5c9b9cda06e35d9143d0c01086dfa5871e81196d35310de0c1687f2fdcacd4ec

Analysis

max time kernel
117s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 07:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d278bf87b63008547b93b17aee06cf0N.exe
Size

775KB
MD5

7d278bf87b63008547b93b17aee06cf0
SHA1

7402e008d3a087c9ecd9eaaee718d2a9e9ef7eb9
SHA256

5c9b9cda06e35d9143d0c01086dfa5871e81196d35310de0c1687f2fdcacd4ec
SHA512

8e63a32e260a08b8642f554627190ae4ed24b5ac83779d38396e8d9c6cdd8f1033e52354e4e29cfa9b55fe211daaded574d9d609879d2eba33557b2980fff759
SSDEEP

24576:w7LsBKSPrcKNHsyT1C24RuZ01FW1cwWDF:ILoKMrpNBT02CuZ01FWqF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4956	alg.exe
4996	elevation_service.exe
4480	elevation_service.exe
4756	maintenanceservice.exe
3128	OSE.EXE
3504	DiagnosticsHub.StandardCollector.Service.exe
1196	fxssvc.exe
2928	msdtc.exe
4648	PerceptionSimulationService.exe
4936	perfhost.exe
3160	locator.exe
2944	SensorDataService.exe
4948	snmptrap.exe
4296	spectrum.exe
324	ssh-agent.exe
1676	TieringEngineService.exe
3784	AgentService.exe
3996	vds.exe
1636	vssvc.exe
2088	wbengine.exe
5100	WmiApSrv.exe
4360	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b82168c55325400b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	7d278bf87b63008547b93b17aee06cf0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90203\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90203\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90203\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bedb03a0adcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dd3383b0adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000460f343b0adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000219ec13a0adcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035c6a93a0adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e02863a0adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd298d3a0adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083b4773a0adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4996	elevation_service.exe
4996	elevation_service.exe
4996	elevation_service.exe
4996	elevation_service.exe
4996	elevation_service.exe
4996	elevation_service.exe
4996	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4912	7d278bf87b63008547b93b17aee06cf0N.exe
Token: SeDebugPrivilege	4956	alg.exe
Token: SeDebugPrivilege	4956	alg.exe
Token: SeDebugPrivilege	4956	alg.exe
Token: SeTakeOwnershipPrivilege	4996	elevation_service.exe
Token: SeAuditPrivilege	1196	fxssvc.exe
Token: SeRestorePrivilege	1676	TieringEngineService.exe
Token: SeManageVolumePrivilege	1676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3784	AgentService.exe
Token: SeBackupPrivilege	1636	vssvc.exe
Token: SeRestorePrivilege	1636	vssvc.exe
Token: SeAuditPrivilege	1636	vssvc.exe
Token: SeBackupPrivilege	2088	wbengine.exe
Token: SeRestorePrivilege	2088	wbengine.exe
Token: SeSecurityPrivilege	2088	wbengine.exe
Token: 33	4360	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeDebugPrivilege	4996	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 4068	4360	SearchIndexer.exe	124
PID 4360 wrote to memory of 4068	4360	SearchIndexer.exe	124
PID 4360 wrote to memory of 4908	4360	SearchIndexer.exe	125
PID 4360 wrote to memory of 4908	4360	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7d278bf87b63008547b93b17aee06cf0N.exe
"C:\Users\Admin\AppData\Local\Temp\7d278bf87b63008547b93b17aee06cf0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1716

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1d7160f296a00724f5ec8170f261feee

SHA1
14d05e1b4f07e5ffc9ecd37a35ec149dcab20845

SHA256
45fcefa7c41412b7367359e92c05099acd6b1f7c5c7ff9174ff21396ffd6a21c

SHA512
f039ca8895082067fc166ff28a59f35253aea61e3578ee5b895dfcfdb398ef3f1ca5f63b824cfd9b74fccbef715effdc2839880d0328b136f0853a262634b04b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
42c2f02c3a236dbde60a9fc5b49ba25d

SHA1
51a3da9a17f928c52207d6df1c68b08227e0cd99

SHA256
71f63a2b69f908c0334eba61e8752e0191cdb52781477fce6d39b74423d96439

SHA512
dab10d649fd651d9430e418c85f2eea1faf8813e84a4057d240d99f8a83bb4664b42b63d4f31978de81ab7a73f60f6d073e89b200900cb3538767190435de5f4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0056a533a04afa29bc9619ff31fd5f7e

