44a13362492d267a1fccade223f53ec3fc942a111e278a85ce8496cd5c6bb343

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44a13362492d267a1fccade223f53ec3fc942a111e278a85ce8496cd5c6bb343.exe
Size

2.0MB
MD5

9c7adc546407027259da9444335f5e79
SHA1

6c400f433fc71f3106b7f7b6c8b9fe41ae1bf4e2
SHA256

44a13362492d267a1fccade223f53ec3fc942a111e278a85ce8496cd5c6bb343
SHA512

c3ddd63e264c52ab4adb20ee52c05170145de8da46853bcdbdcec739bd606d79ab13f90086476348e7066d253c6c0582bc30ba0139b6d5137ec839d7e25ea29e
SSDEEP

49152:eORwdG2NcOMjUfkptVxXf9Ckt7c20+9qNxUW:eYwdGVjUu5XfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4416	alg.exe
1644	elevation_service.exe
3120	elevation_service.exe
1284	maintenanceservice.exe
2120	OSE.EXE
1048	DiagnosticsHub.StandardCollector.Service.exe
2844	fxssvc.exe
1972	msdtc.exe
1356	PerceptionSimulationService.exe
2060	perfhost.exe
3096	locator.exe
3344	SensorDataService.exe
2352	snmptrap.exe
1012	spectrum.exe
4500	ssh-agent.exe
3092	TieringEngineService.exe
2832	AgentService.exe
1500	vds.exe
4964	vssvc.exe
1624	wbengine.exe
2036	WmiApSrv.exe
1616	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	44a13362492d267a1fccade223f53ec3fc942a111e278a85ce8496cd5c6bb343.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\73335a5f38f5360d.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa5c13260b21db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e86dc250b21db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f48139260b21db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb4ae1250b21db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a667c1260b21db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1644	elevation_service.exe
1644	elevation_service.exe
1644	elevation_service.exe
1644	elevation_service.exe
1644	elevation_service.exe
1644	elevation_service.exe
1644	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1836	44a13362492d267a1fccade223f53ec3fc942a111e278a85ce8496cd5c6bb343.exe
Token: SeDebugPrivilege	4416	alg.exe
Token: SeDebugPrivilege	4416	alg.exe
Token: SeDebugPrivilege	4416	alg.exe
Token: SeTakeOwnershipPrivilege	1644	elevation_service.exe
Token: SeAuditPrivilege	2844	fxssvc.exe
Token: SeRestorePrivilege	3092	TieringEngineService.exe
Token: SeManageVolumePrivilege	3092	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2832	AgentService.exe
Token: SeBackupPrivilege	4964	vssvc.exe
Token: SeRestorePrivilege	4964	vssvc.exe
Token: SeAuditPrivilege	4964	vssvc.exe
Token: SeBackupPrivilege	1624	wbengine.exe
Token: SeRestorePrivilege	1624	wbengine.exe
Token: SeSecurityPrivilege	1624	wbengine.exe
Token: 33	1616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1616	SearchIndexer.exe
Token: SeDebugPrivilege	1644	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2960	1616	SearchIndexer.exe	128
PID 1616 wrote to memory of 2960	1616	SearchIndexer.exe	128
PID 1616 wrote to memory of 2292	1616	SearchIndexer.exe	129
PID 1616 wrote to memory of 2292	1616	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\44a13362492d267a1fccade223f53ec3fc942a111e278a85ce8496cd5c6bb343.exe
"C:\Users\Admin\AppData\Local\Temp\44a13362492d267a1fccade223f53ec3fc942a111e278a85ce8496cd5c6bb343.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3120

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1284

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4576

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1476

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e1fe58712bd7721d1c83b7c95ff57c0e

SHA1
d88feb1e101caea9921018d435f9eb95b121d143

SHA256
d82ce6a713c487ecef14ea963552c0b86d2c76f312a12cb8ecfc0e6af2fc83f3

SHA512
51a96ab487f582980df49015246e03d074a94e43690cae8db895e3db3817a63aab3be9aebc6903fd36f9418849324d911c39a757464b78f894f9d41846081e43

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
325749a8bbca01f365e5e20b9edc5479

