55a12ed3afc4190ad7ff980a3a6bf873b838d65cf9b19dae0333e8aa704978f7

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f56dd8dc9c7fcce57527671fc06938c0N.exe
Size

663KB
MD5

f56dd8dc9c7fcce57527671fc06938c0
SHA1

6cf4da7f0adaa0c0c5babc20db29e4bfe8345524
SHA256

55a12ed3afc4190ad7ff980a3a6bf873b838d65cf9b19dae0333e8aa704978f7
SHA512

98c0a416d38be3d141528de82eb825ea08d45fa9acccc1e1098a80a7a787441f1a69fe1c3f48c9355d246d9fd39f9869d6a63b143fb41fcc812718ca05bddb95
SSDEEP

12288:XoSdrFW11pUdglnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:X5dy11l11tmlNQ2OnBdFQtP51llPup3I

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4596	alg.exe
4064	elevation_service.exe
2692	elevation_service.exe
2440	maintenanceservice.exe
3264	OSE.EXE
4928	DiagnosticsHub.StandardCollector.Service.exe
2240	fxssvc.exe
2532	msdtc.exe
4812	PerceptionSimulationService.exe
1412	perfhost.exe
3056	locator.exe
5048	SensorDataService.exe
3432	snmptrap.exe
2548	spectrum.exe
3176	ssh-agent.exe
5036	TieringEngineService.exe
4756	AgentService.exe
2624	vds.exe
1340	vssvc.exe
4228	wbengine.exe
2232	WmiApSrv.exe
4932	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f56dd8dc9c7fcce57527671fc06938c0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f56dd8dc9c7fcce57527671fc06938c0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	f56dd8dc9c7fcce57527671fc06938c0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\58d792994521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f56dd8dc9c7fcce57527671fc06938c0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f56dd8dc9c7fcce57527671fc06938c0N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fa2e14817eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007515164917eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004268c74817eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008056b44817eeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d005c54817eeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d2beb4817eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1928	f56dd8dc9c7fcce57527671fc06938c0N.exe
Token: SeDebugPrivilege	4596	alg.exe
Token: SeDebugPrivilege	4596	alg.exe
Token: SeDebugPrivilege	4596	alg.exe
Token: SeTakeOwnershipPrivilege	4064	elevation_service.exe
Token: SeAuditPrivilege	2240	fxssvc.exe
Token: SeRestorePrivilege	5036	TieringEngineService.exe
Token: SeManageVolumePrivilege	5036	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4756	AgentService.exe
Token: SeBackupPrivilege	1340	vssvc.exe
Token: SeRestorePrivilege	1340	vssvc.exe
Token: SeAuditPrivilege	1340	vssvc.exe
Token: SeBackupPrivilege	4228	wbengine.exe
Token: SeRestorePrivilege	4228	wbengine.exe
Token: SeSecurityPrivilege	4228	wbengine.exe
Token: 33	4932	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeDebugPrivilege	4064	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 5020	4932	SearchIndexer.exe	125
PID 4932 wrote to memory of 5020	4932	SearchIndexer.exe	125
PID 4932 wrote to memory of 4980	4932	SearchIndexer.exe	126
PID 4932 wrote to memory of 4980	4932	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f56dd8dc9c7fcce57527671fc06938c0N.exe
"C:\Users\Admin\AppData\Local\Temp\f56dd8dc9c7fcce57527671fc06938c0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2440

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1660

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3644

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5020
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bba8e6b2a02200d8544693fc5f3324e4

SHA1
2fe5e63ac82d605cabbb03e007a9348b674a5846

SHA256
1e8e4f5eaf3db028ed2b5b87bb7b2113c777886b4db68040a360cf9c9669ebbb

SHA512
6095010f66b2f351d632a447a425f5953d7639257dbee150c0b5182e9c1d7a91fad1ade76a2dfed9cd1fba6444788c83f93bac65de455b00a0bb71c730c6dd03

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
e2ef3c9c55fefaf8f6f9ef022457f644

SHA1
1d39e6fe0ad64f5a71b72edca613fc33bef80679

SHA256
f67d0f8ee29aaca8a4910e44bd4f36ad84c6a0d158f581d382a196cddb7859c0

SHA512
38052c1352b770a9a33cb83b23b073349c3172e8d0ccb3094cc04db8e092e9cf6d0156732b0ae250f3466f024a778e8aabafb337462aaefbb6dd737f0b8bf753

