0068ede075ef8d04c061c0ce87218f0386d57aef2b829ceef02893daf1d781f3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0068ede075ef8d04c061c0ce87218f0386d57aef2b829ceef02893daf1d781f3.exe
Size

1.4MB
MD5

434d3b084a2d409bbfcb849f50fb103c
SHA1

5f17a0fabf9974191b0a921abd7be561f8603448
SHA256

0068ede075ef8d04c061c0ce87218f0386d57aef2b829ceef02893daf1d781f3
SHA512

95f855bf1799e919fd40b33d33896f00a414bd560fcb0a5fcfd0b40b6191020552a5dcaad82e7ce51a807d9f81e319dce18d2838c692a2e6f378d8953a0a6a06
SSDEEP

24576:La9d3TcQ7IwaxVirnlBUKZ408vTZrX+lgdW:+9d3Th7Iw8iLlBUKubZrX+ld

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2852	alg.exe
3148	elevation_service.exe
1344	elevation_service.exe
3692	maintenanceservice.exe
4604	OSE.EXE
2632	DiagnosticsHub.StandardCollector.Service.exe
1324	fxssvc.exe
5088	msdtc.exe
4016	PerceptionSimulationService.exe
3664	perfhost.exe
4528	locator.exe
1804	SensorDataService.exe
4544	snmptrap.exe
2376	spectrum.exe
3656	ssh-agent.exe
3672	TieringEngineService.exe
1448	AgentService.exe
2108	vds.exe
5032	vssvc.exe
4212	wbengine.exe
5008	WmiApSrv.exe
4736	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	0068ede075ef8d04c061c0ce87218f0386d57aef2b829ceef02893daf1d781f3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8f21903712d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cc81736728bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000875feb34728bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087d68736728bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4212e35728bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043ebd534728bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042e9f434728bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb5c2935728bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b493535728bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3148	elevation_service.exe
3148	elevation_service.exe
3148	elevation_service.exe
3148	elevation_service.exe
3148	elevation_service.exe
3148	elevation_service.exe
3148	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4832	0068ede075ef8d04c061c0ce87218f0386d57aef2b829ceef02893daf1d781f3.exe
Token: SeDebugPrivilege	2852	alg.exe
Token: SeDebugPrivilege	2852	alg.exe
Token: SeDebugPrivilege	2852	alg.exe
Token: SeTakeOwnershipPrivilege	3148	elevation_service.exe
Token: SeAuditPrivilege	1324	fxssvc.exe
Token: SeRestorePrivilege	3672	TieringEngineService.exe
Token: SeManageVolumePrivilege	3672	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1448	AgentService.exe
Token: SeBackupPrivilege	5032	vssvc.exe
Token: SeRestorePrivilege	5032	vssvc.exe
Token: SeAuditPrivilege	5032	vssvc.exe
Token: SeBackupPrivilege	4212	wbengine.exe
Token: SeRestorePrivilege	4212	wbengine.exe
Token: SeSecurityPrivilege	4212	wbengine.exe
Token: 33	4736	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeDebugPrivilege	3148	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 1416	4736	SearchIndexer.exe	117
PID 4736 wrote to memory of 1416	4736	SearchIndexer.exe	117
PID 4736 wrote to memory of 2896	4736	SearchIndexer.exe	118
PID 4736 wrote to memory of 2896	4736	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0068ede075ef8d04c061c0ce87218f0386d57aef2b829ceef02893daf1d781f3.exe
"C:\Users\Admin\AppData\Local\Temp\0068ede075ef8d04c061c0ce87218f0386d57aef2b829ceef02893daf1d781f3.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1344

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3692

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1804

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2376

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:64

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1416
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d7ae9ee6967277d5739d83a76cd225a6

SHA1
760d4619f50596bf771a78285f02dd649f9f818e

SHA256
41435b3018fe71d13db8834dbbe109480d8db3ed98eb05c5e76fb156537bf06a

SHA512
0eed8c94c2b488bd5c641276b7895787f8d3e88f0cfed6816ee6866d8fcbd792b1f769516ef10642eca9c6aecf1a387ce1430ac1ad9cf75784dd175d39df8c8a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
152337b92ef1b77855678dc95a150a3c