SHA1
6ad9cd963c969a6bebd912dcae220ee2d29fdb37

SHA256
043059d47df6f94e7169b3c25b48a90de9b7cd7dae926478131903de3caaa2c6

SHA512
4f3b8fdafc6955fe3909e774aa531a0cd98f963a8db35bd0e701f8cc1ded1f7746a8a2cc35482cf8d4fdd28e6a586c827bad08ad2e0999edaa4752385fd655f6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
82244f4b086b8742c9e46ef5a7824eae

SHA1
281b8a2bb828bd9bc36f25d061441d812b6c55f9

SHA256
8399ac2490d6947676c697549a1ea5578fe184a58bffa8462cb3faf66fb9b8bf

SHA512
1517f66705a5e1116bc3eac39472311d73ae95f445c3ea2cd77156ad099765395d0940236ff0d71f74035f61662bceb57150a334e59c6825e9eb03033b1fa2fe

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8deee5f819d0762ad7525427728c995e

SHA1
75f7d10365111b32535e97c1b88a64f4d721a430

SHA256
4aea3654ba769fc7e3051d0bda45cffd66166a88e19f3111c7935d22d1afbcbc

SHA512
7eca5d4245b0ba379cb0a39e6b6a43fa5a16f86310312a73fc3c34609f78cbc19075d428a955299c398457a77256e0b5ac21facdc9c73c95f5d27e61edb81c64

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
87e30d72305f81391381f29ee5181a53

SHA1
3f748ccdbcbc60b8a422fe21fa675b945ce709c1

SHA256
8c96172c08c82cb27d8301bba96306218e5eff12451825ff3e290f989c91e09a

SHA512
4ea983e2fe4c16721403cf34e7a70ac2cf30db98cc70ad542052c3e7bf5c58bdd2078e57695098ba15eedd96c4c50654d3e183afedcd4868dfcacac6f6cd0873

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c255375ba062be513e6501215702a32d

SHA1
25ecc28c2818fbd86a8e1ed3fbd4ef32ce737bcc

SHA256
eb0953c10f03710519977476ca94f4299c0df485abf2c733ec4a635ef50088b4

SHA512
18faa8947d83d06803bf7ce2f48caeec8edd6fb09b28b2f7c3cebd6b0b21db905a6ee2980d09ec0b8b1a2028c3258247ff41ac064267472c0d8a9a3fc14c74e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2cc07cf3c741bb6b3aa62e931a75689f

SHA1
2a716c70b4cb983961274bd1f1ca5cbeea486c6d

SHA256
226192e7cf215bc60f43431c97b674a21ad3ea979ff3754f5991076dbaf1a847

SHA512
b76df3840872bcb027c0f2a0764f6d17390af1f7bee63c244112f7a4d5b486740622a759138ea3c98bd68788778befdd574b4dc774502337f1fd79d81bb1006d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
77c9d02182534e79df2d722967a4a44b

SHA1
1e734c4b8ccfcc7f3e656f5020255c3c3e61d041

SHA256
89acdc8c5bbdd1c64f1807c7b5ed2b25585475347f7bdbb5423248c8c9376b14

SHA512
68aea98d7317d2b4e3d5655bc42587af5d07e66a41b3535d96bf96d14302d31d027822d17d36b0b689294dbe3f2845bd6600a5c90fed0b1b83babc57f87bdc73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d9406c43496ae01cf064fb9aef7ddd4b

SHA1
f24afad481b7cad1b5ca1cdc1851c332c91525ed

SHA256
1a9895ccd341ea38fcb7a82e1cc9a46a4c7c1e196d14525bf22bf27c8239833f

SHA512
38dbf4d085eb11f303cf78150a186554a2361c501355b0fe6fc8aa73adbff3db7de0cd14b1dc33b4ee4f3b92020411233a88965890eeb145d050505434ba8cb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3d2f13176cc3e365249c2c040c58420a

SHA1
dfd4ce91ea0563c0bc1d3b2e32947cd7f1a02f22

SHA256
d5a073373a7a10ecf77b104381d1398d393e2aa5b5c10e4cb80d3ae9a5ff99eb

SHA512
48ba3003aae5cf772d901d6b0d0e1fe0e280a3de5fda894ba1ecaa7a94fbe0971db8fb429afdea4f5e294d7ca1fd8f0954c84792c6fb73049cd721fb8f90d8ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ff92e945fec2da3594feb31b8f417a78

