4c659d2e1debbdd876db4e96d7e63268943232c461a20fae880b23b2ad7d3aa9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c659d2e1debbdd876db4e96d7e63268943232c461a20fae880b23b2ad7d3aa9.exe
Size

2.0MB
MD5

139c144ca9408f173a70f8836bbb1272
SHA1

7ae548fb936ad5af8eada8e2e4d1748ea9778fdf
SHA256

4c659d2e1debbdd876db4e96d7e63268943232c461a20fae880b23b2ad7d3aa9
SHA512

569454c90eb9ce04be60eb250bc98a3c8e3ce745894103feaac5ad9e01b4b6bdee4e8f3b95f52d989ea5b76c6d62d128f77b6aef5e74e2c2d2c04862cb794c68
SSDEEP

24576:Kzs3yG2Rwd14jK42aMQDJoAOM08/85RkptVIJqPSkQ/7Gb8NLEbeZ:evRwdG2NcOMjUfkptVxqkQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2976	alg.exe
1728	elevation_service.exe
3248	elevation_service.exe
4480	maintenanceservice.exe
2312	OSE.EXE
4292	DiagnosticsHub.StandardCollector.Service.exe
3700	fxssvc.exe
368	msdtc.exe
2768	PerceptionSimulationService.exe
1016	perfhost.exe
2288	locator.exe
224	SensorDataService.exe
1112	snmptrap.exe
1616	spectrum.exe
3464	ssh-agent.exe
4736	TieringEngineService.exe
2156	AgentService.exe
4800	vds.exe
2984	vssvc.exe
5072	wbengine.exe
3048	WmiApSrv.exe
1944	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	4c659d2e1debbdd876db4e96d7e63268943232c461a20fae880b23b2ad7d3aa9.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b3d7bad9b36a5b05.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a4ea4216912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000329e93216912db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a74ca216912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf6aa3226912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc61b7216912db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000357a4e216912db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060d6cc216912db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ec2d8216912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1954d226912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078ffb4216912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001712c8216912db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1728	elevation_service.exe
1728	elevation_service.exe
1728	elevation_service.exe
1728	elevation_service.exe
1728	elevation_service.exe
1728	elevation_service.exe
1728	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	464	4c659d2e1debbdd876db4e96d7e63268943232c461a20fae880b23b2ad7d3aa9.exe
Token: SeDebugPrivilege	2976	alg.exe
Token: SeDebugPrivilege	2976	alg.exe
Token: SeDebugPrivilege	2976	alg.exe
Token: SeTakeOwnershipPrivilege	1728	elevation_service.exe
Token: SeAuditPrivilege	3700	fxssvc.exe
Token: SeRestorePrivilege	4736	TieringEngineService.exe
Token: SeManageVolumePrivilege	4736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2156	AgentService.exe
Token: SeBackupPrivilege	2984	vssvc.exe
Token: SeRestorePrivilege	2984	vssvc.exe
Token: SeAuditPrivilege	2984	vssvc.exe
Token: SeBackupPrivilege	5072	wbengine.exe
Token: SeRestorePrivilege	5072	wbengine.exe
Token: SeSecurityPrivilege	5072	wbengine.exe
Token: 33	1944	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1944	SearchIndexer.exe
Token: SeDebugPrivilege	1728	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 3952	1944	SearchIndexer.exe	121
PID 1944 wrote to memory of 3952	1944	SearchIndexer.exe	121
PID 1944 wrote to memory of 2004	1944	SearchIndexer.exe	122
PID 1944 wrote to memory of 2004	1944	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4c659d2e1debbdd876db4e96d7e63268943232c461a20fae880b23b2ad7d3aa9.exe
"C:\Users\Admin\AppData\Local\Temp\4c659d2e1debbdd876db4e96d7e63268943232c461a20fae880b23b2ad7d3aa9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4480

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1016

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:224

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1616

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5112

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ea36be3bf78b0984cfe5b2d29300a42d

SHA1
6439ce6db43ae8d9b70adc90400b1bbf5e7f4acb

SHA256
5380eff944a781d90d0d294b7b2fb44e40c641d3164e80649d9757325c5ebb9a

SHA512
0b33b5cf9851b269afdca743ecb0a34ac18b5c5e138c68ade1a61a27e843684de7bcfe916383ba4ab62bc4afdd3521690d5e6d89cb130b2b4aa6b9d1c728cd4f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
8dbda6c7765a7f2543b64b7aa9d7d2a0

