ccd9c88958e18a30a3321722e3188648c059e3a2057a37e3ee94036c695c4a91

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 13:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccd9c88958e18a30a3321722e3188648c059e3a2057a37e3ee94036c695c4a91.exe
Size

2.0MB
MD5

090a132d23b8f743a6b4d8d49424d626
SHA1

201e713f11711667fb1d8fb4ccfa527a262eeb63
SHA256

ccd9c88958e18a30a3321722e3188648c059e3a2057a37e3ee94036c695c4a91
SHA512

a3a0006eed200f9ba6517b7d7c848b580df4aaa649d9f2a41c60927e58825bbe7319bd1beba19cc2d56633a95e9f83804e7fe85f9d1eba7decd2a2d60a368622
SSDEEP

24576:Kzs3yGXRwd14jK42aMQDJoAOM08/85RkptVIJqHMsIucYzx8gI02:eORwdG2NcOMjUfkptVxsPubGgI

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3768	alg.exe
1248	elevation_service.exe
3520	elevation_service.exe
220	maintenanceservice.exe
1424	OSE.EXE
2648	DiagnosticsHub.StandardCollector.Service.exe
4388	fxssvc.exe
2732	msdtc.exe
2840	PerceptionSimulationService.exe
4976	perfhost.exe
4084	locator.exe
4584	SensorDataService.exe
2668	snmptrap.exe
1420	spectrum.exe
3460	ssh-agent.exe
4856	TieringEngineService.exe
4860	AgentService.exe
1896	vds.exe
4424	vssvc.exe
4048	wbengine.exe
2136	WmiApSrv.exe
3436	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	ccd9c88958e18a30a3321722e3188648c059e3a2057a37e3ee94036c695c4a91.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e9a4348affa85a2e.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79609\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e48aafb73a13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000673199b83a13db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a7a7db73a13db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005627ccb73a13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060c6aab73a13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045347ab83a13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1248	elevation_service.exe
1248	elevation_service.exe
1248	elevation_service.exe
1248	elevation_service.exe
1248	elevation_service.exe
1248	elevation_service.exe
1248	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1196	ccd9c88958e18a30a3321722e3188648c059e3a2057a37e3ee94036c695c4a91.exe
Token: SeDebugPrivilege	3768	alg.exe
Token: SeDebugPrivilege	3768	alg.exe
Token: SeDebugPrivilege	3768	alg.exe
Token: SeTakeOwnershipPrivilege	1248	elevation_service.exe
Token: SeAuditPrivilege	4388	fxssvc.exe
Token: SeRestorePrivilege	4856	TieringEngineService.exe
Token: SeManageVolumePrivilege	4856	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4860	AgentService.exe
Token: SeBackupPrivilege	4424	vssvc.exe
Token: SeRestorePrivilege	4424	vssvc.exe
Token: SeAuditPrivilege	4424	vssvc.exe
Token: SeBackupPrivilege	4048	wbengine.exe
Token: SeRestorePrivilege	4048	wbengine.exe
Token: SeSecurityPrivilege	4048	wbengine.exe
Token: 33	3436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeDebugPrivilege	1248	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4860	3436	SearchIndexer.exe	121
PID 3436 wrote to memory of 4860	3436	SearchIndexer.exe	121
PID 3436 wrote to memory of 3020	3436	SearchIndexer.exe	122
PID 3436 wrote to memory of 3020	3436	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ccd9c88958e18a30a3321722e3188648c059e3a2057a37e3ee94036c695c4a91.exe
"C:\Users\Admin\AppData\Local\Temp\ccd9c88958e18a30a3321722e3188648c059e3a2057a37e3ee94036c695c4a91.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:220

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2732

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1420

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4860
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3900edde1d91363a166a9e8e61ffc784

SHA1
06f318cc2bf2073c9d602018f32109beb76dddb9

SHA256
70138847ecced20aa7e9e1ad40ea8ad169ec818f7a04b5c68226e0da3c8bfbe2

SHA512
edf97f1cecd90c455bd215246c70c927cd25982ab4a148876c6dc6f96c007ef787ccddce782c57c5a397d98a60d41192c8dce23b69d4f25bf9088e93eb0d394c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
123550de6c561c6fad799a3566c7a0ad

