81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe
Size

706KB
MD5

e58839830c226a7280a777d6dfe7831e
SHA1

d8ff0ae9423c531e59af7a6acca8cf104f9881f6
SHA256

81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80
SHA512

3895fc5d98c17ee0abe98f48b9c8de3348a569cfcbeda0999d3aa5f0425484984420ee44238d79618f3ee2d826331b0e6e88531787578d8fac5ff324393fa34a
SSDEEP

12288:rWiB+tNFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:rWiBe8NDFKYmKOF0zr31JwAlcR3QC0O3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4192	alg.exe
1020	elevation_service.exe
3724	elevation_service.exe
4600	maintenanceservice.exe
2736	OSE.EXE
696	DiagnosticsHub.StandardCollector.Service.exe
3064	fxssvc.exe
3756	msdtc.exe
1472	PerceptionSimulationService.exe
1000	perfhost.exe
3188	locator.exe
1984	SensorDataService.exe
3228	snmptrap.exe
940	spectrum.exe
4380	ssh-agent.exe
1588	TieringEngineService.exe
1740	AgentService.exe
2980	vds.exe
4584	vssvc.exe
2640	wbengine.exe
5036	WmiApSrv.exe
2608	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

alg.exeelevation_service.exe81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e7af7d841f063bd9.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A187A4B0-CF7C-45E5-A279-8E9315C5F33D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000682966eaeb5dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a12785eaeb5dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093dc38eaeb5dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f47936eaeb5dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1036	81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe
Token: SeDebugPrivilege	4192	alg.exe
Token: SeDebugPrivilege	4192	alg.exe
Token: SeDebugPrivilege	4192	alg.exe
Token: SeTakeOwnershipPrivilege	1020	elevation_service.exe
Token: SeAuditPrivilege	3064	fxssvc.exe
Token: SeRestorePrivilege	1588	TieringEngineService.exe
Token: SeManageVolumePrivilege	1588	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1740	AgentService.exe
Token: SeBackupPrivilege	4584	vssvc.exe
Token: SeRestorePrivilege	4584	vssvc.exe
Token: SeAuditPrivilege	4584	vssvc.exe
Token: SeBackupPrivilege	2640	wbengine.exe
Token: SeRestorePrivilege	2640	wbengine.exe
Token: SeSecurityPrivilege	2640	wbengine.exe
Token: 33	2608	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2608	SearchIndexer.exe
Token: SeDebugPrivilege	1020	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2608 wrote to memory of 2364	2608	SearchIndexer.exe	SearchProtocolHost.exe
PID 2608 wrote to memory of 2364	2608	SearchIndexer.exe	SearchProtocolHost.exe
PID 2608 wrote to memory of 4304	2608	SearchIndexer.exe	SearchFilterHost.exe
PID 2608 wrote to memory of 4304	2608	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe
"C:\Users\Admin\AppData\Local\Temp\81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3724

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4600

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1812

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:940

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4012

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2364

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2f3d718f26e5fc4d0717d9f448a2e5a5

SHA1
1df876124d99356d8e4910aac90ff9205dbb9d1b

SHA256
602360a2fea52fd92bcaa47a707175204758a90827ce0c94cdba7487c7ff8670

SHA512
3d1d6484d3adf6cb22434d57c99ddeacde4d3ee07e20321113eef942c1474328de9c70751380178430768e4edb863a402412e8c3b689a67e2d9e7134813ed9d8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
e52bfd8a116fd8f748000ce3e7503e91

SHA1
777816f3ab178a0f039acf1fe13f0a12faf2fb2c

SHA256
540acb2a916f04a1be4178593b76dcb458a3079aa8ac7a26700635ce6f1a594e

SHA512
b5f65f18cee3054162f15fd9ae2d4a1afe909fbad06cfcfc0f9f2010146300c99fa6d4a376c5e775f586c3eb51152e612c88661baa2a41932088d7160f36794e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
de2f1a411d9a27df364a2c13257dcb67

SHA1
57d93e2088557ca6efa394ee3fa46b670642ca9d

SHA256
7941d0dff377892cf24650c6cfd497f2f1197bd94cb8d8d3b677852e5105def8

SHA512
69ef7a61020fbd84656fe37a16ef1cb00047928bcd233e65bab175fc1d3cb2669b35282f7d2c7adba90a9dc2d1f3872a9c5064fd1fc7644e4e1d9c40b048e906