SHA1
381113f7276067090625d4f7a3c162196b7daa94

SHA256
99cefd4507d75905059e491cf130a2068ee346cedc534e6c4d9d0600c47bf245

SHA512
d319a580df4caee8c1f2faf1c83862781c0ce857ec257ec37e17cdca98fd995e0a400825c52f00980cae93caf140eb63eb1050df99bd6e98d47bbf1967c65341

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6e95d27f55f379328fd690f80d84751d

SHA1
c9c3af98043821392e7d204c31d414b9d8a9666f

SHA256
c897a721c0250c94d58b6446c0eaf1edafa93d7b5645cf385f13fbdc7937f3a9

SHA512
67d7e2071968118a19032f9ce53f96c2e3e24b604dbb0d3a9621f3a2d0816a7fe4bb57fe1d2358cc98b44ecccac77ebb25eab60bf502c22e8c20642cdbf428c3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bd770211c554b90ec223d068a270430c

SHA1
dcacde93fa69d1c46f0b166f22804d6cee0473a4

SHA256
8152b19fc55821a0a96c738457ba8acb11fbefb99fc3ad2cdee2fd607925bc3c

SHA512
ff3c8744a77edbc4b2a0e97d1e94770e4c4bc0c39d29c65562a93a50237bd23dbae769ddd107b35b6c314ccba91c012add14c377defb42e5ec85b4c83d4a25a2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a2d12f948bd76908c99e26141df476f9

SHA1
6a1b2983ea1c633204d6fb14cbe847a1c33392a1

SHA256
57df3950b360525ad88bd68d78c17a0f987c6cfe8c36b537767ae858bc3ccad7

SHA512
a5b3f2ce6b8176471525d09117d96ff3480570dc771403ade757dfb29bd2f3f2791198ff3c103699161a7324df4de566fbdf49beff85d3fdb2004a1cb3dd8c03

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
cfcc970fa4babbd74eecd4325a284d17

SHA1
32c0b662daea86e65e259cd080d6821bc554d1a8

SHA256
f6216bcb39cad69c00ef23feb285fad69e1e562f0b20ceb134c3f2f9232166f3

SHA512
381ee3b25f256a9609195b76d2682d6667dba1dcc84a5bc6ceb573501a49114cc7c5a201cb9aaa3dd7f0b367c69de5259ece64e11f2c835ac334bcd7e22093ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f5423f45ed01652e2127a7309fb70f10

SHA1
605c0182809c63aaf8649ab8bab4cb4f8d36829c

SHA256
970adc08b2f4c7ef786a1414fc86c7feaff89ceb4012a1164845700251a76df2

SHA512
ff3ecc08cd72b2ac6e34bb298f8cc8f73b73046e10ba4b30bec1d749f68512dd79ef53ce592557a84c166a235e62b4c3838822df88645a1ef823fbd63b3efb63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2e8e413cd28459de19fe183b1bcb8dfd

SHA1
c00f228e65e7bce7138dabe73a10f3a3dcbac012

SHA256
2f13ac025e2cec0ad1f636a2fa871c757012f418e319a473616ead594c25e707

SHA512
cf9a2d1b71be0ab1f4676dc95a31a40c4575c4a100ad07dfcbdf408068973066cb65f68b7918de02b5af8a5882bd41efec698ea406a4b1531c53e4c5f889069a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
29f8aa9869fe4260ca02657fadc2ce09

SHA1
daf3c4a49c1e7e8289ef2c13d610c1e7f3afed63

SHA256
5182a4f4127f68f27ff19ca417b50f614768b908b2c0523553a6bbd9b3253894

SHA512
4adcbe21f645c65268e22fc6fc026b0ea6185078c6e19febe19a332730fdfe6d9c3b16f0a5a6a42f70f4fd33bd78f904e24dc25fc0e529abe401ba519cfd490b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
468c4b58e4cc927e55ba41bed297b4cd

SHA1
c80acb8556f2590284529e4a838598f5e2d33d3d

SHA256
3aedef3b4b9b51e9afb4ebfa50064209f7d8848396e05e77e28d10887974c0fd

SHA512
adf35c7fde2d15186303268b9fe579c995a8a202ef398f9a57a7ae92a7dc59686649045d53428c7c6df132624eabb63bdc27ad645848fbe100368847cb900652

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ec0745e1058d47ab4ace8ccf375d6466