SHA1
fd32766694ca24cc555ec8b2865b5ddced09f59d

SHA256
bd6bca7acc602bd2e5b4b6363a50de5b6652f3aab5abfae4da6f6a1cefe7cac8

SHA512
acfc76e459bb7f0c30882b60c6bdf888f8a4621f1ed1fd836a3be4d3c7d41c009d637e152732e4e1bb7cec6d3a78887564e0fd2c051d35eaea420c2689413202

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6c7bc8289147df22d14e275d66b2c2ad

SHA1
8747d7d7d6fdf480a597f17eeb01e0ef2c0e2853

SHA256
d0987799ecc535ab737dd5377a7415104ea64c11f41bb478f688ffbd3083110b

SHA512
b2193233014d08b45ee274dc399b8687ee97dad95cbef84cb3f5069d97ce650a8265161d3d3d24e0a6f3a2c544ad507e83d8bbcef45464b9f217bf3d3c997861

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
43c6ffac1c6d37c5b190a37ebe90f46c

SHA1
20db5498b8375aaf53921abb9fb84ec87c50e17d

SHA256
a718359f474ce43c1802a72425a0f1fc68d1f9daa0df781f8165a931eb710bc3

SHA512
78c74af14cb239920045c2ac13c387cec7fa18425bec2e9e9e3984a614aaa2b2a7eac4f4fd7e87bb9c3b87230b056eba8f0b09c2c6022e6a2c3e0f08c4b05baa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
abc1c773cec67e534283a62143c3555d

SHA1
34c79a28757e1850c713bdfe91e38147b958134f

SHA256
7b3a7d0da69a67a85554b2e4423cc079dc3fbee91e368377713b9ed973ea3d5e

SHA512
3c1a92afe926c39272e9cff73d7098e02a85506fa616f8acb83eb7e9c2b67496e6b304f50fc502ce15010d79f82961a75c7a6f5af71e844e0f543b50e5343715

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d0122150d21f419bc2e3b52f9f1fb2e8

SHA1
e3ba3668048f5cfe4aa41f0c3110fde1d9b762d8

SHA256
3909f87bad997522d66656e7153bfc78541d677bb008df1deb9312855a54b0d0

SHA512
13a7fdf9a0f6443c0be8f7a90ff7d2e1e77dc4c68d5f2cbf4ca8a12dbfce568072b6b7e0d0095eeaca04c1a8fd1a9f5c22c7452518ae9ac72f89c0ff88f11816

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
45ed907ea1a3e519f24ce21e75eac138

SHA1
d030c7cf90aec45837f91c9e297e7f8ed069d8b8

SHA256
81f3adc3c824f3fae16bd1967a798bb11acc20b322935428e2b56e1f5ce0d427

SHA512
40b2cd2b1dc24991a805207c6213b99c5ec17b2d4d5ac7ccd7dea84c8d250b80495e5cb5b953a14352bcaa91845f4f97fb3ec3d2a6bf754a522e58eef9c2ac49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c1b3e0ba35c387ce54976455b18caeea

SHA1
ff5fc09346fda0a48e11abed331e426be4d0d9eb

SHA256
2f425db46642e739cd5f84705ef7b630029700a8522527acc3e8bff1d7db9fed

SHA512
fa67e4e0d1374a5cc8259bc1b11607c72102b0f8f25e04ede3c401f77433df2afb54d67893c78124d4ed7015e0d1a97f1904a5a81e9de0e78575b12255184c54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ff6c98581e5bf63a21ded00460213ef6

SHA1
cb3a0f80129f6e3a84ff968dccdb03984d7bdbf2

SHA256
35a2f75cdea2734ed7f7e65d7391da2cc9f86dee8f407f51b2e61063b0ad8395

SHA512
ab233f3209c5219c329920a8750ddd7493ee612554342f6a69bf95cb32c1b902ec133036931b1b9c3778c3fde8b52912d3fbd6acd40ddd727c36d70abc73460c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d12ad9725d0a1acbd2fd2fd9aab98de7

