feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
Size

1.4MB
MD5

31d609621b32b2e0f01e9808faa85e88
SHA1

d228297336aa4c81c5662b5bbc210af87474241e
SHA256

feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124
SHA512

3a5c96eeb836f94364a24f751cc9e2dc3629b2cbd90527089b00f4f8a0ea3f9b46ca6c21344976f6eb826c542386e62be74da34c4b2dd67559666eb4b77af15e
SSDEEP

24576:dje1g6p7HF/w/ftDsBUiScD7WGfWVbvf4CNQE:djmgiTd8DsMcDKGfWbYCGE

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3080	alg.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
748	fxssvc.exe
1128	elevation_service.exe
1164	elevation_service.exe
1712	maintenanceservice.exe
4492	msdtc.exe
4584	OSE.EXE
4164	PerceptionSimulationService.exe
3732	perfhost.exe
5076	locator.exe
2504	SensorDataService.exe
4660	snmptrap.exe
3428	spectrum.exe
4516	ssh-agent.exe
1716	TieringEngineService.exe
1680	AgentService.exe
536	vds.exe
2400	vssvc.exe
3016	wbengine.exe
800	WmiApSrv.exe
3976	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
File opened for modification	C:\Windows\System32\msdtc.exe	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f43b4934b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
File opened for modification	C:\Windows\system32\dllhost.exe	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093ef4a2141b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d22e12141b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cbe1c2241b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e01042341b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093e4612241b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006241a22241b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
1128	elevation_service.exe
1128	elevation_service.exe
1128	elevation_service.exe
1128	elevation_service.exe
1128	elevation_service.exe
1128	elevation_service.exe
1128	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2212	feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
Token: SeAuditPrivilege	748	fxssvc.exe
Token: SeDebugPrivilege	4196	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1128	elevation_service.exe
Token: SeRestorePrivilege	1716	TieringEngineService.exe
Token: SeManageVolumePrivilege	1716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1680	AgentService.exe
Token: SeBackupPrivilege	2400	vssvc.exe
Token: SeRestorePrivilege	2400	vssvc.exe
Token: SeAuditPrivilege	2400	vssvc.exe
Token: SeBackupPrivilege	3016	wbengine.exe
Token: SeRestorePrivilege	3016	wbengine.exe
Token: SeSecurityPrivilege	3016	wbengine.exe
Token: 33	3976	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3976	SearchIndexer.exe
Token: SeDebugPrivilege	1128	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1364	3976	SearchIndexer.exe	124
PID 3976 wrote to memory of 1364	3976	SearchIndexer.exe	124
PID 3976 wrote to memory of 1180	3976	SearchIndexer.exe	125
PID 3976 wrote to memory of 1180	3976	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe
"C:\Users\Admin\AppData\Local\Temp\feea41def0a66c43c5d0fbde700fac3b9f5e2b6326163e9b5dc0f9fb4b22d124.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3604

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1164

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4492

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3252

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2504

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3428

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1364
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
e8229c3c4ba534db2f412dc8bb37a857

SHA1
f087926f9d2fbda5f20c58bbd347f818b99ca54f

SHA256
27a0da0056dca52a01b16b13160d08a78635e33c61673b7e25bc0a2f187154aa

SHA512
8b81ba170a5b4029e696c84be7dfd43d7ef81d8d6c3f88b2a37244ce494044ee4fdd7674e31615a7721ed1023edd5caa0ed8aefe7be359e7fd8cb5cc7831e963

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
873a82997f86292a2af0482aadefaa3d

SHA1
75827d41d2d6b4fc771e17d3f178145e72499888

SHA256
e011722aea704f743c422ee0e949b0ba37a00181c1465314093b690195065838

SHA512
26d37b499c05a288b5938c2e774684f3af2e87999e2e7e5372510ae48d4e05f84954bad71185fef0995cc447f0775c1728665459cadbdfa4c94517101f6f50d9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
f76745999c04cf1a6aca0e7e944e2691

SHA1
7e3e863b07351ba860127b712a541d83803f3b55

SHA256
c10187cf2cc1b1a0cca9996619a7545465237d40dc1eb9aaed6f2622118966e7

SHA512
d4371bf6fbf9a84b153cac472c7035687d47c0894238bad383179cdf93d2ccc46f577cabd799c534b2141c6313542b53c5d2999745fccc1e4f7fc148007003d5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3ad4774037700bef7af1da748c30a1bf