SHA1
9923882ec2ce61bbe2c6cce00a7cb512a542bf25

SHA256
94e8d488513769840e800f6c557a5fc29ece7ed397e1db1f20251097ea459270

SHA512
0a92d100c49f9b99e6255ca36d111108e12b5d8e17d729848c05f1feecc62f58a27601e46befd7c97411ddf266383cd478d50997dc81c6d3affc45d410facd84

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9750eaee4f2a062290753807dd6c0e1e

SHA1
52029534e88bf49a37efd6cb65a472762701667e

SHA256
be7f2f30dfa09ff248d9ef3be6c6d6bd486a876b0364f9035a01e11eef37dea0

SHA512
47128225d064a1c44c8db63c6af397faab403a363604dd367d09ef11169c0d5b16e1f99fc65feb917983e05e738e4f38a0bfe4b97b4b86e9750c61da0fe78ea5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
855fc21af5ccc4b1984e0dc87a346f7c

SHA1
f6401caf2afc4c115b494244de8c5a20729abbdf

SHA256
a65f038e2fba47ece7e15d6391e2270aec5aeada7ea07e3e515062275510acc0

SHA512
c8202a5f648e9d0031b78460fec5410a23079ba41c9cf8d694c8af832ff15fc398232bd8c80403f6e85f5ede70500c4c66ee537a94b664e9b34bf2e03741ae7b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e3cc260382431416234b6ab4664ca213

SHA1
9509ac8764cd160ab8fe9e6e24d0dc11ccbeea53

SHA256
b3917889d132ec3e5d66d0fdd2ef27dd1425523692b0ba0a9c53f48a4e1ecfbc

SHA512
2c34e5f177a46170443f74a1b5333703d9c819795dc01ddbe588101ff50b286c4195e7230d531b9a21da5ef036bd388b0f434cd9471048b9039c7c9a81b76e91

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
9ee35f31a331abce80cd436fdcd017b7

SHA1
7801e9dc82e5582de4441fd39d31dc6db784983b

SHA256
dc58d6483f01ccbe22cd6c8bd5db01fec13d0d24b52cec9999db4787c3b7e105

SHA512
24a4e88703624fa8fd9bb587f35f08d8d0b77d8ebe7cb950812ff82a39373e804622f2e62a45ea12580439351fe54840e0148b10b3a5fec3d5f4bf6a6fb4853f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
5951c32ec70d68d14824a0d041262af6

SHA1
cd6253958eda62d0677d39c2f0d29318f53aa8f1

SHA256
5a91d72c403ad701c5c755f99ae95f181596b65df00c49e31be7e872d1e5a538

SHA512
8a82af27f77d5fd8e9008e15deb735a96c1edcc40deb832f7a775137eac5770d5efb69b9c108730d88981b0b5a507e06848572860d50731e187ca42ac147193b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
4b4b897f917de75a1a79f5e8190e4b9c

SHA1
7e3ad8699773a651aac1af3ccf4be993b6ccb5c3

SHA256
f6e09fec863e40e2c666333ebca2878c400462cb0c8ce377bd7d8439b8b2272f

SHA512
83fb0456a02650fc76ca368dab22f79f257b60f5f208ef70783616d28f5dab2b3888d7814f840ff387ea6dd5d6fbf85b9e21f6c3ba818c6852f2dea763f37d31

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
895f527d259495d4dc5083eec29b601b

SHA1
bf00a6f2e7efdfc7b17b582d0130d3050d0b121b

SHA256
e52facdbad252af11f230b590085238802b11695ee72dfcdd4a312f8c886c56c

SHA512
131d84bc31282a0d67bb8a7f7b73c7212d68f6a818b05d98e7fd48b2036c3b2ee0b44eee96b3ad6e009e72053c4f4a2126dda2691cccd9b08aafdcf47ea2ddc9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
14c94264778d4af2aa5cb838bce337ff

SHA1
bca6208ec5494a896e1fb7462d0dcf3813d522fa

SHA256
b0957a4a306ad0f6a21fc1a1b6e4c11c8b222250aedcedd24e15d905ddac6f2f

SHA512
309accdb22ddfe3e41402fb264b0f6b2310b0c0f2bbfa8bc560e4cfe368546e2906307af5d825ee6a146ff45da0c929150a95c52f414ae9d43fbf6588f5e2484

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ea0ef4129c882797f07fa47510df2353

