3347ca1f96efe8bd6f13

SHA512
6d823c1245d8c303a45293027950dc3d337d1fe4676f351d6486a01f7b0bead6bdb764a31b94a6a3021ac64bbb477e664c2d4c3790f84e8265f72cd02e0c0ee7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
23c017f9e162d120ccd8d483ae09548b

SHA1
a9e70b52927a3c66419b5d258b146b3984fb79c3

SHA256
d38a26deaf5f21c346895514858eae85c6e8aab22e17a27f8ed1bf065291f9c6

SHA512
5d8910fa5bd9c8ebe58132407227f20e81744ed9a1568fb8e3554ef7848cc93935bb1a42b17589e2275f15fef4833cdd64a9101070fd8aecc0846402fab24eb5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9c0d8371cc9ab4e0133745d4599fe69e

SHA1
fad9f92967a433a2196e5733996de6abb54ee007

SHA256
93be8b3843632ed046095bd66bd64b9323450ebed385dd1d3fbae32f87b36456

SHA512
04014168dbdd0a76fc462708fa61d04e94870ba4fa9803fa4c0cabd9b259300d1def73c90a48f73b07ff4ec0fb258d6353e068f8317eb3f615beb9a4b32502bb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
1df1162343ea85466e77169a1e8d98e0

SHA1
fb77e50b12dd1f0ee0236b9731c10386e251e5ad

SHA256
593238f88909bb8616a6de5fabda05f1056d36e062ccab9dc78c39c34c333c81

SHA512
a933b95c4b0a59c8487e4b0e61f4330ede6bc261dc68f8d41ec9879ba66ff622e5b918f403a3f6328205bc4a3673bfaac3d2d3d94c559abbd7a5d3c8ff723b12

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
6fc33d0bcd4a792115f67f3f4b2aad23

SHA1
a566b1b63d27d0fd7fc993386dbb21fb05b4f791

SHA256
81f62bfb87183d6653138eff6771e2d8344fee38d6df0d71a978383d89a64670

SHA512
ee1c7fa315acae82157b1f26e976faa6a685a686e55053e1d91cc986da6c44879b49bd89f3bc2445f24fb81b5f0abf12149caaa5536e5f9d4cebc790346d3e7a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
57ca2b15e7f9e06399786b07a295286d

SHA1
29f095cb4aafee438fe1e5025c30f3229f348b05

SHA256
151e0ebb1de2a41c1504a969867b1dfbb9329996daf6e0e12d1fcc8b009a7167

SHA512
4733f954f8550a880139b966f57b62af1f445adf9a6efb142c92189ba7e1978a256ba6dfe21097878242210aeabca562ade996337246832cf121df3f4f9b08c2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
13c9cfcb2377a97d4a0986a2945a4941

SHA1
aa1a7914d835aa72663c9fe14309c5d1e63585ad

SHA256
3c8c8a4b2c224d6fda1befff4a059b45f95638a4b04b796864f37ace7fd68d60

SHA512
7b00c4b72a9130c3454b4ca6dbe981629b9eeaf03e12bc87b6778662991232624d971b1227c568358e3f38671627eceff290bca0b81b8ecbea0df9876db36cab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
059c7db073e195e5bad50df814b79848

SHA1
6a650482984bbb3d60fe7953610c4a49fe410978

SHA256
641c91f45fb3678c15ed2846f006259bbd245ff57ce32f414aa8b4082289ef9a

SHA512
bc185e34b851e836e13b6129d390e97199c5af2dd415fa2c0525825f206077bd79fc85aff22fd2804d3bba3e83a847c8cf655e2f2e61f7ecf17260981b5e5ac4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1146b2ade183fc880f04644822551cde

SHA1
7d6fbe50168c83302242ca3234c863ac2c46aa2c

SHA256
e79022f0753def903ceb38f96b021554ab19242ad25f4b9505e748e866c71922

SHA512
5774e22674499036e884d1744dfeb99fd05f7388d1ca9de044a1b4368f230782d1ea18ef6ace932b3df6d01d9c67391cac089f2b6ac2c32bae6cc0f01b8ce2b2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
62d5bf0f862e779a2fcfa1463230d6d0

SHA1
87fb173a2525e20c3048c98707a1a11cffe09afb

SHA256
2f7f2209cfd78ea3dc28b716918e3c895dd75c50d58dae34148ce3255545d2f0

SHA512
f3bd0227fa569ddc96cdb905e035421b9e6de462c52d97cf5f3702d69f572a6697484cc94b1d616500823f66e76bd4783474a2ca3d97054516ed29ce6e8b6225