SHA1
b52bd54c64acf8b7be52c191402958eac5d78eec

SHA256
3d090ccc8f0d85a9c89db035568a438d87e86cab0e8cd033981d2bf17df37f63

SHA512
80c2799ce8482db3bd76f9f7e15fef88363a2778b1ce64a37521672faba827ed59623c0ff93fcf5932a3846aa703b9238eeb0b2dac80330c86d1d98174358c0a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
569e3f30ee107e15ce2921cdebe950be

SHA1
b95fd721755d725ba15c5008553feefd007d02db

SHA256
39ee2a27f8562ab05e0869bdbf26ec4364604917d8cb3eef545ff8e258c04d36

SHA512
25a122708e83d0cf69bcd6121e3abf259abb5666fec91af0af556874a64ae0d737bebc49218fc952f21cf72730fbab39cfd4fda4a3148e15e611f3bbd2dfc7a6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6b462ce67e07c6bffeb35870ec393f61

SHA1
d5aca12d24077613f3a72aa847c1a06ff0cb1319

SHA256
4d08b567f6c0ff415420c40c6ee779605559423ee31b8bba76e62ba993e3f867

SHA512
a29bd25eafa68bdea6307431a20f61c59fb4baf7b195e5f2f794b75a3106a4dc3b4c793bd6094786ad00a3594b7f8b37dad68a4bf693e1bf483bcc322d1fc385

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
75b0818d7188a31878e5cea4e1019ac9

SHA1
0af650a2126b5fef68fcdced9cb6e1860aaa614f

SHA256
ca22e3fa0d5e4388850808232fda64ad8b628f3be883a447fddc0980caa2574f

SHA512
6ca04e6c0781ca95c174fa8360e819cc2e18a33447aa212758a8b30fc7591193b2a90d64efc9e73596701d602c19f9be6cf78a38fe29b0d5e447f5ae6262caaf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
3802cd26b00b451c05be6c13fa4fe411

SHA1
f6a661bfd0ab307eef13bf42f905789b15beeaa7

SHA256
1b77200d88dede35a8065f19cb2f27946cf8851348f5a32f8d3ee17077b5d7df

SHA512
f80d17bfa263910231981213d09f782d13246a6f650cf69949dd0e3b149357a25af672cdcf70bba6348729a579d24c2bb3fafd5e3e535c9c43edc45979faf4aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
80e3fa19a0c996ad89cef81eff142960

SHA1
fb58090f7b1f72f4b4ec3b009375ce3afd395a86

SHA256
55a1bf70ce235eda6eab3964d680d0a1b2632f374f59f907f9cf29b94a680ebf

SHA512
d089a597674d978258d147066d86a0347efcf557751fab9b067f3cf20c939216432595d94e5f4f268c3aef95c8bdc5890519d8014e369bbbbf9f3203c1f39967

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
303f4515831d64d9f4d1aec41ba0fa91

SHA1
0d1da75f9dbf2f0da71c1252afb3b937e5e31b4d

SHA256
e1c75df51e94a815b2ada5d5524d69bfb0b2d0fda7594ee53603b98f71564a08

SHA512
c7b3683af7f622cd408478688d7dbb37f6059a2704614370b3b3b18a79d03fc1b75e5b1dec49354e3b3a7c79d991f0dcfc741eb410b05bdd24fc97f6600700f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c2d17568c1f8288070448f9652b73143

SHA1
73f754e0e7e6e6f77d48a3ab5dbd50b8a48fc24e

SHA256
d60adc9d7237ec0363e9c0adbcb85ef5b0f36c65b0092e837b8baef76cadd6e0

SHA512
9a96d82748bb0080bcd36195e5a1854db75d61b8782e99fa91c2f61cf9fbab9f816acdc5bf02ee01d45eb8647e6fddeff27e2e3e01ac7cbe4b4f3828589b0143

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e29c0037aaa309d0f94b1614ccc1544d

