29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe
Size

706KB
MD5

57e1e896c1060a419a8045afa7aaaebe
SHA1

9297de1090820829fac3c54ae5d79b5b7d85bcf3
SHA256

29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8
SHA512

381b347444ade9565a5fc00678dbdc5bfee8d58183ef31abf470aada685d486081581673131e43ccb98439b84658c4fbf2aeb35c3d2d3ce0bdbb11b36df7001b
SSDEEP

12288:1FiB+tnwPEU6GHl/oFxIutNbIIrmkiHwZ98g8zcu2jGso2IlWWW:1FiBCMEUnApNbBcHuNxu2jM2I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
840	alg.exe
4092	elevation_service.exe
4772	elevation_service.exe
2512	maintenanceservice.exe
4064	OSE.EXE
1572	DiagnosticsHub.StandardCollector.Service.exe
3688	fxssvc.exe
4148	msdtc.exe
1388	PerceptionSimulationService.exe
4800	perfhost.exe
1612	locator.exe
4172	SensorDataService.exe
2608	snmptrap.exe
1048	spectrum.exe
4088	ssh-agent.exe
1548	TieringEngineService.exe
1588	AgentService.exe
2572	vds.exe
4324	vssvc.exe
3020	wbengine.exe
1580	WmiApSrv.exe
3968	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\864cdc75822cf6b9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{69188FC9-DE03-4F31-9660-69825F846706}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b822b4bfcd71da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e0ec0bfcd71da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072e83fc1cd71da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001dd36ac1cd71da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000096b3ec0cd71da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016695dc0cd71da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bede72c0cd71da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3276	29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe
Token: SeDebugPrivilege	840	alg.exe
Token: SeDebugPrivilege	840	alg.exe
Token: SeDebugPrivilege	840	alg.exe
Token: SeTakeOwnershipPrivilege	4092	elevation_service.exe
Token: SeAuditPrivilege	3688	fxssvc.exe
Token: SeRestorePrivilege	1548	TieringEngineService.exe
Token: SeManageVolumePrivilege	1548	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1588	AgentService.exe
Token: SeBackupPrivilege	4324	vssvc.exe
Token: SeRestorePrivilege	4324	vssvc.exe
Token: SeAuditPrivilege	4324	vssvc.exe
Token: SeBackupPrivilege	3020	wbengine.exe
Token: SeRestorePrivilege	3020	wbengine.exe
Token: SeSecurityPrivilege	3020	wbengine.exe
Token: 33	3968	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3968	SearchIndexer.exe
Token: SeDebugPrivilege	4092	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4740	3968	SearchIndexer.exe	126
PID 3968 wrote to memory of 4740	3968	SearchIndexer.exe	126
PID 3968 wrote to memory of 4420	3968	SearchIndexer.exe	127
PID 3968 wrote to memory of 4420	3968	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe
"C:\Users\Admin\AppData\Local\Temp\29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2512

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3232

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4148

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1048

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1284

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4740
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4fc59ac47d5f933adb4ab724fd7cde52

SHA1
2372ad9342005b1b7f936dfca289a41e9df2079b

SHA256
762ca7820ccb87dc9ab770092aecc60959a6bd897cceed8da5a9dbcd16071bc8

SHA512
c543d79d15d7dcfc7cc621c7e09475e18b0825538fab8154d89f9ba8deb39d1b51fbc97eaeb66a45af76f3ecc074090dd216f9cafc25ce9590693d06c1027f59

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
be9ce52a01c52db6b09320cfcecb0271

SHA1
c3dad8b319a3776debcb52dce39f08e6ad9d7473

SHA256
791f42f7b64c8fb3e1b2739cca577e1820ee9d61a9aa312f5035a462e7d71507

SHA512
8676c084b8a7a0a4ec6d206f4b1079f916d60f33fa5ef62b508f3e3c6bdaaf73a87791826b9d020e7f695ca25fe13566453e2d1ec33a152a41a0abdaff10491e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
eedf27b7e4cf0854dc17adb98818a4c9

SHA1
6489470c9c9673574f3dd60ec945f299af6b9d9e

SHA256
5c26eb5127b41e4d11b06976a7ac2b152357807d199f6ba4d1bb9a9d282c0696

SHA512
8d349274b7bbf6ce09933dcc6a45d504f80f05409d6094aafdd10c0b905b51d495fcfe3b3e659ac7da27ed508b1050f4c9ed8efeccde419095b34cc8b7b1bc6b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
512KB