SHA1
32b3a345700289e2577cdf82ebf275c5db8caa43

SHA256
2a3f76ff99d7e4276129dc649e9f21b9048c3b51b1f2d65da62ad0ae0d98b1f2

SHA512
e6729dca042a1751b3bad3998c425f19e3b93f6408d923a3386c95659b5c63b79fc85cfbe080b7d3e82277651a2226c9911eee0444e11e9698a4d331b663dde1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
954537ddf1999bcdf94c27c1b5e48c90

SHA1
ddc7eb828ad66c69f905ef6980ec3dfd695c9640

SHA256
25e86b4e1a0f4dacedff1451a9070d07646df03d5bb2b50f3506c2eb26eaec91

SHA512
73cff17fef37c0e55ad52d608532fe0d1d803c6a752a35c7061324813dc01d2ba3a43857af5646744a514bb56eac0269aa2c973c86b29c49bcbe8b56ef56f388

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a5ae1fb861ea2a6913b19486d3ae6a2c

SHA1
ea8729262bde4c9dab12cafe4f58e6aefaf5dee0

SHA256
09bd332d8ab4d901f9da26668ac10dc5793213cee5334ff396ffb1322b738cfe

SHA512
4cd1f384ea4ce43962f822bd07f3d26512bc3cb03ee8d2dacf0d10ab3f0b4f231249e48fd9fa8b42b95955b616f761e17b934a30cc2946bbc21488a2ca025067

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c068bf945779f8afd74ab8368137acd6

SHA1
5d0c797a0a751f9002567d1ac2e4a96e2d391015

SHA256
99f2ae5ba7c89c48d47d1b2599f6dcbbe9e68b901f147fd5d4dcded1596cf455

SHA512
1b0e27ef5f5d462b49ac0dd9fc20f213053ee3b6a6040cdaf1c39673777864e853ac043dca118927f751d878273128c3e2626bedfdaf38b89d839d2e6c407def

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
7b30e9d3c18758be7e317f1b4f6da6f7

SHA1
1d19faa0d5b8bd03268844736a288f9d5c15fdb4

SHA256
5f9fcc8e9aef245743560a8cf1c528246ca4e52c08c721e9c48505fef8520df7

SHA512
7e0501c1dda6ba80c4842117a2ebbf7406b903ab9db2aa7acaae5d3eaf6caec5c2162c8f9b77acc62549f1f69f6db93c53a6395afb87166cc82f3d7634f40cd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b4a62a5d73ec64892a16d93f49437d54

SHA1
6dd6b1125751e5e15d911fd5535ad90fe5801a06

SHA256
07c21c568c67d3e01b08cdf28fbcd53d6e9f8fb2678881e8e35810f30790410b

SHA512
a2e36e0f9a485d9ee57e6bcf6d76172a5a8febb3ce6048f575d1eaeda2fed9a505d078eb1d4d06adb008a4d67981894c696b8e11c3e10683dd0a5044e97eda7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
10d6e2e917e09815de9092fb464d5431

SHA1
7d93a67d3bdc2697132c30f9eebd375df003c633

SHA256
ccd257109a1008713dc5bbf924e52306854ef9a6ee2f4509a41b2965e3f1358f

SHA512
5faf168b881749c12d8a8726beafdf634f0c0878920fe39039f9fc2addc8617c50bf5d2a10bf93eb8b6afde142d2459272cf24a577d1fa2949c53d7dfc1d4fd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3b590f9f46ac7c2057c6636b986c80b0

SHA1
29e369def76d9f919288211c6192b63e67f0eeef

SHA256
3c9b132d9829b599104f0c2ea5581a7a9466963ead083132d57a1e56c809c087

SHA512
72ef9c7e2cafdc0eb8c6c7e4b421c0ecdc09f2ab63f3f7c7c4eca0a1c229911f798164aab57a9e3ec2f3ffe4e80b70d7684f61d39abf9ecd68f13bff8ac04ed6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ad5104296332d2b48f97c1b4354e9d79

SHA1
25a3bfd6135b423c8081c559f79c24a54b661d1c

SHA256
ee8b5fd16b4f932931e0ac2df2539275bc9d3dab3c119e980e53bfcbf4a9659a

SHA512
a4faed578e2709d03792335962b1b85d5b36b3369dbd3a6b46f12ea9d5e1dbb6340d840176fa8a50c4375c761548524a7d53cad7c36521643b5fc93935a75886

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
abf93ba0928d6a329016cb7a5f921d7a

