cfb58dd92ec70cadf179241ac0b60cd145cc87d5be7ea99c6defd76764363a8f

Analysis

max time kernel
116s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aff06fba8bf60c196a95600e6831300N.exe
Size

1017KB
MD5

0aff06fba8bf60c196a95600e6831300
SHA1

21a3fe64be6f7d20bd4e76457d044412310b2feb
SHA256

cfb58dd92ec70cadf179241ac0b60cd145cc87d5be7ea99c6defd76764363a8f
SHA512

2e503028ce3dd90e2b26e65b745f3c524f3e07f7678fe4ef6679570dc44c1732d724f1fae6c5e03ea4929ebc1836b47cc9854f8e5010abc8862f77f82f8d52f6
SSDEEP

24576:M2lmh4RKF6dlcOdPQpkuwGLitb7IfbQTy:M2Mh4RK6lFQeuwRh7IfbQT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
3736	alg.exe
4348	elevation_service.exe
1376	elevation_service.exe
4140	maintenanceservice.exe
1316	OSE.EXE
1612	fxssvc.exe
3476	msdtc.exe
4580	PerceptionSimulationService.exe
3704	perfhost.exe
4056	locator.exe
4244	SensorDataService.exe
556	snmptrap.exe
4900	spectrum.exe
3884	ssh-agent.exe
4500	TieringEngineService.exe
5068	AgentService.exe
4652	vds.exe
4484	vssvc.exe
1868	wbengine.exe
1944	WmiApSrv.exe
4428	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0aff06fba8bf60c196a95600e6831300N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0aff06fba8bf60c196a95600e6831300N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5a8458a96003136b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	0aff06fba8bf60c196a95600e6831300N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0aff06fba8bf60c196a95600e6831300N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80203\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f755c90a7adcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e3e130b7adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9e1940a7adcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f44970a7adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024748a0b7adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000708fe30a7adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000578e020b7adcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4b4090b7adcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4348	elevation_service.exe
4348	elevation_service.exe
4348	elevation_service.exe
4348	elevation_service.exe
4348	elevation_service.exe
4348	elevation_service.exe
4348	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	672	0aff06fba8bf60c196a95600e6831300N.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeTakeOwnershipPrivilege	4348	elevation_service.exe
Token: SeAuditPrivilege	1612	fxssvc.exe
Token: SeRestorePrivilege	4500	TieringEngineService.exe
Token: SeManageVolumePrivilege	4500	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5068	AgentService.exe
Token: SeBackupPrivilege	4484	vssvc.exe
Token: SeRestorePrivilege	4484	vssvc.exe
Token: SeAuditPrivilege	4484	vssvc.exe
Token: SeBackupPrivilege	1868	wbengine.exe
Token: SeRestorePrivilege	1868	wbengine.exe
Token: SeSecurityPrivilege	1868	wbengine.exe
Token: 33	4428	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4428	SearchIndexer.exe
Token: SeDebugPrivilege	4348	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
672	0aff06fba8bf60c196a95600e6831300N.exe
672	0aff06fba8bf60c196a95600e6831300N.exe
672	0aff06fba8bf60c196a95600e6831300N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 1536	4428	SearchIndexer.exe	132
PID 4428 wrote to memory of 1536	4428	SearchIndexer.exe	132
PID 4428 wrote to memory of 2924	4428	SearchIndexer.exe	133
PID 4428 wrote to memory of 2924	4428	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0aff06fba8bf60c196a95600e6831300N.exe
"C:\Users\Admin\AppData\Local\Temp\0aff06fba8bf60c196a95600e6831300N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4140

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3936

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3704

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4244

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4900

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5000

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1536
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c295e60306f9ca998f1dc2f6ecc10e8d

SHA1
c611ee2f5635670ec50a66ae2508e9a7d6d0faf5

SHA256
9e8575530f392e6629ee40b9b30cde47c586d5394954337f554f3378c3b3359b

SHA512
1b113911eb2994dc9aea4b8e095172e940cff5c6350704b6fc79656d07cfaeb82e686819a63c55efeaca17407093e21f7057515668dd85adb34819b0856e8782

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
a9bebf3d120ed30526ef3ab1412dab90

