34721a184cadac6dd4837ba3b928b650541e06f3ba12823d6dff8446302333c9

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d79033b18280a291a7d427c91def32b0N.exe
Size

2.2MB
MD5

d79033b18280a291a7d427c91def32b0
SHA1

6c0f23dd2d78e16ad6da8dec073ad503acc26aec
SHA256

34721a184cadac6dd4837ba3b928b650541e06f3ba12823d6dff8446302333c9
SHA512

74e5ea244e39b030f7742ce564b24ecb576e578d7364c85b714e1fb949fe14051123764464a960216ceada7fc07d50787c6eae038bb3ea69e5e46a9b87aabe5b
SSDEEP

49152:BJIgK6oy+gAJTs0dzVv71WzDVu0VLGMb5Cx0taAUgLdpq+Xvna9k7VoiX996Kc2a:N+gAJNDQVu0VLGMb5Cx0taAUgLdpq+XH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4376	alg.exe
2768	elevation_service.exe
1768	elevation_service.exe
4024	maintenanceservice.exe
4192	OSE.EXE
3556	DiagnosticsHub.StandardCollector.Service.exe
2420	fxssvc.exe
1088	msdtc.exe
2272	PerceptionSimulationService.exe
3216	perfhost.exe
4316	locator.exe
4608	SensorDataService.exe
804	snmptrap.exe
3712	spectrum.exe
3552	ssh-agent.exe
4224	TieringEngineService.exe
4408	AgentService.exe
3284	vds.exe
5024	vssvc.exe
3404	wbengine.exe
4364	WmiApSrv.exe
4884	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9e5ddb044521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	d79033b18280a291a7d427c91def32b0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065e2f8be2b06db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039b4e6bd2b06db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c72addbd2b06db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003103d6bd2b06db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef51e4bd2b06db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ddeafbd2b06db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2768	elevation_service.exe
2768	elevation_service.exe
2768	elevation_service.exe
2768	elevation_service.exe
2768	elevation_service.exe
2768	elevation_service.exe
2768	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3948	d79033b18280a291a7d427c91def32b0N.exe
Token: SeDebugPrivilege	4376	alg.exe
Token: SeDebugPrivilege	4376	alg.exe
Token: SeDebugPrivilege	4376	alg.exe
Token: SeTakeOwnershipPrivilege	2768	elevation_service.exe
Token: SeAuditPrivilege	2420	fxssvc.exe
Token: SeRestorePrivilege	4224	TieringEngineService.exe
Token: SeManageVolumePrivilege	4224	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4408	AgentService.exe
Token: SeBackupPrivilege	5024	vssvc.exe
Token: SeRestorePrivilege	5024	vssvc.exe
Token: SeAuditPrivilege	5024	vssvc.exe
Token: SeBackupPrivilege	3404	wbengine.exe
Token: SeRestorePrivilege	3404	wbengine.exe
Token: SeSecurityPrivilege	3404	wbengine.exe
Token: 33	4884	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeDebugPrivilege	2768	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2104	4884	SearchIndexer.exe	123
PID 4884 wrote to memory of 2104	4884	SearchIndexer.exe	123
PID 4884 wrote to memory of 4776	4884	SearchIndexer.exe	124
PID 4884 wrote to memory of 4776	4884	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d79033b18280a291a7d427c91def32b0N.exe
"C:\Users\Admin\AppData\Local\Temp\d79033b18280a291a7d427c91def32b0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4024

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1396

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3712

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1132

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2104
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
942e50b3ff7226748cd22f37ea40b867

SHA1
0c47967bd861a4ea879ed32207c130e713e1221c

SHA256
445c82f774d7482d7144069d88e33f13500a0a92466eaf7ef45d246e3ca8dc74

SHA512
a632c71948d2595306e81e1333a3bb75016a5040b1d4b86a845437caaeef3439be2ab70b2872fe4fc66fd605508b8d491f73ba37538a81789faff5bb6c2c313c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
4f0ef5a0e063b684c202216b6c2a10c3

SHA1
c642bdd42dbb2f6de2de41a5a59991abb0932412

SHA256
931f777fcacdda3059ca29f97ba79d7f8ad1e838d024b8933c676603ef8bdd1c

SHA512
d267c10b9516b8478890fc3555002852e9b5ca6964c65b4be86b7593cb2fe83b8b29cfdcaf1c4e00110668430d78fbad8a5b2cc2f674ee4a679639ebd5f34fa8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
1ad5c7b07852f02bef787448ad4ff449