SHA1
d537393b4cb206ca3e7623a04b8d5109b6bef201

SHA256
e06867aeefe51de85ff3999f3831c5d26a574b5c8511dfd58a837de8881cdc82

SHA512
c240a071ccb12c1c2f99277d8aab23449203532bc6816dde3ec892977ecd51c4eaafd821217a90341d8fb2b5bf3ee8ffb90765306e59676d10313d29e9b05bc6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ed0c75ec98dff96252c0a331c681e83e

SHA1
eea6f70d44ca94cf63df66c9a77f23c01998ab00

SHA256
a213b36de7d6ad052c8d62fb8ca3cb3e34d9ce4941a31a206aa4b0a31d1b99fd

SHA512
8879c0642619245a9304aa3f4ca74aa836544379551202db456dab1df21f52b7143c6011d532705b1983a18aa8a97f752620eea4df6590676a9e4a21332ed7ae

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a493038d4fad194dcb7b6e0f0065e75c

SHA1
2c0a864733b1dbe6bef5e6b1b600f4e01b75d877

SHA256
005c84d4af2c4cfffc9d502f0f25df8184311235608f314703439693358d6ca6

SHA512
740192e6b3c27890d21a299106c9a4a218982f4c336f1b6c56ea9e0f3203dd23a91e7c9cc1479118af7346bc0ff14c32e8d4235b926e4eb9dbd8b30a4edb3e5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
0880df41e81ea26068e7c0a31b3e5089

SHA1
2987f918c53674e2ea3f080d632c541e6976e2cf

SHA256
5999c627467df8bf743ec5a870d8d9dba67bb7f991b2cb5e9bc32c34882a268e

SHA512
0aa3b1a6447023afaa3f42052cd291b06e86a462794ce421c6e3d683ce7ab11eca22aa0f3af60127e63769569a5ded2fedcd4dfd8f33c7b2322a52bdc29d768c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
849eb532e8967086b23c84f8d6eb45ca

SHA1
42cef6d4ce12cdba9ebc3ad23e26c21740c58fd0

SHA256
8a9aaa3a718a53c7b68a0359f97af4512f51d4edf90492d57c428c1f594d80bd

SHA512
6557607a3ee70a87bac54d30f72d78d19551cd62d5c3b0e3f582c5255f9d4b6a5d2b0dd586c507e85492d358251b07ec4d2bdc9de83ef422f81ee4d8d9e1b692

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
1a704faec354257b641a50473282eda3

SHA1
d3b117dc536dac05afaba31cdcc96effc63af26e

SHA256
8d0c433fed47643aab9b80cca633163d9be1879a276d0367044ddb97a17a9465

SHA512
d73f41214eb44745b78e033d0f6cbe42a3063464d1767b7f9e5084b3fcb9c76da5f73a789140e7900193b7df51f552dca68cbaac4514c2429dc42ad1d4fd6461

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1c235ba91377fad2bd4aebc48914b598

SHA1
364a5f89f1c4b61f01f674e4be5caa7be2cd7ece

SHA256
153674325ceda8431a4ba528d0b26462062dfa5d72f08176341ed6648be20ccb

SHA512
12adca4eecff57f02f4712049789e41ba8c9895cc19e9763a95e19b9676bfa80a73b933962b966d51392e4da45858af1717efc127f25f3d3b8e5d086389ecf5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0b9abf60a215f28be10a118264251601

SHA1
6c7cccdd0f75bdf4132eee160a52673128b6169e

SHA256
c8f05a51d758486bb432a0d55217a53398189ece860c42bee352ac79b4108ba8

SHA512
a0992994497227dabf2e5189c5cc2a53ba452a5f19c692b7d0d313bfc38f06fff79c0b0367a4b56555be06df47e8d27683ee30d03a925a08252071c810d6bb14

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7b736b4d313ad4c61ef6daf80e41bd40