SHA1
a78d95d2be6cc2c087afc0d66a42c0d78bd7614f

SHA256
6207c552b0ccb4c0fb824c0fa179525377f8555be405ea841320686eef07648c

SHA512
4e15193db228358f65b6bcbbcea911d442f8e01eaffee67b0c7ace16081c65fcfbf869f265a0776879d3b8b4a427f9ce925bbe7bdcb49e15245d55cb75f58d67

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
af5f96e60ceb7972627ecf4073e8fdac

SHA1
d57042dcb6e2c8ad6730fe0e59a4422945d20cfa

SHA256
943f33286fe206ba1a0f437342e787416b23dea12493a5e16ce77583ba82004b

SHA512
7477e7b0e5af016e1c8aecc0a3f6735114b2da4a7afb9cca0977950b05dfd9083a724b31f2ecbb218d3457bd2ee4878e50e8205e38d6c54b3afe9b3ef0ec618f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d8181a36c81d8bcf079e6a6a17eddf8e

SHA1
58df81ffe0720adb06732511a79de5c4121975b8

SHA256
4cee23399d7f2be71b771274b8fa622ecaf75a615189253659e7782341641fec

SHA512
0756318da564e5fcd0e8b4492c20d949c5baaa8e9f2bc4511f25096b37e4be8906d23207c4a902069f87bc93a3bcd309836aefcec3f38a26098dd5446b227111

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d68d96624517db95a4528df08dbc4a4d

SHA1
8504eebe8a3382835ec24409ad3958e3c5ea9622

SHA256
8732206597ef9576289c3fa8e2e99d33c960314069706ed50e8e95f63b0b57a0

SHA512
89bf66c379c496a19615cca5fc7543a7179e5cb4df433c1d60f64135d5aa086bedcef6ce5de7ebb75f0e7722a79a9c3e5e263f13ad6b69273efdc4d2d674d164

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e77a81a3612a4e90b4ad415a7f123188

SHA1
56bac390f59afab23b475753f493d73b9536ded9

SHA256
48051abcd3fcc2119e53630aeec63617090db4a0199b881c3c747561d219b6b3

SHA512
80916761b9c475156cbc0abb06b356ad9d69242adc4c875f745a6b2d820a6eadf6409eba22f8ce2d3419e40911a5bbdd3c48b570455cba71babb3cfb261e12ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
92f4e07a67209ef3ecc939a447f77037

SHA1
7297685f3120e59f671ddbac27cf91469c1fcd42

SHA256
d8ca0f2804e3426f9fd9c223d201660a6ca670b065a03c4e30de040b847504d3

SHA512
e5f85699d4a09673908bbc21f32f6c4b1b31813d3af73d7d6a5111f97a83904f103420bd7a76ac23d3161a90f1d569695c2da46c60b979353b1da71d80998453

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
275c6efbd69b4cf6d76a3c51e2b8f88c

SHA1
2ea2c8d6bf112b4d5af1b4a2514c8b822dceaebb

SHA256
77063e23ed71f192de6d03eb8c9b5f6fbd562c705b712c1e415a026a2df39404

SHA512
556f945f32379f3ad4d2a14b948464ff9459e9985c9318a3894023d37a19c58a7a73635658ea67c6c4f37f16fe9b48b3d62d62478051fdc64531dd81d0ebf959

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f14acf482ce2b655ccdb30275d751c52

SHA1
074c34ba6e08d876d7eca536e6d48204e8bfd7f3

SHA256
54201f70238cf9b1e0b8998f0bbe97163943bb30308459a829b6499c28aa6ca1

SHA512
8941f2b760d116570102b01da6e9639838388fa44d428ba4e58299720438d9bdb37c31c22d3038e6f39546aadcfa947c11f979148012360ef72fc1d46e6fa438

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f9a88d8cc51918b99a91d026ee777142

SHA1
9600c6caaee09c3903f662ef94bd1fc2caf0ef28

SHA256
ef7a8c52671fbfbe955c68f71d3278a8efcf06a05db2944b4f8d0cbcd1f1f796

SHA512
13d6f82c9919a6487e9eb363e53fee4695435c46bd36494f3d0a4a89228be6d9434589e823e0a0e2f3ea1fce2cdc5059756a3ec4e048e428ffc0ef74db90ee05

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3244f856acf619525a8a9b762680360b