SHA1
68af304b937aad3a06aa303ee8b06c0785faa60a

SHA256
189b6e99b19a8e6fb5e71d543aa4faf6b5871406d5c50ade1e5cd765ca539cb0

SHA512
4615e421596352f690ab9d40e2d0bae26cfb70f1152a0d6b03f565b514e4739ee3109edf93e4e8fc9468f00e13ad8e097191de9ea6317a48ac3f529215c18a11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
30c1d41c2c68f337320f0dfe3680b4ed

SHA1
adac4b635cf564b09f69b972a660d6c52321c3da

SHA256
06c749862f084892199333b175fb4899648ad0917a79a86740b11e4f689cd7bf

SHA512
75e50e8ecca24588a00b2486436c02601654fa9312f2377b679f3c51d7535fa0a7e562b6d500cd7cd57f83b4942137e542b0879e0ba0ba6d6cf10e75abe1c2be

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9069e47502d87e178f192e0e2bb7db2b

SHA1
8074524e201f0eb49db16fca65a8a7cbcb381f2c

SHA256
ca4453ebfc868f0858c459ce18f8482efa93a0b1b30d94544c354a0ed69b9a4b

SHA512
3d9f436ab49332081de1be9f15e0a3ccf7247c301abb8e2a3f4e3ea970aea6fb31e0468221bd7f4dda7bdb04f729ddc03266581de9714da046e328017bcceab0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fb00709d084eedc5db40f2069c61eb49

SHA1
bdd47d1cdc868753c6df4241f4888cd0bff3df76

SHA256
858b10b43a07a369225b32bba2f441b5039f3ca7a27ec78f91be597e3c35a9cb

SHA512
0b296d0acdeb5cb3cea20fb3f6782b8f253c34dbc1ad29d177d91897d845ca93092185ed03ae4a605f84718fc0804c3e8ed4b41d57bba3850468c5e0845535b8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d4341ba58751925698c6fc99cdee7e6c

SHA1
fc8dd08c37bec4c628e80513c1b38b13a8cae8f7

SHA256
d57989d505cac653e5f49a0a884ff9daac7662f7c6eb1f0ce323ff07fe45b6fa

SHA512
4983f45d0df87c2ec8939034a3fe037ba8d096e11ddbfa4869442b773687d8810e474ba678cf4b4e6d34fff27cf9f8a4f4856f7563ef8a581303bd563a7812ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b6b06d90870fc049262900afc639c262

SHA1
2c284dad570311f4866b83b61e262384894f97a3

SHA256
fbc7b98f6efb6042c8b746e4d4a5dbeb70f7f63e28df7219d5b2145aba450d20

SHA512
4976723ff5f310d17dbb454aa98a8b43e80976d76f8f1b1783c91c65de37010b061b3cab486953b7e109b25d4091077de9c823040aed66ef8a73159d6a0a3695

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
555f7a93fd72cd94ecd39fde19d8d9a8

SHA1
f87042ba6b9e3c81e61bca8cc61330abc0173c59

SHA256
6b8d882a9bc0489a51c1578fc9201d73717c6670dc690917461c08ef58636722

SHA512
e3eba3ee9a24e57dcd2143bfc2ede93378588b8a7bd4068ed1b65c16e35f3e1b16a039cd5077ce6471e8cec6fe64c3b811eaca31e538bd042bd6649a3c790085

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8f095b4a1b400ed1759b3638619e26c3

SHA1
ae0cfe3da93a6f0a0df0f2e38ccd5e52ac891157

SHA256
ee0a63ede8422aac58f0f2f3346b9dd050b355d9b846f0ac4300a00f779758fd

SHA512
7e08eb1f5e3bf26d99e9e5dec84e3c544323c602d632ea754e12bcca3ec57f993bdda5c1ec4e65ecca8b9f1827ac8284cf45febb0dc44a4464c25d2671750b0c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
3c29e20ff60b1ae641da960e4473d113

SHA1
f30280f0b281dadc2ff6044b2004725bd5d82042

SHA256
c635af5ab6843ea39ae3cb9439ba6ea80f9080d53831eba5fd2c8b8f24ba7879

SHA512
9d05333ebf1d903035fc40460d89985545dac1c060ba5cf50c1fc9c5ee1f0718827e7e9a62b59cb5833beaa509c065f4847efb404737bd26eb37d8732b8e1775

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
3bc2c39141fe4706eb2e5ecee9751dc2

