5961f96cb72c95a056cf1545cead0cd14f4cab213c5a52c76efd8c10c1057a28

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5961f96cb72c95a056cf1545cead0cd14f4cab213c5a52c76efd8c10c1057a28.exe
Size

2.0MB
MD5

fb29230b78275aef586ed66c97f4840f
SHA1

c56d8cde2214ca3d9032f5e25e0ac04c35422547
SHA256

5961f96cb72c95a056cf1545cead0cd14f4cab213c5a52c76efd8c10c1057a28
SHA512

19c70bcd9bf343bad19bfe77068c8cc5250a4e8ab2bfeef160bc821e95087a306bb3e8dd00c726c251ccc393c25a4cbc648ff30e7ce7232b66babf8258a847c9
SSDEEP

49152:gvRwdG2NcOMjUfkptVxB2yEBSUoWs3bF:gpwdGVjUu5Qyi1Ps3b

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3180	alg.exe
3124	elevation_service.exe
1952	elevation_service.exe
1288	maintenanceservice.exe
2384	OSE.EXE
1692	DiagnosticsHub.StandardCollector.Service.exe
5108	fxssvc.exe
636	msdtc.exe
4948	PerceptionSimulationService.exe
3120	perfhost.exe
2780	locator.exe
792	SensorDataService.exe
4848	snmptrap.exe
3700	spectrum.exe
944	ssh-agent.exe
3680	TieringEngineService.exe
3256	AgentService.exe
2740	vds.exe
2544	vssvc.exe
4608	wbengine.exe
4024	WmiApSrv.exe
2420	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fd188d7ab36a5b05.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	5961f96cb72c95a056cf1545cead0cd14f4cab213c5a52c76efd8c10c1057a28.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000183f08f44007db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000573c27f44007db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8a0ebf34007db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f69d29f44007db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005317e2f34007db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028a00af44007db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041e6b3f44007db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3124	elevation_service.exe
3124	elevation_service.exe
3124	elevation_service.exe
3124	elevation_service.exe
3124	elevation_service.exe
3124	elevation_service.exe
3124	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3548	5961f96cb72c95a056cf1545cead0cd14f4cab213c5a52c76efd8c10c1057a28.exe
Token: SeDebugPrivilege	3180	alg.exe
Token: SeDebugPrivilege	3180	alg.exe
Token: SeDebugPrivilege	3180	alg.exe
Token: SeTakeOwnershipPrivilege	3124	elevation_service.exe
Token: SeAuditPrivilege	5108	fxssvc.exe
Token: SeRestorePrivilege	3680	TieringEngineService.exe
Token: SeManageVolumePrivilege	3680	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3256	AgentService.exe
Token: SeBackupPrivilege	2544	vssvc.exe
Token: SeRestorePrivilege	2544	vssvc.exe
Token: SeAuditPrivilege	2544	vssvc.exe
Token: SeBackupPrivilege	4608	wbengine.exe
Token: SeRestorePrivilege	4608	wbengine.exe
Token: SeSecurityPrivilege	4608	wbengine.exe
Token: 33	2420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeDebugPrivilege	3124	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4900	2420	SearchIndexer.exe	125
PID 2420 wrote to memory of 4900	2420	SearchIndexer.exe	125
PID 2420 wrote to memory of 2444	2420	SearchIndexer.exe	126
PID 2420 wrote to memory of 2444	2420	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5961f96cb72c95a056cf1545cead0cd14f4cab213c5a52c76efd8c10c1057a28.exe
"C:\Users\Admin\AppData\Local\Temp\5961f96cb72c95a056cf1545cead0cd14f4cab213c5a52c76efd8c10c1057a28.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3528

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:636

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3700

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4900
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2e12d64986436669235fabef4c9ec14f

SHA1
ad92a07bfc1a6ee49d00ce8c56e0cc75b266d319

SHA256
4d6bef5c9153bb748d1dd42c1769b72ed4a7681cd8a5921d92c7c5a4fd9d3dbe

SHA512
417098730082110137ef851a4ad09d51ddd6fcc9e4be9cdf30b220b8020036de3b9e69c93b5b3ca78c2d5c67a5987d0825c50e350ad25f3cdd0964997f6cb245

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
dd93b7e8c935c7a3afd20ae2de2f6449