MD5
f1645b906c8ba000795ca6b582edd465

SHA1
5dc43f4e1530b576f6ebf221f2b62625c1b2b568

SHA256
c4f775c5c8561380ee9d04160fb9405476ff9f7f2a0f6d9e025d84741f645cb3

SHA512
e9848f77b17ce70e2f04d83298779fd10c4a13081b3967b28c5c7adf676940bd6355f7f4b9108e6766b9e9b3f5a607751bf35a5ef123abcfd6ff3416efa629f3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
469KB

MD5
2506c1c93dc95033b1095436489a6563

SHA1
a00369a5899d2ea5367b6a8ec7d929f2f4cdabe2

SHA256
cf2da5a540895594a62220ca4970116f050136fed7ed026f2ba5a8c2b6740221

SHA512
042d69c3700a42c702e7816ef6c7bec616c899a02c0f8ed435ec1c8808db58b50ef9fedd5b49928dbba21fb028dcca43a0ef617d10e4d6d3be85b4ce714230f6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
409KB

MD5
01079a9527149c37bead60761024d355

SHA1
924b73736acd70df788c7f033b7729cba3002dfc

SHA256
c6a1a5ca75bd0953e78c320cb365c7b54a858a9438bd7e7c0ce6f4cc4e30ae4e

SHA512
cf1a81d647536e47e6665dcfdd1369e77a40be0a07d96f9c2157cbc3918f0cff01d0c7fb09944e7e78b13cf5bf7bed5a401e74aec0619b9ac0424cb7a3e98058

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
450KB

MD5
51d8eda573420e9be08cff93fe6b0070

SHA1
4c4e6a8a58e3cea15c20d3884d2c1cbccbde605a

SHA256
733d59e8f6e80a98dc5006c71dbce4f3152cb0872fa6793305b93296ba3b4d25

SHA512
56b66b5a7bad314150584feee9f7b9f1657758f72dabf5dc1c696d349481cf516f03bc294abbb869f39b57e6c3c6806fccbd8089db5e6044adcd6831b3bfdacf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
eec1343f6e2bc14fbeb50f1ae113aa6b

SHA1
7cf5724bc87b0a5ec4e4e8002f3303f424704e52

SHA256
ddf47c9818f20cc2cdaeae295853226eec80f43aa2dfbf1f8ecabc6d563572f1

SHA512
90e826eab5f89c756080e0a8b4883d1a8b989d379f82482aa1361c495ad29b62a8af66f3481a86844b6622734159e9c73c4874c1504a2c40f93b69f6b3e5ba56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
128ca6d5bb4f441db21ca6a6a4a7069d

SHA1
c50db1eac4a7573b161a123a576699e59063972e

SHA256
e6d14e33aecf98b774fca030914c50d31cc894254eaac3df37b3816633d4deaa

SHA512
c9ca02afe97606b2de8fdbc91f0e1920a2b6e8113f1b1c6359582b72d72a8c341df0949e93ecf44b57e8272ba6fa25955e93a00ac922903ffbaac7b435c4cc8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
449KB

MD5
5308005e041ae8ff1a3e612d2de4ca34

SHA1
cec1c19233d6e34374d1bc7dac45ff12485b15a5

SHA256
0594858ae452ec12b839b356d285c1de71cff694721a64b693c739a94be8dd3b

SHA512
2e02e7cffd38160493a67649d71f2dad8302298f01b90d20c364086410cff35254b01169a8ca4a7a72f07bfd77cf6a412892b87c9990828938895c148e378c72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
447KB

MD5
336688619716a93711390ba20a9b5256

SHA1
c27cbbdbbb96b86dccd0f8fab7a5e19f51262cc1

SHA256
64b3b3179b327edeaafcb3173bccdf31bce4695d3188a37820c21841223c1812

SHA512
469f1db9884a0100d284e387243fa915fe73953986087af22eeea6b43e83b2ce942e33d53251f1e8fc8d67fba2c0fd789b7abc54d207c03b46fd24d76686fce9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f0c001602282a2a6125559b80e1fae35