SHA1
e3298d52fd68e062c20d781c3895e1a6e19063dd

SHA256
8bd36f787cff0023e8c5e468cac5c67552818074e7563e413aaae3c5750473fb

SHA512
48abe983a6a1ab28ad48b6a6814f9d06426f3eba7d71166919fca24db878ee2fd35429d2277d6da320e09ab5154f1beb22ba2230c4c55c3ff71097b690f34564

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
4021cca787f342a8444be5e1a2b96678

SHA1
bf9396a6a051daed78687420a4b0a534e01cc28e

SHA256
2a990344897e8e65bf9129296575b989e1d8966e0a669b61668587ab8565bf66

SHA512
d69ad58c295c9779f4ca446e469d5850de64bf8ef2821b597edabe752e95e33e6bb4f366705f8a49565de0dd260096079d9a90ab80e0544a027c4f36bb6657a2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d2dc916092a1b20c573cd0c683b10be4

SHA1
3865a7003e29ab3bc15bb0ddc8bd8cc27d279542

SHA256
d42a6e07ad41fdb13bce9476cf345f7f7958aa8a25bce5157e5e2b910af0509f

SHA512
64e4a54a6ec053a8ee1f1cbe77ca5e9f7c29d1394517cb0a1d2213a59f8a0b952cf57e9468fdc5eac5528c01d2975b0c8ac22f14d352795e51df1b766b0c6aa0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5f24599a432e969707e60fec7c295184

SHA1
ef0613703b1dc9cf5f40678fe01df106baf0a3c6

SHA256
62a33acd0cb95eb03d234e9f3876e7bc2bf897b75f5b4ea716b9f8b6cc85233e

SHA512
4c64c7815db3a52749021a62c6bd35aafa430dc871dff3308a46ad2b4925496b5861924875e97ff17f56a388edf6a224b90565c355ec1fe7c4f96166720117e5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
e3297bb38f38996e31d6f823927a0ed9

SHA1
e31d34ee297c0c49ce0e2484cddd39dd9872f9e8

SHA256
f03d317b5587132b01df2d112132e038f0687eba39a26da9753d3ea6ce18dc2e

SHA512
95891cec63927fe455d0396b502e68c45fad6199c4fa562d4da4a5becf5baaf34bd8d4356e8a7988d1f6d9c51d5c8e825e8165cf054fd967619caf916217029e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
ca7ee81bc52e1053176a1c28d80c7776

SHA1
295fdc200cf00b934eff17d4353167839eb7e01b

SHA256
ce38277e41393586783d5cb4a6346242b9fcdce78995eb02576a332ece88836f

SHA512
a18eeef58876f0066841b7fe02363e13feecfd219a1039f6eb25e69c428a57ca9410b8f647f3120405c4f8a046da333033949eea8772127c0c4cfff132e2b754

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6cf1f57a32acf8074e1f3c1d9de3f497

SHA1
cdd69acd55b41d33e97879d7fed51197046f4001

SHA256
753efc1108626d243647a6c1932e48fa59f455d7a4217d9563d5587f97d4b96a

SHA512
8464ce607df3874199edc515dd8eed1081e25425db3a3f37933b4bddeb51a143eb322fa4335962402d49665f90043c15d744edf81829a56f2c88de7c9d18709e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d72fc9a90eb75b1ec68b1d0460323562

SHA1
e316e6ba7580a0c42b858673314a43d7064f60dd

SHA256
a9417edf28a3519cc1cf834911b520d8db80a2f44f9888699be341729bae7259

SHA512
176d7cd93223ac03f6aaeebbae0a71e690dc3c2f198fb2b7e266ab6795720a68709cd6199546edcef142fbf34441b1a9f479db7edf129b87b7eaac6f1d2dd652

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
a209c6917f2d83f048bfa773547d4816

SHA1
c1f7af9c5be5eb74b992b6e094c795f8957a3de0

SHA256
609d4edb657245f9e12f7b7df3f46cf21c961619759139b1cc22f4370f26460d

SHA512
946e42b62488f81188f74113c63a99456013ad102ce57af110ff928a5de49f8946e1acf0cedd8b8a45129cb3fb38e03e2d4de7efd9f0b0cd12399d3e7dac11f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
7a6d6fd82f6b23dd7e59843fe568d94d