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b84e312f41f0f181a634357be53a5e84

SHA1
ec236f3dfc326b2d5e42ec721ace8717501d6de5

SHA256
4163a5caaf730b8b35567fc6e292a3c2b167f883204e33bc5080ed7c295751a2

SHA512
4b62db0ba1d1debf7c64de8aaaa38824b892a8d8fc5553939293cbbd5f4004ac287fdcb5d19086410268b27ae9ff2a54f7aebbf0e7a39969508b363388b81d81

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4bc1c746fd5abac676c2dbb7c36f4ad8

SHA1
721dbfa316fdff7b5f9e7e682317dab921566df8

SHA256
eea686be0e83306c2dc3f6648547cf0b1d248a2da2cba39f4a3ab559d5212a24

SHA512
7ae69db5e3d0fdfb6723e24e3c035303455c3e42b7713101d2d175e2598b163f3cdcb11975137566bc7791be94d35868b55e6a77baa111a17e0d48b251dbf024

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
33adf721c68260d2ab42b85518292a19

SHA1
ad5e2ffd69c82cd677f96639caca01f468c8a976

SHA256
bb4fd2f6807b8fa6996c7e5d28741d64f20b0d323de6b8baccf398566a2ffaa1

SHA512
472c26fb928ec60f360207311105f493784974d129a2a155b2bbdbcd7768a50ecd8c14a0d8d547d56196b8ab10fb3d4aa21cddcbc58f91ce5dd4543d97811700

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1903833d706b749ba86cb62e41aa61fd

SHA1
876c0a7e015740f8072f9d209062aafaa1ee99cb

SHA256
8b75264669c8917b2bd2b2e848e66aa5c1671e49ef8a0677fbed0e68756e03d8

SHA512
b1705b8fab3a77b6a19f1e6b7390e10e9bf2d747bdfd0aae417f667b22c5f57512b32a3f34ae8b65012ae43f788d4229eeb4f9a90438fd531b3e5b4c6d3ef43d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f0667de6ff33813008a284edb6eec280

SHA1
5ada86bcfb198cd520202054291c0557165836b6

SHA256
2c7fa2073a0cbd13f4a3ffcaaeb9d8c8271a085adb3f3a0aa7456704907b5b0c

SHA512
2980318f6ee20df0b0fde571c306a5ef77744ac77ea119e36afe323ae2f7dc2a33696b8d717d1de8a01affb46e3e420c3b559d17c98b49771d8694ea9ada6edf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b0fc817b819adfc9730427a0c8ef7444

SHA1
0393ba7f4d3a1fcf11e54007cbaec5a0cc289bee

SHA256
407f6850b1d2662b79be460f3c3f0b286f274d79e7a21782b6ebe8cfcb0375e0

SHA512
09a0efed62d417b187f775732ee53e1f5eaee0b252b25ad04794a05ba67b2c7f4f85c939806503607b9bdb61215ad6f129c1e2183e9e4d8033d8dc983d4ac0ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
344a6f286172ebc07123bbaf2885f088

SHA1
befea6aa7827c0cea35464da9790043816340254

SHA256
367ee5e584b009120b32e7dd2afc77291a1e9c23042c0fd92df26d6aaceafa63

SHA512
f4c3b9a438b398447d0600b1d5d87369796f7e531a0f9e575d6c1d48bc61b3727a044f94d0af6e8b13f90ba909fe58f093cf1e7e5ff3ee8db00ed0464ef8036d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
31de04712f05bfb1a4aa3e6ed8e43ce2

SHA1
652fb6b776d4f133329de538ac436f85363f14ef

SHA256
c65752acf0588f11f5242bd9f26b75590ef83552b16a012303be41c2fcf1cf11

SHA512
d5ba58976d117165539d0677cb5d5028de6e73fde76088efe899486e7b64ee500de16ef7656fe7b660108c46aebefa86ac3e493b55a132755cf8c82d9ab5b183

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9b2113a433b62fccc706b7eb9f3d45ee