SHA1
20bd3858cd52aac6662859334132c3a2a6dce561

SHA256
4985332c5310eafb51cc207d96c948520fd76d07ee6a5a273a915a4bfc0afe81

SHA512
10643bf3accccde4fa11cc33ab0377872271ecff6c0b8b9ad22d76f36c1a1a2e10b83ce77bb482da5e26c7dac7c3b5316920452d0a572dbaf0c9ef5f5eaa1f26

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b6eac3fb6eceb997536baffc066de0b0

SHA1
de209656345ca00126eb75f5971ed36c359ac281

SHA256
6f0f53292636969f72cb2a69956e50416bfe002a1917e8eb8014562c8d170acf

SHA512
fa7685f0c526c638278d4756225d58dcc0b81212737399be52eb760265cc3039741073558a486bf4f5da9bcc7b76b603ad3b5f48f5c3ebad9fc924f87117d78a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
438d3ac899fdbe9e98db6aab03d92095

SHA1
f8bf4b79d879b8e46d35191d9d6a11c5b1899c7c

SHA256
2cb2700ccd6d623cc6b2345dd8de33b45ea3b94510a06b4e2eec86012d213a6d

SHA512
e926a52b70894683d9b57bd952a7dcf534998ca9d95926eecb29b9d12750c41c095156c5c650036244d38dbaf882e8f6f00fe9ef602f3c5089859c6938807897

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f1da3fa77739ec4bf3713b43e67ca4f3

SHA1
4fe8ff4cdebd98bec91375b6e1cac2e28a4e4963

SHA256
d05f02e91e18ba11ef32075fb082657a5a6d0b88422f5c6f69df74aa4485d125

SHA512
313199440ac12f92d57f07f99fdd6fd0fa4bb262c28ca8d58298cf18bc65b6a31c0c2ff1d18923c184bcc1d090a2a642c4f84b6d5287f1d39f693ebb7332000e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4cf72ac6b4e0f518c85738c99dcbcc52

SHA1
7c983d945180a240e32265dd5ff8e9f121d578cb

SHA256
71963db179087a5fdd0154eca8e1371c77797b6529a1c536b12b470ad816279a

SHA512
c0d8754ade8977040aac1f9d527cc96000d5f3cf7a92db5860bb692bd7bf4f39a3df44dbe15e491c41c1f9d3817fdd77435ca88f4e33b244b90e1dc6854a67a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c362e4d367c8075c5cb6e5167637d5bb

SHA1
05f53ee96c68075667bc805813789d86ba688d41

SHA256
8c8001bfdae4f088b2d9510ab6a706b4a3d5d616077ae42246fb92dc8de3cdf9

SHA512
3224b01e6ec2a88fdbfeed04904227fe15e0cc8c1fbc7a846010310252230373df44492cb8fa7976e607afda5a7ea2af7ef4c1f22670992d6933d4698d690acd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d560305174ec3c3c033c6583eceeac94

SHA1
3d41be1900c814bf2c5874d8f5ecdd89889bef57

SHA256
71149df8777453dfa7cf0cdcda86a679fa06f901150ad43add6ad2ace0d01c5f

SHA512
a03d5bdd79c3e598c6d0bec37b053261462caacb0a8d754355d5cb68aaadebcda48eee94b125b71574cb9795b7a2a05e9fe7595077d9665c505ee9c9d52a121a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c4927975127974294928cf265990203c

SHA1
5c96c57d2381d59d376015747ea867256d9a49c0

SHA256
d6d2a23cb5e6af21de8e1f997ba67c35504170e8381bdc09599ac145aa9532ff

SHA512
4fbf7e7f9c2b07a30fe4f0693197488778ebd58d8d6017e2c5dfc41ef4caaff2cf089e3f027cdccb921de61727f1a7b3b8b56223f1613d8fe12a76cf2270efb7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
66c9b173c14699c0ea46e6f2c79861ab

SHA1
593e9bfdb045fdeec7fce23299d6540b1d701cba

SHA256
78beb21b0fe397254a9f82a862b7c6ebcc6e875c2f459daa481ed3f968f8bb02

SHA512
800d9dbfedf23d2ef3ae360d3c6dbf374d590c7a4152c605cfad41c779b1a2afd2865ff7fac643cceb6fd56c4890e658bec8314ef468ccd90e8e38bde6a3e274