SHA1
c6abeb0428eb250d3d9d419ee7a0b164af228d51

SHA256
ab8afe458e96a7ab4b2868720101665412460a2da3d4b53a8508deaad725fd30

SHA512
8359bee82292dab85be8b7cf7d8b0e0344c0fc68c209fb6444dc48f1c0b94eafee5187e446bd21e8e5f7156ea9aae645eff6a4b5b72202875a6c76125b43ff92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
c52e9a114c5707ea247277669c5f7a50

SHA1
c5d37eb650e92e67a18ba4d62e8b111b155021b7

SHA256
17ea0143f5fff07e867e44990632c8cf1c4ad3a247b2da5114ccdecd59ecfe00

SHA512
323703b8046a01db8332b6d1cebadeeb5b1f9ce2a7b39ee3094b305b7274066aba93d38260af802fe52ec4204f292991bdcb8ab2144c00833650eaffc105a576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
fd5203468d95f37882f93f334646c37c

SHA1
94100cd90b6d2efc768ac70b2d46fff67aa50928

SHA256
b34d1197c1a3bf9e0dec27b1cdc2d36d1835f263694eccff3377f80f18cb2445

SHA512
8aad5084422de481366fe96c76c2862209ad1d210ee899cae917302850ea5e8ff8f85f829e18540b8f854988dd61c1aafeaa2f38cda0165dfd53f2291e55294d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
309a351a433bab05bd296031218bbada

SHA1
f70232b1cb79834bdca3f7fb719fc5084acdc744

SHA256
4e2d974f753cf2a830da69bc49aa4ccc945e0c58f039460a8f98756f07c4755e

SHA512
3fd818b8cac5fd9e2b31389b54b988ecb010f11293eded8aacae6e87761ccc66ffdf28d516cecc99f50e69880ca718ac332ba6076e45165e803f7e62dc190c40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
9dc958559fbfb5e487f0485b0eddbffd

SHA1
b2e0da0e935d16c3caffccbe2cfecee76e1f8ddb

SHA256
00d6503f12772e62910a7b3683dc6816d69330c434291600bc3e25fd8c953728

SHA512
c57e7c25de2004696cdf984e1e9d0fdf89cbfd4057e192cc87bfd57a3bce557329826cb1b2175ce9c3d6bfc1837fb444903e20d38f5d02ab9fb4bd23ce21ed59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
fc2bac398f3c7ff01f3ba708f90458c7

SHA1
90159c3c5c5471a7240172937b772e495bed800e

SHA256
296dbebf3f4644aeb30b2ecb489e8cce3684ed0472a127c063b8c441924bc07d

SHA512
1e201c5fa35de7b424863742673496872e5f7b65c2be38a28d3b92d2db2eb95c75d83090a72b590b1fe00bbe73cd16c66c26a0f1713c35d87805c39772b3afe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
30b2764301f5ef6dfb6ee47b04accaf8

SHA1
59983cb3f3b31a432878ca0fe1fdd0fef220b4a4

SHA256
9eaf8a3a077bb1c3d915392c08175938294e87e0f5108185dee6b47c719d4d5b

SHA512
32285d8800a92d63a6221771f86227c48fb2d657720f2e5a8b0b100354d7f9e219190f7505a1089d47c324f48cdc20ed5fc063f0309bd2ca5a4922e85292e391

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
1269eb64778ec140baa61c7aea2717a9

SHA1
469d8c6fc7a4098e5257c03b187f2ecc9b9c06ef

SHA256
45a92d533a0d3ca91f7bc8a103acdb0d41ef73b8fed2fe5b5a3eceef07992367

SHA512
5cc3efe07dc2f2bfc15843cdf4612ab24d5694b16d8e7a3784e7f36bb6bbab912250278fe8c72e585c5313a56b0b2d54af149a51236306f35ada0d5727ead4af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
05a73b0f3277fc86489c1d41c75e0483

SHA1
4a4be77fbb6900e7116264df3af3162e18ff6ea0

SHA256
78cd08cf3e9880538f24da273d2b296feba7f70e470a2586f87324396b94b218

SHA512
5ebb03c0076feda9e47717cd44a732d41a6ec7523f3a1dc278de9dddbf3c57d48683f45f8b82bc0bdd9b9e06bec92c165df3ade023a9d69e61ff71839392b501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
cdbe803f13b723f52e26667d41a2ea1d