SHA1
35fc0b5f70784ab27af7705b8c48b3ca6bd65663

SHA256
6454b5ec699d673eabfa566b23282529b365ca29540d1dcb3ae1564c5e1202fc

SHA512
94c559417dcc46ad8f43e217f2f13dabb631f492ce6a100003c77809e9427f74c689129771667d5d3cc8b4535428388fe23fbae80c54a31b186e9fefdb58826a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1bfff737bdeae44cd24cbf1c849045f4

SHA1
ae183717d7d05839229a7d12e69280e5d889ba50

SHA256
50b78bbe11b317fe1c2118f0d218bb18093346800e5bb7a1b953a6947662e3de

SHA512
bbb384673eda2a1988aad7e7389beb798189d916d20cac987d4ef8eb4616891e36dcad6b04dd6a6ca2e696aca0b0e822763d6b7baa232ea6ba116e08807d4160

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5d33bff89ee516b121d546e6a362ac4e

SHA1
82bf3d7d9292f2c623240a0c329d176406576675

SHA256
0ccc67c7ce5c8ced3bbb1f0adf6aa721d7a4c5b7c18b976ca853135682144c54

SHA512
a627e089c79510071fa2d7d4eedacd76a978e45066af27f1bf8a53bbbd0d33485b16110461fde4b2cc39ae5f4b5effe10c8a12f3b3411f9fd26b983d1f3fcfb0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
a1d8f7636dee548cc83d8e770cd2148d

SHA1
5077cf8ff25c6864c10634893fdd4fa46d5407f3

SHA256
d77f434f630f21d9b074412685a9d19ea0b7d3b24b96741d78211c0be12830b2

SHA512
feffb572c98890bfaecf670cfb415087fa95a8551d17c17dba419f5fc70422a520080ce60ac83feaacea2d9273b124affd5497b4e39ddad34c42929f786e6553

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a235e437b2266a79bcdc1bc48a5b67f0

SHA1
0a5eb98d42401f06a9c5e185971c18301ae8eebf

SHA256
2262e53f2e4aae8bb7da8371104eb9dfd6666f705206bb89b628b5a864811440

SHA512
513eef6c6c51d64fa1d688aea74b08270a0c601cdf9c5cd3dca52de46611403be78622f1411d124d9d0b72bfd745d0d67af52f8f163068fb05c808cd3895447f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
209b32afc2172752ef5def2e8160ca91

SHA1
7119a8f0450766d5b7f4117dad74d2baad212188

SHA256
7f42e806a5310af90c5ed7556c5915cef6e8fd8a6c69370850f8f5384114f635

SHA512
0c862d54d020308bff984ffe9a9d94f715f438ff8c5c36560f9176a106588019a6ebe0910e03ead5b665882081a8fe5647623d31c63d4b16f80bec42c2c87caf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fb969978c95aacbbc26af5f06834bf4b

SHA1
9790367de6e179472b008a3a7f4d4247e38457e6

SHA256
77d456fc738a45e112e62f09d22fc6c6661caf3cf0738bc88261ccc22bdf3f2d

SHA512
4b5cfa37f4727c7300f30d78ac55774f57e38c76803a9d3695e188167c9181228d600f9eea59f0cec1b6fb79b0435d2e04c61500c0f665f08d1381d9b46b669e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
64c70590095beb628ec994cbb44bc737

SHA1
aa4fd9461833aa71f3ec97da26deb8b5bb7e028a

SHA256
bdf97ef0f160f0da815315d7163343396f0bbc958268ac4ccb16dd9b189296e0

SHA512
b9a2c72cad8f72436bdcd624696a6d072aeabeb291c32b25defc972a26630ae821a0e77ec57176c9be6541dc935f15a223057f3440888b34f5e7bca705954748

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9614abd7798fddfcd8ccc650aae8859b

SHA1
014e6d16113b93a92ecc56c0da0593093b1200e4

SHA256
d91eeb0bea677c5b10bb0e7b7da66b4beb65eb458785ee1d172ae9995b58862b

SHA512
4fa6b7cb4c86ed517b5fe009973f2bdff99574eb74ff018806dd3d01087eb81956c904f075c683ec418e6a64205bdd3694f3e5dc93df082a90c98c4651066630

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6f10f1d9884dd20f4b7a633892a11d38