SHA1
558c99f42a3bbc13c0b2af8210699656d4d50d4d

SHA256
db30dfa22d8073f50b233178ccf978f0483f6aa234d35f1f01514dc8b7dcb88f

SHA512
c31f4469d7ae71e61180f7e16acff993f857a4bc823a22ef2255dee4f8c753daf739ba96cc44e2bcf3ad37b66688e2bb43fac94abe7d9ac12421ba9aa9dc329a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ca0c5493e8a06ade5b4159471c770857

SHA1
2c4034364e2ac89531107740b9d27c778266e4e9

SHA256
b81c6f2dff5a14efd92d2be3c3ea3e5f1ef5cf992cb4a9a1dd85750e4d887292

SHA512
68abe8e1d26efb45220a9162206365cb9c14f845d85317d244c792f76608fc2b79efc5d9545d36fd8e84879ba83b3cef04eea57440f17665693d9fbf3858ce65

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9dc8a1ab94324161678f6cdabf10c8b2

SHA1
96271d274378b4a41a3c336d7fcfce449fd7c959

SHA256
f8215ad42fbf4f57856991175afcb5c8e89db699466871f87efbff31b4970084

SHA512
f267a95f1810838ed5aff793693879fc031a7e4c3a1249c05ba44ad1e75d014f6d96e0802ecb360dd86602ee75a10916447376bf14ac6ec17712e3e9834114ac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
b233562b777d47b38a52de14e6f105a2

SHA1
96b7c4e830509e1f018e0d0d45e0d568ae66786d

SHA256
fe0907cb1274fcaf91e960d62d75204ce05dfdc937c03b7c545cf8bb66e6c729

SHA512
d4694689fbe1a51c44d4b6de4f0ce6c7695022f0ee2cdf4a040a783551129e821a801d227c00c05904739a080b68523e967988ff3f11e61009e2e62e4bd6e70e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
ca3494e984344edcc82e1ea1223d13a8

SHA1
ec7c33cf7445bdd5de5cf664827b19e7920108f2

SHA256
7fa70f5141c033cf89bdf21db0b1965788e9d5ce066d42540afc4f9e273e3f6e

SHA512
55d1e1f51ee99efe698f61583c055641b86dd0e7ae5cce70bcb7ccaf626e4f0e98f7b3d23d8f473c5c01ca410eed7bab265d16296f25a8cb1ad3493d1c224670

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
9f4b546371dee8dbe36d9e0eb96d51b3

SHA1
f6b13cdd5111fea3582b339a67962f583c495c46

SHA256
61687ce9a0dfaa5cbdce3429385e6878b27924309849bb8b103094dcadc5247f

SHA512
93727ecb7d803f80442e454ba8c408341aafac5eb7e7d9bf2b2c87f701272e9a4640e9c7f363d096998e1a37fa6b5a89786c0f5e7e8b76183620873b6cd0ad66

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
aaa4f736ef9f2cdef1a4b49db32e4fac

SHA1
7a6a923cedf02bd4e181c3b25818d24e0e1ba7d9

SHA256
1c4fcf853ed33459c3eefdc4cc9e80a87f8b6ed67e466315981b7a9250c3f2ad

SHA512
2788a4cdb4faab091ef1a4884153f092ce2064ec9e04ed24038d13922b718580eaf54596d3aa61633dd607c870132907b84d793ed23b7ca51e38fb2f6c273be8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
6e5b75e58495af072e9e0bd479550b74

SHA1
79d4cc75030173ad0c0f10ead0fc1add6e9124f7

SHA256
6aeb1f93982977a0c86eb74352707e6a3ef0aa40d3822926fc15b6fc4ce51978

SHA512
aef78729b668882684d843bc8ad063e3a5a52842de5ba33858edc28e8c1908ffa73be43221bee9be749256dbf20a030b19d88106ebbf4f57c984e22b1286bfcc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
2271c455c7d883f03a8297bc0722258b

SHA1
a3d73c83705081ffcbe29227cf8f833383b7c502

SHA256
315df61628deb1631b95b28958d99c8b1fbdf1dfdd846b5aa9a16cbd40181823

SHA512
cd57087474a5edc4eb6d6d5e94959229b4685c0fd9775f52778b1995e78ef28141ecb5ed3c8ad917b62e08b3f99cbb79cf223a34456b25d72483a446e253d7c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
588c978737089bfb29bf7f39f587421b