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
370a31579742ad4cd38cd11cf7321f7e

SHA1
c2779472c9dc27d655ae978cb8c915227110741a

SHA256
f3a70321552ddcf14813ade2297217747937b18f0e518674a19f75eae5501791

SHA512
1a3781a2fb607b88253d4fe6407a3afac0fa7ff51a6e3139d8200c9eda297519ce085b69774cb4ddf1c2bb2852dc56022b54f9a65e89e634d50bf4f003d9bf6c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
85877a55ceb6aec2d9f8e1e226deac7b

SHA1
5c88acab3b2bf1934a69ca772a6968e60efa0164

SHA256
e275d29a4622d0808dd7ee6649574552c64aad815a707afb5358fdf99479da69

SHA512
1661ef2d03ca3c10d56f81073e82b4fb00cd362c084a79f8520a1fcd49dff053ddd5b75a24e99d169a6c53ec1d2ba464c5e3980f6605ecccb5c38e20c8fd1048

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
66762a52afe8d3673e76c64926f805ff

SHA1
9792361b2ff279572224fa1927965fe8047b2a98

SHA256
eadf153d041c5d4622ba300ce630a540d48b3f73142e936463e33a447545dba4

SHA512
ea1fa970598ffcacf1876dfc7ac17e23152af0e49f885828213d0492b6372407a7c391f73786ffccb3a17bce2bfac7cbe30c828839b0617917be3b265ab58dc9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
78aab550b74debb0c0deda14b1ec3916

SHA1
5071c49da7ef0390fb6818d8bcc1b50fd49d39f6

SHA256
9907cd3268af55c90db3720dc05bed803cb8b4972d60c9366bce369dc9d66780

SHA512
02720a5d7d2f98d5106c202398626e4db5fdd5162ba689aec0e4663bf99d68cce899a7ff42a05260c3d8a7facdd6dce876ac2cc1b0985ff5367f1348d1f2ee62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
df91bfe3ca9a727e06ef11281a068cd2

SHA1
342642c8b8cffca97f923f4c13a2652f5d710d1f

SHA256
6750b9296515d166c09859025ab9fb232dbc8c0050b0c96d04181f7d1fcbecac

SHA512
bbb22146b25bb8174503c3c5c791ac4731269b1c8c298409873a997868c072f3192f95fd9ce33e337f91482cd214cf4edcbf0feb24930c661745fac32b033b29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
55706ed6a6b7d765e21fec75ebf08b9f

SHA1
5ce3f45a60c02e0698a57a6b611d2f1e0b5c1f7f

SHA256
1143ed034dc802d1b384a8b46aa4051923f405b958d155e5e6f3ecbda1dfaf91

SHA512
e0363bb4abed2cdf070f0d197f7e191478aa9ec8b7f5316d53c3428795d10c3d8c8d4a4c771c0902a1fec1eb58e1836f12a7460435a0d225d96374c4332aaf94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
769194ab100420f96a95f8b56c8d247d

SHA1
7de0e83bfa3286290703b51e6202d449b86aed7e

SHA256
20b06a97a37243f7d1d3bc859d335f0d0edb836ea8b8c9482c7599f37c7052d9

SHA512
90794957cc2fa4d50e6938e578f28ec66cc5ded58bb2db85c176ebf6cb3454668a1f92ae2b79cbf3a80482dd4f8f461dd09c1cb1d9b4a62bdf299fff9832e13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
389fc385a3bbc7d8eccf99f72df722da

SHA1
6704b3f7765f5adf089549fee4a275ecec2c346a

SHA256
cda7ac158c69e86ab310114215d379e0a045443c1c45611e8948cea11641fb6b

SHA512
49794a2ec544c85038ceaf0304528cbbf175b7d4989c2004bd254d82062ab701841595427a588a5d7b3ddd44313e2dd5edce283a7d1bce5fa0aa2cad9b7dd122

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc115c2ad6e9fb84b9ba71149c7f4696