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1f144909e49cf9841f158a68af3973f0

SHA1
92ba0f566b124a8d9e56e07d89031e4c3148dfdc

SHA256
5a16cce3add4e1921272cba2f0f08feb7aa1c671da12c7d3d9f1027d51a4b822

SHA512
15d5db687f6f8654813239a4ca9ca00b3ac7e12454321776d818e35839542d92ca58cffd88c0ab60a914adaba896a3c1411d9b57700d3f32c7dd18e05525b771

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b2b8a266f0bf160a2bacad54ab63744b

SHA1
bc81c68acdde40d4ba122a588d3de5fdead3d744

SHA256
1502b412795fd5e38a1a543cfeffa2d4e3a781198c074006bfe0c095c0a4f225

SHA512
271f6cec43c62a77ab782197933f9ff2170f702f943ee3e3a237a933405abe6fdcc094921f75af5d0791893be0ba1cb779e90e448f83f49f3bc1d95f2faf7fba

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b016adb4262d95aa7b2f9b173405ebed

SHA1
bf5c841714666c72b1a03e8a8d79d0399758215e

SHA256
4516ba50fc81f40f7f5237c42e5f73298006169fffcb357ef3340464c7c3b2a3

SHA512
c29637a5b15ebe3811e86a4d022c6683bf0590d46d0efb106ba4dbea9ca4baa6bbc00dfc62d3f54a511b54ade438bbab6637313aabd74e9c47a3945f003549be

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b1271470ac857fe76810740ac495ecb5

SHA1
6bc608c8169ac46c19f5f07e5d6e7e7c60e6aacc

SHA256
7577cb6137aaf15f83d8c21ad56447e497aa4d518f068a54631719c569e44180

SHA512
f053d5ee2d16fea93c1a09eec74aff007858adb2e9fea06f8e3370c0eea5fda202e98b3975e209581fb01d002836f94a598aedae585c54557b8695dfb34bffcf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e7b39dfedccb658572d54ac3e507ef07

SHA1
86a15e4fe7e1068985e1674141f34b736a27d79c

SHA256
bfb70d69f804f02218c03252809e51ae3dfaff05bb129121328f23e6fc6fd9ec

SHA512
6a255a496098b241e089e64d9b226bd396f531dc33102ab3d39cc7e3c80911bd47c4398c6c061035bcbf987352ccd6267f83e1603c14c6a8bf95f1c7f88c0e16

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
5467e5984fdbc74fc28f1652e288a436

SHA1
a511b27e05ba144f426f9623adce6527d42036a8

SHA256
61cdb9cb284e26217778b7d1e8e076ee6b4b47e5d56d5b604caa7538a4e49ec5

SHA512
8932f543c40a03770e1c595a25d540c1598b6c0b8274887b56d7e1e54da0948fe4a5881852052a06be3246eb2177e0a90946bba26ea2f8c8cee84a760f73ca93

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a3ac47fde722f05030bd37c0de05cef9

SHA1
0d5ab6a3608b61cbbfd79e16be4bb4128141b1b4

SHA256
d0aee8927f9652021251f3dc8c757a9399ee82075e43f941433db02f354b03ce

SHA512
789dda65db3a94140d586bf0b828b94dd2854cd80b63b047330e2199614c59008de26f7a3830c247bf359aa5db9f9e3217d0cd53bf730de4a7a55d36e5a49569

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a8f5b449341cde2349d19d5f72ae21ee

SHA1
2aa40492b1d01cd5b6a427aed2cf74885161e078

SHA256
6d5dd69cb2616c7537838db8c37f11757b7a6031bab47f82fbb4e1c9d8068c86

SHA512
3389fd54318a72cc08dc6a12b6877b16ea827be4928c1614a420c7bfe6bd39ee556a2eae8f8769ea92505dce9f4ab9a5257ebf03d1adf2aeb845010080c843ef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
b39e8ef1293945ec5d53c429e10f77f0