SHA1
c5dfbab26443cf2775463fa9af02013b1bb448ac

SHA256
3ce2ac69c82b001f1f6c048e451f47b0f1d9d31422863bd010646452132ba77f

SHA512
9755f96aacd5576d8a0312bd51565ea2f8628d76cdbe8841a7a5c6e5527eac3bfee18ffc54dfa3b39aa47ee6f5205fc4f6cbf4de08265244c7b4718b7ac9487a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e6f98db7165d287e68ecc6533e3fce1d

SHA1
05b7da269ed7d589151165319e99816abfd252ed

SHA256
f59cbe5e42267a486c3b11dd3367ac045b3f67186d46125e3d6f45e963505571

SHA512
7617c2b7684873583aa137b02e7ad8dc4f6d9c3575fb1af75a94d1ede07c7fb6712c0b6f8ff733b8ce8bba02732f6e60bea560932d09faf4dd444b9626ee728f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
edc7c47769ebc97f9558a4ce6470b202

SHA1
75e380766162aea65fce15772ff2da47a2ea3d7b

SHA256
58b2d81abaa525ea404c690e50d941a335d1c91f7b3bf8ab6309e1a4931b8a17

SHA512
76f359d1d0f7ae3784a2c181c667f125962f9ad367f4a48b0cc77c4632c82a09fdbfb246487145a5b102117f678309397963ea937932b7b5433c581cdaedf5d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0844e93b15b85c4c67012662ff7c3d90

SHA1
785b92adabed4e142ca67f14e3fef45dd874cc09

SHA256
4817a4e7f481537bdefba4e8a3b2219a16de2c3855505a452c8d121d1408f418

SHA512
c08cfe0ed9323adff16a034bf612c0c189a0431306c3231c6bbc25d616268790f46bf9f8affa7321e1f46f7577a128711944bb6b541f3abf4c613a22e6c76ccc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ef5eaa73bc6c3b53f51bfd08e1b62557

SHA1
e0b4b2f647926b145b8726d7409cbdca391f7fe0

SHA256
811f26efa41cdc5400ca35a4a31d618f0fe922e16bcc849d253089f1cacc47af

SHA512
306eef5ec223f5e2a3d6cdd1067e02096e43928680db1c3e67a9689c8055700175290d88db74cf06d54041ed7461e2e7ea0fb83ab021d27f82c9ec13bcb68f77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
564c5aa0649346ccee15553507df8c16

SHA1
20f7130e1d9766b1006768d45f8a8727aaec3fce

SHA256
4807b353eaacdb95d815c88794113030c6720631594e5f602cc2139ebf336b17

SHA512
9045111403d471c4ad39c9c495dfc8c5b4fb2981a70ab496c4137a91376f67aa5cac3255b87bc8718944e95c7fb9dcbda75f35e99c4cc510e9fb20b97889a1b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
721580afc3ab9901e739d8cbe117fe01

SHA1
b653759f59e9e0da0a077a1c350c93b8c8081de3

SHA256
fe78f643d6bcda0e16edaaab27a7dd0ad74f0784c4c89ae34355341c2fe21100

SHA512
0119785b54fb2f84cd78d67c2f5be111d6b8dfe7b377a9687e3d4a90cd5dcb234e6fe1b36a997cb0c1b1bbb2732e7ba44a988d2eb15af5b696173d312871ce2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bc72049d80109e4ff7046668c384ac47

SHA1
cb9a03c361027d0bf3b1e12e427c952a16686496

SHA256
02fdf9037f685e275d541d205ce45cc66debcaa445adc72b452da7beb9ad0bee

SHA512
61c3c3e44a09b103f596e8958d8a4d6eac58585b7755853c7058a4e8d29d93d5fa49b8bcece7883795829a5e994327f6fdb65984d8fc86b45876acd9fc4785a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f99fbdd13ea3b13fa4ad7180dee58560

SHA1
ea5ec0e3f6994259538e332087bfaa147baa6b1c

SHA256
4e0368d031a7c0bb1114d95d5440f4dddfd9d5af95267cee0d37b9e7564af645

SHA512
9dafe12f33d60d5314bb72aca3aba2368291d937fd19c57c0dbef24f814d4b57970764ca8a5ef096e2f807cad1e0d755cd9ff225c8a84425e120ee1fdf45b723

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9b5181a0c1a33809f1de35da5d5b6cba