SHA1
9806e7718437c317e38173326621436e35b61be7

SHA256
6bd87ef9b29eb1a3598be7fa22ddfb50fa134eea7d564e7240dd61f2375f8558

SHA512
107b55539b6b35b3766f187d4ee54bdbb41ff2677d6d3b13672eb354b017dbed4ddc16271f7617966f8e05c527efd58072c4692c60b6b75f5d48f61914f95817

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b8dd45a1b4fdd28ef5b68d570d919462

SHA1
d12e1096b9b3cd746b7d6816aa373ef575bf4386

SHA256
418c7f8611fa99b199b80e3e4fa168466c921b82925a22f1d3cc22e8753a398d

SHA512
a1e50f293f897ce1747a0faa50a14fb7ad31df8d57ec319b888d90c51cef4b492dbd9c50b16020c9a19f08096105c91959ec13337d43849d421fe566681fa76c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ae8317fc9438dfa0b6ec8f7a2c8a47ed

SHA1
70173677d3b6d9930fdc5ac964802f2b2fe39d6b

SHA256
3ba8f9d1b8a8db70c904d47fd99a7936ede26fb25d35670863f8ff5f40b0c987

SHA512
ba0c4627005a4a5bf81e429c8cc6ddc2e4cb5a2d09222543a1a2bd0f0dd1c5a74f7e46a6d890d7b5235bb75e4080e3fa1fdca85efbeffb362f11dcea614d924b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5b252d49dac6fe40ba1a9d19d73f2c3b

SHA1
964e3b004b81a453651e8eadbf832c25ab4a9ec3

SHA256
7897b22c9fc8ac0cf17ad0eb4669c9f9432eeec6c4a9cb4ff47d5eee2ba2590b

SHA512
b5bd3ea910927ce54df4cbdf8fc7a028ebcb1a923f053464f93fc72501a6999a1679c9b1cba844a982371673731ea4b1c6747b15d5ee13769b9772f3651ff2e0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a1c6bff9c3ea14233657c7af643a86b6

SHA1
75f79962d0a57c12b34e5dbfdecd0c7b6fb2f436

SHA256
0044d9c6b3a282324c9c8f70887de323c63893993b3525d6e3249315ab9579b5

SHA512
2fb4529505f85efeb6f1ace3f7e27e58eb5f9d8c628792ddb064f06b9fa010ae4d6ee4cc1e111c376748f95126c497889e699ad4b327178b3a625ae4f9977717

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
cf21c26154688cfec72b1c155d0aca3a

SHA1
a972381e25bb215d0f014d91c9fa5b8ca23d74e4

SHA256
b51ab2ca5357a6429a721b6b3cf900c3864f2324f5fcde45839b82fd8f826a2d

SHA512
9fd0898289165a5dddb8120e0e6408002b7694aa245fcc3c1381cd13991e7aecf7421185ee3256a500ccddcacc310b47002d1c5ed0aaaac9282295bdb876add6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
27b5ab86b0e4352cfacb4094f6d1c9ac

SHA1
e494b6715bd2a10b9c21c341373f5d3c675e657f

SHA256
21a9a60bb59213ad6ecab5f8c099e3166e2fd9742c751797af34305fa176b884

SHA512
96be9a6a62ae6477765abfee8e06197f09ce20a254b759b16308bc9c0bcbf8486d1b44fbcdc909d2677ec203858f7ea5ee44f5ae3597117775f520ce37dd09ff

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
3e4088a3d254c3e623844b3d56fd2614

SHA1
50b5b8b2c23edc1be5c12779312fc12017372fa0

SHA256
f243b88bd36cffbefdc1f1eb19d86d93070451feafa319b7a9fa46e90152608a

SHA512
f1c67bd1b54722e9e18baa01a051f0616eb647764e666a45b719dd17b0045466ca6745f39b3f975f1a72b89e10f8a72739abec6a66e5749d0aa0adf5c2e2bd1c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ba232a475fb5076b2e4b001382729649

SHA1
782a5cf65ec94cd59848c9268db9cdcc4c32eda2

SHA256
a3297c9041479f0f950c1ec5addeae47fea15cb71fc527ca31d971a9e5a2a038

SHA512
99afbce0ebd52d16d696f814871b49d8ca0e2c67923c301f6cac4f7a967437570b5bf46057409ee409e8516613a68b1c16e8734e1efe67beb3774ccf44134436