SHA1
06d36280c087864abe8700f8e3e06e700d64b3df

SHA256
d894916ff01377022c614a75a59b14aa646287f09a59f9d20dbe38aed3272f5e

SHA512
23229c05cbd937238c78cf1cfafaf79b7217874a4e7c3aebd2f1a691ec19768edd2da9609cc5e05efd115773f34888bca97da63d3d38d475146f5e2b787ad1c0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8dd4bf7b2aac35de29686adad619d6c6

SHA1
3d66daa40ca6b1530b344ec92288f1aaad615bc2

SHA256
03d7192d302dd123d92629c9ae14deaa67664ba0cb7b8812a907f94881363d98

SHA512
271201c3158e253b2a09547681fd8ea1243ce47be94bdfbd47b814c47f2432440099ec02fd8349f095a6b0d15771a0ed26c7ac3ce9326ece85bf3d2e9366e531

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ec40a35fa358859fc003f1dfbd612cc9

SHA1
173bd3e100ac2242f566270d21641d241c898b1d

SHA256
e158fe0a601ccbfa58b80266b9df43a339de9fa559996b6b708247f5c615deed

SHA512
d27f4d2c13dc519e6bac1963ee06c4d42571c02306b7077a2abce1a87858ad41a71e5da470ca92a3a9e6c9d0d63c06e85fcada61bb2fbc3fc13145341d9f313d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
19ca86206afa783eae5c9bd6472fb150

SHA1
29dff337595a06909c56558ab4e59a17e8d4c1d9

SHA256
782fd9ea4012c1a52118a62609e2508af950e3f72d504ffe7c4458f184b5a592

SHA512
9a67bdeebd17ba814c05b2e475dc606a6fa7c92c62ec5d775657fd7aa96677ed387648e4f733938aff40ebf3f2a638b7657a28eb7ae4e6ff6b0094a35699ce0b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d76d8835ea09aef544f643df838315b5

SHA1
4bf9492e506440b82d9242300de39497ba8f5345

SHA256
63667771738a9376f35cb691d31d7e94fc1ee4f4fb4be097e205e347c0803590

SHA512
5c2b371e2fc1a3f9f09b48ef1f060227786fccc66690934f5a1a8939fe50416f8ecb7750c803b3a86bee61268fe7d3c8cef43326f4ded5129ec6f799c8f6b92c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
cc6ca17d3d5624c5698ea64834eb1c70

SHA1
f28a52a62985d5fbbe2a10672e97b673c9b77b5c

SHA256
b83ddcc68006382255a832ddccac038aa04f51ba46b4755b80bb74b3cbc802cf

SHA512
9586c89379dce6362a76eb426229c1a8bdd0c900580d064a54888afd69f749e3ba6727bf685bc68c000a53661da2a52a304692d1949013b0f3916b2167cca4d9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5390a25ada32944fdf431073fadc1bd6

SHA1
10c69c5e17c447c2679e4ea251143518682e963e

SHA256
ddfdd91963318f6cc099246b00693d185aeb7968db379f4518068a9ecd662fed

SHA512
bb22a90112057b211aef498f7e9d7097067210a8d2444a781444472037f76f0ea313ce38dcd8390a5eca9c3afe6f7012d9c409929e037698d1df6e749f16ccef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
d76b08844d299b41e85e9fba4e952253

SHA1
8afcd915438837f8d596bf536c0e8f3c6917227d

SHA256
1a59b80df62d4146818fe25e8e8e362b6720d50e2ebc9e918b97002f31ba5be6

SHA512
fdbbdf05b27ae872e632d2987db3dda8d09357ef000ca24e31f96fefb069aa4d6ee939069cbc8d6e8a7337c70259903faad1a72178880f8e8d5cda78db022e4a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
85ff83db24cc6618e843a970c53793bb

SHA1
c20aa8bf3b617953ecbd0977956710c2a3426a57

SHA256
40955f19ce6ecfed31d4bc8e51b431165e58fa13b27c88767e62cc31ccaa4391

SHA512
9818f5d9d11e158c994cb5facb2fbe5ea09fa8737d9649436d2175d3b04373a01858f16873cb024b6c4717c96cec986c7491c32113fbd0de1d7eacbb0b44146a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fef925fd24db7d34aee09c5827603db4