SHA1
5809992dc79d950efad8a4db6da1dbe4082a598d

SHA256
c3575ca5b45716a74da0359da8abd763da1142d34bfb27fa969e3b139c8d12f4

SHA512
ab610c4d2c719d2ecc1f413c2af0c462ead1d0ddd04bf7bd1d3f7f439b34e2e71685a482f7bc005e319acc50125b19a565edd12b46f0183f46b39727864bc093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d3544689e1297aaab141b83b1f3af9f6

SHA1
a945e1b5dc4e2acb51fcd3d743d581cf0a1b93cd

SHA256
fe6b152b1b7d920182742ff98d02e2d9d149aea80a48a27dca4fcf7483abe52c

SHA512
c3b4abbb206eee1fefd6bc461a3bd042b2a2b1729a0555982690d2f28882526b77502a5f51608ce4d7537c312b1a85464e94f2e7783f51e4c36b77b97022d400

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e590692bff2bdead7d8a1217242b481a

SHA1
ea462aa4a1d5fc9ba86f4222b31782885930ac09

SHA256
d29db3e07fe975a8bf3926fef265f3fdfa22d2c17aa336f999c50a742857580c

SHA512
6d81c7195779118702df82d653fd59ca0d4fec5483b396e1c733f383ca9a2454e0907f43c669d2447a89cd6203b3454b2c0f45a617cb11cda2abb40fcb8b31ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
359KB

MD5
d8d334eaca9ae2688ce10f3541d29130

SHA1
4a5ad41be1215d8e1bab81730d61282b512eb1fb

SHA256
6d37037175fd5c2a96214043180a1e0224165986faaaf678a6fc2e0ebda197b2

SHA512
5c74ba710becfc87153dd58b62b8f6d8915b86d610523ceb8f09eb417875595dcf31e29bb339fe7f665241e64436eb2ae88a459aaa94ebb1b0e7528ea4ae024a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
385KB

MD5
dd2f17b6a8f396b07dea5b2c66b5225d

SHA1
d870275c8d1ab2f3446d5702bd78bb532129b9bc

SHA256
c91c21b5bff94e02dff189de1e173774b17be020e9ba004b79ab0dace9110be7

SHA512
319b609dc3c91c0cae7928c389f09849a1e01657bd2a07c2320253b286928115e2b86985c3bbf5f7031f44dd7ffddf747bfa90f0f2c7915218dadd175fbb9ac7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
384KB

MD5
39089c2bdf0c4d4f75180ef50dafa9ee

SHA1
c84cb34483eff10c9ca8d027ab80eb3e27410bf4

SHA256
f5b8317773221ce59496493d49b601fe6cf6de251c5dd88aabc5513eebdc0c0b

SHA512
939e50850326117eb5b7654c9e51ed9798e76aa41eae16a59ffc0871ae1b80a781d7f3ba84142dfab7062b1401a003d65fcb90c6272c88e5350df7e83d2adb3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
286KB

MD5
570931979b7ce036706a8621ee2b1428

SHA1
172fc83ab823a5608a69e24058921831b0d99135

SHA256
8b818080c62f880259e7445dc97441e159bbe7f97c684d5c2abf8bb263d46908

SHA512
85b1edc1741bc50e18b671513bfda267ea8ee5dd2c6a3b9f1b25c828d237d9ac44fe51d9939c464d5f700eece0a0f90b81c9763a2b607935a9cf2e83bc48071c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
384KB

MD5
1186e415704582bd6a1ba12bf7992b4a

SHA1
ff7494068aef201d40e1c629cad513566cc93a40

SHA256
32f581c48145c7b4c987fdb3a5844e6de4c99a7150ed157c9edb31b13c5fb5a1

SHA512
9e4a3281ae98203a37a7d01d07d40d457b8397187e505bbf4681a8aa99614e24540198511c7f0d2588f66d187f36b590fd74594e389492e2278df488b11ba655

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
320KB

MD5
72bea4696b0d09db61846cb00ab52439

SHA1
c41d77dbf83efa31c663945254861d29166f4e8c

SHA256
40d67dab5e4e4ce8e2d5bfbd071570741c067f61551df83d8cc427de179b86b0

SHA512
213a1a217e5b3d642d9f2c5c84fdb15b5cabc160c8a320342fdf0ab77d62fce21a2235fb8ab68f3be5425746f0852995c03567e55b6917983ed0d7a29d76e30f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
376KB