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
89c671ab5898d7581c29313c9171b966

SHA1
5ce8ab60b060fd3646c440f6571dc1a4c99d09a8

SHA256
05a47ab8778066fabc5be4638a065e098652faa8d48ade9b9f0c059169c1774e

SHA512
0f940edf409b877b4fea72926cdede148f925d31745663f1d9b02e578eec821ccb7cbdb510d61d4830ca39c9abbb6b149800515cbe8e7ca63a1270bb0a1443d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
87361f49ed980b958ab7b67194ad04f9

SHA1
c89f554895895292c9dab1741268ba39dce93024

SHA256
8e947906d721a6c9ea1c54083e3a8047630c9f3fc350e64ba93f76b3c79511bc

SHA512
dcada9dd7f19bc0804e58956d8ef1e5ea80c836c5a3c08a05ff9e58c1f4e1edfaf2b4eb85420631ef5529dab6bd5648a495cc4398214199784e0d47be3491db4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0d498e2972ed584d54af1e6a16e10284

SHA1
c9ded01f1a50743410e22b0c12c05acd7cb4762a

SHA256
9b6a455634b86b56dd5dcba97ef9d5b0e9a93740917ff1e3efbf401fe6867c45

SHA512
bcb6b27d60b08e540b911fc69b22b69ba0cfeb932c1536eaf0ef25467cb87deb6a11b892aeb5eed71626438c7078994ad28ed9bed949ebb352223fe911bdb914

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0fb8df27d5757e581d5130bc78069883

SHA1
aab13db06a2696cda6a8a63ae118ac100d19a639

SHA256
4fec1ef82e2ec8a2631158fe6f8c46a8e165358480671f6f612675ef440cead7

SHA512
e7900873510617c46e9ad006a580191fda23647f907e54cc512ba7c991ed5f28244be56f3fb5bc1eb4d663212b5739db79294d7b7d62729a21b61221cbab9a0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2c04b950aa5fb2975e3f69c1a402cdb3

SHA1
cc764a176a894a2c4f55e459d38c8675fcd58fae

SHA256
ff40af5caa7893ff7c2e3eea66de72447863a146e76f7a528ef80ffbfd879a2d

SHA512
57a35d256b738a939e77eeae716f0088fecc0578561ad48790e62f40f89ccbf08b5c79699f3049434791ee5204980c197d530d451fd5db8c1a14d5bd254819b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9a9da7f9294f38575a4a8086b40a1a72

SHA1
e350caf786325cb856af8906435b5ede12049f44

SHA256
ed14f6a81e840159f7e479c7d4507119ddef40aa0e7e3c2f2784c9c21a02dee9

SHA512
479c4939c86b40a68e155c9f77687ed8523896ce2721266aba4acfca24070268599664e896919169cd75b18707f67a1fcd1670284e7b3fd06ff067b88f99d7c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1b906c4b3cd6896bf20bb79a4c43830c

SHA1
307e03e6f8f46e4c7ec76567e4d774abab078be5

SHA256
e9757b8675d124397cbaeafae0edb0c8a002f53efb48b14199875664561688fd

SHA512
2104da0eefd52eb08458a5b34a5e207c7c3cb7d2264447686c3d85ed8ac1fbe94c5db73a0111c312bc0455ecf8304ec384bed2a8ca06c8388e65647614b00fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7f6d33098a608e26d4f28cf49450b528

SHA1
826f045893f81f3ffc421a8352373df87de52599

SHA256
fa6e8258c90c9c3b23f9683fb9eeb2b5d8a736330adee28e26d34be73cbc2a3f

SHA512
ea1ef92cf0e29b63541c5dafc1a45f3f125c0e8c7c6c3da2f66bd83e51c0ab61504e452b8c8cc213664d95e9382c83c854b91f58680436316adfc244570c8f7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
70e742264ecfd4922b033c21b91ec34e

SHA1
a9fae589bd92c183dbd0c3d5bf301eebcde4cd1a

SHA256
1516a5ff48411015dd9ba530dd3b2607b40622e8ece9d945db1643fdc311031a

SHA512
ca474b061506cd87797a7b995c10bae332b6b0c998b7f1b9987781a705340d3ebf0206641994f5697868954ca27d8df0cd51b1b426cf2f6fc920743942b9343a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
de11ec1915d2673fe57d1ddeb17c8aa2