SHA1
be199b8344c69f3103f74cbeae6b1b2831d56cf3

SHA256
bd285908cc34d63a79d702acd000806c6ee5e3f29c7521fb975c53a4905cdd3e

SHA512
8b1dfbfc4f2d2450093624ae45aa78b8facb5402c190f659dd926a352966d2061b99f1e04ac28a55f1af6e7940d32a3705fcebfc643a027f51debd68a3a8cd1a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e775018620420d93155ff2ce8d1bed97

SHA1
db4b0e33bb66c9d471e3f9bd4558725113d1443d

SHA256
82f3f9ee87576cbfd197100ec91ea72d2ee4f82c43d28f16594d2173e3d73417

SHA512
99e2bb3a394dee5e320c2af67f45b40d838674bcf68f8170e30816c81d4b00c959695869d12c55ed51cd872b875eb0063dc5ab61bc4fcb927782a7564ab0b2de

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4ab35ee04d6af4af9ff89d102c312dd1

SHA1
d05a295006a59fcadf3e2fe9f6ec9117dbdb05b5

SHA256
224ce19116087215369be023ade8bc84f6289875da6df03718bb1fbbb25f7f83

SHA512
1f8f07c79cb76a26b059067a9aaf141837d2d339c3337133e8aa120aa8a4e227e11ea3c59b3fb9c89601a00392771d79a0af60fe6909dad4c31ad8affe7a5d12

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
70c85c1cf14cb07a8ba8d7d48368f4af

SHA1
52d9a441d0c6a95bc508f3b850ef8b337019965f

SHA256
690dc8d697b22116f8ed262cd9677b2d57ba585c63e5eee239f476d22675532c

SHA512
3a8e588556d0dac0854b7805179c99e94a1306789e4402fcfbc9c4cb96adbeb2054a08a619e970e5a98e9fd0bc10e68516427b899e8b9651b0f837b9acc303fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
e872c941ee21a84f884790dbca18789a

SHA1
9edf085631fe59b200dde121000c22b0336eaf73

SHA256
5f0ddae2c52d4d00c157174a07b7f4196854373c9f738b1d34ea2df91f2f539d

SHA512
44036594b7dd6b6b4cd022c3ff4951c8168ca8250b85927e629fd640a31e725240302bb7fd6bd628bea96e1f2ab64f7e1f04fa1be93dba5ea124250eab296f03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
964a1f6522102669099ada2ae26987a5

SHA1
d9dfbf8b302838d4e8a580e03713a9ea9be5fa54

SHA256
75bbb1c64318816b29a6e70b9782d89613b613d84d6a1df94047ff3185cd1c85

SHA512
5ff4f4d0fb1ee4f7a5377de174487815f244c1a9fda53d3d20c44246b21f3ec3d68cc4cf1af200a37030177ff8b34417e726fced8ee70336087b76d8b0248c63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
3af62123731657dcbbfc80dc865b7482

SHA1
685ae9ca89bda1d687a96722ea22de1e538a18b6

SHA256
981d51abf984f478b19d18b56ffd3fd6724b0127ad9c69642cf42a632558df8f

SHA512
26560d24e3c00061a023b85a1c36bfaa8900e93ff1887cc9caa828fe86070cfe440f3616efbb8852fcb4a84c40a673306c47d8ef99aa0f6df7d297349517dec7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
029e1066d08f2e412edcdaa8fa76dfff

SHA1
9b9d45c0600de0ea2d4057b8238981871186cbf7

SHA256
e1df5a2155018d4aeb6db81c55ef123f25c48fa54676b61642674eae903f59b9

SHA512
dae7736c261a847f9e0e5372ba0de314d2c334aee2b5408c53456ebb6634b98ee81e61508ba5b6e1e7068f253819dad1f7b05e0dfee11b966da3d94897978b32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e373521c4bbd492a4157c58d3f63b614

SHA1
43b133c7a8c696c688abf6c108af3bd050e3095b

SHA256
99687cd34bad6f36715306ff8e5270b7d4341b20b2ec1748b63e1db20c200088

SHA512
e5bef67a909e95174cf62bedb3984638e0694291c69210cca762fb90f8d2be631562a12a9e0a6ceab3c18d65f210bd538e2a74cd95169e83a3c7d2086460f405