SHA1
64d4f7620895faabacb7c50ce92fd54a64164cc2

SHA256
2e0f089e60ab6b0f55153abd346e5c49661453339eaf309878e86ef5194ddb5e

SHA512
96b90ca20b20a8f829ba8f19432fd00cfe5dde9eb9a040d94550e2704ccb574e217df985aaf147f8fcc2a9fcd17e418dacbfc7afc9410f55bc73689eabd84e0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a0db7d7a571af9f91c6bee0496c704bc

SHA1
849fb5a697c5f27ca1f7c9645397355dd9748bf9

SHA256
d878e072e1828d57b02923c82736f19ec95e7ee8c936979f05c9957a2a07e2a9

SHA512
8d5bea58ef41457c7edfa6db3679d4051d3daa04ed9cea15630a36776eee85b733ab93d0c03af0421e6e1330587118324ab459fb6bbc03d20150ec0e2b0b4a12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a3780ebddec48a4a51aee33797db77a0

SHA1
fce2be337ce8337922371ca81bbaf92a3bafeb09

SHA256
6b6aae3252251c22112df1b671b1f37b53cff90a7afaf0e5b163f0e42f6ee445

SHA512
55cc3c9bcee5bdae7fb6d8bb5d51e68404c943f60d58819b11582ace55aaabd61c092fe293f0a6e6efbe404940800742e6926cd539c15be475c46e6a8957cd0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4406b65b2de9e74156b961a5be8f98de

SHA1
104f663209a700e021c69689e2f425c874aedd9d

SHA256
f991ff79213d794fdfceb15f8dfd5f87d2e028c6b3d7f4d493cfd8454a70382f

SHA512
1cff4f0022a9c1b56c75edab96bae1e5796aa81972112de2bfdca8a4fc02faedc571452502ed07e998db649ee022f69a4389b7b7648c5d4308c7a5c119b6c6ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e858642649dac9b04d20f1a22f37575b

SHA1
16ce6f3a87a0a15b09ae836b1004eb64abcfc0f8

SHA256
b5a669ecf5cdf54dea93c338c3a99d6d901ff63626fcb61ac6e7a20ebeedf059

SHA512
4db6f9ddebb8cc91f44e71d06bde327c90f12e994c4e050542cc9cea62d9bb25707998bfe66689dcc83fbcab82a0640adbeb803db8db48675de8092298f1a60a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
8a4ba84a0112d2222148c16be98da2b4

SHA1
7497234f15e3ef88a54a9743856bac9d0d4d5a92

SHA256
2e993cb70be1da8c8a5e54ffa03782f9564883722d47677479247b567f36ee96

SHA512
22f92ee72f88e1c1ce16509d6935f8abc7dccd017baa1acda8e3bd4903eef7012c727f6a796dfaa52185bb9c4a8c90ff8dad6af115228daff786c2ece517f9e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
61023403e183a8a80bdc4d49b1447fb9

SHA1
2d7fb6a00e24b9046fad221f327cb15f50c3b2c3

SHA256
1ef48590a2cc456584a5d7def3be30b3e6ac791907dc1fd180cee5dc30366afc

SHA512
e97c292d327eacdd06c9eb0be047bb505e6198de25bae8eaa0cb3b04c23b0a116787def2ad866f96f34fbcc8be3b65740d79ac5229107aa16b6bad75517c69f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
49487620a78d85ca0af7e13d7071cd3c

SHA1
6483b48e61fd1ef1586f689c090d5669a57e37fa

SHA256
4347154bfbd4f8810708e44681191c6deb4d2a79895e32a046ce3bb4f308bd44

SHA512
ec06b374277161629eae572e5e286808af341cc80b37ccd5387c739627f9b70762bb5d2359c74a4d6641819e1fbea59f364498a37f426ef651bb1cfc4d5ba47c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
0f2a1c8a7d40787c26926c03d031280b

SHA1
c1dc4ff6cf39ce5bc574968eb1e760c1afbdecc4

SHA256
8157330072e40d636368c186f09967c50b88557bfb58520c75786c61b2ad61fb

SHA512
319baf1fc92f55bece8d00956e4f02bc5a4a82572805a2702fbced4fec88ed2ba6b3df7b7b64e7ba42e2958de489799d3619d2bf3c7ea2a68cf8cbe82e9f19be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
9e2788b55aab86c213e8c756380d228d