SHA1
79cd4aec16e135e0242a6aec3434e5f9636f5290

SHA256
77b3f9ab3cd8f7f74ba46205fe6bf98293e73def9ea7166616c620588593333d

SHA512
7195d43d3980e0eb22dba3d740ff5155aaa9adbec7f2512057baf9f4961f14e4536b2687eb531dc0890e5c81c13f5e280893bb31020d39c1414ffd229a8c00c4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6e8ab6a150ab5258cb55ed49f5625058

SHA1
e42ecd7f5c9f16462f7e9bd3b5cb7f9fbf6bf45a

SHA256
8c80057acd8b2f5ba6aef5afd4dd931819cb0d72e80da02280f441810a128304

SHA512
ed9e06a138eb8cccfa7b611c71bab6c9a88c52f316acf07f5328331c27c1268fe1d7bc622ae25d2fca6f1e1dbba1ea0598c0f8f1d7d44513a097b7d644f9ab4f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c1c9a13fd9eb5d822bffcb883176bec7

SHA1
9cb66291ab46aaaa99ee6023f8d48526392a7d36

SHA256
fb330bb7fbddf565da9a48cd8e2d6b934500d738ce65dcde50816d5f412ff694

SHA512
e1f81bc3d0bfd7cf907ce706134832607f0b4ec2b62f0f2efb601db1a3019f57428bb4c2c6044e51cf0371fc8c71679d6035fdda7ebc3b151709ef92672e10b3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8c7ebb08315dd5ac715e833192a11c9d

SHA1
ddc1a5a269fb332daa18e559383434c6d5e62da9

SHA256
7e838143cacac29f866fdb409ef560e4b5cfb09fe0e5f473ec9b2acf1db9918b

SHA512
61b6ab744fb3833bb3977e5993ed0525a92b8440871f7ee3d414d48027adb4f81d8d6f36a84adf740d5d9ad5f5c791f86d471d02f08018a3faccd0dec0c09451

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
cf1507b9d8344f00b6adc600627b51aa

SHA1
77ea9bc0b61253b8a3a68957e2fc4c173ecd79e6

SHA256
a0046aa82834dcfa40a6706e909b9503aa209bf5123fca59e83bc89522a994c3

SHA512
4f4d3aadeb5ef87a5b8fff218bc205986489b026e3b185814986821f4a34557ba3a1b20df86e37b110041c0f093ae9fcbcf1f6ddf6e219e0bf12936afc443c6f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a308d38e7c1723fd810b9cf7271cef87

SHA1
9af3c1c6ebdf098204fb13781361835e4a6b81e3

SHA256
32f5563544726f3b13d3cfb1f8755cd07d9eba231ea1c08b40df4b895783e992

SHA512
9d8c4f6ec07ebd133efa634daad64fdca71b9c9c4b4a2a79b16850c0b9ad9dc791cde407fc13d91269c8ec36fcfedb6dc3b11361aca1a14bb1b97fed0bb3134e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
f222fde8906544cbddad87fa6b6b7e77

SHA1
f043d8f54aab7cfe406f92672ba403078998e8d4

SHA256
733d914dccfb26573a1473550a16ed15746051c301a379e07ab9904d1716cd9e

SHA512
e3edba2c8c634589008f7a4d673ef683619dfb60d00ce4c732cb20eb7f6dfde0fa63a1836f4f942a04cb34e87a3cb48a41a7006b3ea1a267e6c59438aeff4a95

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9c273306c8f1d02dcd6f90750ea4736f

SHA1
beeff3d73b1ee19e52ca2271a47250fff8d10cdc

SHA256
8e606a7f71e0b27ae62523df85ace768ad1870545e9e5a004846ec0e6d00516e

SHA512
1639be09ee4a1575028c91a9815846aac1b1deedb4cca6413b1f14583c7c6994f28cce90574e80e9d361fc1bb1232968c26cbd3c071e8bc03c20a5bee3ef154e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0493d6213aa19d45b234f7b3e40f1b6e

SHA1
768923ea9c8561a4287566457a7b5a8d87bfa863

SHA256
a782f5715afdf5fed9855c9330874c0e83942e9a99a0289e694c1b97b7457f60

SHA512
60d2dc48d6b053f8e5a8c85b19d534163d8bd06fc1bef960d6cf588ea48f2316eadd1c25dd8d3ecbddfda34113164f781b864f069bcb03971f855ae110adebc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e0e45bc8d5044057a79906aac0304254