SHA1
d75042f5e1b054462b7fb85bffbd210a6290ba41

SHA256
2f1deadfc24094db26b2aaa57c7302f2410143f08f2d93ca4f2ee2da6670481d

SHA512
03872bbdf5f49bf17c4dc5023029b10a06690da117161cf90e0862e752de34ff7e4a4db34a05bad9b964befa71be40e954a4fbab21626e514c0955f78ac3208d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b4dd7da054239eeb97d40dff930237e0

SHA1
806724122d514407fc360dd0b8f2e9a8bb52d83a

SHA256
aaec173eb97bf3597b2e645562f142be63bbcdcbd230812d292ba380bcd1e91d

SHA512
1d83609b5a4f1eef71e15344b3304dd0185c8a00f549a5b81c779d38642dae9954a1235e6765421e0e9e1f84193fd4d2ee0cc54c743e254d80f71aaa47889e55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
601850045c375d212cd2300e8a94658c

SHA1
213f5981b19bbca27cf38af925c0cae23010c496

SHA256
d8b09ffea670cd4ec1a74a8be7aeeddb3e7e73a965abe4a8387715e544c7feed

SHA512
3ef9cd9e27c1367a0c1ae27fbb15b373cda6d3ab6c33d2b609df94ab5f1234b7023e8b78ab006bee0b7aa76be9c9bec688bb6efc0c2f56eba867700fb748008d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d8877a084efe0f09fddb86683e9f2b51

SHA1
5145a16ec0a75f2279044e2405ae87960dc58052

SHA256
8af0aa9113eeeaf95481b624f3a8705f2c6c3aae29ac71b11aad750644bdcb49

SHA512
3be1d9f74dd0cc59063c677ef9f4d07be39c97c9ca134915a335e6bb61d0e5a9e8ece72ed7af4945f0a95098f70b305d70793037ed26bf13b3c4243bcd72f50c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
91c2ee828998974fe454b5156ebb48f7

SHA1
cb2f8864d54dcedc82ae18ebbb40465cdea853c8

SHA256
5267830785302c723d7444b051fe01cd3ecd3d990762df19efa493a301714429

SHA512
994ee3716aeef69c469c1f2f853dd071743991e953ae9b5772f34535f014cb2b83a4d33162a02599d77ba456c93f972d9d392000bb3adf280e83278ed827eb8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7cc23c4e3f573ddad2f4e0c083a2355c

SHA1
eeed40c01c732775aa94cd78b51622010c9bf7c5

SHA256
7cfdd76cd7386cf105bbbb1a49793c7b1a998c338a773df92ed9219c67fa477f

SHA512
ae77ab200cc8cf94dd86ad61c462b95a38f18aeaaa4f79a24c6c4d1d706fe02dd1196dd537c0ba6662e08da40059ad12cdb137919e070cfef7b85861fa6869da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9f06c374b941ade7ee20ecbc94222122

SHA1
5c7a179ad25d3477a0e38608dd7ef556f46a41b4

SHA256
c3168799f304db17959b93723d68efdbd118d325d9e763193060c2aab44d36a7

SHA512
84209a9f320e9280a20e3e1aa40f712c06c8cc4675b91fbd32544c4f91db7395641c310bb7d865a5b0d0b5e49fb24ea91a73eb032d0ea94222e74585f5410d9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
da3cd15e5a6b892fcf6b54c3ca0b3038

SHA1
c5b3ba7d5395b3462a4f61df15dba96cd4d1921d

SHA256
db69dd832b2dcf44982e82d55bdcb53e1fdbdebd032478d94e4f0de4418d215b

SHA512
d6f933e6dfb764b230c6ca3f81e03cfcdc0530fb226b265a6d6914a71a98b887ffd71f07480f47d3121341fd38debaf30225912cd1b932fc3915f9a7128f255e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
10f307f5ab6a04e49b535c70982cd93e

SHA1
dd0049feceec19058c76a1bfc280e68432cf6174

SHA256
a8b85aa7f641c8eefdabd26c520f0cf888f5371096e7dcc3049df9ea167ab9a4

SHA512
1ffb78a0a856615e8091d0b0e4bde4d608878b872ed81b26cc72e5c4a197d820e9122606c1e121b6308bd412bc5f2f919f1986b3bf68370da96633c1f42367e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ac3d571f16b598083ec7cb1762cd2040