SHA1
a7cc075d45d079fb00705ffd0a9ae8978231d68d

SHA256
1d09cf42ee86fbbf508530960c37cf0b5c14acbd5564092e95943b286d998e0a

SHA512
23ee45ece04fedd0928856a2ca9c4ae3b306dcf6194875c37bb860b72219e45b8345c19a3ed7fb35f3db9dcdf03e5840ce8504b40a5447a6ad6495d0d9410d58

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
264e6bb09adb9e7bdaac3fd79513ecd1

SHA1
e573e77e491a4d4cb0f11a742c16e0fe8ee3e66e

SHA256
b1d4a1df3ddff9a07c89589cd4b86999999bc71c3ee7e70b8dc34dc3b3e56326

SHA512
4da5813da49fa0e8acc7171eb2708cbd4b89f2af6112b24948e977f1333d3ff3da5dd615951a0127a85710eec8a8a04e6efa9b40e2bdd03e3375b57542ab4e66

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d6b93b01d5c57994c2038132de7ca56a

SHA1
600a35656747228de36bf476507dbbf14792565c

SHA256
b9542bd62996b14d4186fca7980e9f5074e60cf7d20d3a3d4dda73ebaed34eaf

SHA512
6f7d677a0ed748e69b239f24460c4b9386040475ae7943d0fe4c0bdedc9b70835a377ef584089baa1b11bfb76a81356fb618e49497507a02e56d4cb85059f8fc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3f679bcffdd5a4a5a94d51c93c36b4cf

SHA1
d2fa4e9b34e93e7384b7e033d8f2f4258226e325

SHA256
ea30c158a9cf62cc8f6212b8f6bd89a4fb5c425dc57546ad98a2cb87cedd0bd4

SHA512
5abaa40c83abf3511a0e357e499192efd43010111d71cca2261b3b2c88e815c5b337800e02943d21aa1222285d92b02b370732e41f65050fd4bdecc27d3d2504

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
b2f85b7af7001ca440c611b3b1adf04e

SHA1
7c5503e4864644576546cb41076139853554880e

SHA256
ba90a12be2a9a6e31c5ecadf303337364ee3f5192a2e7497b92f1232880d9ed1

SHA512
f1f53d1de34cab12c6e9d81ddf48486c814ec1bd0299a3168739ff00017c08c0804ae1186d88a415ecc8baf54fcce49fe689c3773663653963f8ba885ca5054b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
58ef59186b55f17cda3434a157c68e33

SHA1
59831584abf763d02dd18244cd98fbd6fc50588b

SHA256
77561e2839696555baa4e058335af57cd0e250008447b4a2d830edb2bdd947e3

SHA512
0d4ebc2be2fda8ef2a2d13da6557f0ba49457254e6cdc343a086ec0d0a80431efef71449cc8ad0f2b854aa639801cd64940ed6233ff592ad895627dcb91889e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
983217cdf3718723d8a059f0571f7a8c

SHA1
ae84f02333e460b44f0bf97e70277b68a3349c84

SHA256
75675cb7b3c2d826c9a41dcbbb875ec5145a8c186314167cd52a5c2e6a629731

SHA512
be084f79064cf3def91cf8ae1af67f27c1822b132cf3dbf7e1f711f150d98087c0490520f15f98787ae7c619722a2a383510064626c08cab246f9e1c41c8ed99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
0df384ad40597933e4ffa620187c2965

SHA1
9c9b9ec61e717e5c7db5a359e185bb3b089427a3

SHA256
36ba4f5b9ea55efee8985bb988d33418263583bc1f939b5848baba86f4c75276

SHA512
5060f60e6c8c1ac675ea057b1dda07612b8f357c9e1716812414eb080b83f673fd303b61ff71896f9b4ebea741b6f60ab5d52e61109cc5d02ce76f7274b5a8e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ee543f9bddbd54be520e24992651b9f9

SHA1
3f9b2d5cbe4f2acfef3f9b3d0e26eaa4a7448bb1

SHA256
cebce62480930a467e5613631eaefbc9bcd49bbfae705994b1b4fd3d507e5c59

SHA512
d63da7a49f3aac3650cad684b3c9d7ae5dcf958a3f2f7d533384c9faa93e8c05fe156409e00dab7acd0e4ba6f27240322bcc23549422c60e5532c744f3f7a54b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
18c6125be2bb982f6cec19474b3031f8

SHA1
5218631cbbe0934cee144ebe154d449c73a25703

SHA256
ef5e16c8d0728d9f292debaf2e6f7f012aeba206de7d99a014bd958da40c2db8

SHA512
c911e16ba8222158f1d2616a4bec64f3caf2e87e31322303effb9ab043078b1fd666f0c54445b7e61dd5d9ebe7d1cb9bc074c833814984538bfeb5d53151d7d4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bb0068b0046805e49563f1027711b44b