SHA1
32b13a4479ca9b2ed58724d382dd47e10f137f1e

SHA256
72e9086dd0d7b983f2a356f51003598ab2e59e69fdccb0ba024c43321c04db46

SHA512
6b372827f84e061c231386bdb74bdb1e4fac8d3b2715508aff92cfaf5451e5c70d549a2815494a8cdd1cf05ee772bd00b21a29b63889191e78e0482e9f3cbc32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b2c8640f9c08ef32823a912c2ade03c4

SHA1
ae681f5aae8aa63fa82957e8acea561284303625

SHA256
9e14fe944da2e4ed2b27e55b01702cdba81c676b4a73a1d2eb84d7d3d517915d

SHA512
c8bf069050f159a180f70f05e41bd9e286a93b2efad9ae177ad08d3c5b8cd01fd6c9336afecdae80f5dae6005c57a5e5a0898cf3a2b9cb4ef7fe5be4febbaba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
51b3bc68190b0b08ce56b14065ff8f25

SHA1
861af79659ba4cb42dc60b93a26391720f9cf904

SHA256
267b8c17000227563967493e8d49187fb04e4bf332f904972b7280b560e0517d

SHA512
55c282c11e26fedf422874a639232643debcbf2d5ad8645f378bc8d62b2bb9d06e6af3c075bcba86c549724b713a7c421f9a5d3f32b88be11148adec2cfce9e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e35f3bcce826c9143cb2f531fae776a9

SHA1
02d86702c812fcf193f50428a358500204a21b00

SHA256
0e482a60996009559fa88ba3bad10e4f79a836a6f4cdf7fe91761b0f0cff5243

SHA512
a9748a992644b1336b1ce3bd0c644838857a95eac0f38c6fc2d9d9221d3d9dcc5ef2e6361e4fe52e178f4d65da75e31fe3533668d3fe48d1df1e18849f242cd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
56a9d9c8252f81dea74860208c4370c9

SHA1
ca1db08b57e0527dabb2bc34d2e03ddc3ed8586f

SHA256
6683172c350199de0a29096c3b72c976c0805b2ce7ca5765e8f3ea61f294318f

SHA512
bb0f4df7043d0f39bc4f904320f6a033ad8e7c6a06740740d522ba450583f081c03e86094182b686f30abe3d293911a7548c60949891c9f4ed4bf1a54107f32c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0b185008077d77f45d5f1899bf85f4a3

SHA1
39e0bd0e2abd16645b59813363e3493f4825cb19

SHA256
d14100d929477f5d4227da75c60332146415e27ea9dfba50e593645a948db223

SHA512
5fa724f8bc706f2aae7fc8996f8329b6607058b1ed5e0e881175422c0ca3cab43dd2092890db8e63d4bae115df900508e627c5dc18ae22e12e4ea252b1c8db5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5259beb846525e71b85b5daa68fcd323

SHA1
b10ffd4c598ec761ca34e99cdd948e3e6392f283

SHA256
c166c7a44b00fe0da304871761cd8820639ae854da61730730272c1f5ea84458

SHA512
2759ef8dfc8e2c4460c73f1568dab5537978b746c3b5fae2b352d98fbdf9ef815e6b8cd0d4741cf82f1aeea572f807fece3f83bea215393efa66d2d714ae936e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ad4a499ac66a6abd1e6606cc93354c9c

SHA1
c0820eb2aa37c782b6545d298be031d9302a43df

SHA256
963f71f78b60d89e5d05388d2111f0105b24dd4d4b6a2af41e37a1aad77aa027

SHA512
d495d16c45de9e88686e59c05deab657e65b23cbbda9ee44d7937027ae58e78fe57db16699467a0596040df4062b41cc76ad2bf3b5a427595a4f056346dad19e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ce972b18b51245807cabe495a40d8123

SHA1
ebb5313bb82a62b79ed54edf8100bbadb43cf80b

SHA256
fe8e184e5ee49c9a7abfe3f842e98280e4f8aa067cdafc460a17e0e4ad2c6847

SHA512
b8f07a52044cb4383d92b467e9d35474b75dafdcd49df41f97bdff6ec21ef99cbef9b08c91914ff821a458367132195123551292c673727c63aa828e6cf61d1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3e212db9b81ae2195c400a7d740e4b9b