SHA1
b7e2df36a48f9832155c3e1c7fce3036957032e7

SHA256
d14a45ab04e2d1d83b96c0d13fd745559e256c17a0b48dc43b723018a70e9d83

SHA512
b1a6d8a994c3a26e09baebb093f9b9cfe64733d6eb9ada97418bafc27045081387ec884f02fc3df564a296c2b70a2d2d316c786d0d06f680fb70a098ac4815ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4eae828f7fdb572dec56c29b1483dcd9

SHA1
8a9e0b8eea210aeb45ccfcaf5c6af62dea335fd8

SHA256
c6cc33b72c6a8b795c99693dc2209516a0696f575967ef26542bfa4e9b88e9bd

SHA512
c3a53142ea030ec04d67a89dae1e85921c12361f8b9fd2fcd5cb19c972aba310ea4740ebb393108973ceb9d76bae4bb1520ccf3dcea30a0ce36e7d3d69a42eed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
54e2284c14108e8282bb7eeb424ef662

SHA1
ddd293d7a4a7512a49089a4ab825fee27ac209d7

SHA256
5926003322cb7a448985b3d3c38a206d2cacddd25c6f012cd9daed9d7c527a0e

SHA512
795ece2a499b2a580f7e9006442893c3a39c33370dfc74ef394b7f027a680835ce53a779e98039f60dbe24ce2c06e3e39affcde598f0e2781b4bd429e267f600

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
be7bff3625ae50a469ca6ce654a3be0f

SHA1
40766752fc2f056fc5addd843e629b4d868c9e63

SHA256
efc47bace5b07138bf5992034bcc677e7426eb27dce653b687056ca63043f0bc

SHA512
25540adc69b23b0d41399fe9fdba6a532ce19f8ba7b1a2ac3a01fb4ed0761fd31e543ee602e9c6acdc1c570288529eff9f0fb3b64d2ce93ac570b5f3f75964ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e8ae88918347a7252f28a4484aede4a0

SHA1
28a7d7f6a0f03f3c3359aaae2ab00a15468a7323

SHA256
cf85187f8061ca23fd66852f4440517cdfb00285cd40318e4045fe766472fe41

SHA512
d1cea65ceba3514168cc6a5648e1ac713ce299d3e0c66528e05544bc6a3efbd7537e07772b21f42e21f9aa14cf88725ab0f97de5a38a17296512c9c001b3f962

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
15b46c3baf2810a9ce8599757806b597

SHA1
abfa46cf71a31b9d6513789d28e4a3d1fd79b56e

SHA256
9cdd0a47a52379b474e2415a49d52cf5e575faaf45cf97fab1e48689b4bf3c48

SHA512
9f25010033fa13753057f15dd824edf213cc9cc0a7786b706f5e231e743a974277ffeab0f46ff28458cafd28a88ce17227bd8de3461c7162191964a4450c0906

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
22bb43dd88f1e193ecff38171dcb8d53

SHA1
73b649f67c4b9d885b086cd8384408b1a85aafe1

SHA256
3cd65bff261a9227601ada6ae1c674bf14af64f8ed70d0940cb20c6586821a7c

SHA512
4673b8c102835421f7772789a8d1c77495060c33202ba8516ce1ae7a5c47109572b79c01e2ad5f2452fc5919e4b8e0d8a50c1fd2058271efbb85008be979da9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
832KB

MD5
139306eee0b9eaef8e49d3461a58f541

SHA1
b9509b7d474049853f1995b4910433d7cc61ecc3

SHA256
ed296e20443fcd264d1a85960d7657c4ee656e861b990ecc9b3bb0551806296b

SHA512
cc0cb3b64236871526cdaa41703328286cba35c2dd3e7cb97a1f39aeecfa27e9854789d63fd45b6f2db8e5c927de08d9168a0614a2404d5651c4bfefbedebff8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3cb0604a99cc8692aafd51ab03513a05

SHA1
a58861f5121314ef5742ed62238421f850a26f23

SHA256
0b979f1439d472dc220db22285d4bb34c9643bc2292530772d461b7d41908a85

SHA512
b17e6b4fab5f3ce0d5feaf94ce75d4ffe28a68d0a356f579bb1aeaa3ab024690fb3bf3ce288d518a7b6380948cce4d6a19aefaecb0b90981490c214c9a8784aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
483e0ba7e026fbfaa23a04e7a0608b87