SHA1
92d6efb084e685d3a2ae17375c86315773e535ea

SHA256
57a8169c6590a827adc2e6b829540abb647f3414a9e008577450a75917eeff6b

SHA512
f67ba5ca2679941ce8c1fb19a1301efa33994d220ddb7c263698a405154033baabcf89741c5c4eecd07fa954702d79661f9bf40c9ac3bf35a81a3b56af1e9abd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
a2adb3998da8c58becefd596640e470b

SHA1
a30754cfeec6d3a5b75700ea2dbf11bd741b9bb2

SHA256
9631fac31809096b8eb515ed490c40d91a0567b93927f290f2dcb456a2eae019

SHA512
cb9e67148924b3af4b81ca861158ff5a1e9e5d08bee7c6661c63a954b58b93b956105c39b826f80c90a5e696e6b28125af4c771e9d2155bb322112c838d519dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
539b229d0a6b153329cffb4c4600a630

SHA1
695d067495003f7f95cb0e0cb6a290dda723ad9c

SHA256
acacfdbe37d6074827169711f2c1c1c6c30a05b3da96a5fd33f563f8d3f15f1b

SHA512
5690b1ea004d3142b8b0a0cebb011ca8ee3cb11df3d8e2a3375614bdc2dd08c8c52f10beda55c49753af4ec9f67d17c174b9dda1851be2156f02d65c0e281718

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3df239310b5859e30dd538d708155461

SHA1
3c227c07aa556eba8d0de36d6f1d58051cac8400

SHA256
4a40e49144ef307c9ac9e11fe00df6d822f5731c9b9bbf54a9d38e2f846847c8

SHA512
a375cf86344aaebe6e2aafa2142a9acfbb18b3d52a3ef41cedbe361888efd55dd48bdb01041919b4a93074130dd784606e6569554ff57b759736f70e05661f8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fd80454b16b189b325b3be5e1a230027

SHA1
f57cc2c2fde09654abb5c56c867cab0120f4019f

SHA256
ae54263eed41fe95389b4860b3268406552a168c26a1ef11ba127afcd04f0d2e

SHA512
848ca31f7b2e788e1bc5c794f34035c54e9993bd767e052e2c299d5f503cf55cfb24b62602fcf3d6b14d667cf0dbfec349772e88d549a515a80114f8431aa32e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2a266ade357d32232fc556bdf7bc306f

SHA1
e18e00d63101c4283b45aba5997d23410f278e72

SHA256
d14964f70cc7400ec84a8d1fad0102688e9f1dd1ec8a67b629100ad8ce334606

SHA512
88714db380d2103f13cd03645ae2c1fc01a37ef413dc093b6f7ea8eafea305735fd5f57095e84a7ef52651a833b0d176326a626c3dc6019a6a494497c15b5b03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e226ae5986bd08395177e9b562c03e82

SHA1
f5c86c29daf96986c81faadcadcf40dedd9a9e4e

SHA256
5d5b468c72576e01ad8468655e017992a005335af66b0dee78cdd16a9bfb55ea

SHA512
ee052416e2c7a0723e7c458fecd19af1c75631a2ab98e02021e6bdb53b59181e137c9e4cf331329bfca85321d1e681a4e41bffbcff870b320866192cd0d80fda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9a54c7a3f95f35477e40ad40a5692913

SHA1
8f808355582abbdf73e7b0c48326a17354223d3e

SHA256
e269a17e169608b375d82aea22ae2ff16dbd8395f381b9f63b12ac283b1f7bdf

SHA512
1752bb51e5d6568af29b2a0bcffac5206c6b5b93fc2cbb617e5cacda78756bd55b1f6c1612ef2861dd6dbdd7f85e37303486dc0f37450796022e0d58e73ed26b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
85009ec0759dbaaf1993149de18fbd09

SHA1
7b374551ca93dc37f9e8b240ea875be66e751f17

SHA256
e271f9a6ea065aec2379e11558f3f3f61d80413cc36246e22eed131a0d83048d

SHA512
3bb3d202ffed98a46c864050908b719dfa5ce097416bc3f4c2badef9413562166e419affa253e30b27d641a4441f65ac05eb9e8292a4f277de2d1aab784008af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a8c111b44df0739cc466aed0c3d2878e