SHA1
18adc51481ee1b3e6f6ff889cd25039d591a2d3f

SHA256
9c3844bdee45da852a5eedb73a2fb0098f7a70c7b3b16b4ca1abcdcf4f848a57

SHA512
ffb2ef4ab2fe06b7fed98f2eece5e4d70979ef13512ef3e98390c885d5a638458b3f933fa3ed9cfbc7e7be6bb9feca1353b52d229a1be22304e2d217f176edd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a3a87ddf0db38a23668ada7c52c56567

SHA1
29095dfd1334de73f4507ec4c87b87bd14097c18

SHA256
06312b71bde049fced6f351fbb0703a9710d21ecb4b604434e90e79e816b73a4

SHA512
40af33b9dcf5eb043f6a5853333fc6b36773a687002c22b4cc726fd639c80082cb905baf749675419f3d6c6b02d16361efd713328765d580b5cca1e7c52472c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
996482819d26d7f4a0bab6fdb42270f3

SHA1
827d47449d680322a5a5bc7cd76bf21724a47e3c

SHA256
ce480d28b1fa84e7b7140a9bd49faf62026d6d921d58b9811e32400c0da61508

SHA512
e15bafa4e021dc710fd2371f2c8a46e7fb7f344c2843733f2573c3cf47d6a91b81758b9d62eec4a9df5266ec74bbb0ac2e7c9aae413f02025f668fa5791d88a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
bf2574a5197d01e69e80e86a5408d20e

SHA1
a2ce026bfb8dc9e45b78556a6918cee9f28d219a

SHA256
511bac1350c183a01ef17a58843c397f8dc9813c758925b42fdcd1d04dddb779

SHA512
edededf3431f073a6d0044399a2bab26337ced0ff46b758e894daa6f5915dcecc6e8f8a0e39b445ef4ef97d1696af817e295c487db1cc1bbbf4d394ac4f9f0c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
236002b1d63fc6e587aa55d3652c256c

SHA1
e4605ac7e5f0b71f63f0d339fdcad87dd291af54

SHA256
7fd85ec196674dc76954b6993a3a88cbf86102ea5a088c31b4c82a015798510d

SHA512
503eac4780e8c16d15d3c6d61687470d353cb3e6bd7df95c21e37232c0537f47814af92230fbaac4bc14e54fa14fb4f4a8fdda482e413ee791904b4d76578aec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
817c7bde53b0237abd8712c3f8c6c321

SHA1
7f6f25ea38ffdc622d538da5aaa03a2360cd2d9d

SHA256
01fbd4d34002bb169280b1f4c0c73139570e57ed5c30e45fdb7bc8c1a93300b5

SHA512
add98804128aff0637d696e7b574d339759b5c5403991055d8923a9f35f0c63595b1f2de6a582ba8f4584f244a790ebf16b72b24657193b010b2c6241bdc6865

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e8fe4e3719a6c85737923c8351b3b7d2

SHA1
2d87a9fb9a9cf4b11f0e6abb30d9670b69832ce3

SHA256
3b3cb4d38323a206bbba48297566281fbef248066eafb9a3e3937d43c5f47a4c

SHA512
a7a1b88746412d621d6a7a90288e47aeae47ccd63b1610ab2bdd66ac7abab2a437b09f2374baaa724681949e0af91b18d777e20c870f3ac5f5f27442cd81d11a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
616348e206210deb849849923cad460c

SHA1
e7994e7e6655920de16b7f5dd1791dd5598e7469

SHA256
4120eff1879d9d68a10e15dfb3a501c4e331e4923e507313dfa0a650b4904a63

SHA512
88a5db2d29b39346f247cd041a299727bcb5f283adc651cacc2febc5b2554b6ce600889ab5ea0b89e5c31be2d3d5106f0688bc37f8d5c4154d31abba1cb66cc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
0c662793b7c424dadfa59a28c72919fc