SHA1
0b6c4e754555c28f6345ce876881968064ec5cd3

SHA256
7841cfd8ebf9b024b94c33ea127df492e655628468bb4be1cc224f4fde12a5f2

SHA512
cf4dcfcc5ff4c71fb525b87dd72806fccbe98b719cd011225b9f9388dbab7bc358850243be945200170251ae9ce49a38b913f70969930848edced78b3de7d4c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
04ddb5a9222c4ed2398c6b4855df38f2

SHA1
f04fe7b4408081c6aefd81ea7f4f96d7c560d3bf

SHA256
a65bf65d2fe873d65923c9201ae19212739d62685b1ae35c5bbf6632a495f3e3

SHA512
2a7fb2b3ccc191415f6f6e8aefa3788e025ef280651688b94a638905a031d0dfe05c5214c0f1eefdc8ebb113267ab9b1773db8fd30e28bed2f8835777e64ec16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
a4d6c6d7af0c6978299d33b819bba8ef

SHA1
942674bd8246cba47cb3387e2fd6cb5259efbaf1

SHA256
00b77d9d92353fecfebeaded06e65e06e8a5ee67e3cb09ee00600b912dccda0e

SHA512
3e1e45bc0da017ca33739de26276d4534d4a58e534043aad9a324f0483d635da06f4ee29b95a9a413acf1ed29eb2049b559c455192485fb4dc6553a77eba9489

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
692f90cc99c9f07e83b547e44dd94a9c

SHA1
ff01dc3adff9dc606ef2e5605fd24bb31778dd93

SHA256
f3da3280ce44940aabcfc6dc4e395be3c5de379cdec2f76854492d9f65c202dc

SHA512
72d75945de7f5494095059e95c1c5186a633705a1d02f7a1cd2d92f3366ed9857a8ebfb8253a12db5593ab6146a023a76f6145be0210d98c42cecfe07746b0a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
c4e1813018085ac76e11c8e31b1c541e

SHA1
e97f03209a21fe487644bc69f66788c0e96cb541

SHA256
6145099ce6996463a12826b2cb74480ed5b76bb1dace49c22fcf558df5edcda5

SHA512
a67b06120fed3c6732cc772557f40e0d884def3f8ebd02c69e5becdf3520a86534635eafbd26a84293cfa8ec8b8d41bf92cc3c7152f9f9ea613c488c5e24905f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
ba10dca3880ceb6dd46f927a325bc366

SHA1
6f645e62432b6804ffd78ef1d1e8c1397578d37f

SHA256
5e2f3642e9d06a185f3e2bb54103de9fcea3124f9bb8a4e60b009e4bec224d7e

SHA512
5de0e4d035307edb6be2cfbbdad0accd7949200fa65a0bf0666c133c7ffcf7cd1c8160ee84ab266bd511a14535ab4c4944618c3cd4a50d1cf12c5769e87ef31a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
932224efe108aee1fed58d4062e332a6

SHA1
d99e8f9ececaa45d327e768b5ad232e83a84d8aa

SHA256
8dbd169542181820d8c59ca459c3419391ed0926cf6e9a44330b4034ec46abaa

SHA512
b456a59e4f60d4dd8ac6a4a7bf8f922ea2521bdc13d43010c762b67bdebad1388f3c63e7ea29db749a1d9b949edde8ab2bb741e193c7581bb25587056196b05f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
60649f3cb30bff2d0d2543ab86ded1de

SHA1
8a36279822298eef4fb04c97dac7cd98fe16f2a3

SHA256
886d3d8b48e5b3cbe64e88ceafe8b9371dd187acd3339feb3adfbf7838fbc26a

SHA512
013a91b405890f050bf5c6d32e5c888e610074d6e55a75340a3223e1fbcf31cd388c3ec7366fd1de6093998962b1e8b35b217a6f6297514937dde098092fb1b8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6a3e83d47d401a7f08105892781d0ddd

SHA1
669980100264a798d820b6d7afe4fed41154fe34

SHA256
a32f5dbff4903c4a60dc4f3c3ce903a6a0c0547b647c927bdfed83f34e8d6461

SHA512
3e8dc0666f861c7b27dd2bab73ee834579a580d364a168e610922aacdec87558aa35f9a0723ad279aaef9d9bac81052c3b01f18269004448d723370e8efcd7de

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
93ebf4938b83b72e4119e07508f85fd3