SHA1
74a19e07a5f729eb1c46a9e7dc7b4718e7328936

SHA256
e6ce0a0834d9d7bd69b9a21cc6c994cd8a1932e20103a4098c6ed8d9c389331d

SHA512
99313fedbfb8743cb9c14b78e9e3273a644328715a4b681105c4e9a5206037b08524dc1af2dceacd83cd4dbc06701dced0669dc125908dc8da6c785cae995d18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
704KB

MD5
f566786b6f191472e5ebadf62063a8f1

SHA1
0166c6c4c33f296bce26b4bea502e3c6d493a830

SHA256
6d8921f8b99bb25b90e3f5864c3c0bf1ff301855a9796dfa6c0c9a382df6e645

SHA512
3ceb399f16ee4aa41fa419dcda732b84ea3e13e2bda112c2a17281f8fa4edd9984e40bd24b9b7e0388b1bf08e54c2e87ac771790497d54151aa11fbe74dd086f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
efe49819be90ce4f3e4c270478bbb713

SHA1
c2579b632dbbd8f0d33535ef13532b3680492ceb

SHA256
6bdece56f97fd181587d6d3d6f1ad18249f13aa8c23c614b305ef038199bce24

SHA512
4de0763eca4929b8f8da56bdc93d671db55a667958e904d15f4118f0b70b174f0e89df304240edbafec20be39c72539e5cd68088363084b82317de12dde51864

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8409bad5c7c3187953bf54cc409414ec

SHA1
d652c2390fef919f2587694e9d2e9d98a0a4a859

SHA256
7ebad33c54011d9e95f20ab2ec591facd915627f28215c30bac7422ccdbc4788

SHA512
ac4cba622f9e6b08460e7c71e21deca9d9d38295074a2c40a0b6ebc05d42b4481f5e70e61e609a9a5b544f24858151663e397f1aa1c3c880b434ee27ff68da63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
640KB

MD5
813bda54ee18815593ba9b4a03b51c96

SHA1
7929a5d23572fa567922bf2f0556275ead4ac4a1

SHA256
f7d256bcc326ab0a7f6968ec6a5afcb6b2ee27b131922324e9ad854c865a4705

SHA512
9eab8d1e34572a17c23c5e9c0767760091966e75c9572a0541fff10c3246a1b50350a441d1fa0f9a47d4799a0b394848050740432a2b35c652cdaf62b298bfe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
576KB

MD5
2064ac9a40394e12113ae6e8fab6be1b

SHA1
55cee053fb2a7b863eb55f07b75b3c478213cc3f

SHA256
4e1a97845bac1086cfb937d9f5bd2fdb61e1ade928cc1858b12e348021fba29f

SHA512
937eb1c80ad4604bf6fd60d37d4d5e4376c22fed95b02ca34abcbc77c31b7ce6ce4ce50cdb9181a5cb223f020e080885b1e70ad488c4eef82bceab36ec780d1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ecf3061b3a7a3be342e6cd45d48428a9

SHA1
82fdd345ba72c1a574199087aa62a269d4054518

SHA256
ee8b11ec6f56227e58bf284d5c9089ae234279691c41491365585fd7e246d3ee

SHA512
bb8f03d1aec889763b384429e4ca146e2f967a6febbbdb6239168aa5cdc33bdbb191e576a0000182920f1ac0dbd7ecc4777d0b59327dc1d506b4027dd13d8fa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
512KB

MD5
8c14def07687f467e246d5f9440ca039

SHA1
fee06e74aed3ff8d240e92c483bf276303366964

SHA256
261dbd1f9af8c7f633fd0bdc1be90e19e53e4522172b63d6cf49831cbdfeb6b1

SHA512
c8218660cd417784d5f8e7089f83550969db6aedd8180d9b0740f1d19d4d08116c635bed1bd9c0e626f96a078ab7beec7253f9ada6c5b404127ae2d100ca7825

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
512KB

MD5
d9284baf2c023b17b369363eaa455a43

SHA1
db92a9893d54c9019d556317f8d521e00d4b9c17

SHA256
c932cb4930731c25a247260110f8c32ca24a6f81c2cdfb2620e79585b6f4305d

SHA512
279ba9177de5d52cdf09e39b391a4e64c9c71d29fce8b27d86e61bb78ba96b0038f331b162d26f2776f4adf83f8e41565b1da95023a4501ec80af3db20b41028