SHA1
c23d82b412f30c57e95b37e754c79c0718d2a9f1

SHA256
234e0a7f2a82dd677ead1cf55c133deb4f23e7445765c0fc80e7e04d079053b8

SHA512
9a8e6eb37fc80325dba7a12c9052187821920ceec49e354ca469f91becb62021269215631de1ceabbb42500e37bab3360807bdea685848dc5f94e62fef7d1478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1815c2f208a0d82be74309859aad6b25

SHA1
49004d400a51ea16c4260342aaa67b02a5f11aff

SHA256
f2a935bac41f19d7c92b12a51f942a3f385c8bf15242334b7c820aadfe4869db

SHA512
4977a13b32704b7d91e3fcb62c6f0a1d339978ce73ab060f5b7a5e32c415b7fec962dd5e23f3313e7db98696ffe36c8cfc3ab54dc23b52855a56702914c86ec4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
73a140c26b27948f6dc42687c3741b99

SHA1
f81f9c620410bdc1054d8b64e1f1d17fdecaa780

SHA256
957a56a5c30a5792f85b1008301f369f7d22da5f1b93d58f5fe961b5aa52631f

SHA512
7c9cc1fd484bbb088fac47d88bef2f54735c5de9a27c2b36b58f7339295e336a3ea6a0281ab013c3b8be4a856b8fdcc253d28351533d06432255b002e298116e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
857b0826bd83dfe377c6ca1d640893ab

SHA1
ca69beb6b5c91b152e5288c0baef74b4e0605221

SHA256
75104bcd9d5a9101aa0bdf5b4378e14bcc93dbd50dd614e86f85b0fb300855bf

SHA512
b4eb041663af0db6e5732b41db79e149b7882b94774f12d95815ce0a0eb5a2ee6903e797ef5980f9f7af22884a3510dcf8f2ade828676984b2eb764d44ca5229

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6b1f9ab7ebc2fdd3889a6005f4302b73

SHA1
a5ae076b33894c47333092e768c92580234a5a4d

SHA256
92b9fbf42b14ce991c18908ac7ae800cb8a721862a01db59323afa42bff2fd44

SHA512
e631f8c635d22e882dc0262305095cbc7cd8670473ccabc9109c48e3b382a1f7fe6ef173ed8c3ed1f31d94d12b856961f66c692808ae0b24967f466ec4f101bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
82ae88ff0b64717e88ebd3d14cfd3e17

SHA1
6578f62385d0402b15f1ae4f6a44783c56cf52c7

SHA256
b24aa0f64db651c99de891eb82c2e838b06feeb70eb11c2e23305ca96ad4eb8d

SHA512
0b7c711925c66288f89c30a5b252d503d022643c1bef0116350537dfa79c5422e8961ffe50142c908e26d7e62c8b9d2d45b69a29f426e7525b617a5569d8074e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e4019bcc4b301cfeec84b03fecca19ff

SHA1
7cdb07055d138f96c48fa8284a923b10a37dbabf

SHA256
ecf09e931089f1b323b0d87110ef965f583020ebdbcdca7636a6dc32479d2140

SHA512
e3a63d724d68961df7f13cff6bbf0d796808c48b9a4db55e005747ba63ecbea954aa26bfac97c600e6eed10aff6ae945e794622b73ff839b16c43f9f0af1100a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
efca7fd24dff71b4b153fcb709b0316b

SHA1
fa7da82563ab6701c870d8a426d32ec0037c7770

SHA256
1344bd3339efa9d9b30ae5f220fa4b0ac14cf2921593ed4330aa533df294230d

SHA512
f5400d64830f7de4dc1213c9ece32e7bcc9782e962cf90e514b77608cd5edf73e1d5add114a7c57c8ff55f5dcf72df517c3e30a4a1d5828dd9f3bd3bfd65e3f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bf07eb61aa400cba31b138414f149bac

SHA1
e707d969936d88ba59083feca842cd74ccfb8653

SHA256
2ae826e408d6454335499103b4b3bf3a36cd00a65b7b792a8228219e08416c36

SHA512
8fb886f58ffa84c4ccc03bcff87478e5e38346f81456889639c8cef54fb2fb6d82d655c45fe4c064a8a6bafd26373d2f7151b715d2da333e29130182319f19f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
18e5bec31e57aa1bb12b8c6f8bd4f902