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4394842b4108d9468de79ad6c10c6df4

SHA1
8d28c0e115ccee68b917d1cafede540bc8d97ce6

SHA256
ac2fffcacb1208a642b3bce8ad8d8c5aae0acec9730dedeb1b469947237177b0

SHA512
28bcc395fb1b90e0a049e77ce3d12eaf24e1d4e3e63ece3496f53037416a16bdee836e616c5ba612292930fec323f405232ce3e0197c1e51724d1bb756c25897

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
74f804b2a7debe6646bff5ce82281a7c

SHA1
a97de01c1eb26715956ac1a6db68a70273864080

SHA256
cc79210edd7650f416f55dfa86446e2cb735d6661e7941b7e428d6e77e56a2af

SHA512
9a7cf31612fb5117ce140fc1f8ffab482e49fd212c71f483e405edc0b8a4ba1a98aaf1b8ec735bbe841856d97d90b0c18bd52fc83f8c8b672bb9ae176db3a0b3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
35e3fe59e59f6a3eb374dcf61e17f804

SHA1
891e21bf806de31a8facb9e45fab4b000dd373e4

SHA256
edbc00416fe5935c0ddcaba1a019b3b4b5c8ce52e3fd6c08810c666f2d5bd7f0

SHA512
5ce3d9b06ba24c5c9a982cc01f42156b5559371d81fa0a1078211dcbb90323db1231e450f5cb87af998b660ef1b341b707200233e02dddeeef62da0563734f1d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1d01ce592464c42f6dd1dcc3abf9402a

SHA1
76374140bb7002660590716724018aba07498ac0

SHA256
f1c313f5d5cb8441fd91c4644f57ab00e75c1ced8dd9f76a3f134ec9865c963d

SHA512
cedd4a5908045558395a786379c363b34a83a936cb2cbdbb762417fd6593ef62522dcab91b0c7c1d4b8f31e2d2db61bfdab73f3826e268a67a75d98b86e8308b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
b68e84768ee5e21b6445046007cf1cc1

SHA1
4c3fbed2ab47ded819ac9a40f309f782905b2347

SHA256
7e53e6eecfab3fc34432a209fc2c07e04ca74c95455e0b3f2e60f80fdc41d0d2

SHA512
a9c316cc3d517dff8ba80ac306f88435192902f98add91106a935aeb338d9f7a77573ae060d5d26ebb4c5861a2973860b9db3d58f271487132b2d886fe2a2ec7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9b622a877e40c42b5f7e3252c32653f3

SHA1
a7044ea79e62147b288e77d27d1ec1fd7f391121

SHA256
9b56accf2a221335d3a44122411f7964bfd9738e36a2bc2d0a16addfa4a2d8ec

SHA512
754556f5eda1b3e1d962ecd15e88f4a0e8f51d423b1135f08cd2ad8f00e0f131fee73c35613c66068edc4cc2198361a423f6c847da6cecb0a5a324250cfefe9a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1c633ef35339656da72f604bb9e2223c

SHA1
4a856f77ad51ea83f059f8d56ce6d7b3c63c7351

SHA256
bfda5411a314cdc50a1705446e5acd8ffed80487e38be637dee1abff84ee1c87

SHA512
a797abcface71c5140156621231293f822e2872e6d2138f34be6e78cd54849fc326c5070ead5b0c5e7633c460fd293790a26516926f90a577a28679a3b9c95ee

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
b9c79e19b2d1ed526099273d9b9a35ca

SHA1
55aac1cf5ba26736a7d2cb04aeb6834e0b197708

SHA256
bbd33a8917c43ce1bd306461aa8dd57dc822a7cc057e8d4393d8d3ca9881ccc3

SHA512
3b7a89342e283e95533c9e3ab37c4876b01a884d5b2c585a385709a6b5cc1a5b13f8626f9cc2ad2ad2994d85edb5d133264f34594f0c6a5f90e531a0824cb4a4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f654e2fd47eeb3cb2aee041030144629