SHA1
451a42242e5dfa12050732c2a6c7e26f4bc10029

SHA256
7249841868e729d6d7818e9292e99729a0931f981b66e8a8882a75edfe91c84f

SHA512
38661f8c7ea9a700fba24052e87c43d06833d17e06b166392627414a0b6362db59f5ff98898c3a4fbba02824742fdcb600d6bf65dc4096b8fce9ae09a58406ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
cd8b3ddfe45758bf8f9c67ee27528c62

SHA1
4fe338b7edf2e96b151b15596582ca5791f35109

SHA256
eac1ed80ce527bc8744e3a1e062458c2763cab26eaeb7d2d3225297b3626145c

SHA512
31b16907ff0c9ced8b2eadd278af3a515658446f8e423bfa62f8751832db505c427f69d756fbc414db583dea85f80ac1ffb308ef939901f6b328311cf6015a6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
6731cbc5cf269cac0c0d4ca76620e8b6

SHA1
dd30d0d1d13cf0d46a2723ebed901476929d79c0

SHA256
d6fd8fe87fe434e5a3c1567124bd23b2b6d11feb5ee29451d15afee5ca9c04c2

SHA512
12843fa022de7295c931dfe4518eef3dba199f4302d6e5baa7a0b745f23fb3dac971558f9da2a98959e921711ebba1dbae84e34a8d20d5f201040c587d725275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
1c56651fc1952f7435e9da02603d5bb7

SHA1
7d1c989f9c0e837ef8639fd511d0953880c7968b

SHA256
6498db9ebf7d0b531cd6da5e7b0b76f75430d8f65e7aabaa0e989ee162a0b5e2

SHA512
d2e08ab876b655eceb23789cac4ad8413b78f6edaadd8543c8e7195291f54e5982f22ec98a28c35810307c41d844b08553710d7923dd2b7dfec6fafc00329e73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
8169ea51ff30e64a3d3b1c95a9ca9e38

SHA1
c204d387630ada22d041c2767b2459cedada1f26

SHA256
0b293bd87e737b60700d2832cd4a104608bf5f6866021f728131ed31e69ae1d9

SHA512
c1dbc5865aac99054c5b47cdf88498e6d6fd05f3c4fa3bc35c5b0ee7702ef53fd7bf8a0a3014090a9f016cb2c5ddb903d3c62590948c761330aa2b58db5ac6c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
8a3771105e6dc4e81fd571c0bab72368

SHA1
5fd614eac51783c544c032c0701c27f3d9a4841e

SHA256
5776a0e0f7df8d1e6e60ace56a4bfb403156fa2830af419db8597d0ed3788ede

SHA512
234c26a4ed2ebeb02057fb680bfa6adf88e9f8d81eb12f66abec93d1e3b909c1e0a1d569ccef06371846ec35ea8a8383f0520db21f3c6161fa390f2b644635f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
38405d4ca81fded777c124e8ed47107c

SHA1
6fc83784c08209be858949e74cb461dba5b33475

SHA256
634404c24e03c38aa3dcf825b33eb6ebc27828fb9dff2204ee8e5df849d92f22

SHA512
4df7093b347621de5fc309b95db3ef9dfa4e116066ba85f9b3981e94e9241d2cd82c91a3f38ae49a8a6460e0cf0bbf6cc3de81f87b818cca6ab684942c5d01c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
9bd331fa5ad7183da749ea5b72efa72c

SHA1
9ffdce38b24afdcb58aa88674a426bae978a48b0

SHA256
38e85bc97cf31f99f02eaca9b42fca5fecaaa92c6b0f2efee0e84e1c4f9486e2

SHA512
c389a5193718df24c41b30bd300771f5df0da7188c72281bc0fd9e34efc6020241ec14d03adb36291638eb256fdb414cc691a313379c867353c719c976637a35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
9065a581f8f2cf66ec2c116466b77602