SHA1
d27630f7b196c79d734ef73703e599e1924e4a82

SHA256
a3f5de51dd637971791e59516c8ad775a79d6819601337d6dc9b0fedb6eaf85f

SHA512
1ff02135a8fa6d9dcf2d503b79ee99ba94e34d7319e65c748293c3287e81d38ce35b7ac918e9a45529136c5106a871024eab1e4ca07210fb4c4960f4e46c8d3b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
913e44788621fd7f0211c710a2482a07

SHA1
1ff852719d3363af82453201fe78e6d0aa165869

SHA256
729765b642cc5fa290bf6d296ba9cb17ad41e18ec432059f30ac55bf8aec249e

SHA512
64539c230a956cd9cc2e150164b3afe8255a32d69a34ced50affc354afb78aaec5780d1dcc0944e4529c3371903a02ab9d0ccaba75b601796f230a3527899307

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ee20d4a69e18556b071ea9ab32d603a9

SHA1
8c3670c8896c23ef35bc86a46b6dccfcf3c6ce6e

SHA256
4e0886f8a675f2e5cdd054402b62244effc31a6f2d48aaced1586a7725dd6f5f

SHA512
84cc1efadc2515bddc7b9248211312e8a71e5d9758fb3f70ff166b9c8948bf1625c5b66c3cfe40a35c4a56add6e1406795c4b8d2a6b6eccc4b2a888da4659fd7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7d02738bf46c39bb2f9c3e9d9e01de27

SHA1
44420caa7b2e1f837bc62a0a2232a69cea45ed2d

SHA256
437d22a86f1d23a3a0e7eeddf29e3fafd6b516878e9eede0db61a996039ab95d

SHA512
76c83b02bffb89bd2f500071ac7c41df75a2b5a043021649162c84fec505f2bc1d8847e0cb42d8f6acec74dcae84361930b880d06a6ddd391c4dce0442d445d0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fa2ac7854a8ea8c82086f7ba468b5e7b

SHA1
6ceaad927eb80f8a68918c69cc34f38fbb017c30

SHA256
1331a03575c0591525b381b5a52aa50d322ce463f2dba793dca8604637c399d5

SHA512
c3d536e198fac723d840c48d3267a19f3c8b5b8ab7e8ba712faeaf4d0d48923e04c2f18aed5703453de69b0c114fdf7b29e26429db0f99abfd073a89abfb5ebf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2f00260b7ec09fd11a4e35ea371f6f5e

SHA1
55946dcb1dfa463b12c423b1ad8c61bff54dd9f1

SHA256
32d0b0e37918a967142876b101a2a474993556e2cddda5b18abde3eb3c411f52

SHA512
62afdda4d7093fc3145816e86f29f082c5c30a6bcfafdf18e659e7858d59aa7ee83265c46c5bf5e76d37951b32cae48ac81f7bcebfb7f6cb54256490342dfb4e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9438fd427ab98863bc95e4b57e323983

SHA1
9147999a02823a20c763a903e2d41ad0a683ce30

SHA256
1a6b04ad584bc314371d03807d801f4d430a0c716966b8d6dfe63cc2bd8b28c2

SHA512
5562902216f241a4e7716234533a93c571509d3cb7b37105345da6e68ece14f45bdc842cc7433e577450720f015878155f666ff2b9460b48af057385632df00c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b54a2bf8d50c35b5741ba3399ab05f55

SHA1
bcbecf9b754899a48d4fd9e7778a580acd45fe4c

SHA256
68d6f41630c5c293a9a61486066d0ebc2d3e935e5040d5a8f187b7ecacf0cf03

SHA512
40610195bbaf69dba1880e617d20b0bcd2d85b7b4f6d6a5482670cad30c6266b247b4549c4ea6658fe5ab77db707a3a24f3a2874335793d2dc26c902d18c248c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2269e5e414ca5fbc037b5602a6458218

SHA1
1515e10cceea703350a2d7b44a1cfb9867fa1e60

SHA256
a230f785ad275fb1df0cc9b4814877c6acfbfb58e865db7242daf00062c2bbd4

SHA512
187cb2092ad5b219c3152f6436137a78999ebb0536fd32f466a48b596a0d360727fa81525c60cc88d295c157ff00a3d06197a27e49ba977117ad366a4b09d18a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e58ccafa7a70e8f49410672accd334e3