SHA1
73841674c08690fd6806f1a156d0e36b122527d9

SHA256
45fbafc5e89855d3c5046ff5b8577c096427156081d51b098acc6c032210fd67

SHA512
08965ab476e40b441d79d50b15bb8301a53e75eb1515b97d4d1664d067a5c7dd89c15c525730f1240b623f9566e9829400ef235efad64f67e4b4983ad5f003f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
57f8b5343cb225a3949be30800b9839b

SHA1
d89a89a24a81e43b01e43f66acd0f8a376e94370

SHA256
01e4784c1934605df9f6adda41722533d9e5bc0adc7c73314ea6e3445526cbd1

SHA512
8eded5a365bc79f023bf7617b31c48cd0bcbc2f85108855c369b12341a038a243f51e5bc76989aa105f41ffd819be3536bd9b834cd8a1913e1e230000d7e711d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
07138df0679f454c92267beaa9d66829

SHA1
dc56380c73efeb3971c0614fe0a2ab9eed595261

SHA256
3c39319a68f0f54f4a51c3804b72f7196dd78071bed0ca9ec59cbbb9af078cd3

SHA512
841336c7dd3a17c4cc571dd3074456ba68713711a2ec5756116a5e04d4e64eb1e23af7d4b322a80148cb4de7028a0aa787e56d7747ed07c0ec93a9832b892193

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
5ca5a17fb830f3ab2a89929a1b8a640f

SHA1
6d153c8071b05e29a495d6a9d5b31d8b3b0318bd

SHA256
56bcd3ae0e9b20b2d0755c2ef7c4c85c22c7d17cf511cd89b4284198caef4856

SHA512
6a6fab39bdeb154e5d7e0476bfb858256400449d58f9982f5cd879d69094bbbb2555a823f9cc7076c387d68dab5259842c70d70577468c0f67bc59ba8bc7460a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
3c1fa7e722788fa35b40269acad62c47

SHA1
bf82ea7c3ffe2a24d06a633e8d9029b318ab0b10

SHA256
35d2b0fcbdfed32e7441824928391d03da1f154fd6c73ec4bb52860afb8f07bb

SHA512
2016acb74f6efeff550c5d27df3b754dd4a28aed7a932b0e7d170a22b940ee847d3b707df35dd03b942ca3e5b89963c39a2225a8a2bb0d72477a3ab6e0187443

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
e063a473b6a4348cd73ad2e25bf8e88d

SHA1
c234a360ce7918b1dcae804efa67a3d8cad0aab4

SHA256
40ded0cd61c2b37d02e21333f579c90be7a8f82c922d4512e126ba4fbf2b8f21

SHA512
32f973d6ce87d94c3e159c534a90f52ec27b50460e32a71b1616a33f922d252750031c7824fef98071c498a17833066296aa0c3412932cba50bf20310596e2e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
ad77dcdc709f3ca684f44fa03722b9d6

SHA1
bc0ba9aa9b3f6d56cd71204db507d5038404325e

SHA256
d5c16b33c3b0fd793b03f3bd9425b5ef9aeefe38315d680146ecfffd778c53e1

SHA512
7e9320f4d85257d8e3991322363c6128e333ded6828c7fbe52dfa5b8bcb2137fb6aad0636a5769eed8d04734c5ab1bc3db7928d6da6fa56c41f449f181c57f5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
e7e7360ca93408a5cb9921ceee2e3c8b

SHA1
94c410da30ddd14d969fe8709248dbd08d5a7611

SHA256
3525ab00297ffe2faebe69ae6b2c331db8ee380c59a0bfda6043227cf7db4b20

SHA512
cb5ffa3939c3e12c28f4c32d6d10f0ed780c5737d48964aa98170525c8d69907f8bd77ae38c614c6a59b12ab9afbed2ecff1b85032f8e4d87034d85aa73194ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
9c2d1a97674b9eb7f90dbbdcd30fb6af

SHA1
320c612df71efcc5f842566f59d9089b39b3150c

SHA256
83dd8fc1197c54f72730cbdf55b2e9a2e8bf391ba091fb1677db970729e18c36

SHA512
865f40688cede3531fef406d4359ec760b92b0f6f00ada0ba9fe1d1800248349185b021b87b07948a9ede4090514f3199385e1c09246ccf1cdc32b51bfe31621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
e3423aa50c6e8c202277192ee666e369