SHA1
2ed2f1b685ff951713ac5eb04565ae691a41fcc8

SHA256
26b583ef6011a68d9a19a0dab14d212f61771c3becbef9f57229d2e4b83f05f9

SHA512
e4b920c54a849b3bf29ef7994e514c5aa8786a538eb72e3652c22efa6b1b796eb92d76ed3883f46ed02a79cbd052b6fff3005c52e97bb1a6b383b90a71f611de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
c481ad22ef6f9397f7d46f914c40b9be

SHA1
a89ef8539f284ec109b509d950c310491fbdfb77

SHA256
57641a72006049dc38c0d353936a641b502f39e6ecea2e5ab167683e58d30c38

SHA512
5494f17174ee4058cdc8f9de13ed41fa9fa3951bf35abb0e8188962dffbdbc9a304a37ce9303123c97e3488142b291199ea7f56e58217116281de3b6acf05d9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
e2360d1058ec2d3d73bf5be214a78495

SHA1
93c75d96f032700dab1758c2a2724f0c15dbd9b2

SHA256
2c6f6299469464b26f8f5ffd135c3bbdb4cffe8e6a1bf5aa5bbf794dbcf1174d

SHA512
1298d821d210da1fea17a31b99807e41bae1e40659061a7cb52b3a25691b2b03a19e5ffe6477a275736c7b42bf0a95b8d57ca519e57858d074d624bcba8a24d4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
3de0e9e15e5b2904f2a10b4efb727172

SHA1
59ea530a221a4e291ea855728e22906719170a77

SHA256
db67668b5e0238aac00b8f98a8a67c7cbab729419e3891392d9a449797b07fcf

SHA512
c9da2fc53e3b8a50ae6bcbeaf517804714743dcb70b5999b84364d8c2efdc97d5f6407f383f4f5e8279397b46059fcd3f777707349b2a62c90afd0585a064d5c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4bf888ed9386297707fcad2cbbba3ea1

SHA1
3b6f70150602993868e4659e314736910106e33b

SHA256
10f6d7a966d145938a0e4129d0da2e028810f728a173635553ce6491c093bbf5

SHA512
c54b9195114e36dd470ebd5842f4cc9e5f3be09c622364577d92892fc616ccdaea981eb82697ea6569920b383a8ac6086b012f98f913ea3247d0334130805450

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cd73c7c2ea026f73d89d1b3a476bb448

SHA1
3fa81427bd98181d9e65ac34ed7bcdb1e2c1b079

SHA256
acda79ddc6f6f77a6d93f40c9e9187810f72ed3aea2bc7eefddeda1bf5231dfd

SHA512
b4f476938b642fad5efc5dc4060a4095f6802a092a4b772673800e6f8a51d7d9c887a27b1ab208bb6ec5f8cf180f59002056a79f48bf6fffe207099d7ff795b4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
d1f94069d4201b10c4d34cd4386871a3

SHA1
5b9537aedca070597e255a946b9a6c231533388e

SHA256
02a3a1157b2d74b1e20b13d757db4a355941c6b128881cf6252aec4494299b1b

SHA512
fb2600d7aab308821efc6d7193f50776a394b5feae886a2ac9cef200d4bd3e941db4ee930009456025d7e1d9757ec710c832dcf3ff060126e1384d15e82639ea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e9c0fe0bf58155e0da7a96465ef92244

SHA1
7dcb3a56a3fa172b654b8fbef3982c55efbef6fe

SHA256
f7719231549dab660613e72a5dcce59bb59863460eb2e40fd48be3815ab6a778

SHA512
0ce73105e19755cd8a1c91804726fa651623d0457e4df137b55963cdfc87f8876b335b5cd393ea9a85ecce3666d97fd3c50a48f879c004886839c6b74950a1f6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
4ae38115a4dca7d06adf1b859c9ba27e

SHA1
b49170ea6340a817b928852ba7e3af3ec65ffb47

SHA256
1de7aed95711bd3446939d9f361f12e4a87f407572746bee7ec8666c7ee42a38

SHA512
3101af3d2a8253c7616165699fe564fbb12700f3b70db762828e7684ee22e7f4bfae71ba3c58c56fdc5a0d8d28fa4e68454726a897835abcc20235668ee53270

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
4c98cc09d1151b3b3aa0d987f9534a0c