SHA1
ce7a2e6fb40f27a8ad393a7b97555cf50ec5dea4

SHA256
74c8dbfc91b0f2083e8f66d62bcfa2be0992968667b9ed2af6b0571f3009a581

SHA512
134b407474f73b4169fbe42067727bed249ad6b4bf8afbf9c42ad776ca613e1127d5b65c3daa6944ebde68461616c5029ffa90f1ebfdc1cb20e1b776734253a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d894503439539c0b8ed75129bbfc2a4a

SHA1
fbf5b19ba4492ba991095c312913830bb544b982

SHA256
a53b8b06f93320d1f41b3ce9dd1cd7219befd6120b8e92819fca4007afccbd57

SHA512
5db6a20765d7f0d31eff089b44cafef1730d0cb4e03e8ba93327833e72d1bacabde38468e1bf64724c9a27e47b561b54d2ffdf67306fc25b33ea4f989908db8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6de2755099e570ed08f0cd04c57fdabd

SHA1
76333ef8b7c016e368caf68a6e5db120fafdde0d

SHA256
ef8bb24427df9facc2d65268bf3f8376031a6d77035d30adc743a209f9620e11

SHA512
17a94d632b1a335af0ada3c76774240c9fe330edd1add9a32a60cc916790d5a4227da0c8db75b4811372f9055433080e304f8e871191f2baec7f107c27a4661c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0cc80accade4e57a63eb7126a031ce24

SHA1
ec228ea05111e5891277e737c7885080c0557087

SHA256
0d38dc5823714c34e3d0ab51ccb69b6b66e91ac1d2e4314536430fa4f0572e4a

SHA512
2bc9ffe7bf99b8bd4111f17ad8c1df086c0ac4abaea01d967ea56aa192eddd9e1c29e6b593c6ef3025cd6ca3f6e91c297cd07ec0f4358080a3fcc0f6c632f259

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e1e217a74fe531d78ba469fd59feb554

SHA1
0d770b736401bac34c371134c3470de31616d707

SHA256
1d014bf01f784d4b75743ac1eda5ab02b27c9e5506407947c40fd04eace8419d

SHA512
8afed626a4c0ec9fb6463dc09c63f3c4d2965e22e7c8e72a1dfe05dc267374498cf1684e1a346572a1af4f949d957162f4796d539179296efeb4eb6f505942f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c70b8249b2b1b9f336f95b1895f2c17e

SHA1
86026b0567774b859ec1e5d36a265b2cdeca8cd2

SHA256
43de55a09135a4deb35a9432648596c45aff87071c5dcc47d93a08516c127d43

SHA512
a632b8c62f66b03af36f9e2641a070c3a2dbf733b78cda9ef8f9e2b83fa08b6dc6f3c1227a0d0b2c14936ad0b848df5fcb78d0f1523866eee9a9fed99f686029

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
af4f3a153e5fda4f34418ae30ff1cd64

SHA1
da4dbe523d05752e77ad41595941c6f512aca43a

SHA256
430a5c6f181a7e66723848f56e4bdb3be97277abcfe57c6b5264ab0992b2e338

SHA512
fa03b445f89ec4c3e27439612a461a3ab6a1907e40cb559179d866e7c2397314a37b86b845608920bea4ffc9e6b60596a0537dfe47daeb599a292cd7c94123f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f5bf4209a14c578ece183c15dff8fbfd

SHA1
3ebe76d27f91166611f20b6f72f3a6ad46bfce04

SHA256
943101e98700e91d92d8afc2cbda62ca684ed9babc6535d5d9ffd8db9d260122

SHA512
6159855b7fdadd22c8fe3d07a7ac1ddf815afd0bfb97951afaaa6894de59ef7bf42d12f843b6aa7e4a9a2d967e910a21a492857cccd06ce9852a7b7f9013c849

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
affb5c6eed27ec84fec79309ee6ffb45

SHA1
6099b8ae473314ea77e2dac15949883c99e1ade1

SHA256
2dfd6b980025fd9a6208c3dbd232b48ea25e4608befa797184a67bc28d937d65

SHA512
e66d9b42e7dd52d64dc3a850d637b0c37acd19f1464a05c0535ffd0a00a8712d38e349d1e8433da02e1a8f11046dfcdbf83a3eeafa197ca87e22a5ff2000b4a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
ea27227ee1f3326bca2d0711832f8941