SHA1
f7e7dac0f410de6e299af87caf18c2b4d4c8b5ea

SHA256
82a61082652b3d65cf9b221c65e0993b852f206accef8a4b92a72b5f8507a6f8

SHA512
a3211240f06c69321bda5e64f0f17dfd46f3a74fafa4f2cbda422a8ab1d871f5d10c4efba06d0cc930711742137b58c5e35919b222635cc5dec80680538c9084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
dd14ee60abf6f5bd1e72739ed6e6b1ba

SHA1
446efa4ec6fb0c490e9ce23a03ecedf2d162f8da

SHA256
389a47a23d527c5d45a0aa6c760bc23a7b9586f508f83f102e2566c6675eccaf

SHA512
2217e29eda541aa530a54076f52437796aa0a34ca0dfb0f877b903f4805d7defe50b05a181f9b871375640e5f1afa53915aac75eab57041755d31a2d9eabeb1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1015d622d230e6dd961986b754aeaf66

SHA1
a6783eb9ce95aab8170dde47bea11d57dfaac071

SHA256
80c9aeac45a14a31517eba613f5fcdca0758d75f887b4e10bc2b5b327318b549

SHA512
af80630146a1927489283a58984c0aa47b940c341f3bd00915151fc15c91f44a77571f9de9b0f0545494311079f59731c935dce0c7f31113a49c529aa6072e32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2b67be79b310fb4f89d18e82dae1dcdf

SHA1
e0c51100668afa5f9f7845ec050387f8cd60530e

SHA256
84962290a3cae334a3273278c0af217e7d2641ca75ee51b9859ef288b403f1e0

SHA512
5a83b5bc10cda36cd47514a713b6c48260839781a84127ee4ad9b2b7ad25684c12384516519dc61da05fa8d60ad3d42c4394a2a2c656ed319ec5709f2350dd55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
988e3c90e5475e13bccf56c896372266

SHA1
6f4291361af6366e09fbb7f0f845bbaf61ab498a

SHA256
74c24bde243208d968a1043135975a50ecea8d07c320e8d39b63800d2edd65e8

SHA512
643e20d44a3f9c9a41d629de38708e456390e6c73ba32ed1f4bfca4fd7374408f8f1b4adde4bb0053f9534d2f517c27304f7cdffe611cc10f1b8c138edeaa115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e20611c8da416b0c779938432eb923a5

SHA1
c046b7d62ae07374d0caef9575ff57193dd07b67

SHA256
bbde6bbcbaaf16a1f0698949f9d61b3e04fc00a36eff02fe55c2cfa484f37b93

SHA512
ac4e7df7098ea4d64017d62337a027cba30375f9a51a71773d87c1fad0ecb3ae9644e3ab350a65791679efe0a1be070670b3e37c161f9f80ba908ec519d1ff69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b4985dd24d146b186ca227e4ce023881

SHA1
d0242d5cc44f948afd4e96a45b1cefe0068ca74b

SHA256
2041e791fa8c2878ff473a8434bc6f72a615ea56c0c3ff69ac480e2d20b3c7e6

SHA512
b432b60f103a0c37a6a3cf45eebe29df3c6a5e2af483b1a247bc1ad2c787f8adf8e256914c915d9fc1584ffe0f1a9287f4c348031314580f3fbeaa009f6a606e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d5bdd49de3fd1304ccdea84d56635919

SHA1
76ffe0189b50ac3842dbb673d8ad0c4d464641f8

SHA256
eff9cc5a03a2398e566b832bf3496218539b03da405e8beaf6e76dddf71fcab5

SHA512
b4a7d37d7c6090a8ca64c4ab81029ba7569e6473eb50c7cc5797b645ca48734d50b8dde39a9c55e7308dfdc08bc9cc1d683b6757c2c8beac66b7d0fe715a5165

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9520ac554b9e63263f3dbb155aa33a58

SHA1
25d3a507a581835ecdc83069874384d508cdd2d4

SHA256
2c416aadd5b1632e6469755e1799e5ffd140be694c19165b762513d0e9007d65

SHA512
473968da47e43ffc49f200624aabfe66f1f59f72c78dedf70016f61a42cd42c6e51c5709d7819e7c0231c8048bd4134fd5165fd455c38f9ab74b67815f41b97f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
458462218eb9c87efa9a16b1d4ab3ccd