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
576KB

MD5
9b062c65a5000f663bf2829d5a6482af

SHA1
fb993050804e9dd2508bb952db68b5423cc0e109

SHA256
7f541b8fb5f0c835f1bbcaa474c4e5c9b70976ecd5e0cc6818c731331990f04a

SHA512
b63fa06e3416a8f22a8228d39935bf8050fe5f683726e3c2e13e9b7a24c7c924d119311befd003e6a6937d333d257156e17a7649a22c72a6ea3296a40e12a98d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
512KB

MD5
37595aafb5590ffd2a00f360b301ac06

SHA1
699916b8b843960bc77de51ee77f17419dbcc887

SHA256
1ad28da19996d43b4d9b5ccf8757fe790e69c2f5514734709ca3050fa0063334

SHA512
4d22dba4f8f7a8dadb7c76c7ba5836fd6cb7a5a165afdfc49eca8e7bd0757619fcc0a17840ae6097f2e88a447c68f5b5c8ab47a40ebb90877086e1d69373654d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
448KB

MD5
cdf4fba186341aa502b277eed98c3ad2

SHA1
79db9d66007265eab77cef5b036bcb2eecd2daaf

SHA256
4b8e9b1205bdc4f3f5f2272c6debc09961035743e9688ef1e27f6e4cb7b9c83f

SHA512
663c69cc76910a38fa1ea62944507f68e79484938a8fd74ecb6322e1b4b907a1d3a6b068757e1746b35192d2078ce27090e92953607f5b839bf09d0908ab3065

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
448KB

MD5
15e6f307b60920e9105d7975c076a59b

SHA1
84055b8c52bc699a80df60e41df4707c64263091

SHA256
28422e9936e1d50f9aa37020a4be91e0bc51088a0f19bfb7c87d28109b98211c

SHA512
2886f089fd92326a9c9bee12e4eef025c9577af0fac849baa0a91ecebd6b720044c8f4ca1fed50a6fc2d3f5d41aa3e3c287d54697ca0ff8a0ca56ddc02bee836

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
6fa296838f3cbd45db9fa9cb59a4ba02

SHA1
c13758a80307caf84a0fd263f255021ef6889a57

SHA256
aae885f1d558afa735a0f574edd158fa67a07048a3712b25d62d07219cd53db6

SHA512
6ff4e625c6b500c0baa3b0cb4981a408bdabafd159cf51dc8639d010449fe8edaeed68fc12752508a6687cb29ac3f424d98114abbb9a5d34745e6c27741c8695

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f76f72eaec06b069cf847ff023bf420d

SHA1
075f2ba53dd9269876b7bea0bfa8fe310291bae4

SHA256
1dde8430003b122eee3e6e5176d8290b65fb61e2f59c5b05caec4cb804e5644d

SHA512
01216100a25aaad9c3d0f42ab70b469834d9ee17a3bdd32492dedcf6c678e510e0e4852e74c99fa4df894140944f3224b5c71af5b1f8efbf7fb03efa9769e7e7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b8e25cbb31de5cee016baf20f41acadc

SHA1
e6ce6cd097d02e6037570ec04d3b829e9d27f624

SHA256
d9d222230619953a998f7e8d3e5edbd9633f89669e117189ebd97eddfe3d4d96

SHA512
602024fa60c907827dcf4bbcdee70ba917e69c9658863a34db56b89b2260ea7cbea8032c42a9bd192a068ff98acc6c8f1e571bd07d662997b92ff736cfa57272

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5d10d58597f65cd411995dda093d857e

SHA1
ea50bf13515d68469a76ea2cdaebeb2e48752701

SHA256
0c405ca2af2a16a953cdefd468f30d968aa104d605510fbf276b80361c34b1b0

SHA512
dc4614f336d2a629951dbc436500290e5ee17205300c965b37a7fc7ffebfbf499503513f2937ef9fd70bcafbd4b2c63438538fc31fb64f13cc66a095861edf5e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cc86d6ab8f1cefe1017a7081e59046fd