SHA1
84a8685673f0bc432a4e21d84530952677c8f494

SHA256
2f417ffbb19de499e51c0b3409432659a4caf99305105ba9181904d734f96b24

SHA512
261a2bf8544c7e31f89fc551ce526925d1cc5e7311d907f959eb5d999e655788993573ce84d157563b88df20122410245397f7b57c8fb4d2f2fa606b45d3909c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
b17f23559c1f5b59d3090e9aadad3ed1

SHA1
00c61ac7b396bb2d804f591d546d7c8d749e4eae

SHA256
d5c734820d795bbe6ca92b2319dbff16ced700910f3969d523efce87afb78e73

SHA512
a684cb013b450f6707c82be8b6e6194995ac98c6b43b73e059ddd050e278268cdf4631a4edb208eb6bc2e315b01623280a8c99c0b836323770a852dab88c0ee3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
a564ce5a1369deb6d08e3b6ef88cf3d5

SHA1
7f32693cce421d42cb2526dcec7955e57ee33c68

SHA256
ffbb65b52145e32a385fe54dfc705e43b545469c02b1809a794de722f7a60d5c

SHA512
d0f239997bf8af85a528eb036c36e0de289d3cd63d56c2592d52e076fa1b419c7b2dcd84da11599172200da84743987e23b51b9b3af7a0aead8caeffeb03e278

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
c6615ddd1695a32e7c74d909df1bf945

SHA1
a4fbbaa3a0af4b88b6d3e14b91a40815ff843ef2

SHA256
70ea4c23b8803224ff68c0cadd3d400d14675824be094d75d6ae693466ff4505

SHA512
444375a7959a7a283b44adddb8517096e40843b8b9e3642c34bdc5150e5ce697893ce99379a10bbb268919e336174ee24a6513a6b5a1278b7923f7d5a96a32d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
217e46ede9a64cd63afe8a01fd71ca56

SHA1
cb3c2c24cbe7323c01a0ba39cfb5985764af9971

SHA256
bcb33b188688fcff0b0333d0b9ef0c4574f4b87fffccc485aa61f4519da3d2c5

SHA512
f0e42a4d4b178bca56d24ec72cb8912b525b776f72a2e855a188c00ebe001bd87cb0dbce915124ae138028ca4678e8901edf411b77051488de683c48b386f66f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
951692146d4b442fde8cf062e76bec59

SHA1
7a5621c7aacabcf454ad7db8e4f65db24344a26e

SHA256
2c12ef14a7844d28806e0fe490085130c975be13947a35eff4c3b3bb8d3ed71a

SHA512
5caeeaaff190b4971479029b2f3a7cf6fda12c4d8d142f9f0517b3f4f460e8c2166034cd0d78be1b7ed35d1050b2e60686afc0fee01d339f716d77ae704b822a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3739b3475032ddf51dc83c032ebc58c3

SHA1
e6fd0e013e9e0a750828d9e128433d54816fbee8

SHA256
e5d4e63da44e6d0ffea299adc8c23b7853b7db75b4d7b3670224c5df524c6b0e

SHA512
fe1336a44deb89b628a94819f4050d0ef8988d637886203a24049afddbd88a7266717f7de19bde282de5447f79a78b3a585b33553b5331eb95e7b1305e215e11

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
cb2456b01c266e72c1e137121c37cdf4

SHA1
0682b095a5d504cab9eff74d3985454db0d36c29

SHA256
369482ea1c026ea4684e4ea15c377ba679c1e6455aa0fb0a2c0531d2417479fe

SHA512
bec025626c7e64e6b4e182e44b1a4c64000f5893843e08ca9814b133fb81cfe921151939ad453b044b06615cfaa989337a8bf99a57b4b147d9a11ef2a7b65eef

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c185354398d7fa8aa942e200e7743be3

SHA1
e8e96f4ccb01260ff4790d5d89e91788dbfd1a79

SHA256
71de6274bf36508fc97cb2ce3a4c98e8857789a528cc93d1390f76f5e6e6a87b

SHA512
6747a5a9d690baf08113821d1b76eb95613852690c7a9269a394add8aa57c24ed27c5e17431c728583e934fef2f3c7139c54be0640e562b047b27d3752ee2ab6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4c8e72f8f52ee1471f3b1f6101c5bf42