SHA1
6cd915496eca7056faa883d0025078a257bdbe68

SHA256
1f68359d019df1836997425f2d93d30ade5f46a637df5fec2fb7dd96102b4b1a

SHA512
607b2c2de773c457967e35a47d9e7fa0dbd2585323deaa90615d3b861d16aa8c9fb2ea356031ce76cb75c3711898ac3ce94fab771f17a364596cc0e6686b4f5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d0f407accec993951cb9cfcfd2c438cd

SHA1
d2951c691f266f6898695180f1a94b6b727ab7ca

SHA256
b9c9bb625df53fdee41693a73e8dfbda4958a87c7793e1b843986ad71ad6c191

SHA512
5821fe0679a5a7706f8794713f04fc132d528f26e1bc887bf80ddd4e68158a9e06717cfbcf597ccb0b0869901fbe07dc29b9c28340b67ef74788308f8a920675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3b95b04eddd51d5b418024118c0e819e

SHA1
6c7876d7b13dc584b0a4efe320a909d7f2ac5ebc

SHA256
ec1a1fd9104c657030456666a63f026d35de332737f92236d33cb4e8c397e33e

SHA512
0bafe39acecbdbab857ef17b366653a734443b1296fe0e305e0334eea28ce018789a4f5f09f550c218071d0f5e25fadbd3b02739db245f548acecfdbc89bae4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e46c557a4e02f953888de1f32b871f50

SHA1
705be15521226befdb292f1894a95261fd0be394

SHA256
fde69131d48207ca054732ceab9df037a44f16fcf511371f741cc1014803b206

SHA512
65f20ba40ce7bd1720ea1880834f97516463b8545a2ce9461ffecfad44571e844881cf19df02dab7a4326a46748b2b0a781708b4f56a2937b251535051bcba15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
527dd2b5065aae91a5f72520c6bdacfb

SHA1
f64496632bc9458df59c01abb97e9281af7fc299

SHA256
4b9e4174b0bba4b3eb22a744c5536646e134c0548b1ece3cbb27ca9033182922

SHA512
4ffa9b4f7fb21373b0e94e7e5e9dda3076f8031f358ce7f06248b14a268c9f63056956a102b2471ad8e470ad7054ddeec459e1c8b7d57210e1081a39283b294f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6a4026b6e414354f20eff821c585e1e7

SHA1
f5a7e6a1bff5aaa7e2231d30558ee386f5a04670

SHA256
f0ef6ddef8d080c2f3afa8d2c9849dc38f5d6624f24e11b542f62820810d28e3

SHA512
3463b32a3a447ec5cd72e37bd5aac0357acbadeaae58b729b1479d02f0b5c6231f7014abf8237691374460a201b09797fb966f72dec1f10ea809188e90b6004c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
05881ad482ca96e031ffc186815d9ec0

SHA1
2681f58a4905ab3855a7516daddf43cc2309ea2f

SHA256
b8d5c42a4cc9b2cc18d1ced3e49848302d0644c1f6580440b411bb9ea3cdab4b

SHA512
c548c562af3c67b824f8ac65c7c3b2d8669e12bb72c55bac7ac38859e7d34916caf26b647b8597793d54a04e2aba7a86ef9809ce1f5d83ba52787d635362f688

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
dbda9d87dba9b8e3030c2eb1d5523490

SHA1
076cef2b56385c61944a4cb9a4e8da3d3d3bf877

SHA256
9950363f921a7949c8fd76013ace321604ed699fb3fceec43e2b44d9b5c1d2b0

SHA512
974ea682f24a8e0dc0a05f7d278fe4889e2beda7bc188d1521c43709217047921dd2420927589647d158f3dd35c1552b94b95828665578577b4eb8037d08102c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
03fa992c0f0b1cfc0052c61b3d9770cd

SHA1
8bef557a0576ca78e99e63eb64bf1c8872e15618

SHA256
9303e755e487b9de22e5e82f00423d222343401a21b2e5b7be5de7984f88c97c

SHA512
630df6734a7e07021073228de2d3bd3b34d350703ca984ed42494d8e2e4370bd8d08c505c0d8d8ad329ec1b7a00850102884c1a9373cce21663d547bbc3ab3fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
326b149d3bb8bb8b5669f2ad67a6ddcb