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
497979c1c6951a95606aec780e14353d

SHA1
8989b2bb88ef1a69f422ce73c7ede380353dc884

SHA256
f9f51a34ad103223b5b563b07fd089ad014e1b0600e50676b2f728b4f34886cd

SHA512
37a3a8eef01396864a19461a5d1f17bc5f5105515a47af8ed1793732db8ccd80c4910d80d88076a97bcf8b927fc6cf2fb94d8099460549b000b3e9d0501ee8fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
897a95d96c42f4244513fd675f0a9839

SHA1
f57adab392419488f867f9a9aa4888c57e8c7267

SHA256
840baa0c018ddca7fe63c9e62b8a96ee7ef6ac7e13dc732b3c6bfd7cb4671038

SHA512
48139dbbb95fd3d0236d75421a48d96c127e5eb5e72808c1b19a18ec6ec721db7e7864634ee001db79d5155786cb8ed8c5968cda7376c393156ce04c2bb5dc5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b3fc38ef4b9faf29fa75a1219f249783

SHA1
261ce14e05dcae6748b37c090a9eb59e9645f2ca

SHA256
01dfb12b8e7d00e8642e576de0587015f6fa364fec3c0abe83a20136c3a54b03

SHA512
5335f53d6e8e8f99e0c83b54ce0606b6e8b339f765115120fedf0f2c6f0e56b0659dd4cdcb5f1e2f4bee919af0c10936b0f22e91ba0c4490bf4669d3e3b0ddb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
22a4ba5341ef5c2ad40cf8ccb8ab0c93

SHA1
257fcea526685ff5895b6ae3d2772553b102a0d8

SHA256
907495d83eeda0144a906631014bf8a6d18685dc5bf9de3e7371f78c86ae47fa

SHA512
f174f06713a1278165fcef8fa95cde8bf1199dae58b31a817b3449bd1c2a469bacb6faf15ed483a7749c51c3d4217d9c86bbb0e78ec223316b1883cbe401b2f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
9187f12da1a3da98a1c4e1381a1ad1aa

SHA1
02074cf6014f232285b369d877ccaa1302d33b35

SHA256
a12ba074ca84652347e3a9b305565a50ea01c08db624d214684b5a2c23eef4d0

SHA512
1b35a2bbd80f4d59bc2f601c50f4f9b536c7f546d88c1ae16ab7971cdb4c017ddeea44d202d80b9d477dc2aad95d3155c4cf6d5da96dcc7b29481851d44e2b0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
5b5dc1c976342721d52af7d71ea3225b

SHA1
ec82b1a0bddd1a4545b733974f8bb517c5b38a3b

SHA256
0c5e28b4d7292c1148bf2587e1f7748e7fd7f256c28999779d73ce8b6412cadf

SHA512
4068614c8a8bbbeff2633982d6ddc37b2b9940802e6686a704bc87955c26a3fc041f290b85973f08452ea35cf560dd3a46997d2718ba8ed6ed0461220c15d113

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1c0c1adf6099392ca5cca11f91575f63

SHA1
f123db3061c7db1c22fdae4415aaa31678991ee2

SHA256
d0513d773575fa42c4fcef159903bf89a9f0e9472b19448d40568acc86b08f5a

SHA512
cc0e61d4d9428c1994270211c752d0ec13dec032dec3783787285ebb0b5607f6684e3925fe9286a2794cf587a45bf03da3533c8feef3579cfd532778da9085c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
1e0e8dc4d06ebf4f38ce30f50671b1b3

SHA1
f5f323c17955b7e4dbb6a9aab9444802adf767b2

SHA256
02179178f2f82355d233b15f1329f42d7329e6ff1dbaac936f24fef214054c32

SHA512
8ed62046b323c206a6bec95eebac5011d133a180ac11865b5c5b91c8e21cb46ff66f0a911ce0ea372c40c8e3ff5162fb33425245d50d985a65267e9745626f95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
67fd70e61cd04ae40802bd9e94efd88d

SHA1
e9e05a84899d24372ecd0c7d8bd71d0dadf0fa51

SHA256
3026a8bd9fca58c8142e2b41e3c124db3501a2ea53881e5a6532b920ca183e78

SHA512
104c2ea53790105562fe88b8a741bdbf02c2fb9f43101a74806c98d2a131d6498514b0f4afb2bed25e54d7292e5cb1575165180c81e3de28818b9d44219c7705