SHA1
1de63cea93a1753a4751bbd300769c6cc23b866c

SHA256
a5ab39ce7a127b4a6ab90c16e9568db7b28d8b7f7bdd5de06085b9884edb71b5

SHA512
8f5b7a793142f1d650280ed895f7132636ca9993ce5dad9978a0bc956a25b7f8f28b50cf82177b66f19c341a49fc959350c81639cf0289e6dbe9716eed1b1114

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3afe316dce2a6cb6d60343c561b6883a

SHA1
546d08c432a70a68a470a8365c3cb1e4c740f71e

SHA256
3974f7d9b51681a135fc1f53ca6b6ae34e2e7c8bb331d0b0cb524bb3741fbb50

SHA512
11011be0009d2cdad0da8006391d915f94d9ad3e6e82acc3f5acbd779d2317cec31e125038a8e2e2fc1f923d6edbf67bd7b8e71894bc915535dc8d7595705312

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fc964363804934635ac67b55927730eb

SHA1
f15e32db71ce80120fc9d658d2c37aefd0ae18b9

SHA256
f66bb2aa0b081886f6935a83311b6630b9aee69ba63e184edc92e14e72a982f0

SHA512
75d7f0a7cea8a946aac454830832c7daf93e4f5bfb28907d8b0fe187b35ef3884953355132b5440f36fd905fd800e9d91108c3d6208a1ce0d9f449a1545ddb47

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1f8df1e65e1c9850b5dc39acd3452630

SHA1
410b7d99e0a16a826016f55acb6d8871b762a29e

SHA256
0e94c0d2ad1df97d36439bc70084914f93c3499da81b556891a168771f104da7

SHA512
ff159180607855f62dbf40d9fcc5422a3ca9a65f2ddcec0da6095eceb5d4972a7c51b6ab10c068cc8b982e8997dcfd907b8f62b6bce58ffa9a1558c73b3f1f2a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b629c1a143b9f3c10748cf5bcaf80281

SHA1
0c4b6da4255e3be5b5b533ac533d4b96350983a0

SHA256
0dc84a5156ebe4ada4f6f88195d62f1ec7205c9f2f0337774f0a9b398df9fc15

SHA512
9fb16d8a120c0134776267d649ceeebaef2c7ee24fddd7785facf00ea84e71286b3d42802f992d3b2c8b94d083cb0e2e471e7b7528bb439017865764ee778940

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5ecdf6d8df572ce76f731f9846cf39dd

SHA1
a6c22bcfc93296e3076e241bbd2aff081f161141

SHA256
f1be301f02c1333353cfb10ed00650c6c75e8d9b64bd3729606762eeef5c8b2b

SHA512
f754e97727770c5212e059f57011bd74140af52f2cdd9ff6bd7d62bdc41531a094e845655a93c4510de00ec1637f5fb196045f42ed0ad9a1084897ec4d49c952

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
c8546fb4d3fe30952b228c28782773c5

SHA1
482bdae0feac6aff9aa18ec2272e69aef7af667a

SHA256
0a4083edecad69a2ada1bbe0554252d1d0b2b2d9210e76a3f793e4324ed081da

SHA512
a90473a9abedc365d5f5b89f0947159e355cdaf3ab34b5cb093555be74919c6dc2eb173c2954ca2f0ef8b0cd594651fb30a2502bcf9ea4205e3abd073202d565

Download Submit
memory/1324-259-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1324-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1324-266-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1324-276-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1324-278-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1344-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1344-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1344-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1344-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1448-394-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1448-400-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1448-399-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1448-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1804-543-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1804-385-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1804-328-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/1804-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2108-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2108-411-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/2376-354-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2376-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2376-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2632-248-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2632-315-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2632-254-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2852-17-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2852-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2852-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2852-23-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2852-232-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3148-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3148-29-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3148-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3148-237-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3656-369-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/3656-359-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3656-428-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3664-367-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3664-303-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3672-381-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3672-441-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3672-375-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3692-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3692-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3692-54-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3692-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3692-66-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4016-291-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4016-353-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4016-299-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4212-438-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4212-430-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4528-372-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4528-306-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4528-317-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4544-342-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4544-335-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4544-402-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4604-75-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4604-69-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4604-68-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4604-241-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4736-463-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4736-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4832-0-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/4832-1-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4832-14-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/4832-12-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4832-8-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/5008-442-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5008-450-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5032-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5032-424-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5088-271-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5088-283-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5088-340-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download