MD5
4cdf323edbb66449c9d6b9686395dbb9

SHA1
4690df5040ada463e3ef8938c098cae7fff28d13

SHA256
f622ab9faa4e479623c72bb22fd771ce23bf9f99fb6964c795c602b6fd9c4fbc

SHA512
5377b5d5489e14ec2e959a1f7203be449da43a5afbc4d5b88603bfa43b040951b1ad86d63e0066b72194c173d99906c8687afd4b8adb00eff774421461461ec2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
277KB

MD5
0de5f2192293734b6502c6081abce165

SHA1
20c7a7592407d062e4a92f37bb97cc3a7503c8bf

SHA256
0649d681f03e0da10d10ae37d5ba17cb0e5ca80581da0768d6c9d9caf23bb69a

SHA512
eb0362dda30251c65c151076c687bff3c64eabacce8daedaf8e4d8e180c980184c5cbbbfa25112fe0252dcdde66472cedcca08845c3b04d6ebad4e5b475b69c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
320KB

MD5
1f03beec8ea2c96298384b71f9f605d9

SHA1
5eaeadca35c78fea7ec41be79e99a2831f2359fa

SHA256
e001a1b03170fb21ab6dc6090205794bdb69ff9a4f904aa26afb4ad19b63ab9c

SHA512
0e928a18544840320ba0375bf167672c2671141d6e88bb2708ffdf7d985a2b030ef23f16d79618d1b91c201895fb3803f2fab99ad70c15878f314fc5fecc89ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
292KB

MD5
a43033c934609e9ca3f6cec6bcdf4000

SHA1
d8b6d6d12123d27acaff5bf0df4da5660a9343e2

SHA256
99810a50412dcbc316e4b67c48b33958d836610dadc2b05c7c6ef0ae69b3dfb7

SHA512
94e8567c465e6a46a33a23163d16b63dd832df65d442bfdc9932c1141bf4d6054f2a2e70ed4980aef8205e6dd3b6912c3d08cee94984179f59ff0bb8dd2297c9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
3211fedb23d6d6ae856bb1496808cf1d

SHA1
7b2683a32e30a58a9c8bb1d1ce6c1f3489ba4348

SHA256
1f0071dad24e672c2d265293f2fa273f8ea4b8454809faa2fe047217ea0d6cc0

SHA512
48141f1c30aef919e5f5aa06c2e8b341999c900167223f77d5802f935ab74da327c3b29140f65ccc9fde0fee5b1d3ab61a5e9db53d0cc3e7e18a80e082b01a67

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6b1612ed58f641a41cfd9a9fd0b4093f

SHA1
fcc06f2d5d3c7c47fef8fac99d0a9ed843728a7d

SHA256
fa8501226c6ce3db15263fb8cbe643bfad72b316756809c9d1e705f73407ffb3

SHA512
09815c8dd5d9636736ab6d39b936bb5fb5efdd0598276ee0c4166e1925c6906d6e2a6b1b4e419264813943580bea12fc7bf1218c633235b024a32af10a66bfa1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
351e2099868d0acabc951b5378996c84

SHA1
1caeae7ac96650cb8031cd2d2d23c508a4db2b32

SHA256
2d8f892c6be6453df35c907323f326efbf19128e009854b5f1724d68b7a13857

SHA512
f0edb1742f219919c4934035d927ec04bface003942ad8d0577fc1cb38b2262c1d86bcb56400c7a6c1563fff53df3ad4b9b019f0b8acd8f50765d3abdd1e3bf0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b420b989001ff710d5d939ac2c51d509

SHA1
73d02e29f55ac5e7f7c7ddb10c8c8234420c3dd8

SHA256
7684ef3fe22eb5e47d0f83938439cf40d00d5838e747ea590efcc560258463e4

SHA512
75c575a3b55c1a62032eaa42c0852f337e7f0d7fca34bfe2f402c5c74b50f7313048291de491616b161b3c567fe19725c76b6a80d3e0582ee3885adfe7881c93

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d91e4958367272baa3fb6e6c4b2335c8

SHA1
884d054d66c2cc9128298e7895e3b52f2af64125

SHA256
b20494c61769394dabc014f3d8b8bec3c6e666c4178396870b79021a8f319795

SHA512
14fee1220d693d630fe1786b09fe74d8e3063d452811d9decffd1645108fef80e8b5c5a7b8c2638663962a9534d64c1002925491254f7fdfac4cfd3e3f2371a2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9490ba428f912cac5c088cd87df56974