SHA1
fa4e06ca21ba4c3fe362ee919c11af079f03799c

SHA256
c3178765e0889fd2ce2ba7bd9869365927e8c7202146e72be0b52f2f47d79287

SHA512
ddfbe15d659b095a19f4189f700428612e9710fe083cf5b1e240600987d9d148d14d5f63876726c9051fc52aa7ff198372a9de74206d66c20d0c0da09e965337

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
0b92e532ba6adfa27b96371f627ea2bc

SHA1
dbd4641f6eb835c804e8a9b693a4eae237b41a69

SHA256
0149840318ba020710afb8d7563f56023d3179943e645669a2d9b8aaa06e0750

SHA512
2e926f7ee9596b29aa8fcaba0ae7e30b7f043a9f1e640c64c33c7eadbd04fb98fab95ddb98e74750e2ef6a3d350af68996b89044a26418150372db1845c401f4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
94edf6f11b8101db9188db616716aa70

SHA1
03609ed3320fd462d1002bae62731b36d411a2c0

SHA256
e7f8ebc5920d885b4047d98e7cae54216e5cfdbea6fdbe4b159ad0345196b448

SHA512
24c54f2850c3da91c6b46acd478a83020da215a5fe7f92b26da34b8c05bb096664ee3bd1579d49e26cc715431b31b4a8a4ef82bb98ad2bc904794049385667fe

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7bcf59c97ab7aab560b4f863b86f1914

SHA1
76d12b41f1118675dc349231abf55e2bcf802a55

SHA256
775c7bdef4020b7c5db956b88fecf0428b99930eb83236b90ca95bf40f5f8ca0

SHA512
67ee352743922aa22efe5969a2db2a0deec71605c4a59669e4dd39b50bb5f0be60372e7c70782f3308a3dcabed4a9874b7486bc98b39de8745e8182abff6d11c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1157f0e6d77a439373f22ea5a66b6761

SHA1
ded532a23f4b9aa57f85cbdd6b9de987885b7fa9

SHA256
18b676780416910cb64ae353e4fe76dd968a55e00468cc1039be9c7363b2687a

SHA512
e8b3d642794d7435bae5de1925ce0cce890c18ffd991b87b525440ea3a23344fd785e9f63af7b6ff6bf1b7ab6458fb75595f2e258f3749cbd06c531e165970aa

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
4399ec52e1060a9f602fb37cbdae5f2f

SHA1
7487168fc9584d43f35548308642d98a82efed98

SHA256
e4de2f8974aeb011ee9188b61b9a8ba1351bf91fedba62c0af51c3d8113cbd28

SHA512
c08261f163b9a9b438a7ceb469b10e27297584d72722d84ad48728abf2f7fe7ed80e6e7e51704cadd6db3f5f70baa4e82a87c9f957320077f9c5e419f55af9d9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
272cb50797aa5225318ebd54c6499787

SHA1
e57f9af49385740905243e89f703eb9e6e1126c3

SHA256
93fffc379d85d091c980512987c675a73ae1f647ce24bf042bafe16774f5adbd

SHA512
f575ad3792c43d047c76bdbe472d046d0a7352fe76c426da317bafca330ddd70501a28de22145a291dd045eaf3049285d13029db12ee6e4f17843abf11a926ff

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b8ae7754c6c482e5d2557156f4f93b3f

SHA1
41d59f155c578a72891ca319f4a0ac5c009c327e

SHA256
53e6a6aead309430771ecb37f581e9e9ac6989a9345e16121b0f382da22ed5be

SHA512
a8133d2bbe9fedb6a9ab9f3c75eca6c360b313623038877da1e9bb17ebdf93fb0c752e0ff1dbbc26aa14a56a85ea4419bc252f6ac165d8db1ec304363a6d0ea9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
a216a08bcec1d4aabb04fe021a8a8806

SHA1
6ef795d084199e395dbd36687c832c1c0c92deb9

SHA256
6a013653a0779c23e91d44c859955ec0dad48c0a2c6eebd88a37f5fb0e3b0d0f

SHA512
9eaad2ddbc995b4a20d490b2c026cab5ddfa1d9348f879d0b42ab128ee78ef4775844d86198b2bb4b616f91c6e138603563a5b08363c8ca2795c7903c20e6b29