SHA1
83c40ab61a6e4b75ea80fd4121acd5602c636420

SHA256
c25ea75eb7bdd430712e6d5496d182913268afc17ce50d49088b99922f6cf5d6

SHA512
5459ddb90dc62b3d87dd510c3bd7deda9416e0ef8fc3f7b51478917a2bd298468f1f651c9d0e037c0c865d982a99d50c3fbc7ead6759cd3c8b04ca08c30f3e5d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
074e428e6492c7038aba913576b688a6

SHA1
d7bb29b29804939c0c0686f74999044a2fc5f917

SHA256
565b3f3a13ed3d5c674f1e60f7df182b61020a29f1f7dbdeb1699c352ad580d8

SHA512
121654eebf412b564d5486c44136452ee56700b8cdf3182d832cecf1dfab9f6e6bf4bb10daa8246ed401ba08dd99c561233f52c19e52660d4da872ef4e9d5615

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
7d5641bc5fc2687c0d61985ad2a847fb

SHA1
8c9e99ee80739e53e2aea0eb2e07b8f258a364b9

SHA256
9d1137f3812fff562317cf351cb5057156ee6225af074ee1b299e3a5740a282a

SHA512
84d70c9302283ab60ead9f8003a66b152d186debeaa124a57471841c3222ea1236b598f98bc622978f7fb4006a0baf0e18fc1521010096fb29461ee20a7d8ee2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9fc7cb302c07da0bd08abcc85a07ffbb

SHA1
2a388762f2d0547b956c8606350ef96e9265407f

SHA256
ad63a3b9aadeb23b19e61b9d8a92a9db93c6b622a94f116f969dbe428481cae8

SHA512
c37f60a13afdb9e49faadd88ea8293111bee414afffba76d3cf20754560e4a44bd7ad6d2d9a936b02af8209675794058bc1bdc06aa9c53db97cda300feaa23b4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
7c1f00b81900dcd7e8a322c6256bfc14

SHA1
c77ef28f7bb280c8592fb13179d7613ab31c8f84

SHA256
67e78c08c642ef46c58452d79fe69ac89e39b10423c7ae71b635a71705d15992

SHA512
b607db239c79f0291ae06b53221b5b807d4226a8b3daeb6c59d5aa5206c9dcfb9b4a07d314ac7efe0558de262ed67005db4191e87ecc0764971750bb3d3464aa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
da0856452827a2e54b1ecbf90e7d1c89

SHA1
19189053f1cd5086047732b8851260050e9c5ee4

SHA256
3425b7fc9e08d88dac238a22ada2aac8ba24fb8279599248a459a70984fe7e5f

SHA512
28bd4208941015f48d9ac315caa91ff6cad7ed436a83d06287c9f6b2f832059e2c8f620eb3e8323455fbe77d67aa98dccd855060c46508d6e1b5ca291b4859f7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
99c65ebb48b870041788e95ecf7468db

SHA1
d327c4a5141bfc8d4a1558f51afb4d0a60a037a8

SHA256
3b6d3c08c1c4af9a3134cfe330ab32cfd39ad22a3c1f02af84bf691371ae516a

SHA512
73cdbdea61b7faaa78fac56813a38061ffdaade1408ccea062a4c365201d0ba2e8b24165cf74b240d84413557141bbe9e866ba6101c94d0ecce3ed465ddb6001

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
648a0a3c7bbfab8495d27b41f5979207

SHA1
3c133af86b41a05fb4008c39712ebf28284ace41

SHA256
194115ff0c0fed2095d9d124288b7550f0220f3979102644fc9f8c642da5b9ae

SHA512
361e8f7d67bf40b67794549084c8bd39f3729e3e3b0b64e7e1a97d670d1a9cd58f74864ed73fb22dce1d6d3e7ae3b36d6d739cb413d4bfb7cb6d91b59773b3cd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
af48f45bcd7f3100f0d751c48afa7a7a

SHA1
1628a97f6a8c075dbe0d35bf6e0d82b86e799805

SHA256
988d59de44dfa58d7e4f14268e1fd22efa3b28b71cf59fd67b8d01fc7972b54e

SHA512
eda25ed79e14bfd8a5f879fa7e5690f6776bf502423af11cefe192feaed091ccb205df37c724d587ed8bb304cf073d5710e6fa654e4678b8bcbd436a0d334ff7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
a82c9b5c3c253aa3a2c4b7f5cdf8c0e3