SHA1
a7049dc392a7b1158f25e3987640b653b0b7374c

SHA256
b9669c81320cfd44c932b0d9e754425eec079dcbd0dabe82ebe0c1ec0c151479

SHA512
d7d5ae1b7d68565d59c253b29240fb4ccd4cee8d6dbd836d5f98d52e70534c7a815635218fa133850a78307aa2b23dd765654b7d5ee6b37938cb81a5640cf549

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8243d91738916fb73ff795495fd07a5c

SHA1
b4cd3b59a1147be646fa06f26b51d679379e1315

SHA256
dfde56bdbba27b8ce9c754228f166f4415530786c9aba452932beafc3ed1acad

SHA512
999319cd5a5edc3a3ddc44574ae687e839899455fc3f021db96d2eac94363e5cc5e828dc178938cb6be0558213a2e0eb669266ed84feb46aabda4de6dfda41f9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
047dbe8b37989cdbfcc62ad5f478480f

SHA1
cd77fec50d76b1908b3a6be4487c4c772edc038e

SHA256
d82ca3a28f441a55eac28422d90627c6d09c3aa1eedcef6f0312917bc105e3ef

SHA512
c5954474c61f2406a2dbe07d328b8780cb07bcb466cc59b88e43e2a50b677fb9309053ac01e6cc9bc8015c721048e9a1eefec8fa3cf1319256193c76dd9ef9d6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b73353877c260602e781fd38ea5d1192

SHA1
a638cd743d946f6383c164a4d99b2d8627505d80

SHA256
abfb3f064a6887d1be9f3609d0668fc5ba1f954625d299ada7db4bd1106f683c

SHA512
6f0a95886e061a0ed96b571d67fe168082d80a429e8cdf739a9266385e37913bd48589776515c1b4772772c43a31ed4198429e0b58d3e296298acaa0a8c25a0b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fd63b8c446098626cf329a3335918cb5

SHA1
047e795cf16c71c79849b442520db7ae33ae5585

SHA256
f6c0042c5c4594dce7ce1465a591b2daa582faa99ad554cafb8347667ced22e1

SHA512
b221f84af02525f71d4e388acec7916862fceacad556277b13af9ed958518853dd082d755f79c5803b0f0ddc2d791cc9bd41e311ea0a9a4a536500a1229add00

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
31071f8105fac4cdc01c027456eb72a7

SHA1
b9aa3e7a1c035bc3d1aef339256e339a1af9726a

SHA256
df87733baa2107846fc2eecb88f48b9175b95855516544c8e8e0f651940a31d6

SHA512
d0076686b651137bdc3e864c10979376ff0165c143bae71c0506a876036047c37ee4020ecc382c33dfcb9ea5c68336e3d38a99d8d3272c65fe1af4b8750154c4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5dec274966da5aea2bf9c5073bca4b6d

SHA1
aced82182945ce73f0d919d2fb5f141a4f29e7a8

SHA256
f1f30e4e8b6fafda8668297dfd1e9f89da1ed239e1e4fe8b58470faab766fb31

SHA512
5aae2ea3c605307c778565924ba430cf9f43a067b19ee139f07bcefe4ba703b0892c00d0c3a5556bcf67666067e066ee6c22c2ae66666e48b05a53eef7c06b01

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0bab89a3b06e073e4224d88c8c6df051

SHA1
86ae8afb9f1af545e0ea623824b372c9cd65ba4a

SHA256
808ee4e4b82a044edaca639d0d02b42cdfa4d0c4693c17e60c9b4cf1cf96b1ca

SHA512
2056222d06fecde41437a51eaa3f22aa1e56226c96c300dc5549e7dab4604320c2d577e40b9bbd15b0fa827695f45f59882c2f6d5a5de264b7985589d493d328

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7c3aa958d27621cdbd8056129b0ae100

SHA1
310e5966b399e32e9c7e1402f5524a053a1eae52

SHA256
3d88f9e789739897df9393220bbc65f58d052ef62029186394a5b84b7742259a

SHA512
e27bb8ea68ad08e73527d757806690eb6a11c266b3d67508e8c1628fc9b23a2b24bdef8eafa6938d18fcd7c29a24a5acc5587145333fc678a10406102076e79f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ef34d5c9447c561f63754fefcaf89511