SHA1
df97ab536da984eab924b6ec3699d32764f0e12f

SHA256
da75241d9c954639e24eca0e09e73586177c3e152eef8aa0e364044e4c208704

SHA512
9b45b4c0fb427ee1d5201916263819760e1256e05448f852a80f6917a1ec3e024c67f5b334b34b9d0acb1efc67f7165b0152c3bc05dc3a7e817ce2b681ff7d3c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d3c773296e74e0ed138cd64cc985328e

SHA1
02e913cb897490be417945bb2552c00c1005677a

SHA256
7fe98f0e85c375b0bc22bc3780acc9e8b8b76ca0b73dc22aa69a6f70eb321a45

SHA512
ed5edd4178d15e454df4cbe833325784b0b857e5078525a0a0ef06979f7c1b235527d6bf92852e613a45fb2b50f975b1c4461da687c33a877a637b93c0b27ef4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5a511ee207a4e39e96654058a6987868

SHA1
4f29c064f47eb011e9d68b43123230b60e2cf576

SHA256
23cc333893038abdac86d0c2a98854e513934aaa9c96a7656d22ee901e7ba0ff

SHA512
bbb06d9137d4a1ad3cf607393a7a9547352b24c4258411fbbe574eb9bad2315fdbd2c25f0579f295640f9e3621194d5f134ccc82b8077f023dc5c91631a216c6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e62f675b26fcda1d5e84b2acc5855cf2

SHA1
a750d1e5addc9297e335324d80bed602f55cbc90

SHA256
b0d4a9c922f190c94f9a9d1ae907a3df2860fdb923753aa833d0650838077129

SHA512
cf7d5d9ff085a17f0c7343c8e3acbf50ce014931c11e76f6d4aea8813e7753987341ef1b52701c5b975e179485660583127d386b5e23c69fe60d79499a31be76

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
0e86b1a4a470cbe4db723147e31f6b25

SHA1
d84a3349830a6bc0899942421c176673cf26e6af

SHA256
3a09ccdbf2cc74ebb4f60bfa8767c368d1413d699acca1e91447f2601c93d976

SHA512
d89f6f209e271aa4b6cc3e285f3fa61e030f6b11f1d1ed9c899d1d9618c85f4a480de1ca18a75de274abad33c2ee850c44448bca4325756715425aec44b78580

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
bfac1908f6ff5b436740c0cc65ba4608

SHA1
1e11058796d12a57c14537146f7ecdffb080de98

SHA256
ffd4f2089b2ac058b37db6cbc9d94d5a24ed612153d6567ff3cdd2d1ef110df8

SHA512
f0300edf93e0bff04feeb5d1495f8a22b316c81313aee8ccbe9118f063452c911024ebd94d903a28b2fb4edcc22d92b25fdff08c4459c4fef046e9aa26b7bb8a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
33b1053c1c4dd260207ea890212d84aa

SHA1
787262871136facf210d9a8c7c9e6e9a7195e0d1

SHA256
757ba4e7f0abaaa5f51207686bad9fe90576ce2d06d5df288fdcda65c48e35ba

SHA512
771db0de09e35894038ab2e8902c04b0e35df64850e447248176acaaa4ae9c4031e171ae97b2b9df50a0bdd33b420aeaa44e031fbc47b13852db6e82a453a017

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
298cf4eaeafd45e8fc92c9a9310cffc1

SHA1
7cf403256ce3acc9afa34626c6be2726e590091b

SHA256
54500dab15423c30404285f386cd487a50bb245b6148ac5b6c1f596e8f9a2ffb

SHA512
db18ed47cf40be33af58a686c06c38bf9483dc36385dc5765b91c9c445c1c4070c9ba5a1d329cf939caa637324d0f6f4de94b9d0575b56837e28729411d21f1e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
da4f8ce6860b4c0b985e52d1b6b59733

SHA1
12c21f022e01baf458ec033e0ee8af15f57fd48b

SHA256
abdfbd8a8ea97c45ef85403b7230c6a0d5354238a1204a5d3ac5b2bd3ca29919

SHA512
007e849f2765476651c264fac05396b45f98587c9a7ed5bb7b1ae2c67155d523f0c5b6352bc8d0e3a903f7de00fd2c16df48d20dfde3bfbfb0599fb7965ed00a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
aaf7d951022a0419e0cf774085a375fa