SHA1
7dbd0f9d11bda1df5f0232e0dbf71a9c90486e1f

SHA256
0c673d138793e40c5d25727706c99b41d486bc9d9d4161d8cd16954b698e5ac2

SHA512
82cbad963c20fe97b076a7e8939de3981bcbb5ce098e522cf3c9cd9b7192fa4539d3d106fa784ff6374da38e96b67a65b2724521394c3eed9be9be0049a62fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
6edd7dd3a5fdb862880e91e3ec77090a

SHA1
c8c33a817add5d1cba66653808890f5b86bf3a34

SHA256
56d2ca1815d5c48785945f6e5234fa949c2e77370965b91b3b55e8be1ec17552

SHA512
85afef66be0b9c765bf4498f1dd6fa802f61f380fbeb6718a8b279c8979ee5636dfab77a9533dac05860d7d064271329f203479422730d5b9985cf49518afbee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
744a9c907794fc21b4158730a10c5b25

SHA1
8dbad1e7c38b73302d926e80900819e1059a2248

SHA256
014443afe53ee23b346d0feb087cb9d9f23807273aaa248266a6eef076c93750

SHA512
2ae02b66431884104ae7fbd430c71f62d05185015fcc991d5a36793a830bd584c0a380975c40fb677944747c637a736bce8133b6b90f322cd91598da45f54878

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
cfebd18590519889d4ef1a32fc83cfde

SHA1
f3f1e951ab63212a20966cddbb5734986041be0d

SHA256
46d252b1ff14ee9d2f05fd15d73cae21ee3ec066803b33a0751dc4f4c11b6177

SHA512
d57e0b0cd08015c101b2031bdca97a675291641afd0f11df93355ddd00c512cc346918763143af21e04a3f82c8e3d28cd12ea7de0ea59adc2b1dbc33c27986ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
fcf799ccb00032dbc2af3f8c03122462

SHA1
d1bf57b80d866c7c87d9669ad5a34b6c22de73e1

SHA256
851fc23c0086f73b1d2783e64901f5e902c3c42787db1a2f346bb152f5efc0de

SHA512
dc89e7d726d61ba601430a181d172f9e9030bab9f342e4b6b1f54e8d91d82ad156328c947a96a8ea3e5369509bb1318ff7ee8cfff0bff8cb1abee59ac4b7cb18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
80e0e65c01121647e2a6df5b38f0d81a

SHA1
fb172205b274736c8a63a33e83f1ff7c28855444

SHA256
4606a35804698fece7b43bff51b59ba10bbcfc75d2f310294f6990b98975ec3d

SHA512
8e4dc85b5eb1e6d16e40220015018c57befbb04313d9f2e3ccba069c1550c69209c08bf200976e9f0373abb1d29e27c4062831060aea7cfd722b2f576d0fbcb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
eb0f639de56c3975bcf45c029277e3a0

SHA1
b5c418d081f4da4db0c1e7c1891b952e87c230c4

SHA256
1623cab3570b5942a4fedae512fd39bb4ebaa92667ebbbf46d6281d2a75a95a9

SHA512
41296c8be25c560182d462c73b0e8c9115794591558b0b15e8206ae1aefe314a4bb3f59e1a96c6a83791dab48515b504b77e38268b1537cd66b5825ef7672479

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
a005e022513b44cc921cd97aa381c508

SHA1
9f8130a4cf8c8bd98c18bbf48754de7a0514c084

SHA256
dbf1d432a8c18f31841bc0ab0f1f59044c18065f4496e2bc7cbbf022bc772667

SHA512
2ba7f87c147d286c3cbd2ac37845c4001a4f102e324f05d429c6ffcbf47ac91b004629a6317278b48c11629f83b543531fa5e2c5956930735127f5bdded342c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
a56f9facd7b7f4b1ee5fc699de4382c9

SHA1
4099a25129f847aeb2b43e54aeab9386875ce9c6

SHA256
380c69f9bf08fcfb0e59b1eb8aea53af2d06797dd81594c231578cc991f9fc12

SHA512
9240bcff8c989649c5fc44442099c64d74fa0e212f7fb44780b7b397dacefc81176367085e66fd36103159de67aff29e518663c2a1ba336a16112fc1c2b26687