SHA1
116c39a6135c293b1853220d3235133b501c34db

SHA256
19b71101be3d91196e52d17dc64f8ded49d4adf91b6cd07dc305b884f8f80f87

SHA512
4364e842ec760b4206a5734120e2626800615e84a74de9f6bf91c371786ce74176bb75bf65e657c32cbe2c6e92563f932da5463fba610e158d1e789d8375bbe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
551f8e5d73f901c7421fa759ababe95a

SHA1
f08febee59842ca3dedadc85f595336f7388116f

SHA256
97a5e62ef7a1f36e1610ced180df73c61a7fa5a09f4be1a52ab8e286f9fda2a5

SHA512
f8afe7caa954183115b392b069cea90879ff562b2e15ef4c8c9641852a50f26ba20790b899bca2604b335e0949663751da1287e6977bf2bc109a5d992359bf37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
43eb856ede4de12ae3869b7ab4bbab28

SHA1
6bb33989f2cc1eb5e2c2d6aa911e4313dd78af39

SHA256
23bbe6703810a396ca8ee07c96a87eb6235dce665b2036002e4f852ef6877d88

SHA512
e3169cb4d8b37088f9301158c10144e73c565363f4fa970d6cdb108de3a365fa1793726ec3297da9975ef6e6d57909975bb4b4331ccf7fb00233cdec13005e11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
0c228db76e4a7e5753b3ab6670ded87d

SHA1
10b8d24d73637e202b05ccf00c6bf600d986f94b

SHA256
545885b8fd2fe94dfef77177c1fa79d04637081f18d4a96279d58a12281096f0

SHA512
d30b3d4d1d9d9503591971770a3417731b4245e361e1efb554998abebc9bead357e15bbc48cafc08ecd0c8196e8b4deadf763033ce509fe3da7f3d156756368c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
1afd466f9be06fff8dcca7f59931f116

SHA1
b49f5341449798d53065c0168c1db512cd53f660

SHA256
46708ebe07446cd5741be0ac0f86cf5e92dd67d03341d312b02095414e5ee4a6

SHA512
12e2a92e31efbdc06e6d55daad3420cead268cf8d0f8f8abf581724b033b0c56b439b01b1123301c06285dbe33a29810dbd3a7895745ad03dc43e0daa7ccd45a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
1bb783835530794a89bc246c12a7890d

SHA1
fba2d72fc0fa3e04ef2ae5410e1c5ba00b13bc35

SHA256
6a252064f237b0891b18d8aae39aa8f9d123ed4eaa389df019cf238569865460

SHA512
ac70beca059871437ed294219f6ce1fde9f073bdff23b04feaad7d1951cb213c4e1246091569c03412be722f367640a7c89be9f98e07447dc95ab54ba164a4b4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
115b0b81a12bd936860f848e95fabec3

SHA1
97158051b83b023e5f6dc7d7c890b706f1cb205c

SHA256
54a667061615664c11d17ae92ea36eb42c304e564223bdc0c4f771c82b988087

SHA512
3521c83d0033ae06174d95d400557797b17a829b64fb2379384690a507666637b9df8bbbf8e39d1ceb41eaecd5a0f563949f5182c5d3b30787fd41e929a31a19

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6dd73bf007dafa0d824df4803ec19fae

SHA1
4e9f03d3ef3b429fb519372ce6d4c769e2e5e1d5

SHA256
4f65e93ee3bf67eab8a38832a7e0fce314a3b3a8d43540c6199d40964fd78bc7

SHA512
a6c20fdb4eb7ab27a5444ea28d4ac91ddbf04824f50eb7505bdad727185b519338e13d2654b559f969404533ab3512e58071337bc62ec8e67f0dec47c95c0313

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b275cdb5a7e0d3d5c258282a224e8c39

SHA1
b7800118eab3890886ea86583f99b470b38b87bc

SHA256
6913f63ebe9ba19cb29b7d2da8b4f7beb760c1db7e50fecee74d235259df5ab0

SHA512
9b8c322cbfb4e075302e3ab48ffb02b7ae340d9f5419c6734d0260b6b0494bb5bf2e17e203baa7ecf1f7d5c79ac772afd97dcac47ebd90cdd30d1a3af7f582d6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b416a9a615516fc77f28806bc20b238e