SHA1
b812bdf8a4a7c23828d9d3af7d21e4cc7aeeb045

SHA256
8a7a902aaab9ab9b7797c1026ba53666db879cf47730d06462ceb70da8cf33d2

SHA512
527a9fffc2aa5f218b912c9e0bcb39e8f36a7ef6adb14cd19d83a112a76e81a2d852517036d38ff6d3aa248796bb057b878c9033fb9a0e72e99694b968336b3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7f0a42f19ebcb633c9d6fb457df012d8

SHA1
feba111c3aff56772eee9e894d76df998e6f6d99

SHA256
2deeba89154bd1b02c4172c9b1e658541391b4120ed728e55b7de73bb41de265

SHA512
5a8e79689d64a7e6c289b5c987109e31cae97b0c27b498b015117dc0d16cb9507831a241e4ef11bd5b77771bcba64806aaf730a9ada6ef1ccf6f9ad2040b35c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a9fae28b2d9249911d035a250589dc2d

SHA1
ecffca1909fdc6e61dcc1ab549aaa9ec15852b16

SHA256
b37974a2bc43782032c77b0d8442d21bd3f38c0f1da45be3bb8f359a0a9b1251

SHA512
4d0e6b36fe989c633660420a4da762e31777edd2cf3e428646646f988ac656f8800b821e4429f06b6615aacfcd728f85734dc2bf507f6dc1d8dfd60b9124edf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ba79a65bedca2fe2034892a34fc63b79

SHA1
ea753e99636a209b30ea3ef4dc54f621d4211e4f

SHA256
dd55e5524ea192a81aee782f10ca4ec3acc7be43938e747ce71b62978a23bfcf

SHA512
cde31a4c352138f1794e37cc40d339ef1d66959f050f827b576994dbd66bb84875fdb5da208835864ce5c362f271191afcce7d0e9a359003491ea64b100ad36a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f56073980b9d9657ad4ac72ae48e5717

SHA1
ab05e364121fe42b3b4d5c6d598fc8f73f804277

SHA256
b55ba06218cd89683a699c17cafb18fb10b665244b12f0d970ddac61ff397ca5

SHA512
c2c64436996dc24f8c91566b188d0081d247054bef026cd7b88499a4dc8ef72a23be7257506505643ed991bade213fe21b386ffa44ed2dd7233c4c9a16490481

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b7bfc139cadf6d6c8deda961f2adfc79

SHA1
b4bc5e7df48d8deb19aaf4b1b667d414cbb02504

SHA256
18a5d0b8a45b59cbd6f7c242051a066782e2ca67a6b072e4fc521151ee653c37

SHA512
ed7a42a95c8d48e881fe8c0e3bbf7ee29ea432aca23dcccdc86a948797bd7667a55de84bf06161796fa7cd2e3e0bcd9cbcf3017bbd6df122864b907b8b483f80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5de3f55851f3142443ea167d15f600a7

SHA1
e10c8d71e4058b4741e8339bc6534db9d6411041

SHA256
c46e2cb31ab2251432b296a26b1158199c8eece96403965e9eed55ce2f11a443

SHA512
2febfaf47d012179aecd3bd8d9f380af48c26afd2ef9008ddc24af00a1a9d34235c0e6a5916144adc8d366763da0482d9d75fd7ad9ca916fa2fcb172c37f11fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5ee4845480746c4db59dd1d7f5044c3a

SHA1
729857bb10c8bd3760c8a69986713438b2274f73

SHA256
36bfe956bef4b36045879c21b16a9c0f15ab3a7c7080a9ab98b68d0ffb1c5ded

SHA512
567fae179b8f7cc395ddd9247c58c93c1ad5b5c6eb412f169a64f879b4972e76210fa8f22acdea90bfb257c771859eeb121a72fdb0f99bb43e722ded8ca5b73e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5f532f8ed0f8e27c1fe303f95c47f89a

SHA1
36d3d5cf895ee562c7c5d186d87afe75d6525d2e

SHA256
a73b25fa954bc8d517064333b17d43322bb66f5e44bc5210090805cc3ec42daa

SHA512
3045215df0522104be2d5eeb41aeb379aaf45deb77f53ed956aa93d9c03f79b483efcf2bd05b3d82e965f9be1e02a26c5863c3c531a7c0f4b8540d4d24ef93ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5bf1f5a6c1cc9df0bee6295d3c05cffb