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
b48b629f6fc2eb5d48a6ea0df1f9a34c

SHA1
5098c54b0893ee5207f84d96520ba1f8841f7fa4

SHA256
89c6ec28831f6d00398b8f1a35916aeee86084edc657cd96da0056871ab72b78

SHA512
5efdbafd0bed15e3153b59259817de354a6c04d3addf7550416b587b4716b38314198266941442f1f6340f8d0c9642e81e074cacfe1cbe7337c5660abb918d72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
48c4a00b71ebfc939bc617d9c986e9a1

SHA1
c570136361bde244c8f7722fa265927b17ec4bc3

SHA256
d8513dd2aba5fd2edcce6ca95f085cd41f3468225256930b771aa848dc43d1a9

SHA512
f5d793019c22e6451fc4e55b6ef9898b1e049f7844ba9480d9c4e38e5b0495e4348fb5e7fb2ef000918cd9b6e10a06ea005bc99484fe2e3a6381b3dd69a0c30a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
97dfafd1a96581a89075ab813fade467

SHA1
4e458c7975efec6dbac1f5bba1271417e57d172a

SHA256
c8e0abe5fa860eae99e4b16360f7a80801e52fddd0a77dc6b1881916584986e6

SHA512
ce6d51ed8ce2ec8dad690785cc8f300e25a749ac0fdee48c220aa4e26c358b44ec013652c1b55aa85d4a544ffa9be649f6ac6e45e5c6704d4f3f0bdcf9635722

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
ef3b227ab476fef62da28bc929b2c11e

SHA1
aa5b8f0668afe891036bc1ea5be5fca042dd5b2a

SHA256
340ebcf4e75fee4a1ee431b9779466347f9da3b518e337148ed24dce697b01d6

SHA512
a60e11122fb3ae2940e09d71e2489c40b06867040cde5138deba79bfca2896e15de69e02cdd0374598523e589d99d04845f86ff7c903161e36f6838bd548eb35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
e39ff27c896e14d899d73955ec6351d5

SHA1
a28d414486a2720c77deb3203419c495225d6115

SHA256
c90f01be0ea30e6ea0c80f545f14c213bb0732dc9ff7c427eba8918c4a9182f4

SHA512
e4521749f7d269adbe1a667f0516f445046a203b640ea08e6757a47e03361778225ad6ebe2ff97ff2770c8a17bf5af278a6487b79d77d268ed5daf2e025bc961

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
796ab51c27494fde74362fb8c95be799

SHA1
d0d87b0ac6b4bcfb843f634365b9fda6c1cc105b

SHA256
78d9a4585e1eb7625480aa7dfc806c2f856ada65a54a00613cef01dba5e8013b

SHA512
7b8523a035b236f8aeac13c45d472b01773ad0b0f38b85cbc94e1e558f83563b25fc3e52f8b9e219c96ad2fa944715d9f3763e43db4b45c387b70d31b6aeea7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
2915f395df56d7686a4dad73624dc4bd

SHA1
a38f4de1fac03d0407c0a8048375feed074f087d

SHA256
65adf88c5e71095b028c76cceb98d7a9d28a88d5c201755740a7376ad2b5769d

SHA512
fcdf674c0b6957f2bffeb38fcf03854477dd456ab68a54c59055193808f897b559ddbaacf06d16a2560e70c0c0c9792ee543f2dc3c6361be89123ec2bc0812d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
4d58d11725c4f777f7676df6f4c39ebd

SHA1
c219fa4de0c044196fa97d7923d1f1033a41670c

SHA256
5a2e76ef7d42a2f13d25e979cee75f00773bf5c3f06fee3b3efe3d238d63a60c

SHA512
3d54d6123a7c1a95703921776695f0f8647a686c5789622c590eea5ee55e52658c24589dc024e0846c9ff9e5cc0c07e6e03f7b4ca0a50c8eae7e232bbd76d1b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.3MB

MD5
a23d5175365d8eb8934e5157a99abc36

SHA1
353de92c8448263dc29be396c0f82380a4785837

SHA256
c63d047949098d4525b5a2383306d7bec969d15e2cbc537e7d8428e63542ae22

SHA512
5e80b0fb067f084c13c685b567c872858413c27e715f50194087e15a33be22aac612ffa067844f0f4797784b401ae980f889df200fb4c24c4dd30e29c1c98b24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.3MB