SHA1
b5c5e02f661e4fa9924cd75c0cc1785d4d679bfc

SHA256
70186b6f3cfa1b8f06c87740acc799ee385b118dad7c72d30f3fdaf00a4aa277

SHA512
84523cb1f35eb0acea52f9e5f97b94e44fbf6f1d87229b7ecd07e46bfecd0c945bf53a4ff526e9d4e4e41e2dfe8f98b282fa2b03dad883a3f4da27c7e1c2e985

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
0e960ea8856fa27ab987012362385db5

SHA1
44f83af1469abde6709602c2fd4dac7419c2cccc

SHA256
3f088a7da36df0b6053ca578252487faf216c40bd818a1fa604f22e8ba571a14

SHA512
007043f9f0a7c07386b885f37d13734928bf73946e8ca18b68613f6fbcb706aaeac704b897ec93ff3862827c83eb75c7e7b10df0d368416827824afa1f3c2936

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
66f5b217989d14a5a8b660f9813c13fa

SHA1
9fca7ac67299d871612d0033f2106cb943f77b33

SHA256
dbc15801aa236b0a1a55f91104838a0bd00b5aa7b495b03604f20a552dd9e591

SHA512
76fe823804e14f1e9cee96697e4f7d60576dc8c9474512a692ee75ffd10c1207edafb7cc7b804ea29d2e02b467b7005125839a74720f297df94fb9aa9b3ab61f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
e489f18ca59ff5598bb0bdceb1313aae

SHA1
beffc139e9c1ff64ccdccbe0c0f043c7c4a03257

SHA256
8a07a818fd63b4e0cff0ac965965f5bec7acdd1ddc7bc84dffb67b602727d1bf

SHA512
bd79a3e0313ad9be185bb8566cbaf0ad52731fe7abd474b79f3cb8682c4cf0dc719ea48694f463b18268eef96a9cf784865262d2e7d4ca76606ca7144be4f302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
9784798c98d2a40001101f48e41075b7

SHA1
20ae5f756669ceab46989c8e7d19c542be8ac6fa

SHA256
8645666c818cbff79d81d01037ec009a8a46c3b78935a90c1f4276519b2fb8b8

SHA512
021133837d241bcfb6e011f6936e8bae65b3176db9e448fbc951ef865a839d801e2e32ad4a60ec23eb27993678b46c419e381a70d0da04787dd8cd11b0127e68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
34a6cc78a56039af950b588c27c70939

SHA1
cb7af0771c3a2bba705ae551f1b495d67359599b

SHA256
26415cf7017666d87551c6f0026f5d461ee297c3f43b16439e9c305f7ee26eb3

SHA512
6a03e51391ee48493c78a69e2b66e8fec62fd8dc127c51aea8d625c7e5c39efaf0ac3de21e08705113dd421291836f8727c7a0643dffe6545d40aa28d7ea2d09

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4bca740a0f76e067338f5d89aaeeecf8

SHA1
f6911b195daf7ae895a04e34e6a55aef5500e1c2

SHA256
3d012a2d8b7f5540494a39238f6d286000f1af1514abbbbdfaf95282b36894e9

SHA512
c5e4e6efea49dc4fcae62c8fa59e7e9f4a4b7b148cafe01469d470735255c4f762e010ae2730ece3d5c7438171c96d474ffef294ac77997c7161e43479c448c6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
88978642ca9187ef3ee96f0daac462a1

SHA1
d5d612adad30cc45f28c825e7ddb385c612f66bc

SHA256
4ca6bb396adf101d203a9d92f3d6bfb92557bc918d0842d8188a3479aa59c7bc

SHA512
2b4ed74d7c15eb2eede1c8e0e36335f1f575474579313c5b91397ee83c5bd0e9fb63cd16f171be3ea532f82f397e9ed2e4650248a6be2e59d4536217117ffe76

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a0e1f4b1381b1b1cd8e14566b4f5b544

SHA1
b9fa71c2698375a4180fe152dc05abe66f59c18e

SHA256
6c754f3d02c82a578c8e716e2c1379dfe4bc7b22d727bb896e55a094dfc6798c

SHA512
1d84fbbe18339b61a45fa334fb6739b23289c1d8fd0342b481d1355e4f7c73eed7ad5a505ba03746cff578b5701dc0dd959de02d508d44c456fe285c90099f6a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e65aa0b1de31b17564fdf6b4d97e9b0d