SHA1
e9dc0ae927822b9dd0ed836af6483365acb626ff

SHA256
84521f52f6925c124fe36456974c903c8603a4cd54536f5e6f65f01a677d093f

SHA512
ba160e5c57ed7a1547dc98bb48037a54c80cc55613fd0032a3f77502a06959aa78cc0b9709846cbcefb9df3dfebd96070390482820869cfc3fcac2f9f3b4db2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8a55011893182bb0b0f234577170e9a0

SHA1
3d58ede6140a27311cf2730fb1d6aae793b9ea77

SHA256
bc3b2a62e2774c9cd2516e19474a6edaa60384526532310b7d9844d69ee3bbc7

SHA512
4e12b11577fe496c093e2e6ad8dfa423c2750fece888638ff9cb6bcac53e9c2c4184a913bd6461f26bafacc20326caa50ad188b399d4aa02081a6f1467448964

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b63ad491a4ec4182a7fbf66d561029e6

SHA1
c07b6ea8c97015b25caf68b49a1aeefd07014278

SHA256
0dd186636a0f33fb48416744bef5e52252fedd72399ef5b90b306b9834934769

SHA512
4ef6ac07722f013792bedd2991d99d7da67f166002a0a916ef73ac456e49a31ab6f014c9e4b5b597b0935f708c54ebbd2f87f26790c00b376221cf6bae31123f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bfd5a12d03745dbc0aecc87d6a8b0aca

SHA1
825925d4f5635ac40821ae2aa8e125d3f98fa1a2

SHA256
0a5bc3e0da524dc2fb0740afd3ba74be591b4d44a8b5feb4356ee39bb127c049

SHA512
ca7b2204d01ec4e1b0d629cfd6b04e712afaaef25c31c4df796c7ade0534581cd514347299a8733ca7eee20af73f9c7c8da974df38e6938b5fe669810dd8b8d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ef2ce59cdbf5421313c594d07c01e485

SHA1
e0402704b978cd7cbb9f5f13b6fa6189a4666e8f

SHA256
2ce36802c71ed430f0457c0feeb6940ae8eb1bce8e0cd8150b937ed1bf655055

SHA512
e03c206e9dd00302ed176f8eaecd636a35c014b3dfd37d925851a92a09e2491cdf95dd6a75e4660bcc9fad9b73b63726dc674e9654854274488d99fc0be95fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
996df75946c16dcface3a6c0d3b73dd2

SHA1
edf506153bb56dd05b27906b4acd22786dad5f8e

SHA256
cc80012423a51e9020ee5b6dcc3c79e1591f4dd1df37509a2a4164caf2a4cfa8

SHA512
73c9485934374119df180627ac634872bd36bef263acfff98bcc5b3a36fc37df1b1d5be25a348e245d20f9eba16cee9a1578a2c32a6890bb9a056006ecc1c161

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7f0ad25a5cb35c82c883ae215f15f3f1

SHA1
868f46bc447cecdc5d8f036bfff8d1d1db2fb906

SHA256
a6c3143375086495ac8510c54b2c996a6240636be751eee46189ddb427768876

SHA512
57130be29726dcb323b75cb8d2e87ed0971911fc19bb2b78f2e6a8914b83e4c9a09e673353e9f789ceff7ec3b9cedc48e2791070cf819da224ca755af6512b0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
87532296f0e44b19794278b9f9b3956b

SHA1
50f37a3c4a5971a96bd2cb1e2c9a8af4eabb8571

SHA256
97c4ac11895e968b7c897a9a848587bd6ef50bd24bb4aa2ce902848a0352e4e3

SHA512
48a3d196ccedded44f4943941a0345b789d00e1c41529de483d4c5bde98f0a56bb7c12bbb5226375ddc5d81ee8b785538792bab6ed98329dbf5240818a84a363

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0cc5015be2f10bebeb98d9669eeba6eb

SHA1
d663e1c69841ab28c79b2279c516b7080975d3e9

SHA256
87a2490cb164b2d1e8d140ed78fb7798dbebb8b4a23c81c13ef9be2b365a7414

SHA512
30602a472e9ad6160b32cb9e39a6f14dc55b374f575de9115232ce80d99ae2a62151b282756403a930958feb5fac6d457406746d99dba4f32d688edd54d63b8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
eccb57d44270516a2ca9c0f8c791f736