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6c9fd69ef43654cb022a9e3e1c9a97aa

SHA1
d4a63d19e06b3340aa4b7558378882589496900a

SHA256
46c2a4ebf3439f50c196a8dcfbd5247645a1c4f9c4ad67dfa4e69c0e9100bdc4

SHA512
cbc80a6566e52314dbe5a52d6ee5b987c6ef7d2867ca465f01d22e01527e27ed7b587570de12a49388d410c492354c83f278155491a6c48e29396fb6b9daa06e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
349bec48ac4b69129a92e5c09e964080

SHA1
692c13ae55dfb1cf571adfcd121ffb3cf8d45534

SHA256
8cfb40ae34f0a67681b4330133f54846deb8a1244efed4e80c54fd8ad0282849

SHA512
f491c3b35c9d47526172b03ab4c328aeb62368b8b58baa9c0211c8ab9dafe39283a8d6ce1bcdb207e1c0ab455bc55577f2f8d079109d9330cbac3ec16eb5d220

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
6af7c3fb5abcc78e3df8400ac929d233

SHA1
388ddbd11575a167457228e1acad8b5bf9ee763a

SHA256
41cc6d8e9829a01249973b54795c4cf4bacc7984278a652a1aa658f78ff246c1

SHA512
0a8efae36886a1fb6a03a8da37815169f68647f42a6a07ea39bdb8bb9f916acd311960ec1b961a75c59d5e98b5be78a2abdbbddc0ad4afaa6d2db78f71f5e7ef

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
821a8d3127b14d3a16f190c23b0b6b03

SHA1
f53b7ec6e7e044d2c71d4b9bb3d82779e331cbd7

SHA256
a459af804520fbabd2bbf40a1b9f86041be63ee9a584a82183ee6c71614f6844

SHA512
7b9466b53a62d998301bb60e7f3fed65e05e396a22232b8ad51d85f0e88184b5437b2b5cade25d9a1739198c7fefdb6ec80679fb4b492d8c831b470af0c43e4a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7ce09068ed90f95ef6ce0571b669856f

SHA1
9305363a4e13adf53945710870e133cbcf435c64

SHA256
8f9a6767783474b8e0dca4d954eaf9685ed30ef88affdc47ecc90667720d9a84

SHA512
8406e780055053334c631a7c8153094ff419ebaae7ea278231810d76a9f3f6ba5f90f0edddab3e76ab08ab25f387b8712ec255bf762e50be34ea8264c126bbe7

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
4c7cb84bb56ae3af621d379265c1bdd5

SHA1
03b73b02a30daf559e971211ad60405814178c56

SHA256
497863be3d236fc01f774a3f3f696f771360c8199c4f3f29ba0a11f6ab3e2d86

SHA512
b57624a670f5805ec98426e366425ced5cfb4aeccea776fd5f985e83612e20893900d8508efa7e077328c9f4fc4a266e80bf8b627ddd3b90e0a09f0ecdaf9827

Download Submit
memory/536-436-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/536-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/748-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/748-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/800-336-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/1128-39-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1128-31-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1128-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1128-245-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1164-47-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1164-43-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1164-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1164-248-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1680-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1680-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1712-55-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1712-66-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1712-61-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1712-54-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/1712-69-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/1716-316-0x0000000140000000-0x00000001401B4000-memory.dmp

Filesize
1.7MB

Download
memory/1716-417-0x0000000140000000-0x00000001401B4000-memory.dmp

Filesize
1.7MB

Download
memory/2212-0-0x0000000010000000-0x0000000010171000-memory.dmp

Filesize
1.4MB

Download
memory/2212-1-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/2212-75-0x0000000010000000-0x0000000010171000-memory.dmp

Filesize
1.4MB

Download
memory/2212-6-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/2212-7-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/2400-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2504-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2504-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3016-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3080-182-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3080-12-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3428-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3428-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3732-274-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/3732-273-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3732-327-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3976-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-269-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4164-262-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4164-263-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4164-323-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4196-211-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4196-16-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4196-17-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4196-23-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4492-252-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4492-68-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4516-305-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4516-416-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4584-84-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4584-86-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4584-78-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4584-253-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4660-290-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4660-340-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/5076-283-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/5076-331-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download