SHA1
39985d4b0a9d3354158eed1176c793f37b47f4d1

SHA256
8a4273e6ab6ca138b0aab42b45b4e197829282126b549b5a2491adf93632df71

SHA512
a3211ca060b3d9305bb69b3e0e67cc0c7d6b9f09abe7d3fa780b396e272347f82ab01b1acb728a765ab7a04d85c89cdc50f64bf46fac8923a448449820d5d5a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
45d46d8b9be4692d60acba3c64b3ef9e

SHA1
3b9c6d7897a4359bd23b05a22347bf4b80b52631

SHA256
b50c9117f2e4eb9ec7e6a636992a462b7a7fe6e87a7ae6cb0265bf83b20e4c77

SHA512
5d8a88cb55d436302b11619cb2c1bab008845afbb9f85ee2ef5b0c1728fbe770bdd39c43f792c67564d069d5d3629feafb9172316b1bbc0381782264430a2cf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
bc249a3fc950a1e69cabdc4f231e5d91

SHA1
d1c1759ebe0d33b1219808210de53d8564cc06d7

SHA256
e425cdbc3c894ecd6fe1a10fc300b23d1a9379c63aba2d144c321a25c5be3855

SHA512
0b57d8d96364c12abce882cb830b1aaf9433db356d2bd69e07a04007c0c9e303a7548f09008f77a68a85410843f0d55bec1dc0c12c973366c19abb8cd26d4cf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
79e5181f62392b01f08fdbf1c8f22e29

SHA1
61fa8748d6485b7b3a13824359d923bacf8ea7c6

SHA256
751f90dc6853c1bf4b6cd32e18cc01464c274e3d2c68fb3a93b22a58db9c40d3

SHA512
4418a7088ce971aaa1751b172473c51935ee1296c1e957562a8666ab36d4d1efb020373ad694ca182d420e776211c77dfc8e7b52b17f4b718353565de525d529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ce20a15a57077d500fc63cfe571836b9

SHA1
649f4f1fa7065648a2db30f352afc73c5f4a7947

SHA256
f990a8a15f671ab0a6b044500bb64da22cf0c3baa69df5780fa75c3d3df68804

SHA512
bef4b4d71b750e1691d9f2d8742518f336d73705ee125a93a4f4704b67c19a875aabe396db3d4d0f677cb9a6eebc3392bf7e569c6f4752309a99ab7e00dc1eed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
aa4e75107d96313f5918ac1a661db0a0

SHA1
46d4e4471e95ac95155048f73cde791c0ed8b2ec

SHA256
e1dac6b56303d1e419f92933179cfaa774c2fb9d6070a99396f0585c68ea4d10

SHA512
ac0c4a00cde33299696f5f6abbde46be9bbc892f35899942bc3c313fbbdb29ba21e67c29359d9bf3ef1f6020259e1e72d6fc65ac5d62965e44472decf6be7aa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
e639932ce046731aafed552ccc906825

SHA1
56a23b30604a57cc5b755fd62dabde02934a1478

SHA256
98427af873f9d066e20e41ea18ac1c0d7ab4ac28f3897938a61f7f186badfd77

SHA512
5cb5a44f3c3d451cd0636a065702a11b9b3679fe0222ae854e3872cd0eccd2050f0c09c03b7e4dc70dde96cc5dadd0f7aa27163def9c6b4a4530e6866721ea12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
0501a80069dd0d2b1a6b3aad747b5e44

SHA1
c8322d0bdde39d6c64ec3ec7815645b38acdb352

SHA256
85772e002ac9120e6fc76ccb22d79f73413a5ab93157638876c6e0e29c8da7e2

SHA512
8b0bf14243e590ee6722d5e6c1466b2742e5f5c5483442e33058f57759f94f720a29bc25f5500cdb29f9fdc90948bef791ac1e1b43270491a8f4dfb51a7ce547

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
c0d592feb3523d258c1feb4d22ce573d

SHA1
38af9201444b24fe782ef7e0b1c1947e77f33313

SHA256
a54672bedd2602b62f569991d8e83f0d57f171c99c178b1311255ea0041dbfc1

SHA512
b1706194c9cce5423d3e80df471801537eeecd83b244b5299ed2c4e8e07d047c5fe2dba5ddbb1039baee54dd07c2266910c45294d9946ba3da869a2404272d97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
dbc340e36cbfaf0352d5a1291f4f815a