SHA1
9e23f73edf11967b9e355c12e14c7706ac24c31c

SHA256
c65d4e1ee1c9a1ca1458e48c06af53fe6018ce210ff161957ffd422aaf6500ee

SHA512
2d59dcb34b2e9c9ef32f9d2c6398bb3befd16f9eb1d27ee77db17b1816bfa39f1c15bf73df93e6e15163afaa302d1e93b62774bd71798afcd3b13fa27ca91ed2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
1bbd439fc554ac4fde6c1cff3cb27a33

SHA1
4aeb0d64a4ef02280bcb07ef3a1a73ed73db657a

SHA256
968b305c7fcde79f2f8d4b5802c79ddb6ddd4b4842a56d99d57112bf75ad5113

SHA512
0207065035b0b9c0b6ca7f4f51f200f9ac4ad34ee1a58d2d724af079026be8fdf478d8189f82aec39b2beece02bd8b056642c9230c3766b8f62555192db4bd0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
db6b71c695863bc8bf557579e9110896

SHA1
c1f6dc28cb9928b132ce371c4436a0726b7b5463

SHA256
a0e5647ca90be3c509677f643e34cba4a302caf24e0a18eb6917d0249f6e2269

SHA512
cfa6463379bf23be1ca96174cbc791553b7f2eff500e3c1ffdb1c1bafc4c935d3204de4e259f075a574967907b67b9d506e5576fc79837db126ff52210ff1311

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
74c3b5d509ca03248e7fee1c30e847f5

SHA1
6f2b50cb4585ee0d92be83e4943060e98e2d7be7

SHA256
db1248dfa9f17c65628bab7503f0ac0cc07c2576ab06d3988ea7759962db57d4

SHA512
3de9696e4a4042323ad04c7fc07f99984856256cf2fe84ee0d72db120abbf879a801a842da3ab9c14a9db35e3da4e2f8354b2283a024f9628f542e53d0d5f3dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
a43d681687d85c67a00ab4d31b215ec9

SHA1
8dce967096ee74a3a9b8bf3c0885c1f4ae803109

SHA256
0a0af1f61bb3247af3a717e08e27617c06e5e55c692b448dfd953c9bd27546f3

SHA512
9410839e07d6f7cd51c0f9c8bab99ef65de03f4036afd1cb919364390f1623bbf9bb7ccf0d8822ad7d0a414a18fcecbf1024ecf596571592f4e3d4a584d4ef69

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
159eb3ef7b0cd71a92960f49e5390d21

SHA1
7a71062e1be9b7969d52e72c676138892f51976d

SHA256
1bad761a6bcf61bbd12aa18071aa9098ddde32879062239eec2c9f8d459ab743

SHA512
f294d2c9f5d220f0911854d87b547fb05b634957e7711be89f9c9d7344c7cfaf997ac58ac1a8b54a1767cd3770eed5de901c96baba96a62ee016f69345b5155c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f0053f9f741f82a9e360554c96cd6093

SHA1
feef3bee9dd343641fff9e4e883af818f55d5f73

SHA256
6970cc0a01cf3d32d7bdda64b42e61b1dc603fd6f0bdaaf5b40f7c40bc1f5021

SHA512
0c89d1e949823e196576a49a972dbbeb940cf84bc3e8cebcb9c4aa5152b85fb1c84559fc18bb27cfd18eab89c95eb5132910697e9f51dfbb0c828779e68cb930

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7475513ed454917c5e40e8da16dd547b

SHA1
7f1ba1d632bfef1ba41e915e4e9add31589d92c7

SHA256
5c36e823b3ca911f93b7a303ce43cb792c050b6555cbd17fb78bb1403e44bfd5

SHA512
89b329fd2585c98e26da9a4b1c713728afb180b63a4ae1031a16d99ca88156a99bae3893e06d631d69fb5906e01c5ec36d63d3106ab73b7a94daa529245ec714

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fbfa415a8b7cad04ad84bc78c711b163

SHA1
d61332c2740645804e3a33407a83b49fe9a1abb8

SHA256
de28c38673d093fcfca435950a12cfc3572704aef96c37852214b31d77334ba5

SHA512
89f52cc3f6cafda0c6fff2856e2f15769f0ac9c39e36dcee62f60c658ff93eceb8a7a5d4d77d3015ab168cee50391dc2001d50922806f52399f514177826fa5b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8f3c89945fabb9e2846774f23d5f314e