SHA1
ed3f9eb4d3a99b20b5663b93f4ae3a212d4890ae

SHA256
2eb3458e652e2a7249f1de66cc88404587a2d3fb6efb1e9b196dcde91909758b

SHA512
410801bdb362ba7c8b2608b69434a90d717834c985acf28101e4af0a6d4647966c68bf6c5d024ea78750c7225a73ce9637cece1a1e55dcbce12860d95af1b5e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
097d091513401cf4e7d2360e08797c0d

SHA1
cef28d85423180fd914dc2da879064173274965a

SHA256
40524b13800946cfae69d66c6bd69820431853e342473183360997fb4a26aa94

SHA512
61f280ebb32829e4db3aca73675657598883570ba6a0a637f8a0d9f746893e6d567ac2be33e23f0fc6961fbfc4b9ef03dc8f9968722b6bf9121262334ddbb74d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
06854c4a1d022609d7cc9c3e84bbd684

SHA1
e9cb6b18b3f283607d014425308bbdc65015d092

SHA256
cc6dcb0476b3ce77565f68ff14a636b0379ff19ff1d58cec54c18a566a48a942

SHA512
a16141990cdb752d759d3dc04e12e66dfa37430979dd8e337f30248e55ae37fee9ffab918d1dc26006c708a6b7d2bdce7173a67a8903120fdcf929254a7714fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
e1d9c17ef1c8609bec8d02cd3aa172c6

SHA1
97dc0acd7056edcb1f733207dee5cfcd92716b54

SHA256
a61461145e4ea489cb16abcfd601114fe86d36aa084e08945fe71bec33709f5c

SHA512
69a52d634616d3bc4fa9979a18c3c9bf361476bbb02ab091ba67f3ee24c926a460fa2973531ee014ce627ad3644de1b5002d03ea71353f13d788c9f47763d3ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
984f05dd7498bc1a029275ecd39955ba

SHA1
52c1922ef9de69afbfe404b472a9066ba68be765

SHA256
3e19b28a0114bd5b2f8d6e1e4e0856310a5e6ca8c9752fdeac22750ac4c10fc6

SHA512
3adaa953639da03556e51e5fad0d175e832e1037d9fdbc217ca6c5f46459513de6cb9621dca7be121ebd9090827e7e954ca25ab6cbeb9ca7c618bfae97642d68

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e8342a704c1261ae89edb9f8d872302c

SHA1
103fb89bc71f794c465c2efdb69e8f441f8e87c6

SHA256
a6b13338bcc2a01ba37f5d2cbff04a66692dd38f34e17f1840fcc0bbaaab93df

SHA512
dd4d287764ba34cbddf087f802cf45cf81f5015ff07b50b0e5b220b8725e0005bd653e304e250a43b954cdf555e32c581088535cf88b14d3f39966b6c0ca50ca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
686768e6c3e3c439b72d9069c123aaea

SHA1
1b2d22eae9c284a22508e457c0c669476b3fb22a

SHA256
671b294071d546f2fa37ceca58c0b8b2a64114757777506951887a23a14d3eab

SHA512
62187e47806c616bf290e95a42fe7e2ad268676a0582958e75852d021a45fe8ba12d6145373b0123be5ec7e421d9414fe6f323270828a1bf68c69827bff78af3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
415a73bae0cc89edfd2d5fa90b3d5d8b

SHA1
ca9c68b577d2a3623f29696c06581a0c9edc9499

SHA256
8bccd0ef11ee3f51085243aac22b39ffc84e1659504225b742f1d26addae514b

SHA512
5298d16f980c19f6b0e64fab7770781600d9c65ed4eca234f6caa9bc2335ef04d2556c4cd74ba7fd70c979b83e665760e39d4269e39e2e4f5c08163d38ec7f85

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fb5739d929d9ca745c0169f3379ef6ee

SHA1
21e8f4beed275e5ad04194c77218a84af1dbf2fd

SHA256
c8ca074f8b78030f321565a0187a44646db9efb2397615a80bbbb173e4e0d9f6

SHA512
77404dad9ed4bcb2f95a00d4c0f4e06ec5899310b46b329a36683c72cda11fed459ad139d506254d6a8ccfe6b2a5aef42f48e5ae0aed0c986e66d1c345984e91

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2a97bfeb57cf44e63c01c0cd6a35517c