MD5
4545cbf5098dfdc5e480a412a4c7d208

SHA1
1b8d320791d32a67c20129430e43b8e73ea793dc

SHA256
7bca8bcf4a8d5d954cfe0303ba4c96050a9bdb00252cd61c27e72b06475765bd

SHA512
94e9997e500ac515cc328ce653634dbbe6b76a60c8ce5685ccfe8e9a05e96f94f7bd4ddababa9da2dd14381d54e0c5502ff36463fa5cdd5ba7681fbeb890649a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.3MB

MD5
af593b8a679c5f8d758d163320d19d6e

SHA1
673d056dba52f9d5749bea6ef2cd4b8988d19284

SHA256
8404c0698a980a3cf6d5e4dd167a61e842b50b8ec028e0b4d4dc93697f3e98f8

SHA512
a680d8baafe84a6b961dcbeedfba2cb24d99b42697a178aa08a1677818ff64cb33f5ecbd34a6cb31e400bf2d04bb76507726b9110c151bf396f4d1185844f8f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.3MB

MD5
a003b2047f90e13e6469cde03154103a

SHA1
af233cf0ddff0e341ab631078430ccf1f9bfbe92

SHA256
55b69fea1ed68853b435ffe001ec2e0b48a69ea4bc09d912e8625f1a6bb5300f

SHA512
70f3eacdf95e700566641a6990de08cc28a14219ce5e4039cc43c6fec42a8f7b50430f765423d89381dda759fa834bf3d5dbfd0e03d1026b9295a6569ad96dab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.3MB

MD5
b36064304567d2b76fa7a7e90aac54e9

SHA1
3d0728efe91c4b87621d7965c2ada8b6ae74440b

SHA256
524ad8094e61eb5685446486cd07bf2f4e7a007ff08c5f08a42d0c66c22df366

SHA512
ba7f14030d81244c4230e3ead1ef0c83073625b2cf67d3b6dffe6444f461da516571194af2a921cb287f87252701260712ef32214acd3bdfe264019a4ddf5f05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.3MB

MD5
2985fafbb1c4106d037470fea221a307

SHA1
94c413f7585361dc3827faf254fb7c75eb15d537

SHA256
6cf32540a56cf8cbc8d745641c5883ba481dad899c25e10f9b769b6a5f576863

SHA512
a99af85219b78889499166c614d15b4f7b4e68ed65d0c08d86eeb51839abc67e8edc0a6f0c9de0037a06b72bec84c189cdf5cfddf288fee66589526440582f14

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
4f875d5cb9b899717384a85ba339170f

SHA1
6388a51f7e5ee08f3af4f413ea70e2bbef151989

SHA256
4f76e61638289feaf875cc8a5a6a4e49282ba845924d08ad2ef460cbabae2bf6

SHA512
eb41fa6033fc5260cce26e235e0af126d939eef3207a4afef0cb474a404d7e65bc864d36c5794389fc4206f282e8db765e8aed7c07b4c47b2ce1c3e0cbfb602c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log

Filesize
1KB

MD5
e78b2244b014a629d6ad700c69430d53

SHA1
3f22b0a5859dc7831f04887e96ed3920ddb255c6

SHA256
eae9af1b26099dd139ab79e578349f67a3c0826043b606b662566bfd56b7081a

SHA512
fbde28a9cbe8a50354cc811ed6f036b8b6a961e40353c0a019293a769afb4ea03f00d1a298619031d476daba7d321c666bf9ba9790bb2b0311cda91a7ca34d3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
ebdabeaa9e37ebcb4d3ba5207975b48d

SHA1
af6bc11e185c5449cc869424763eccdb9e6b37f5

SHA256
bab256e1eb1b4848e5891731773dfebeebfb4ad8892d23bd9d19b1ec77fab0e4

SHA512
92d318910f050a700fb8c95243e3f198c867c47c8d439bceb3114502c03fcfcc3f8b47cd28fce406373b3cf982e9e167d3936af07c64f3bae8da35d5e3b245e1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2a6a4df91c360bf9a447ee8a26693065

SHA1
d5e295e497d8cd894b4675902ba699539c38bb97

SHA256
218fd70f6e662bb0c142c8b4f1146ab4a6ceabca20ef8789404c8fe5aea9c965

SHA512
5af5e3a0f0bf540e9780eeef93d7694dde21988fc1d15d95e273d8a534bbb66395c2d561231582dbabd07471cfe1bc5ab0b566a5ddda71267ad970ff3e60eaa0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
2a66cdb49af9ae79c54b064a77d53de8