SHA1
50fe9e9a1bd7d4fbdbf1efd8401ca141877e8690

SHA256
42f42f9241dc12f4be9c409a486bb9ab06f3ba917130ca07fa8046088ac19d98

SHA512
e5f08f195406a4003a5ce758c7b53c0f15eba0f4605f17a2026e6387ad510a0d6915ac80a8d4d32e69fe1a2844ed2e77a648b9d64bcdbc5fb88983b69eb23d89

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
01e8cabb49a83688bc48f441cfc63b9c

SHA1
51a5b7561c70759bc7fc495371c400f14bc4b201

SHA256
977d60554d7c45656b68a78525278a7e6aee041908a14dc0de49cafa48a86fd0

SHA512
568c365a797580d3c9f096735ec6da740994d1c0bd28d1381ee1656ba27220f1ab417bc5a54c16ff862a225430ada7bdf7ad7287e6bf4ad5a6dc03d3a7f41731

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
faffe7937f07247f5bcbdf94426318f2

SHA1
0d8f5de138f9fad07d7d8ad72ee32ce256d941c7

SHA256
46266ba53aa0c0dd508526c77ad637aa05ec4e2952a2466e03772aa99814fbab

SHA512
e965d07e571cba20e9480707c6b9342df0045bdc2cde7ea186c9d01566177df9920ab72a48b540c01f580610c53031c4ff06f4c78355d16c157fab71c96ce8d8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4ac6629d823bc68aae56de156ef47250

SHA1
def536c173485b4a0acabf228495606aa8e5f73d

SHA256
3c010688dd0db541aec74d903df35cf72fcc1e00b17854b658f6cdc2e5c38d9f

SHA512
9410918b0839f1534021be560c820449c999e463fce58b364b9789f0319cc291b2ad25b73712321ce471cef90e6c868887a969a9292530b299bfe8c229f48915

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
457a0f6f85f5b400eb75d346ccea0793

SHA1
9892bece5efddcb4c6803f97483831009a2d904a

SHA256
a8d2ba2c85a74ea3b92a6d251c731ee663d433fcdef7d051918d0e0f3e8999cd

SHA512
418a926579d58effdfd0d249ce666cb2fb4afde9ee881b63a314f59def6da2e581dd0aa798ab77e4cf504e0bbbb035b4235eafe0fcc23ff229bc0b380f5dba7e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e273891f68a86e67d0683d73c831cf2d

SHA1
99a04b61d5356e664662a679e02bbfba28aeba19

SHA256
17afcc31db6800a72c41487e91b71303d8a2d8e4d9175452f8d1bdb9ed7db195

SHA512
40f016b90c4378fa9505f24d19dc7e4f41ecde3d4697b58596b0546276a8512301a6888a67f86ca05b055d78ebdf10cb6eef63c79c8c89c11d2f3ca4a8541762

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2137fef315156839449a6478c1d44496

SHA1
0d2028cb1edd073ff80e1958ccffb18a21338529

SHA256
77266fb999358d86dba1dc6132102d82327c9b428ecaad070a76a5b2dd37f897

SHA512
4fcab32e962daf92cfb60067deb0dc3dcc18aafbe0c797042506ec02710fc5a4ef544cc0d7de3b0f0d4d5d29bb73ff711ab3720874414e44add0ae300a3af6a2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
029f3a1afade4115334bc791f33be5cd

SHA1
26b6f63113c6a44c2042208640c8ce02b0a6cdc2

SHA256
4870c76452d9bda2b60f8fa32e4f9dad4435d12519d9a9706299ec50e3d354bc

SHA512
39d7a855073bbe74eaee07972dee0716ac0061c86f2bb4d8a1bf014829dd91a0da0df800d66505e878310ae3d237bddce30e2fad0842dbb4e7d49a9d8a460486

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
94418c7a00db95f61031f14e111b0d96

SHA1
208f820b40a4851cc27629abc35c642b973e0255

SHA256
52d225c8755aca323d2ee74b7bea131507db8e720a2c6c8c5eddc3fa6a3cf459

SHA512
52085accd6b87da5dd4ec9d46f86262173e62f531963d7c0ff14242908c29d3d46755fc99a1497f3253c199af1d8c1bb354f1abc4224a06f5f5b202e5823dbbb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
73da63fe9355af5a64f13fe1c0918400