SHA1
f557515a4229480cf7378f202ce7d9bc2b3d7a11

SHA256
bbdb95211449a00e61e803e9f704d9a81e20810bb4899e42ee898181baa1ce78

SHA512
b0a1ce29de3f3c3a63d7c38f498d7f0a6ba4d0d35d067c7293dfac56a048bd7eb5736d1ca119ea401f47a212bbb7c85e0a2d19ffecb025e3b29716c378913526

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1c6363fc00d728114b9044566b1e22ec

SHA1
426edb1d7496c886c7d10f9a1d1cc597a553c1e7

SHA256
8287c9725f18271e691662c369d6085f05d9643df3b4710618ce77621cf297d2

SHA512
13bc004d5530d2182de5ea90b57eacfb7ad13478bba68993ad47b3aefcc8069c98e40534720967c473ac622bf1247815906937a7eeceaf3ebe81ededca8822c7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4711c361965ccecc84172a7f794d112e

SHA1
8ccf48e432f110534df103a191d09536b6171a2d

SHA256
66a0e61ef90f4bdfba54fa2840e8ba86533e958c3fb1091fd7ae7ef37cfb0cd4

SHA512
6e64b24a47136cead5ec268c7613f089ae07f362c425484b724306979cf4637f7dc30861fc721633ea70f5387d161c32dfb9c336d3bd7b9341de91b58a140823

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e24c379a3b3db5ba4d4dd3f3ba87cd59

SHA1
d9c95de45520fb344733fbfbe4ee1626760afa9e

SHA256
88d736a045101b75b5230cd48b8995bfb9d2d6118e958e81486c032fd16b6f2e

SHA512
c2a9be5defa5802bd5f338561b15181aa5f9a40d66911a70fc3242145a068db6eda407470d2085bd0568dee877e1b798a68d590df585104f375acc2fd676be45

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e9f1f9abc901e626e19c263d07186ce6

SHA1
139ae53ec15d7053e4fa0561ee5783b1e24dde50

SHA256
8966b02d5d162e4ecb9b9d02c3499d25a8436a70685d5b069c9a218beff00f3c

SHA512
9dda09d68dc9abd9beca9eaa6308148536e31fb1e256b28a139d9be96ae20b4f915af0cfd9664b06aa57508816043a593b09b427dcbe9a75b7a0fb97b4509304

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
468c04a40bc87dc13c36ef1f449a6c36

SHA1
d6bb26478122c853531358d0fac7ad74993e1324

SHA256
bf29623f3a663ea397fd5c3ca19b0c659f2d7965e6a0877650ad48af628b3ac3

SHA512
cd3cdcb7016f928ebdbf6f4dff48bc6d81a830938b10cbca5ee7029b0548d120474497be60de89c581011c0b9e42754c6792ed0978d4c9b59dc8dffa112ee835

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8e8463fc11df0ec7a9c3279ea0ff41c1

SHA1
7d23df672353d8f9a5de741fb78ffe660ba3bb8d

SHA256
2930b868b2bdc12e06b9d304cb25cd74f83e4fc2ac869a471506a4276f5c6aa9

SHA512
489c5e2faddef3e0bbc15c71c4042cad0104a7d2cef55279580b339c8dc4fa6df441315bbf95eefe538786e10ae36c2ed1064ae365fa6020cb14a904cc5200c8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
116023f41c7f9c3f7be5bee64bde58f6

SHA1
c4b52eb73765a54ab073272c22bc2d50b4d3f2ad

SHA256
9248b9cab1770557b52972c3ad249433d911ac27f9c55af307b21792d9f78976

SHA512
8cc41f60abaea00a7c7633b4f53cf9c36ea595bf83e78e00dfd1567f2ce997a36bd8d8fad2a880cd846b32ff647506b0123c689197b4181a6f9953572051dbdc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9c9536bf4ae3a0d5f2095d0381744922

SHA1
c0f8f0e3f45249327fdba65e2eaed8d80a3d4c3a

SHA256
50ba2789ea07597f8493ac1edcd5738193e0fd2633b156a9c01aa577462e9e02

SHA512
8881878a663045899d15a46a56dfd37d420453affc6f865b92f58ba3d22bdd05c14c404d352e0e4e9ab466bf66abc5d9e7f3aef17e656363f48eb5fff5263472