SHA1
2dce82cfe2208b5b10f1270eb3489a6c4e1f9355

SHA256
f6d681a67775326ace28a4be703957e8bb7682fe015a276a7afa8c09644f4291

SHA512
4784bd32a9959cdc19124859ff435919544ec98db56affb363c756710a1a4c08db2aca1b5a4dcdf778cd72d98171ae374b1560121b3af3ab164689472c45d891

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
515f93c08954fa660675d5378e63f083

SHA1
a4f2a80f1da37f2c3fd339150186f0e1adc79735

SHA256
e5f17773517a8550a3abb75139a86723d8e5ce63410366b937a3b81daa81e11e

SHA512
790c97946803d161c209bde934aebe1731deb381507816f438ada8d1c43ca6040908f0653c9539319758c437f3a88185026d2f597ea40495c0d592870e1b5b8f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
86a511ce41d093e674f1a19d9d31c2c7

SHA1
a3d445b35268d1f3d564b529f4b80cf006a176bd

SHA256
6f8f9f13e7b17dc03ae92fbf3563ab193c5ec04659c4fd8d35f6a9e7b065a8ac

SHA512
45a5af960598629d112a00f7fd097973c67b68fae0b887197a1ea7202757c5a95f1301860b1e36030c59ab3b2c3706695f7e6cdce83b636d030967d2b739ddb6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
96f9325e4c2c823cb63a3c8eb59ce3f9

SHA1
2fbf82f684ab2d5999df402ee7caa4ab9c35e774

SHA256
f17fe8f4f031484d448d3687e5828c8990a9b797a5deb4e5c4dc5b7ffc8c8f07

SHA512
7b56bcde93749096e8533979ebede3405ff1783080ec0c335bfdf9087bce2b18d9523639e79c368b05da2ab3387a0400170dc0783f6cdf4424821ac00db61419

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
44e357a969cbb1f3ac950e1b1a8a43a1

SHA1
7e7671e0ef31076eeea243ceaf51ba7b828d2a91

SHA256
856e7a9e66b723a52c8befdad4cdbb2624b72b5504ef0b0632297ae29d324df7

SHA512
481c3a2b692dc3939a0d67113a85a442a9eabcde8f28b3d13c81b90d9c45c59560bd90962180ae2af56d0e7f03aee943baff54d493847a5ffe784cbffde4a7db

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d20b045e517c8e57675c11b2cd4d43ae

SHA1
ff126e5f660c030637c4a8d2103955e2543bc226

SHA256
03671adefa7eb6ad2baf136d8c8ae8e6f00fc3fbb9caf18052b21440272383e9

SHA512
c8a46583d1c5d97f778da2b98413cbfd1b84767f6c8154a790565a62deb21a156f40a63347d8c75c3b869cb305a334991818f4622f35a229291936acfcb8b935

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e90305ecb154309baf8ecf638c2a8358

SHA1
c3800de64bfbe7568795e82ba12b691f5b75d76e

SHA256
6c8dcd286e5af8ceff555dd6aea7eea34d80a44ee7ac9ec359ac8b48ce01b88f

SHA512
aada22e6ead61bd838e82dfbe83b9c2f83818c0fdca889fe62f8e41a967e372c04ac0a5cf8a478e3c4c51e5121f276cf5da6ea2dbbb90537e869bc60f53f38f9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7cb01a63d2e862fc07ab6d951f8ac8c7

SHA1
17321a7d061e31a4881a2fb21c92094364d895d9

SHA256
731078c0dd77b4db9e23295c0f3b9da642b582751a83dbef6a74fa17a1c7411d

SHA512
f4108dd9304d017b278c07a186a877142df9c8c4204db9056bdebc38d2d81e43df0bf7b05acb9d89162a215a53e36b6264c3be093ee69534e3774be04cdc9a66

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
bb9d353353e691f6b7d09c5a8d5c3044

SHA1
060a3e64518e9547be30e5b0f418cf6ad0c743ef

SHA256
7b1737d0e58ccb445181967a4c20d1c340be95fb9dc7c8ece97442862a3fd332

SHA512
e1727730293a98726a599557e18d3f8010061374fbb5ece10778d5cd4c0a206633d847f5b8e6d0b0ff356e70679a8f7b34356935f8b35d43806928c2d9104fe9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cca7669d2f7ad861f21c4cd149447c78