SHA1
4abffae68949ee9874adc71b18457a2efa195647

SHA256
02ad0fcab3c1fecbaf6ebb9ac9783e9b74111cf657fbf9ecb807b218f5d67181

SHA512
ec34e805e8496cb3303b392428f8089c7aa5e3c81051dfdc50b62db4ab78c850ba836d08e480c752e41cd6f60af90f22cefdb44ac291931523a599add8a5d2b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
33e9291428b0dda685ee05d127a39cca

SHA1
c81a1fb1bb3bbcade4a114e04b27d4537a33664b

SHA256
d0799052d1e47f88cf410939e8ef89ea413114ff68f8d2c8045f6955825f130b

SHA512
a7295bb1b35f9637e6a14b72d135bbf9b17ea08531d515c35802730adb35bcc4f44fcdbce71a0097f73eedf43cdc42db3e17b06b7681463530cbb8f1821ad606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
36a5e96c31a8e7a915ad5e29a4786d62

SHA1
64cad6f25da21c7bd39fa808a9e96098684c9aa5

SHA256
0a18ce7881767aba26c26ebd2cbe48d8432c30e1cdfbfd58b761dd0382add8e9

SHA512
b2e49898df934532fbf566dd92106a1a0d5c51b473b0ed0805efc963beaf90db4411cfb55e66f9a1de91ee225e9af58203145fde8c969fb2b35c79eb3dc85018

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7dbbcc6fbb52d15c18cf4d3ebf08c965

SHA1
9b6cc5475b730488e049075072adceaff1fd757a

SHA256
58402e603c10c2c62dd68efc4371cba52a362918201b01258d3e18bb95e9bf9b

SHA512
6340012e964d2c980ac1c8ed6f63fcf20d160825708dd956949de2d7aa02d2785a858d3d6b20c476eb69484d0fb260ccf3d0fc16e1b4de49a6d0778a2c12b8ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1038738a2974f81795d7fed864b43c78

SHA1
74d620788a183ca37df80fd8020868535e4346b5

SHA256
c146090c1ecd42c8743b66827d9761207dbd1bc740397dc07651c9ccd9bfe298

SHA512
aa88f019a5751c89193278c8e508a818219b720ca4af34aafe8fe5fd519103d386e967462071eeb36098ff08019c39204d8b5f20b6fcab820249235ad03da1ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
436078a85a0b87d6f2ffecca28c485ae

SHA1
3f33eae8a7fcb503954182956f6e3d8cf1c0ecbc

SHA256
89910e6d03b07a70b541d2348418372d5b3b17229228b9c0a67745ff1b9175ca

SHA512
396f4d69d365615cba3c02f39c4f76ab74cf7b76cfefcc897526320bb9729ed87574df9413dea8102d598fb7d9d4508b1a33f20a2cdf17aace91eaddad45cd47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7f4084a220840b9a793d56c89c4f6a47

SHA1
be8577652c53c000707d4684400f5e3e9ce4b8d4

SHA256
c46badefcf8b5aba45457eb48710f49732ffc89f933938a39b773ec28b161e1f

SHA512
b4fc6cec371db8f7e128c65a9fdebe0750f0dfdf40c834e2796b6d1e8c39e3d33ba90e716a636344daa6985cdabe6c567467d5d2b1d48ec5ef829b7c32966db5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
96a3c666ccd748dd7d35ab752de90228

SHA1
a6fecef3048bfcd95b5cc94e6e3a6cb5ee1fee92

SHA256
8cb322e76295edef623c637633eed6731265b88ac9e0db738b86551faca4c71f

SHA512
18cc642643600dc17001fa2c9bbaab7dfd95645565fc9ec4a206f079f4efc3a69e06a011459c8a8d6e4b5d7e930fea9e459f3f05e3c2aec09a992af5db1f845d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
fe8234943bafd4d4338d201519bdca43

SHA1
7d3c91a29c4e209e7c8f4d6267b833a1c84af9b3

SHA256
34dd7f7220b951d4040c9f594de9088e5139bc3652fef258291dfb8b5debd892

SHA512
3ec2168f3dc082fe4e80305e2a458a6e63144e14fb0e93851f76156b0b14a4483e72ccbd3509c309b4c6d96a67051dffdc78e4ba86fd623c40629e6b39f8bf6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
eab263341efe0b7eafea6e695375194d