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
91e417e20148e2d7007699580ce43633

SHA1
baa2d11b04ed6e7d056dd7e7b0a117a7e95f8e28

SHA256
8019f38a44a0a87739ef9579f48fb7fa2a6d183ee4bb02ae3f910b41637997bb

SHA512
12dc82edfa181965fa70431d3ad2bd488f1d450fde2a04170bacba1c555c855b3cf2812b3574f1475f709edb79e78ad1771b91db4b2d9aa2d2cbd73146e27cc5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
36ff338a87b0ab6037a33ab115b612b5

SHA1
37651fc1d89359bef1bc4812ea62289b4d4a0b48

SHA256
f3eb54fff0f29538bb69b713a97c81a5384b3da5d217e116746ebad047d5256c

SHA512
576fa0dbe828e0b190aa46f94335f8c4cd8e706cc1cdfead3c4cbc3c4d6cc7086e8f8b3e817f7cffc9ccc54792c2f8361acedea2788381edd66329462166e1f1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4c426b537c3b0c19567227442b31253e

SHA1
3c4c4894d83f4456c66e2781557ed4075129d42e

SHA256
0e2281c97dfbe28a4d2d70da11c28ef68b2ed2db14b98146ddf1616658596760

SHA512
4022be9f343c72a76da5c3d23a4c22d891f1904d5f30f79c89b7d1c6b5944012ad42a0741576f71656990dbba956b9a9272637ebfca544870028c2d921a535b2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1194717e43ca8e9e8dca170a4ea03984

SHA1
9a1cc5c1095c02b4ffab8adf6dd1faa33780229f

SHA256
61971f97c9509433c86a506d942da29071b21e4c5f69672fce0c72cdc2f6ac3a

SHA512
f3465c9c194f8db6b1132391cca282a988a1c0f3b5bfd2802deb4386caf8c6dacc1f639facca844146f03373906b3d955a992d83a92e4ff63ed3dd78c9e4bbb2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
12af20912b3d7b6d0537ffa50886402b

SHA1
1cdaaad9f9d8c61a349ca656bbf25a50e787d93e

SHA256
5724d7a7bb49b3c6d9613008d38c1e3baef2cdca1eff914854b6df6f3c2a9969

SHA512
5d0126e1923af7baef38d0834a2cace33fab8a790d24b941fb64f8da1bf635318fd1babaffcd394605514df7c9cadb6242878d8113ca206508890aa7144e3d10

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4f53af3513b915319a27646b0c584f3b

SHA1
5bfd44d5081a9b2d215e3b834ddcf4e0a6955961

SHA256
292dd6d281ab21805374a5db373bae3e45da58cbd0345320b8d77349b5f3232a

SHA512
13380f92bd5cb0849e80a48b04de770fd97a033da3752a26b352a873662be7680ff1b16a2aff97fe3da444e604c2cbea2853502d8fc574b339d0b7c0835d6571

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
321a6e565890cc8f457cd3999b877a91

SHA1
90340686ddec556342d5a6cbf5714787d06e3572

SHA256
5f8b5c6b41a53a62e80002c9d2f6dc7949b7a6024fd2ccca7ed477cb3ec360bd

SHA512
69fde3134cb3e0b075897eea3a9ab67b178a5c51388ae5d50aceca8c9f02c4aa8c9367e97054714f5dc34f12f5b852c4cc7e082acacba86136340b403ef004c2

Download Submit
memory/1340-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1340-606-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1412-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1412-404-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1928-1-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/1928-6-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/1928-0-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1928-26-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2232-608-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2232-417-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2240-254-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/2240-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2240-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2440-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2440-77-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2440-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2440-53-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2440-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2532-380-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2532-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2548-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2548-597-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2624-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2624-605-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2692-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2692-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2692-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2692-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3056-297-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3056-416-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3176-601-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3176-343-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3264-70-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3264-64-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3264-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3264-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3432-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3432-516-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4064-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4064-29-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4064-38-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4064-35-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4228-607-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4228-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4596-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4596-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4596-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4596-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4756-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4756-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4812-392-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4812-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4928-243-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4928-249-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4928-354-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4928-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4932-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4932-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5036-602-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5036-363-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5048-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5048-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5048-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download