SHA1
c05411be75700e6250abf771bf3e5ccc5cb68c99

SHA256
22d8bef8c9aa81e331ce7774d4118ae7ce415814403df5081b2cbad1eb431be6

SHA512
6a752ec0e949212e49b24eb1bdfc28f72d9dc30e934538c155983ad5d7002a328942a73845cd3c48e8e58e6361e26248d1c56e48e9e2dc28e24186034b3f76b7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
22c543047ef3741d67e8c7873001c94c

SHA1
440b60d51a365d9844c9db4caba49538115a603c

SHA256
33e5bc6c85f5bd2139037aeb6bf6e3ac2019d3d118fcb14186c533b7a7cc5f52

SHA512
5d7ae101d86de337e26b67fae9f9a406af981cf13742f7011ded1988d988cca87eb6e8dfbbde6e260fa3941707a09ac9775c17f7d18b600283c26d40e3f1b7d2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d75b33da2fbacfa1fc633e18b305f002

SHA1
49c3227283275c53afa52a4e917dd1ee6bc0131d

SHA256
dcbe20a9aee7a8bcb243cd025e259cb7408960a187ebde0728052b5e4a190304

SHA512
e0a9c7851ed927a25d78c021ad09341bebafe0bf016183b66571487a565578456403f16251a587b44ccf9a0e5a5d141f86e7647835b2c235626fd6f3ad1a66a3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
d4bd3c098cf118b882ccd5fed09fe82c

SHA1
ef870eaeb63ec82afdc9f1b2155c35e5d7f7018d

SHA256
2a1ebefc0ba4bbe9374f12cc528c21958d0e105a0e573037ee52699e0593c910

SHA512
973343947d660466f286db449f0d5cc211f1376c1124854c0d60ad7487ae269bb253c321727c1361836ed90a20f84fb5b957b581601fb1139ffd5da642cbfa03

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
67897f5b8ae2591f798e1274662acae5

SHA1
a6c56f0326e3d5dc0dd786f71a299566d3e989ce

SHA256
5af09147430a56b0e4bb25d3d9aaeecccb5070ce2449c46b7d507d90f8d623b0

SHA512
78aebe0c67efc4c9427262d297bea6c428c4f714ae77eeb25682094bce3a912aa95b829c8cc568d5f8aaf12ea394e69a0227abe6e86e896a508603c037248158

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
91ce6e17575b8c6927c56d1af6400f81

SHA1
bf0023667cecc313d143e9238a869182061c9bd6

SHA256
447a4d224b48f929aa66c91f13ff42efd8da7e740623eb64ddc4fc666859080d

SHA512
24d14add010b65e0f5eaf5d44984aca2d188b8dfb5acc100dbcde928a5f08446e980303d0ba869c4678ccbb9576ea1a11bf1aa2412d21cad834a83f21dd17ac4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c2d74e3403ab9bf8856b9a457a158ecb

SHA1
4fd7ba0247bb2990679796d59a90c565ea57a09f

SHA256
a197697e95390c7b9dfc0012e398bba9849598e5125c11e4d896767e6977a694

SHA512
5414e775a7d3197a05d17b08f9d8fd2daf126d57b8475bef758d0071b55d182255199c4699b54599f67efe93130176179ab9760efd1d19071e545e4c16633e10

Download Submit
memory/636-389-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/636-277-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/792-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/792-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/792-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/944-352-0x0000000140000000-0x00000001401BE000-memory.dmp

Filesize
1.7MB

Download
memory/944-592-0x0000000140000000-0x00000001401BE000-memory.dmp

Filesize
1.7MB

Download
memory/1288-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1288-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1288-75-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1288-68-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1288-70-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1692-251-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/1692-363-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/1692-258-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1692-252-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1952-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1952-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1952-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1952-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2384-83-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2384-85-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2384-77-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2384-244-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2420-601-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2420-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2544-598-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2544-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2740-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2740-597-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2780-425-0x0000000140000000-0x0000000140151000-memory.dmp

Filesize
1.3MB

Download
memory/2780-306-0x0000000140000000-0x0000000140151000-memory.dmp

Filesize
1.3MB

Download
memory/3120-413-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3120-303-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3124-47-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3124-38-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3124-242-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3124-46-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3180-219-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3180-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3180-31-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3180-28-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3256-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3256-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3548-1-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3548-14-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3548-0-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3548-35-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3680-593-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-364-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3700-543-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4024-426-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4024-600-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4608-599-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4608-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4848-335-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/4848-524-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/4948-289-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4948-401-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/5108-275-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5108-262-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5108-263-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download