SHA1
00ea0b4abde092d00e304b896bcdf15782ed929a

SHA256
2e65f7f0e4e49affcbbed5d9f702ad068bb90f2fdf912a577a2c7fb5b4f82c5f

SHA512
76e193dc754aaf586997a3dc051931c82c08c8c3b475a0095913a5af17f89b4377143d49bd311fc03540a1ce2473dd42166b154ab096e5d454ca6b2913272fcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
d48481261126bd9aa6785432b626a328

SHA1
a4d921ab89c2019faab81e8150086a3b726fdb67

SHA256
262e758d8f88296deb6647517aa2db035283bdb349bd2ee52b254bf5b9f8d6f9

SHA512
f6c6607102a05aa9c18875c3c7f0953f38750027c82cbe89cd1c38ee8a75b054824695c46a92dfe8af62f6115927dd40f1203b3fe2d2de465a7b1b8dd3d9abe3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
bbd056d1aedd743a357ca7d3b51e1c38

SHA1
15bf3b107ef142da9d11bf3fa6be916e2cb3c7a3

SHA256
44ca5cb2a80d43e85d482d0210560519f9f66c7e27a25dab0c6498a3193c8929

SHA512
f73ec44cdbd1f4d7e89eb357fffabda99c6827b5a58f077e5e81f4f4f8353dd8fe69c1861331ad152a5541bbfe0762ce1e2d3f58ab9fd72a9049c6b079dc919d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
1dd43c17b38e2d59520a4378c04679ad

SHA1
5a48293e783f361c938ce6c1ceca31fe5cf42d72

SHA256
5c2fb258733bab2e939e655d3520637dbb9afa0ab188165bf12bc94a94d389f5

SHA512
b3b5a288a934068e5ea5b552cf195addcb54c3ce96ec9cf279772d82c295ad8ac3dfebbfe8f994cdf714536253cf71c71e6b1fc444ddd1b1af39595666c9448b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
faab860368ad0a28d42fc5d6574362cd

SHA1
fb32db907e6bddf8504001d2d122e9338dd2a232

SHA256
5f00f048df624288bf1efe125ee47bcb69190ce5e77bd5f8102c5a779f5167e4

SHA512
027d6330c25edda9aaab5728d483812f62aae0580258da4cc0ac7271b1818a791166c433f7f5a0b0fb891fb2ac28fe4423dff92b2933861e0a378afaf3ce683c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0a738f3cb14c3d245e6f7bf4e49072dc

SHA1
acfbc8260b29cbeaca0af516a19421a7aeeda009

SHA256
eb35dd3084220486c3cd93b23c2b2f9b7e7a2aba79fe8ef05213038fecd4f716

SHA512
fd2781d7f95379b83afa7104f8f2b803e500f4af0198c598c30e1f03c05d1cedd2d303ced7d6edfc6c93fb0cc965b78c5b5bc5ac090b6f4fd8b19ad92652bc2e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ff24df19deade8a787508f7f4c5cb389

SHA1
263efdc5bc092f1ac7763318bef3a1e5af297e48

SHA256
128902211a6efce95287c59d7648fbe619a662dc34bacc04c11a1d13970e73ea

SHA512
96ca97b4a22cd39e222a7e815e8408ea43c38039af1c7d9f32b9ca3b7eb7bbe685f8f362d667ae8b829004b54b1823c0c641ee66ce5204e708f4c27c903f9fbc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
162cb854a2fde7629ebc5cc2c95691c2

SHA1
12ad0d8bea538ca57aa39d748c5237f2b063375d

SHA256
188d24c5c6d5d2d6778af79f236eda9aef2366adbd15ea285875d227a7e1dd27

SHA512
d6aca6acf4e52a6d82270f5055ae7882e63ec399db1fc0ffa159f0d79746acbf1b8f2666b5667fc8f62f00538b17fccb700378ccc687c9e020373fa26b645579

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
88d859a855f8efa1330902a2571c65b7

SHA1
3b526d3635588046a791c9c17e14f9be1a3ddaaf

SHA256
3b7643004e794b81b6379e26f2fe01789096893c2d3a27446135cc5c13899d8a

SHA512
ea9ff4da5fa1276385e03676d87bf2e108b570a2bce5f47acf976f677dc0b80ca3676d3d7aa2ee365f580e116a987489b9862f2d338f3b0bd9eb8ac94872c000