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
5c5e26beef54b0d8b61e9a175fdaebfa

SHA1
cbb45ed7237dbb3ec5534f0dfe69ceb2d8a5bf15

SHA256
0e063de545b98b847704ba73bf4f117db57c3fcf53fd6b7615b6dcc394cb6b4b

SHA512
937aa22aaed069c675077a3656e02e01a3c2a14bed610565d7c739921adcac180545dd5187d4f8e5cd98bc937d5138a680b93b6693ad1dd193fefc1a9b976e2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
c2abba62bb7fca7bf5464b53f06c9386

SHA1
df692e832093f7925b295d66d6a18c9b5ad8be5a

SHA256
78a49ceb6ab8945aaa7c0f9d3f8f9cc62ffe371709eda8158e14641b5f06de93

SHA512
368292ab5dc83ad1daa18b3a6918e3981e41669575e538e9f8fc6efc4edde42b652f0d2766fb9945e795b818f795e2c417176a815cc884d582f2246e3d875103

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
de460bc833ba8722e0b45d0de0fad5dc

SHA1
2c9663ff3e9c3780671f491e14cefa9ae5b6f6e9

SHA256
b4bc5c640ba1e776f514f0b1d8754cf135c8b005a4d7165000bcf1b88b53ffae

SHA512
d0db5e694733bea829418594a0d8b282c8d3cb3312d7551b2338a685f37611b6f6ebd27c51661dad2098094cde32b6fd092591bf3f4ab663f776da90b661c4d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
5936304297f963424c75d8621b669bb5

SHA1
40eaa708f45d23d271ac321ab81ef78433c17e33

SHA256
7e335eebc13688f57685c863b717d1269bece42ab8b213b0454b9fb1018f52ac

SHA512
8b9e93fcbd570ff21aa2ae487b30f7f3023aa2ef1940497eb65e21fa0fb9e8c69fdf0417d946885efc418fe512fc522eeae2b18062b5e65a03348d2fa4787bb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2d6e17c51d7148141fadec81887ca19f

SHA1
e578a842b23ce0c6e815cde2e1d1165b473edf21

SHA256
c6761049a78a88b94e427487bb6111e79c1f6ab96c1aaa7d1fb89e4f9a317a91

SHA512
7fc9e3eb7e8966588e51b480d53e78ad827662bad7781bda4c3b9b17bc6abefffded297f4327e278f90c8fb59316838dad8743a059535ff8eb0275e4f91153ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
188f8c993016539fe8d4c4844f5541af

SHA1
5cf074838b1ad77e892072f63b652c80d4db772b

SHA256
5dc872b9c7f1d06406713232f9d9891609ac2262acdb72743ebde0f749974499

SHA512
67439484b395b2c0363d9abe40b35831a760792ade2f5ce7faf724a7b2d4d19817618591666e6f38dad37f90d737d7a9c5762cb375bc54a0c04567a2333cfe9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
efaaa546cc19c426d44f4d29f105e7be

SHA1
1a1dbaefb0fafca6d223075e33bdf0ca8a95192d

SHA256
2b73d31e090b73fdae31e0aabdad06c78754383ded1364073e238d4b0b5a7a30

SHA512
1f087329c08993436e1bd66799e4f6f6ae2287aec98a9611dfbc27a80f47baa4213d0bd9ed45dc50a705ecdf0a215b87a269ebdb6379c7698f4699a9a1745d83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d444952890c35278c0f4f1900d1ad232

SHA1
b2eeddadf51c2e63432b57e44937066c1d8fd591

SHA256
c463f2e77f6b42156dcc6b925a73baf742ccaa9e2242d9868bde7447373891d7

SHA512
294b505947a68099269a3ef73f9634be52f9425347bb863d3813ebbbcd3966f4b7a252cf3cb16d5ae264f66aac9d8e16c45e8e53311d315d525ec1eaa120930e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f93a799699866fcd359fd8a0004e0147

SHA1
da3e8f7b4978128082ab1d254dd9cc28268a121f

SHA256
0a3b255cdc3adf95cbf6b19316fdbda278c456a0ec6aeb440c63afd14edc1fdb

SHA512
84a99dcc5af5daf774c770ac0dbcf9e44013fe0752b0670c4e6b4cd85ee7180fe3025ce96320085f2a6ec0283abd11189257058d0ee6e2079c88b08347abca81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
369063f724983c8408f4a37369dd3fa0