SHA1
dabebe3f9a21232a85b4ce0368f5d8529e80e0c1

SHA256
2b73ceff0088bd6be2f04c237a734bde38988b8f856e39ece064eaef718d72f3

SHA512
a51bfb97440e09d1b9a8f9302722408756a2a1c8310b47d002105d223bf7d70342593e5a4826916fba60a5a4919dd10f7f8e2c606c3d3882df378ea547d9fdd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
8e421ed6f2d9ebfe153c32faae1ee983

SHA1
64804b44555db0ce9b8b049b18c53cc3e72a90a7

SHA256
0f871e5bb70675ac3814bb9b1b8e16581d62861b7acf74a27079646981a91c0f

SHA512
2c7d20aaba5cacd9834aeb77fc3ca5872070a6868b07959cacf52ac4de66c310e10b8da54be25e4b86c08b60bc47dc131baa382dc709387617087743080f0584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
cb34b523c0962177e441654866236f0c

SHA1
c218aa3ada12f65920633e6596c04fd6e9f27661

SHA256
f819aade8dfb4fde50a1b4ba8ef04f5f47b8433b0988156a0f702677dded856d

SHA512
ecdb4abf399ab50344396818d101e987fef2a27da7586deee4e3d1041af92c490c34e08673ad7a32d74fe732e65027e700b71c8ecf3f6789c90bedf164c75ab8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
2870286e3343d6b04b8fed8cdadcc73b

SHA1
1b28a77e377ed24088bae5204e0c868779bad5f0

SHA256
d16780f46851157fb0e4a39345aec9f118b02a6d28f71e6845d7c53319b5a78e

SHA512
85197c46ede3f2fbb22d6ca5837e15caa987023d4b895806d68b46bfc73486f74552012bf5106500c966c6229b11c773e38f734a6151fcfef0c48aa626d32456

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
39190181579a6b8d653c3bb938391411

SHA1
8302d590938479ef9804f210d18ed547e25620a6

SHA256
d09d37d60d8f890f4843f146553e786ad5c1ea58e00bf86fb68b9b9c2d4f54d6

SHA512
6064f4f27d10318bff7bc9baf7202f26cb78cca2d1ef42ca6c45673e6d6671691a65b350b9ce733e14d586811a24251550693aa10492cc0ddae5b6fb59c71f38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
5c3964dbec795a4ef54f05cafc21ff5b

SHA1
f6c9a3bf446caece0b73f901f8c83e339f488e54

SHA256
aba919224fdcf525bf7ac76c93c93be24bfa374b326ebc2827d848132fa72d4d

SHA512
18aa5feef7b34306e5fc5b1e2a8833e870759fd957ab23ca85675b20258b6aebdfe5e24716d5004afda19f6e587dce279dfdf17b2a82e558427ece861ef0241a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
83ff3cd443b90e95dbb917de66bc2898

SHA1
cc38a93194e4ae506bbdd1745fa6d0a080b69f18

SHA256
f279e23d58b31ddea9ad46b401c01d6700ec715c0bb8e2875ec06ebe92641a98

SHA512
34ed7374372e832c5102e3be531d6a9698e11b51d0be32e4550375dbd6708e3c3772835df973f3af52581bf514e7c8199fac0596274d8f218760248aba50c139

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
d290836d7484453d233d5b53e966e49d

SHA1
4b952d066bcfcdeb7d8306ff4108e6cf0c6c9d9e

SHA256
8b343eeb935004406b43b37ea36516112b37eab022d46a0d1ab16683852ba9ff

SHA512
2b007de890842b9428c97fb14ca2c5649f767482a8bccd6b09fa8182fc767f7c86342334721789bda812ebfcfda0dfaf17d8d7b20b6e04a287c505e647b76c6c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0dbaa8232670e7bc8abf4d4500a7771f

SHA1
51d2e16b3e70cbcdb62e79cc9833164d90e2dab8

SHA256
341e9eb419ca5ef3750f30c99d58396578dc3fe9acb00d600d738239c65c3353

SHA512
3ed7646758541f2e5fc550bdb62b8c576e759079b94f190509e920c7c787f96c1f461c21c7d266db7567f8dba93fb0bcbea1d8f7dd3282427414fa5248cd25d0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
2a149ccfa60a6260c83fc134b79358ff