SHA1
189c73905e2b3e54b71bdf08a63e087121df9ba2

SHA256
6cd54fc0b5451978f48eb49d455fdd30d30968589ce2e6fa35e4692651b41376

SHA512
a4c77acc943d279cb32ef462b36de53fe8d011537b7243bf9a39144781e0c150d4f792bfdee5842b3513ae5d9ff1da90cfe080949e3d2aeb29bb6a04454e8920

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
388845cbbfba1a86e13fa56b9d4cee2c

SHA1
95e26710a7210a14afc342daf5f58f2e3f3c2cda

SHA256
e7e109e5ce51b79ee8ca1e28e6d73fa4347d9895ffe77303b2494070c658eff1

SHA512
9063fe286858b75b4a554b920dfca26e191f7e4ddc4f490356bfb2e7c2b94f3c3dae95b066d33284f2b2d28ec6855d77ac559a5d9b49863ffd885b0f11fd3821

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
913560991571303a1ce981292a655a9d

SHA1
7b41ca77a5348b23a7fa3968964156759049f2e1

SHA256
b78e3a056b5396946e4f20ed5bf9c962d3670bf2df849392002018b136c0bc56

SHA512
ee1cd8a795211c7ea75535d2cd13d0b5e727b8edece62e0f778c391b868c356d0093ec695311e392034e27e0aa2141df88accd73356ab80f24c9ac06896bbb29

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0ed8712b189203d3949e1c25a3e7b3a1

SHA1
d077e7c5b4155e3298db48b02daa31562ce2c59c

SHA256
220ac4bd6482ede6ddf74b8309e27db5d81324fe609eedbdc59e46e0fe640e89

SHA512
08b1a8ab50ac84cf9fb9152f6a328625a44d0844ef5d57031a7e16b43817bc732293c0fbb898b603fb09c0b82e93370e1b52c4bcba2213465e6c18d88b15cdc9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
742f70df470b66971299b7c65443c94a

SHA1
c44ac7bd8daf7465a548d72532774eb86b59418c

SHA256
94b34e9447d0d9fa82c773658548068b0cde09e61eb38f8311362cb3c03bfd1f

SHA512
5ba827d58e65ef33776aacb3305c336894b89a2f4501b0e42a78ec3798c7b0cd50b7f04dfa93f2fb1feed79b83ef6346924e9ee161e55d1cc3baed82db8d3526

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
04795753ff4121a2df34bec3c23ef047

SHA1
b6f49b8cb7e1c66fe40990588a2cc423ebca5d9b

SHA256
f164bebda86b9d7f40401db108750aa3b4665d58024bd5d4bf8be839e3b3183e

SHA512
779b902a7e48e1abfd554397ff07ea1e4c06462828dd98f452053ec20b40e2cc66645debf4559b69cde2e35a12d2d6a5de130f96303bec8947e574809c7a5935

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
32d34a2b99061ee7efc0281ae0617728

SHA1
68faa0f605c76a1794957c0246be826c5d51e3b1

SHA256
dd24546844b0dbb355a1cd365cb6ba7a1c07ba46dfa165b899f0e69d4e42f419

SHA512
4db73cf143cc629749e8bed97357c7868b88df4c1107660e6acad72a3a3364e015c232cc8fa540100af724586b4a828efcdc230b7d53b2bc8633dc74a4e51c6e

Download Submit
memory/696-251-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/696-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/696-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/696-313-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/940-360-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/940-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/940-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1000-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1000-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1000-307-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1020-34-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1020-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1020-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1020-27-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1036-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1036-1-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/1036-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1036-7-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/1036-6-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/1472-295-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1472-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1472-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1588-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1588-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1588-387-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1740-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1740-406-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1740-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1740-400-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1984-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1984-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1984-332-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2608-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2608-469-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2640-444-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/2640-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2736-66-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2736-73-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2736-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2736-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2980-552-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2980-418-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/2980-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3064-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3064-281-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3064-280-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3064-263-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3064-256-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3188-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3188-321-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3188-379-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3228-348-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3228-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3228-340-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3724-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3724-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3724-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3724-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3724-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3756-346-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3756-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3756-276-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3756-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4192-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4192-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4192-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4192-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4380-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4380-375-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4380-368-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4584-431-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4584-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4600-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4600-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4600-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4600-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4600-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5036-450-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5036-456-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download