SHA1
6af9a9cd4f74e98c3e8b4482ff56d02e90d24e65

SHA256
5b683d98866258df49704f195037d507b2d2eccd88b63110d7e7a30f9c38b3ce

SHA512
90dde33bf4216c99bd153fb20502dabc86f72c263151fc4a8f687ef003f022c12d9cae17b9357405918cd8146d83b31cd99d68008b4f0ab4c7baa76cf12d1e7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
e6456aaa43389db94b88d26d707c9675

SHA1
5615bf8980a817982d5d1db6058c3924cae09462

SHA256
4a0bc2d277720727387dcf948c9384f74d7add6cbf27781802ee854fb7679cbe

SHA512
f08d9e504c9416a0328574c6d9b09f94db7ac2bed860593fb36116b3c196eec7a9c2d93845ddb8300ff66ba7b565f3803fd0d2b61c0b2f9ab890d8680d2727b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
5cb940a53848edc553e22a6e7c038de6

SHA1
d29e9b9e796ded3c85281568f5a66e72f2b59d75

SHA256
82dd59a6005cdd39e48b30148c995940a32e54681cc45491f43d29a18c023a95

SHA512
717fec7efa1dff37920dcf28c7e1a67738a3ce9b2491567252db4832f50731ea96db504f16763884c22e99ad7b8f14c79fe7e5b2a2e1dc68c9d39ce2e59af243

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
403cd3cc31491e06a09a4e85836d5b91

SHA1
a60312b2e4f615472cb9901c03cd7f1e90d3a964

SHA256
99c7d481bafe83eb0066b8ce322664775f175a640f57e92b5e487bd9f7e9e22b

SHA512
5b5141583e2b296f7b81890715aad48106b466a9728f3aa7eeda863e1c2a1faffafb26c878e22b1633d32302f74fb48feb70ca71afac5eaa5aad2fea79f0713c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
72a8c87978bcdf06f66d0ffe871a45d1

SHA1
d3c3c712d4eac75f66af4d4be184e1ae2dc9642c

SHA256
dc3678b56535acc084150b7b5fd75994575a210b8de2099e183429b384854722

SHA512
cdc2d725e9d0e0aed8ed3f9f7a4adc846a9d51200db227fbe0ecb4b89e2f166a0fc1a118d2548b61c5c4610d3b14e4374c5f29433deb9936060073f43e450095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
302e8ef3d4faecf27784040adc9dc1bd

SHA1
012221e9ed125925137dece6d848152de74edef0

SHA256
a6ec5dd56c2fd4f064c992966a962a350d4df35ad092e5de0ec0e54244e0b3ce

SHA512
6a4edf2594006297049b0b330766c5663ca715a2bbd889f2d482b92e3d6fdedc0a06080c0debf9874ab859a8b5b93c77260df4cb29ca1237e26d315e126bbfbc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
28d4027d9a36b7ce079a7b7b9aa01bb1

SHA1
351eb8ea403363e949d57cbf3f57a6acd18c2e6c

SHA256
cb7d164331d757425dc11899dd9f88c220b9c62e8b6960f7f08809191f34cf0e

SHA512
54811db9e81d9455e2662e5f48a56b098dc8aaffc012af06bc7ba4bd4edcc37bd1a5ad982fddbf81ee0264d6ab66ce57ed15e87d0695abe696f962658dfe4ffe

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5f4980c3e9d9d00d348b94a067df0c67

SHA1
c715623dd8f5f122703d9a39a599bd16f83fbb2a

SHA256
1e9a57c3f7f175d25a58f305dcb7ebdfaca87ce31877822f741af3a8c07d88f7

SHA512
f5d6e878297c718ada55c637369ae1e4db260a3b819e0a9f3fb9b0ab61b62ebe8221165d8caa1c509d9499cebee6bce6e4ebed5ccd20cfe771985243f12bb034

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
130ae7d0ec26026b37b72161136b0487

SHA1
804eee70ca844a89c25552bb01bd442f7e6a172d

SHA256
9c1d322e7a6763121e80520106c957c8d45034ad5be0d2fa4b396cbade3387ef

SHA512
fe7c8adc7aee898d5588ec0a441a49a741a7c700d97689819f80c0734340e3c2f569ec41243943a979a058ee4f6fe3ed2935ce0bcec0a33ea446c81c9fac6e5a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cf059e29870f94c286a2cbf75af901db

SHA1
e35f60b985dc7848bf4948e071f60fdd0f09b796

SHA256
419422ce34b958fac02229e351e5d8dc8dae3961d632852581d175cf4db1e405

SHA512
4a2983ef5c2ca495f80d6e25999154fbce03e47cf40deb506d0cc29241dcb7337ca2f5fc68c76b7a3a8b936bfc5640bb8135cac6c48a69ce65d68efc2e7b15ae