SHA1
39809e750645bd193ffd72644d876c979c724a74

SHA256
c059fb871465e14f1b515254efc0b2b9770e5f6187f83eb91c6739a17cd64b0c

SHA512
8397e4d5b8166f20773964484f7e3bc397e55e3b48d029456eaa1f790c3db2862fb3561975da756787127e1984a4f7842da3cd8987d761bfc5150996729bd858

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0e7e9137f60978a33085f7e05bfa0540

SHA1
b7751d51cb640cb8c4ab5ff933ae79b5c2ce7574

SHA256
ec8cedf8c0bad37b0746b61ac66affddeb743edec82b4ce87d7923cb32802de2

SHA512
3fc5680aef094c2ee9460dfa6e764087927047455c6aa7e16910ef013578996f83de628fef0d028dabfbf7a15584e863c3c2996126f6adfb27b04a94e5e11517

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5226986ede0d5a21bdff616773941d8f

SHA1
59d404c49d9da6a068089ffd66966bf662f8f521

SHA256
d3ccc830696750b30aa68756ae71cd2e206b72d454c6440f3fa3b74cd31ca1b6

SHA512
924ef9362872625d65dbc618b9ef17ea563b438dbd4ba63294bd4a65f516ff7c18334adeb079ad3df9fefebefbc02d6a6d4bb9c60fbf9f7e9ee07cd8ce91e9ff

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e4a79916a894b924c16a20e2c05755f1

SHA1
ce57d08c4919deacdd41ae66c394176c38c36229

SHA256
78313fb8e1dbb5d97b1a4b348079503aadc96ee445cff7b0e81abd53da52d314

SHA512
9c66e2abb21a58b9a1c9e6b61ad5fd12d52d5c0876a2acdddd253503fcfabd0cc09c3501cb14e3af6c2cd7ba2fae3e0819554fc73178a879393463cf084e7c08

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3fdb1250e6dc661872c6735bd4b44856

SHA1
8460be75f26a7f1a679d7de37a1db53ff2380404

SHA256
c68ca4ed45f85e0e872fa64481669bc4f21cdf8f87751e179b8989a3bd458e1d

SHA512
8548382148d86df47caddb48108b7aacda09c20c9a6045e277d721e6d3fd4b84160743e61a19374c04fdc886e02473b1e47be6f626d4d4440cc7fd724b37fe91

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7e0b3cd0f6d72f8da11ec8399fc17d7f

SHA1
6757bec3b23ec417bad3c6cd80368c89c0c0f055

SHA256
90213ec57178be190b6cc32691326fd6030d426d13d7c4f988d1a147a2d23f14

SHA512
a0ef8c4a86198b403fa70e442060c444a7f8e5012bd06aa0f6023f1e25579d4ff4d44fdde1480d504787c58027b77cbb85e4dfe067cfc1a1e748f0fddf94c292

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
05c9eadd567532231b2c92332a5aff9c

SHA1
5f03d5221b3c865a501bfb673d98c13a3b008476

SHA256
a559741d3b8403575d4d1a52a0e74ff1f587cfb13a2ec8a3849be1cd38a91e57

SHA512
b8d511c74aa969170b481715b89cba520f3abdec1e24a3d16408e66535d809618e26476e47deab615e3c1eb499914b1cf29b3dfbbfbca6ffe69156e30d8fcec9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a17a2c8714fb3f0c87bd2fc689ffde40

SHA1
290e5c0070c137f665b936ec91d586d6a6a24777

SHA256
de3430b3015364c7cc6c33ba89cec7faae943b1349216ce7126f1698a9f8c95a

SHA512
63c44f56f4fb8df769951d3363be33cf37f2424147acdf38fe897d28dd0e9766f154f9420e7dd8a1c104bd67b1b16f6f99dc72a3b231bd0c1b02cc5b1a77fc2f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
307650d1be0ed777d330969cb7edd6f0

SHA1
14c1f02a985c468c1da7c15f431e3c25c0c72df7

SHA256
ca2261f850efd64948d98a77d8d19a881f726a0c62a4a8eddc940706e03bd777

SHA512
9f0f8cc2cc5f947df0545558c8ab9ca52db5d8a87bdcfeba181fe10048d49091b9dcd1bb5aa698353b295e8e66fc27ff65ca446d757ac51d7bc8ce89135de45a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7fddc2cfa4e5c4f1a00cb699521149f5