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
866863923ceff4f3f67a1575548fc9c0

SHA1
6aaa904a19341ca9899c342e43a78ba5aeff0207

SHA256
def7f8b451d76f38c8d36a8da771edb82bd64c52f4cf6840576abf15eb24ac4d

SHA512
b877a6dbb846f08b7bfc387ce1cc99df1573df074f81a20bc1af8ae274039af64d30b4fa3ca1345c0f145af20caaffa3cbb011ab3dad9fb3a01aabf43caaa59f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9d2fedd4cf6ad90160e9db04a85a8aad

SHA1
990c5b90b77899665a6d97bcb185b12924732930

SHA256
24ab2a6da692c2ce4c2abecb46c394ce86d44154a057d4b0a0f0dcf4578a3033

SHA512
b9c765d6a3ae9c37e46c6489bc1a3f163bd5aabc3710ea22fcc3ac639a48602e92ec59e31ba6c19a7a201099d5505b2e56a4820d190439bee210d24b185a4210

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3da65d3ad38419be54234a73b2da150e

SHA1
31932d9ad5fd95ae43c85818f36140a6700edc6a

SHA256
102fac02ae7bf10a144b3f18742a8c5f488bb6f49b225b02f6f6888b5de235c1

SHA512
e4c9f04ceba22526de06342263add84e2effe821659ef9a4985f149848414df554f227eee9601b5d8b2eed99254af72102b52f6c5dfaa0ea58d05e562d4b6495

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1380bdfa834b7f94f911b603cf7e1948

SHA1
77666b630045f7adb0e9e08d8fd7549fd0d1d2a5

SHA256
ce5f43aefd11b19328a5c7cde33a7ae6834cf9586b6d7dc57a399365f8e9a824

SHA512
425c915947565deaea774ba122c001707fb4f5fda9f32140b746b4ab9aaa60fe6939ce357f841a01d2bf3c9705fc9b0c538402cdfd948777879a714b3819f3e3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c08766275ae83d26890d6c6c79b9ce1b

SHA1
66bfcf5c0bcb23997be69c9feb4ae60d6334e1ac

SHA256
86d1839f26325156ffe866311ab9f90caffbc6045e3b7a1e85ee7cd8afb37de4

SHA512
d258d00e7ebca28081a0a8d1b1461b464a5180f3b449c25a7215ca9de923e94898253843462d8a4f7019b9213791302ff10db5ef045117d66521217a40391eb4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
12a4100dbe694eb448ec784e847060c1

SHA1
157cc12951c88484584c75cf355f5ae3f606eeca

SHA256
8e94a7c2c3c33d153bf95d51f54869265e5660501a7e2d454b3fb6d34237be74

SHA512
8f9711a6aa24700190354d30be1812fcc13285642f6dacc254e3a990f8cc69ac7c8600a6294f839d768bade537848a86cb4f8907d44e95c257c548ca803d5872

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b7a2dfcf734d853799cc293f9126464d

SHA1
0d7291445ecc03accb476f5d0a316e67ef0183a4

SHA256
f25f1e2b441e4adbea137cbed3714a69de82654b2570d0ad713cf9435f238417

SHA512
43359fe2788fdab05db4268f324cea646cf971841d39b91c34928bcf875158c737849f344314e70d8d44c627c33431551fd3f57df044bf9e9ba37f16b1821877

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e14c38d0833f4ad591d4c0d3442a9216

SHA1
8fe3ab4068ab75c8cc748a11f3a9e22e7048c668

SHA256
2d8fc920e9561744e463e0ce43d0b908af714ff0e3f69b0bd0fbd93fd7843cc6

SHA512
74023ba23126b0764ccef4d0e9961248f79ecb176795b076d9ebfa26805e1a5d8995c6a883e22b484ac71984f8c188960ece52424a59b962ac004fcebcdda252

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cf35742fe7b92293ce1c0f518c84bbbd

SHA1
319215e7115aa502893553bc891e034287772b87

SHA256
4a3842c30dfe749aa6d2baf911160119f7fc65d6d14755d7ef6bd607baeb9715

SHA512
be36fc4db4a82d9eb8bce90cc7015f4d7f3b99ca3ce6123b291d33f53e5a508d9514571ac7555436f1ff16c0cf123ec5bd6444c0fdffa94e44729c89c800c8ff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a5a56d1e86f708dc01bda67f24ab0fd7