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
eeb5852d95f9e37741bb30436fb5e708

SHA1
54772d3f4019ac7c0fdbfa05e96c1b267e526486

SHA256
cb7cf513d480a277a0c897095750b45809726033049a44bd73a1f7d39966c65d

SHA512
4bf23e84a51aaf2e2caf7e99cc7872746d2bb473eb1db7b1f32d21902e7202176b7d74f251885142dd9a4134baa650b12d9862f53c62834ad9871f9cda5a9391

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9adc2a9f125b8cb2c2b32093cb42ce8d

SHA1
8f10cbcbeb7314ef4dc91a85f19e62971ad9a219

SHA256
8a55bda323507fa9c162265f43818162e067e2c7fba7a18d5f9de793c31d4b77

SHA512
e166f6c4968c74156fa7e1bb14d80c8c711070e337d94450046bcd8f1b17d4e585af548091fc0ea5f8a50d54163c6166661742377a14eda030016d82a9bb8805

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9adc2a9f125b8cb2c2b32093cb42ce8d

SHA1
8f10cbcbeb7314ef4dc91a85f19e62971ad9a219

SHA256
8a55bda323507fa9c162265f43818162e067e2c7fba7a18d5f9de793c31d4b77

SHA512
e166f6c4968c74156fa7e1bb14d80c8c711070e337d94450046bcd8f1b17d4e585af548091fc0ea5f8a50d54163c6166661742377a14eda030016d82a9bb8805

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e3cccaf8041e2b81f9701dd4e2b87669

SHA1
cc252dd9a7e2b6ad80add41ed7e75d93062446ca

SHA256
b0b2bdf8d18e110fa82b2455804bcdfe13c59169b3da40d9dc20fdb15171b342

SHA512
eaf2abd2154e7277c0d081aec9270953e8f6f2bcc9bb6add9fa9674b26910cdb50203d9eb8721449ba1be68d65153f8b5ba819dac10a75cf5e01c084f7c9a1df

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d81db93334312e43046795bafb2af502

SHA1
4787d47d15e3c7c80604ef1af34dfbd5d794e77c

SHA256
327f650295dc01ef421e247fa08fc9d02f5a4ab9b59bd5b1b324307e5608733d

SHA512
ebf9f84ac2887bdb22febdadecea465f823b4cd76edb1481e3974a45e372353f83718dd3e68b82ba5c187c436621be3f6a99b6347d21a32da50e9c67448a7527

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0e5510f9c9fa1807d8e2056e4e7c7f60

SHA1
14cfb90198458e53f65fae95d119095b45f48bb6

SHA256
09d9f7f0a952b76761491dc26c59d80d0ec001330308537957de34d6b9a13a22

SHA512
556c32fc7aa911198076ad01966b16c8ff03ed9a75afd1dae14853cac911b6f56660fbcc6dac5b5c5c92cb5f3341ec95d43936c37040e9101e56c90fa60e9feb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
06eea021c6a73e490e085631bb37da4c

SHA1
9068e4a784067e6da50cb66dc3b7c077513c858d

SHA256
aac369d70fa481eba0beb0c5d65b9d737b188f97d6a3feda2e20e4a058e6b6b7

SHA512
7238345a07cc8a355c00102007e41e832cd7215f8a7684c8633c6315efdcf0f56f6a296adf30ad5be5212ffd762aab64d666e692570ae396479e6e793fcd478b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0bd16c3bd6f6e41c76675ffc24049148

SHA1
1eef2835c87eb16852f2211d01b7a5cea05547db

SHA256
5f7344b9102479cd2147b0dfec7cc5b220f7b475a673536b7b05b9a39603b563

SHA512
34d6cf369ed18632e64c25928d16aede5fa153f19e9ba45de71e49828473ce3ac08165c012bd670c5b9c52c8298d13f2b87d8614e9dae4cf6b7baeeaab93cace

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f0ecaee89b545c59daa4082e9f4e4925

SHA1
00bfcd465c4fd37eaa53b13b9bea4099f8b8be9d

SHA256
aeb426a96da7cd2195a1902c1a3dbe5f3f61409b32d2bf91f4f239445fa841e0

SHA512
4ab825db32bea8b8386991aaceaf35698a8d6cb1f79f97c3f7770f27888bf9455ee9686a44efdce7038cd8efdbe2339227e755f20b1e830cc71fc944d3c13750