SHA1
c68dfd9cc3b6d3ce6d7fbb1156f7ab41f7b748b9

SHA256
6fcdfc0a63e8866fd24371e652c6d05c717f4af73bf0e4d19c8986b802904087

SHA512
247717fab2eae5254fa82619ec254b901ff124ad471ac2a1aa0d9f9072679c3f94bdc0f10fa805a66db1eeaadb9221ff2a5c9aeb582656cfb3c3a4e226787fa3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a2c4aacfc93cfcc4fde284fc81e84155

SHA1
a0abfab688f18a4aca9002ba2c90da5633406f64

SHA256
360a6f4c95ffdbcf0dc01785e4b469be4b07c6b08e2dd47e8a4d15ea54866668

SHA512
c644686ffcce2064ac1e6b800bb9351beb5f8ba7efa39b6a6c24628be2f69fb95545631ad85171f9164bab5c769ee0823b77e2cf3f1880e071114c163721b60b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0de34c93e1d1e9d03876a6caca01c692

SHA1
6b13eaebf68388fb6ae46617c82e82194b119d69

SHA256
8047a41667c9dfeea342cab026886b4bf5918eebdeb1e9da386c700e7e106a7e

SHA512
0444c29132b2fe0b89f35f2c48d33b0690f0f25592c3b86c42fd8466a37e98d26a7e1c0863e2fa017c6b7413f230bbde09f0f9c981f7cc13490e7dcd0106aabc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
79369ae23c193854d08c4d0cb8c88bbf

SHA1
018f8a362fc49f19233e0ac28f43c58abc43d69d

SHA256
7e6ea2d4c617d35429708bc0263d350b89338cbacd5c024d8208a758de427ae5

SHA512
d2824d2ff7aebaf7dd370015f81c467a132b5c1d16de3ed7d7a7b64e4f9d04665d06c746209e8f5e30e350f6d4f11b66d95e5815e564e9ca94ea843123a93962

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e86f9d84510c382de48e6a8d1018e7e6

SHA1
59a82718741d8dce3925ba16a867bca3d48a7e16

SHA256
434e09515bbd773344287366dd2c63be3b118509c01ef3d278043c86fd2f6c25

SHA512
4dd0487fe7ac0ce3bff3e300679713b0336942b8de55db595f36f7697b62231c0891ddac04ab3830c78ed2787c679586d8883ac4a737a22b3418714765a1bd5d

Download Submit
C:\odt\office2016setup.exe

Filesize
2.1MB

MD5
b4d8f7187c622c29753b850abd129190

SHA1
b4de27aed8ac2f62a7004c106f3352126ef8ed6c

SHA256
d01ecf812c02950f2cbd3f44c91b55f88c8c9a5ef3dda812159e03d76d353253

SHA512
dfca21bbd6b9a9afe9e05bec53ebd0881c9510bd9a6c47dd95c6346d0c0ca211f74064f0087bc1f9d8abb9a36505699f615be84e18d4ac966b7e01b9c1c83fb6

Download Submit
memory/840-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/840-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/840-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/840-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1048-357-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1048-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1048-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1388-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1388-295-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1388-287-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1548-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1548-385-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1548-445-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1572-243-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1572-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1572-249-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1572-309-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1580-454-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1580-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1588-398-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1588-404-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1588-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1588-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1612-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1612-376-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1612-319-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2512-50-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2512-63-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2512-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2512-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2512-49-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2572-415-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2572-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2572-551-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2608-406-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2608-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2608-345-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3020-442-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3020-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3276-1-0x00000000021E0000-0x0000000002246000-memory.dmp

Filesize
408KB

Download
memory/3276-6-0x00000000021E0000-0x0000000002246000-memory.dmp

Filesize
408KB

Download
memory/3276-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3276-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3688-272-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/3688-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3688-253-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/3688-263-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/3688-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3968-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3968-466-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4064-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4064-64-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4064-71-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4064-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4088-372-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4088-364-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4088-432-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4092-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4092-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4092-26-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4092-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4148-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4148-279-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4148-335-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4172-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-331-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4324-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4324-429-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4420-552-0x000001DCC92B0000-0x000001DCC92C0000-memory.dmp

Filesize
64KB

Download
memory/4420-553-0x000001DCC92C0000-0x000001DCC92D0000-memory.dmp

Filesize
64KB

Download
memory/4772-37-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4772-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4772-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4772-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4800-362-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4800-304-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/4800-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4800-370-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download