SHA1
234cfc3d966a9096676e8130f43262d3d66d4951

SHA256
948221a415c9d3f2decffc61bfeb8e20e3f85633464d74ba8fc9b6d39aedbfba

SHA512
ab295711f7465d59b2a3ac42e7eb14f66b48b65cc821be3ab652c80eab00ed73afed4c4e9ab4eef3c3c4f821843a00e3e256cee050242d238f166aee622ab53a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6f0f6bc938d9897a5d1169b690bae624

SHA1
003eae6266544e382f8994822116626d897b203c

SHA256
153a86a2392176da696fc425b30b1545398ca8d26c42d43fafdcffa7275ff981

SHA512
09d587223b134daabdd27f8dcf75f992e92463b24c6fd30d870c2c6312b23c32069932caef41d07c55d59e8271bfb5627a21d65f4c7e8e225f7bf448a23124be

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b92eacad8f83d92b96e7f58f74cc1e9e

SHA1
721138b082d953ebb9371fe4bb2034fc774a9a17

SHA256
5ddfacb52769f1a33d4a83c4a7ccb7d4848565144ba9836bf5d4755d12864d42

SHA512
d50470baaf8c6f60b13105352f44dc1a90ee7e06d377cd05363d0c50655ad681ca0a01d5bc9dad24a3e333aae0c7d056978c7c53bee700849929da882a61be37

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7743a09141f883d68f9a5105b0b07250

SHA1
e9eeb1067e39c31d6d637cfe1738dcc8bd8f9834

SHA256
c53908064aab3dd2514c93d8304980de823d017648361fccb9e0225858b4e443

SHA512
8e2572791535f2be6acff4d2e0bcd1807a5084e093fbc583c8243e6342085d9852640cf82276fda33a705e42a2464f53bdd1bd0edf63a0666ee4e19105a5eeef

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5f9abc4c839c9abc31bd98c4c4a78c3f

SHA1
c3a19cbdb85d52dc64a33fbafc8780569bff7537

SHA256
27ad7bde01df7fd84f01e6892ac41f3a03b1b56d8dea806e8413457f173ffef6

SHA512
fdd2e910f2d94426ae1ae29363d903bff3257346c0dd6503ceee89defaae1c2e6ff9ba7eadc61643ae16e3a1b8bb2c42a0cb97be2bcaa177de964e6c308e3ef7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7a1836d67b90fe0d6e84cf539d6ee425

SHA1
f1b87f722c223c5c7884901583329b9d3c4a3c01

SHA256
f1b5277860e307d9781d2aac005b4cbd252e3b41e3afa172b0b5b710d941dd87

SHA512
364cfa5c36fe7bad0621114feae720845024192bba443a6a1b88cca372a50a7326f9862d203f6f98ad2ed5b96f79fccda8bc520660464acba74a47827edecde2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
63777eaf618ad48398edd996deb370d4

SHA1
4cc603988c24f147fec6f001292edfb251ccef6f

SHA256
13fc82c7b2b0c60994ed96a9080a993b3fdab674dc6af4c3d8977f1a23eae8bc

SHA512
f2a05a1d1bda442c0be5edb854a1525092069d52d1ff63afa407affb1a55b34ce4386669694346cf77f4a23df11a675d6dfabef0d6d22688ab05c07f47378e3b

Download Submit
memory/220-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/220-72-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/220-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/220-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/220-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1196-34-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1196-0-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1196-1-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/1196-7-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/1248-46-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1248-241-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1248-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1248-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1420-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1420-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1424-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1424-82-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1424-243-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1896-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1896-593-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2136-425-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2136-599-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2648-362-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2648-257-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2648-251-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2648-250-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2668-521-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2668-336-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2732-276-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2732-388-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2840-400-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2840-288-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3436-600-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3436-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3460-350-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3460-543-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3520-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3520-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3520-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3520-242-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3768-30-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3768-21-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3768-27-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3768-236-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4048-598-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4048-417-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4084-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4084-424-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4388-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4388-262-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4388-261-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4424-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4424-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4584-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4584-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4584-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4856-544-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4856-363-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4860-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4860-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4976-302-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4976-412-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download