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6c96453f4adc81e94dd5197b19170d7d

SHA1
84cf70070ed79a9c244d153f44c76e8bca67f10f

SHA256
7f513342a4bed4ce287a7b00ad8516c3ca8de475e123c6622ce774d265ddade7

SHA512
181752709d6688303bc67f4da6d66bbb04f82e6b1ed164dc74d3a09e2e570fd84f8f63527c5cc89356a3d95785675d9277d7fc832f7aafba4d1629bef60ef583

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8500b41a6a2fc355b43e7b7909a2693e

SHA1
49581c4f7c779deebc264fdd1395dd3e1b5c08a6

SHA256
b6d414386bb256cac292c05acea3ac194b90df9fb7bd0cca68c7a8e165d77d34

SHA512
d801da3d58b16eb7f203ecfad69d9cf599ba15c55d44a3cb8fd94d68b8bdc1c8f1f4996b8f25a40082353f766e513286692c671ada19a565e7d6330457e780d2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
972c7608332347990c822164a708233a

SHA1
90b2777fba7fbeb4793e0e7a079202b28e85b359

SHA256
c1dc72e408a83a7d4e4cab91d01a2bb0d04362f269b17b916b596b54e9993466

SHA512
14adc8ee37bae7cf625a2a1ca6ada9dc3b8ad974bd6bfd39fed54a31ba93bc9b97b8a67295b192b51cd274558954ebcd5a97af25d06355e3685553c3e0fdfc40

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8579343a74d87dd027ec89ca45f8e40b

SHA1
fe0df84fe8d20ddcaed228bea70ea04151f4ae57

SHA256
05f874a7f4847680d384d6c236ae3dca57cc348bf2642a467b3195d2063ad005

SHA512
bd169b983c578bd3bd442cab6e70924da76295446d28a5e447476dde01d45641f73483600b7ff1b6950f032c71b1edd32a11bbc5e67f6d78f3202ee672b0796d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8b5ec816b4c3b4a504773abc8b34f8fb

SHA1
c05dc35a6842157e18f3ba19dc8cf891321c491e

SHA256
6aa81c4c9190c5bd57e3ae0666531ef7b9e3554e35ed430dfdd95adb0a369c49

SHA512
2fd6f6aa00c84ff50945237f054c89b9bd09fae8941e08959fb1a245c698561695ee597853992ad215affa2b76f0b7b92951f7195a59f323e50800cd50a835a5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6327b14c1f2871a613ec958e9f2a3675

SHA1
1a2f064ca24d26329578cfc17cd149ec6867d28c

SHA256
362557281bb37dda0781c812975d7bef058addf91f99c483dc33e23adb2cc997

SHA512
14680cff265720ecb5d2ba0ba852b0307241ca3ca84ea7e3084fe5e9f915bb715a0b52853abead1f63400e57cb6b519414f73984786e3f8c91017828cb4da54d

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
592fa659c33332ae36995e70b5636582

SHA1
4f796b4edd8b0500c6fb0a3ab3cefcdf82d0f4cd

SHA256
c06ff63315e30b35456fbdbb4a37c967c209c77a0dee149f8431bf0d801b3ac1

SHA512
ad5849d334b8cc45e3f8270e95c68e69c6099796891e99e64532ef4f65ea695b66d6e2a5345fe8e302d4ccfcb8554e0202ff9bfe4e9865a14643bfeb3b00ea24

Download Submit
memory/532-329-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/532-339-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/532-400-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1164-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1164-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1164-15-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1164-150-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1392-280-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1392-337-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1392-271-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1760-230-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1760-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1760-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1760-34-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1760-35-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1948-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1948-461-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2072-449-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2072-440-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2124-366-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2124-356-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2124-426-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2168-365-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2168-300-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2756-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2756-411-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2772-350-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2772-296-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2772-287-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3000-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3000-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3000-398-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3000-393-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3048-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3048-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3048-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3048-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3056-313-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3056-370-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3056-303-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3156-244-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3156-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3156-250-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3156-311-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3180-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3180-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3180-324-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3180-539-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3180-392-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3604-6-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3604-7-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3604-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3604-14-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3604-1-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3924-51-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3924-50-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3924-57-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3924-62-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3924-65-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3980-430-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3980-435-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3988-73-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3988-64-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3988-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3988-238-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4188-423-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4188-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4408-439-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4408-372-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4408-378-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4848-265-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4848-274-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4848-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4848-256-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4848-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4864-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4864-352-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4864-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download