SHA1
da986557c8e2adb71898a9817623faeb67bb46b8

SHA256
7b92c95b6af9d4a1b723a8940168d2bad1f3f5d6b74e8fa8c71c20eb9e43cc13

SHA512
34e10c5b55a73c1de390b97e67e923eb8a97dc0ef5a88acac0032fc817ac0a9e6bb35063a8f7ef71da348599e10e3b34cc585d0560abd4eb3d433d1818161f9c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f769b3436a016de01125434f0fdbfdbc

SHA1
72e5158e8deedd54c1ce45e24a89c9977ef3e0cc

SHA256
5a05556cbb64d3de20af5d07b611d66fe3b9e357e14e02665abb4ad55cd4a3f2

SHA512
1d0739103a31d06bf1c99cb4c7ddf48dfe2679da8f08f2c436bc513a1bdc6f95c66b96d5fcea0004b51bf80fb44284cc00d741839684a16796f796d9ea4c0cbb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cf7cd9d98f135dc62d32b39281e7d7a9

SHA1
62378fcd8264068672081646571769b215962cbd

SHA256
1ff22b3ac3ce767f575449ef07208e7021f959668e393d7e448ccb1f38bf7123

SHA512
8c8da90f101b3ac3d51be419a2918a87bfac9eb7cd8552bc2166489a651e481bc27c26ab1b0da429d82cc12ce8f6f42f416d30f94f7356d86cc5fb1ab3a48085

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0e5d0fc868916c78742b3efb0f92a9e2

SHA1
c311e35e931f545b838d3f9c8f3fc231bb7eb95e

SHA256
11bd5365cb56e2f46a4509204d2368d579cf7e6869b034d80dd587a7fc816480

SHA512
f0915358098ee572e30da14810aca7312715a4b5769bb71b0a467a16244b7cce253c089956831c037a21b022191d8d99589ec70ed1c104f0e8f2882ee6889682

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2bfdc5f4c08ab9a3bc356023f199e45e

SHA1
d19efd223135edb6f04edb6b9e5511d1eab8cb87

SHA256
ebc07353e6768f2e254e8831c79740987028f58bc4afa00748c6edda36324c5a

SHA512
679a919599347ecaedc6197fbe0289f7d661687177d3bb1320ee81d88860af22af79a10b5cac05226b6514c6b775906ce7f9764463ffad10ab69edbd405064c7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e1b93615cd71b0b890326108342c15c7

SHA1
61e1b4efb3dc8a2940a136cf6b771b7b7d6a9203

SHA256
44fe1512c1f0dc6c862e0927b792dab06236be6dae525ad893abfb3d9214ce38

SHA512
661c85319ad6c03df8b2131493e95b55ec88f0984061727665c63dca568dc40afd709e5b2fd4393e041df5df8c05df5d515db8893f53e43bced81cef25cf6c24

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b8784153f98a1560512fd41a759e2ad3

SHA1
7699679e37a35ba56de557abc3fd43f3fb67da75

SHA256
97aa3af451f0620a00e7f0a187d7f8e25a17fd87bd0771130ca95b799818dbc9

SHA512
87aa90ae06cd9b4b616db8223039aa35acf661e5e1a4210bb3e123974cf82cff39625c806f7f9dd8892abbdf2204fbc2ccac9b05309d236ed3e08f204ca4d03e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d9f886140c1023a42583899560c7e29d

SHA1
de12f3c7f58d40f7aa4c205cd2a15923c662843b

SHA256
89dc8d4d467106fe02ff1a3c7014d8dbda1698338a41af46d66cf477b57b1378

SHA512
3ae449feaa6f7269b89059de8fd566035fba931735da60cb58f52645ed9c937be42a285715d98a75f2d2bd432ffcbff3915326d484bcd0b7ce63670c7dda4582

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f8f96d3940d7082729100932081f51cd

SHA1
fad808da5e4c893ea67c08e4e68d8e661305b61a

SHA256
412fe09a9fe70374e15e4f8a49121177d4f1b430b717f913967b299620d5ed9b

SHA512
cb6c629c8d31dac1a3dcf2e884478850508012f15aa0c92edba551e959ae11cdfb150bb32a30a186e506534b2f812a00efd392e661bd2b93014565a219346d6f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
45b8d44370df40ca22bbb82186835678