SHA1
6f043ed1be47b0b972b211e31ddf46799814eb85

SHA256
b32339f610f7b4e5e85fe880165d2a826d4c4567b860b77c4f436850141f0a24

SHA512
b0c059953459ee5842ce9d7bec8916d0f1d169764e5e7c0bb2e0ea2fe415094e5c13a596c783747cd25d75100c9bdaae8bfefe34c554482db767ba65a8d78653

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6ee4bcd5fa88f87bbe9a7c27e18b7219

SHA1
70bd7756ade47c56347559a24040e971c54b75d9

SHA256
30fc413d476efccf5f45af96ffa706249e9fd96719d1a33ca7fa46a9e40f5b5b

SHA512
c32175612571da36ea775e11da608cf42217697d18fc4b027d36d979b257e8581adb83630648eb4ed17291ecc55af02e11884396c966c7a52cf9f9b2d54ec8fe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c4e74665df9d8dd38b5612bcf0aaae9e

SHA1
1d36288f81640194b916f93f5400d8b59594eb4f

SHA256
f6be19503350c00743046d49e6088d09ec69173dadd79f575036ef1ad67d5e79

SHA512
5e228d4b8dcfe05c3d8b1ba36a85eab7e15952cbd3924cb1bd7e7bd79b140072888afd435dc382d71a27c36f4284133758d6b6ac9aefafde9db9a9bc2b81b3b9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
40aea13a6321722da01221ea1873ebbb

SHA1
f42f7e149999cafc5905d5892258b8270e62dcb9

SHA256
3703b9cb73c44c52b62c21e8e610161cd40c39172f03698cb3bcac64ccc2bcd0

SHA512
27029f04cae33426cd0740d2d446a3e297c79888e27b8fc0613b09cbf57c241a195d698e5817d637d3ebbd2c2b4d4a8647045124a51104d4658368d9580d63fa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
09412a6305c959a05d41d6d6052fa4d7

SHA1
150e21feea037fadfa09fb0c2a5adccc5a29348d

SHA256
0a0fac7fb54990959798cabe4ff1cdecf81d7172847ae215fa767a49d53f59ae

SHA512
2811810a2b41057e8eefdd3cc47e273d25f3239e5e19352d3bc99920002a3f294bd3d64574a047d8e66836a3b1357f8620f04361e3ea9c2f3d9b648347d75fac

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
743bb4c992ad325a9b9cf066c2738731

SHA1
46166aa6e76b15fd21baa0171670ebbfd987bb18

SHA256
881e3db79c1d32a968ee739ec545ac5b41e21c36404d26c09f367fa031840d97

SHA512
980aa71cd0ea821ff47d5b09277c0376487a5ff7672290012f7bff316224793d2eed323fcc31176f831dc675ca83ef552fe9b1b8216be04911f2bc70974abc98

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1a7a70dea13ada176124bd82b76bcdb4

SHA1
b861494d75f3133e16c640f62759f1e2f1bdc7ff

SHA256
bf1acea299467bf27549cff6e8f816ff948675b7b687b0e6c1eaea0c42e8d323

SHA512
2ad7c1f46f07de93e462ed7f31b5e40ce157a9f1a8712435d478e23073a78890835ad6da64846b255f33fe707d48778ea220b8654e9d3467a4c752341134d2f3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9406cfe322444c13ad871f0798d32ba0

SHA1
1c2ef77e09c0edee0e9173b9a138197dd9f75938

SHA256
68098208d3e2c8434ab5637ddfe47db3d6b66301f696179348fb53a372e80699

SHA512
0e1f9a8ddc7a4206b1cf6d9f76beb284626c2e6ad6db8e36bdacddb5eda81b953026f29fccf49391349d6668b4597d4d1c0649567ed7b382931082c6803e80c4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a0af5f3f3c3480f753679b92b63d109d