SHA1
3722c01e5bdd9b21bd6cf3c8f34608ffd5aaf0e7

SHA256
b943afbf3ad74e5eefc9f27814df527464186cccb8484edf1284d5a9e2b69bee

SHA512
d56ca04cb9a910f42f0750c3ade6737de9c3b8ff3a35a2cd472cb7234f82bab4b72a1a58018530d978d4ea916c75cc91528596b89df192c4df1d4e8f3481d6f2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
17f9222240c68f4cce46d0dff8372aa7

SHA1
4cf12865777b360fc6da70ad3a7d45e086c34a3c

SHA256
c55a27fc8eedef01368df54b926f523ccfb09f2378507ca85658ae35fd5999c3

SHA512
9d82cd47f8bba8ef76bed6414a712d4d926fb5fa29fd4c54bc0284a78b54620750365abaec1ea0a2113efec77ff4e37703a46596b6193c3fa28914bec94eee6c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
9db1fc85e885e3246ccb771d619c60b9

SHA1
bedb02fdd00505eacd770d39882c8c16d3c65cf6

SHA256
688e51ac75b2018a7f0bc3b8566fc6acf5cc899333512421883c4e10a7c33345

SHA512
e124912af8d6034c51ccc2fc8204559bd1694ba8e9ea92a4e43862ed7acc2a1f43556dd61330d9aafeeb1f53e706cbc452e794dc3f1a0abbc800ad4126e9d660

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
9c360c06552277869758fdad481479fb

SHA1
84c049367ec37886a9609df5f262803115d5729c

SHA256
aafd8e0e69f31d808e1850333f3d7e70d08f4d20082d68afc7ef797edc83fa0f

SHA512
3ed74de807309a29e644542dba2aa6125031690642384ea6bfc8f8265643bba398f0d9dcb0988eb3a3cf6f4b21339da2ac359a330e262f823c76009e40882afa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
18836d6b947431e5db8c2f56be04bd38

SHA1
92a30cf8b939416d148ec21c3881dbaebc3ebbb1

SHA256
7b305b442d225476a46f9a22df77f483b28c595b090e0588273bbe35211ff675

SHA512
661b775043757604e8157de379c58d6ddbf63070d327dc257e231db32f1236e47ab9ac7ac7d8eac9dc6d1c7bf6e68904dfbd20893bb72b36ac291b7d6b7e04af

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1f550bca65f690bb74f25eea2ecc4c6f

SHA1
3a3d8f6ef72c021d0290abda1000ce4c7034a9b4

SHA256
ea63d663f9ff2a3e1e24a6a6e670bc85bd07b64bd6306f46f5bb932afe71a26b

SHA512
0aa38c074f38b7e46aba7c0f2fe7a38e8d22a5b58b9da4a9cb1e68acd0182cc0214296d83e28623afa4af0a2827039905bb184b3e4ac41a11bd3857b666b688c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cdb1b811f2fbf8e87661e13213c53ba4

SHA1
6a77b0b6645c6194c6bc2bde5b32c03023b67fd5

SHA256
1bca40e1ace99aca0a24a7c78f0ee66eaa6d258ad067087f674179722cbe06a4

SHA512
860eb4246f7453b59308a5382daeaa9792132cba618624337f605c8904c010dc82b8007a2642d6dad73d9e556e05c5a55952002362e5059614ac92e7e8b8b487

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3c6a01b030cace9ea04efdcb433e254d

SHA1
6a32fb7dc09c05c37b59c1530775b89c083f5904

SHA256
832450e229134652b52d56974d5e05345216d077f006ba71d6fc3f8fd8f264e0

SHA512
f25c42ec784a264885a719fc21abd062257e03aac33cc879deadf5efe7afee2ff98c18fc6d690d8f5c5c985a3abd0bae7967410438b11e2f4d07bf3c35ec80c0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
96d19ec02764524eb9351ed73102cc5a

SHA1
61a6950a084adb6107921074cc50177166bf9b89

SHA256
932990fc9b752255e56f734e5da6111d75e0e24d2062807defd2d82d61b18d70

SHA512
ac5863e9bcab417af38db727aed4bae23edae5bba9cf2f5ae82d358184be6c5ed66102f87cf90b7e91d003b511463954e6f091d103468064a225e717d73adc12

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2486af3d2ab764c477dc3ab34098498f