SHA1
e58d4d4e8e0ddf6b6926e2353dc833203ba3760b

SHA256
f9ee4cd1097a135d2be4e1591e888838a1196444fe643d10e122a515b8388caa

SHA512
4d960971adb65e730cd4c285455b96ef808965d53d113b32bc2b8020218b0614c8813a5d7b03cf72b5bac9f4c8013cb7674f903cff99cf9b1eed45b391970fd7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b9ea2f5d14d714b9f6e497f2e2922ad5

SHA1
200ed86ca46550a7f3b43848bcedd4c00b0fb4c1

SHA256
578b70becc326b4728767009af5067e74352651e9053ad9a66958600b5376f84

SHA512
fccd5438d37f05b9241f696b539b6ba23cb39c1ad0fe533676b5643dde87258ab3c60710e54dfa170f224e5a207c51a88a70c67cbd451d3aeb71a8c5db011a97

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
670e8c3031f157296f60290f4e7cbf35

SHA1
8655ecbafd8037bad3ba4e8474e8aaab214ba79b

SHA256
69495507c532649c30fa0f6738e5a29fde56af2ef0cf61e05903e395a5ed00e5

SHA512
9d4d0414ec235983fbde2d04348fac2387180e19ecb441bbcc2705dd4193290fe33792666bc72c8bcea566216b218b2699f76b59d5d2e25acf5ee430005e0dc3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c0640c9864103c430ea2d0af2c0c515f

SHA1
bca552cc5568fe664b1660ee53d3ba601ded5436

SHA256
89e2f776b8b822794793ea64d95fe99952ed9d3cb129e3e2be826dc6ef2f00bd

SHA512
6990660f09f27d64b0d1ed1559a748b4e1f7b1099e8133a732847340f86c9d74fd100554d0ceff6211f6b99aa337380457d81264d699f976156ff94574ed6ea0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f37aac9679fc9837dc22ac80dd3b7e38

SHA1
c096731dc3e82343df622078e7ae82b97b839dc5

SHA256
49c17e81a22c3e7913b400cd02c64ca6375c3056e59f0d4399b14ba27673abdf

SHA512
241625f7dc33a2ea5cd715065fb4f1cc1df7716b0259e740f01dbd59188724f57ee654814f35e27fd0c7fd3ac03572b861d485b62f25b747e8cb0ae824b9a9e6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
187305e5d6010687aa366f33b87cea19

SHA1
9a4c591e515d7ea107dae022438e181cf1a587a2

SHA256
2d0a194f00268ad84d393de3f3c9f7c478703fbd2b0d48160cfc1704f4574e2a

SHA512
483daa83836275eb95278668326ba1f70d8a9d11719a091a6173d8141f728872950e70ed1cde1f46d8addb8f16f5eb4d7c8435e7f1755f01b7c2dac8cced7798

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fa452acc0fe6de6617487a8a67e5e26f

SHA1
566ff7b671712fc989fc22ff77a838ec1492efd9

SHA256
099b43f8395b649690054228dd306aefc37fa6a5410843b46221aabf6ca285d6

SHA512
f5b5e78bc9f249418222e5064aee0963994574cfd4797551061e67ecaa8ecf79d5370b5ca527e914d40aac994209ce08a3a591e87b92029751c5473a87fb089c

Download Submit
memory/556-502-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/556-313-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/672-28-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/672-6-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/672-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/672-1-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/1316-74-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1316-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1316-69-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1376-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1376-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1376-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1376-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1376-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1612-241-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1612-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1612-251-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1612-247-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1612-240-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1868-611-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1868-400-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1944-403-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1944-612-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3476-366-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3476-256-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3476-255-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3704-396-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3704-281-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3736-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3736-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3736-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3736-232-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3884-603-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3884-338-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4056-284-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4056-402-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4140-63-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4140-53-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4140-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4140-60-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4140-59-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4244-602-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4244-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4244-415-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4348-30-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4348-39-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4348-36-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4348-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4428-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4428-416-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4484-379-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4484-610-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4500-606-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4500-341-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4580-267-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4580-378-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4652-609-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4652-367-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4900-599-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4900-318-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5068-364-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5068-352-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download