SHA1
0bd752c0b64b2878cf31736cccb0881078de75f4

SHA256
cbf2f4489f9f70472c44e5287d084aca911a59a6d2f41fd5972b726a0db9b5fa

SHA512
2539921b15f361c189356b253d231e54281e7eaedd624d383d41e2c5412bfd7e16bc64c45a10cc4ed13c40a8f5c8ebf67f2355a97f6dee9c1281d51dd1e6776b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5f2359c06172796706730bb8abf636dc

SHA1
0a9a3169fa095383816e8f66b7ff449a4136a355

SHA256
53a9b1cca6729ad71f025b8017eeb489961b7f88c69d8cbc79613c3a6ce9ad74

SHA512
c0d78e2a40f0960afae5971a9cd91bb37418ca8d5b678b7f9a16627ba9189f181349246a260ff11cf9e2d50faa6c2bfbf84ceeb20a1d93e3bbc7e1774e410ae3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b76e2d3dd79701a6574d870408ec274f

SHA1
04559958e01ef02390cd5b9e26400564ce5138d4

SHA256
4f7da17aedcda2321db11fee78ad2c6d03db2285183450de26dd8a7097e98e0b

SHA512
9a9cf3c418a82f0f9e2d079db150c851f15ae96066d942ba5622c4490c8779a85c256215c1d1010a10d9cb8a596caf0d47bc67853fa2abb75fc50166955c4fab

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8bbfd740963ec10df278d8a22c7e97fe

SHA1
6643b7f50b42865e03193fde3ce1aebd89f1de55

SHA256
92b3281795f951ec0bf86e3017c4494fe7bb112bb881b4551498bfd9dcc1d60d

SHA512
9fe71e21d6bc1da40afdb23c94e6ad1c02b6024c616f9209b9e74fcff2d9a8e1af3788e3988c6c82360ecdce2ab7a03e8d07224f063706340b193bfdbc42a3fd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
19b9387c7b173e3bc5d012c66227f5e4

SHA1
eab34fab4d84a9e58a3996c4eb67f13658f29944

SHA256
55150f98efdeaf2276f57fdec7a466fcc6ebf0e74c486ba7659d1a0616906846

SHA512
63f3076e8aec3546968f0a5d86db6e4d32baee98ad27efad5b95e1839b612a25b39213ece0ccdbf9bae0c61c4fa5b00aafc96d1a63919d591353fb4d85ef833d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1804c8cdb15a40c0a166c287658004a3

SHA1
81026d2ab751c32cc1ab550afb7a6f594ccc5728

SHA256
2bb346e09d35d26bc710fa26ca11ec6fab577662051108aedf41c1a2261e087c

SHA512
e31845b935938b560a7cf68b690d46e75eec6b18a286f5e19e92205a55a2b451ef7795fa9ac52b4a1eb6f7d733ddafa08733f69402462b89f01e17142d1591c3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e5215df3cb89483086948d9bf9b80f35

SHA1
a53c230538750e82d6c0aab26b840a4a15051a43

SHA256
44934d46a65302508303f736a3ebd1113003b27ea83b45e12360c01860854710

SHA512
88eea77abb5772e6c19fc2bdff8b53a30bb86bf73cd5a31254d4476909afdbd13fd464f406e4fcac0f1b65a92602e0f2b11e56bb20849a3b7900b8f8ca83e246

Download Submit
memory/324-625-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/324-348-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1196-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1196-252-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1196-275-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1636-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1636-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1676-626-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1676-360-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2088-410-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2088-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2928-385-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2928-263-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2944-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2944-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2944-624-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3128-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3128-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3128-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3128-235-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3160-310-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3160-421-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3504-240-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3504-241-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3504-247-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3504-359-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3784-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3784-371-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3996-386-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3996-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4296-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4296-621-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4360-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4360-443-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4480-232-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4480-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4480-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4480-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4648-278-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4648-397-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4756-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4756-58-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4756-51-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4756-57-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4756-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4912-23-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4912-0-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4912-7-0x00000000021E0000-0x0000000002246000-memory.dmp

Filesize
408KB

Download
memory/4912-1-0x00000000021E0000-0x0000000002246000-memory.dmp

Filesize
408KB

Download
memory/4912-6-0x00000000021E0000-0x0000000002246000-memory.dmp

Filesize
408KB

Download
memory/4936-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4936-409-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4948-588-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4948-325-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4956-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4956-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4956-14-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4956-24-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4996-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4996-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4996-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4996-231-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5100-422-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5100-632-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download