SHA1
dc907768c80bc879da5cea73b2d5283f7e5ade59

SHA256
f82a1a3647f80b52b74ef021d0c9f5af4e05aad2d40cb348bf585199a99eacda

SHA512
f234d40fc3faaee0bbb02657c8a409314331f37b0e743a44767da25b59d41bdab07a0868f1b9cb96958335fa5ad52147555e472660a9c5c68e09d989ea85b906

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
860ef49c1ff81371dee11e597af93d09

SHA1
5ec5aa65560b0d5a174eed78158b0c7275761f84

SHA256
101f3757288c15d0e3ad8375138f122eb7deedc4ec3fc92b32aeec73d824408d

SHA512
0333527c767f9acdbf2adbc772f2f818ef7caf815c909e98c98b1f4b19b213021887c80353f2b68b08008c916aa01aa36acf1d58a891a0663a532a53a731fd82

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
db9908c77a7e6204f085552d3c04c2fa

SHA1
60b264b4ec2c8838733163427099fd41d4e51d2b

SHA256
a52d47f4bf0e76b18dadd7faeea6c902b66652bc7bfc9291c39a562590460e09

SHA512
176bb82e71b6203c710517b4e6f71fd9556bbdd169c7f5595a73b6a516c7fca74c86bb811615f543f60f319c1c45011e8bab73bb3d204f5b1af0d4e8a74d81e2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
2827af7d3bf5ef4813a7aa3a732f50c1

SHA1
0e52bf7258de3b5052b832c9fd1feb0d37b8339f

SHA256
a20186faac084bf6da4a21cfd0ca4710e8b2d7dfd024de1abf7c66ecc6cdccd8

SHA512
e95ed7fd8c6920aa2d860babb7d7724624402b8be24a6641b68a2d4aa39f6a42be1156cd13da1821c4587da9946e534bad29b71ef711828006ac143ab1c6aca0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e7e90a6610719a28318e9775e8594f12

SHA1
aa7b7e7abc3781bce79ab1c38a0e0c6ce6b8907b

SHA256
cf7faa352cf832d261e535d3910424f2dcbe63255c76326df03bf11e2718be58

SHA512
b9a5a0935632dee215a8341e967a5189defdf5b35e0f750d8fd36df367ec52adfd97f89c6655649d3f85e1a5bb02922aabe823449d2c41c83f111be0ead3ccae

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a1b866885d144b988c432b54dc59fbf2

SHA1
2d868fbfcad5fb32ab0e5af0318caeeb6d02a2ec

SHA256
5b584841dfde13c178bbee6863354b07a1621f45ee03b228d828086154cde69c

SHA512
9aa65780a61d9488c105d1b28508283e57ec30b8b6302a8ff9fc34d0f112bb7d0fb3f67b76433029bac72ccfa6f8b02576a344828ead2d55dd5739a6f2bdc564

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9df64dbddc9c40b45014b5b19d2417de

SHA1
ff1249bccaa756c9288ae8ad6c7bb25b435b72ab

SHA256
99f55cf28be5a72bd58c3540da17d10b22b8ff13667f93ee41f766c63492624e

SHA512
8b84d08e584f07581689f9295ef5d100200b054653be99a72832a813d1966b588a49c1c0b7758149bf2985692873bb2957be49673c6dffe47b4146d6eef7fe64

Download Submit
memory/804-513-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/804-328-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1088-380-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1088-265-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1768-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1768-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1768-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1768-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1768-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2272-392-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2272-283-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2420-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2420-254-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2420-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2768-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2768-28-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2768-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2768-29-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3216-294-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3216-404-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3284-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-585-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3404-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3404-590-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3552-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3552-342-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3556-354-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3556-249-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3556-242-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3556-243-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3712-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3712-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3948-0-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3948-8-0x0000000140000000-0x00000001410A2000-memory.dmp

Filesize
16.6MB

Download
memory/3948-13-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3948-9-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3948-38-0x0000000140000000-0x00000001410A2000-memory.dmp

Filesize
16.6MB

Download
memory/4024-64-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4024-66-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/4024-61-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/4024-59-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4024-53-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4192-76-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4192-235-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4192-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4192-68-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4224-355-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4224-552-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4316-297-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4316-416-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4364-417-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/4364-591-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/4376-24-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4376-15-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4376-23-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/4376-228-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/4408-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4408-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4608-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-588-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4884-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4884-592-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5024-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5024-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download