SHA1
c443525e160103d82a4390ef959d89be30fa7d1b

SHA256
afd3a314738e7c15083e4560bfd8b32f96b733dd3a3f1dbbb246ea65564061f0

SHA512
363855d0947f4ba9c854f4958e1417587b9f46151d93563247e91ba014fcc8222b7f7863ed812e69c8d83369190f69a0a0415d3f161da94ccc40c37508fd01b8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
78825c8e45d2f5f1cacb185c92bdac08

SHA1
0c64745c7c104e7f278a9341b1ecacdd994b3df6

SHA256
96b4aa849e305071656fdc772bffbf0c6da556bc77496ca9d0c02440582e1834

SHA512
f75056dabf90690a263e8e5c985533275d814545f36a65a394fa2f0b79314bd65998f7865e8f7f3bbbbcafb5946e64156c28a02ff1463ef0a569f0223ff3e58c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
39074303ceddcd2501872f8d90dc7668

SHA1
9e28908adc93ccb62e7ef9cdc4a5beca4f8075d2

SHA256
726c07b962a1ad89eacdc7eb4bca5674ede6702ae92c28e3f9999e6d49685c84

SHA512
b5477abdb5e7556fb73ca33798609340518a26e4de1677c6a657c8e2f9f79833fa7ca4cc3706641d1d014c204986a2c23e599e257745b357bb86e4438f54daac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e110758071e37e4bf398011a1daeb14d

SHA1
441f055413871aabe8c5243c4aaf927f8298297d

SHA256
cd748be59c8ab97cd0efd1229845569e928ccc6eee3d1dc6c483c266efc1bf4b

SHA512
9cd93f68403d23a5ef3782c08f4e30c603d7f83bed3735338b4cf5d4e776b6ed488faff71564b854f749c22ab4840dad0b997ede8852c2fc4534c8a1f97c0806

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ed7ebff0d3776b8d25fbb1dafebd67d4

SHA1
1172d1437d50b87dc7700e898e9ddd20e2d380b0

SHA256
29ae6d6aac51c07045b197977de2bf706f881f937834e6894af72a5b951354e1

SHA512
81f86268cff6c9f6386fcff1e80e46aabcc1c4bf5a4179a3b68cf6ad05de9324018fbee5237849d44c27ea94785eda6236a48f64b8342abc2a23c551ba784b9c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1232bed304a77996cf117c24c584330e

SHA1
c04689c7ceadad13895299604c4fa680ebdb9c96

SHA256
4ab80c6ed62363289e0a60433942eb4f69b0939f95005b08b786cf7ef488e4f8

SHA512
0fe363fa7a18f95ecd6ec72a5976431e44c402aa39d056e46baab9fb9ca671899677e27170bdf7588de61d7b65bb08cca4ed0fc7c8527c3a64367e5e6aa1921a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7034e4e7590459449857f5a7c80f9137

SHA1
caa87adeab1ca22caee3dc90004e60e87ead0a6b

SHA256
e397f8269689900d5f8bddc1f8e1b2455183ef05709ad647caf5d8c510928977

SHA512
61b0350b8c058ad93f394ba82ffb0b03470321261bdc888ec098f90bf52beba55e03f35373a96e8d8b403360b473218f3872103e657f338904b9289669e0b1ec

Download Submit
memory/224-717-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/224-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/224-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/368-274-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/368-396-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/464-0-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/464-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/464-1-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/464-35-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1016-303-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1016-420-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1112-531-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1112-336-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1616-347-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1616-582-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1728-242-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1728-39-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1728-38-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1728-47-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1944-720-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1944-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2156-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2156-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2288-313-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2288-432-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2312-244-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2312-80-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2312-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2312-74-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2768-408-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2768-289-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2976-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2976-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2976-31-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2976-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2984-409-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2984-714-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3048-719-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3048-433-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3248-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3248-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3248-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3248-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3464-359-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3464-678-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3700-277-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3700-262-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3700-263-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4292-370-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4292-252-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4292-258-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4292-251-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4480-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4480-69-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4480-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4480-63-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4480-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4736-712-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4736-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4800-713-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4800-397-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5072-718-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-421-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download