SHA1
d96db79045a82bf4ac1e538edf6eaf4326c9e3bb

SHA256
e26202deaa1bfacf28ece6d191f6bb91d64c826a12381bc54f330b59462128dd

SHA512
2ee6b79bc28ddb7a870a2ce50626c68e6499989989c76a5f77f6b60f7fe5eeacc6021015ac30794a6aaf9f8557c5cb6c320524f1de4732e2c8fb18ac8bb99417

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
48afe8b5e51c32f07ff76f5da368cc54

SHA1
13bd116d9842294c76d6d3eac6706c5084a94959

SHA256
f4cc4f00a96470680f1fd5ab24671c996e92e4255c6206df7f049ae6ff5946fd

SHA512
753e7dc774c65d68181679af3e2a3f8b2bc59882367903442fedff8964f30d2eb3ef9164b53fac93d34b1b949f565c4d337d0214775c9ac1dc652789d38a50a9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bb51a032f34159eecef2e9d05f4010d6

SHA1
058050e47b6cd076543da9f6f4e84064e95f05a3

SHA256
a74f57fa239f3b0ed9f31813035114d0cd63526cca23403265df73ae07b2068f

SHA512
5faa23fca446f69aed2fd2e1bc9ed9fd204e019fee538a5be0927eb73a0a10dd8d9a916ca7ce29f2ec6f08345785e7ae07f588ad0c16709bb177787e8de9bae0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4590f98ba720f44c0a7634ecff2c7a4c

SHA1
b0411a317e237f7db7e15074e6693b2fe3ee0b85

SHA256
a5990b58b57d474373e489603a687ac64fbcc83e9928de1315fdef18a97d576c

SHA512
c28469b0abbf8ceb95b06acc270a73bfda458d7679657da7b2fd7a3cda476ebbfa12db65e544442713575218d49df6a31ad0408d82a733b741d6d3d923a2fe54

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c1be87e89efc2fab876793987c60aba8

SHA1
9ea6055bea331523536c4815ea07fad34ae8e57e

SHA256
d5820d80d72580d70e175867f6438e1999f6aefaaa7c86345ddc70a48654636d

SHA512
98a53872e38c516a855ae0fddadc4ad40011def929f5159a4d551f08c942e56892d673affb1660c3030fde09d8de40fa899d96ec082a751b165d3be23196a173

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
19c3f371eaf183dd6f7da809c92d3209

SHA1
8a5817fbb071faf83bee7cf615449e8549db03b8

SHA256
6466c65f1194073bb86c5f20fa16593ce94b4d52ef78ba1dcead9af57ac8b014

SHA512
633586a8931fbf14be30c26f9f10d5509286ea6b2e563237996ef4662f3bf1e7ddae8220dcd4cd5df55c71dcb53fe886751320096fb549aca2ca87b49fb7d69d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6bdbd2ea98232880255a98bbe9b71740

SHA1
609e6eff8b83d52b4077e53cd4babdd1701b9cee

SHA256
3f5354b55fab7d390fd9c49852a655d9dc3032e4ec4d359c1b6344e878037561

SHA512
14626cef9675956f68c8cb27caa82097d4ce343ea9b56cbb156a672d12f8e9c62b2ff9e60f13d540378495b9b06ea803c249959f5e697992cd16326d24237b3e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e5ca1b3b4e29da5a9e94e54fd279cf57

SHA1
c365d98676dc0d567cdb488b0d63dacfc3c87724

SHA256
dd34b8758bc4424ef75202e935a365aa539e2e27eee6273a026044963878ae34

SHA512
e3085fbf57c18d754bcd213778ae95be13ce53e4b2894f271819c79742e41e028799dff30c9b8171a4f3351db4790ba77f1ed9fc18a0b5b5dcdf92af5bd259d6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ce18c87c312ce441e704cda7afdfbc33

SHA1
3fc01b32123cc5c62b8773d2afd925a719c4e884

SHA256
77fccdd97d58a773ca5e8141914ac7615eff2a5066cf2882bc40d35f5f5ad230

SHA512
652ddff5733a32a085ae16986d195f91833a7f47a484e546c0bc65d6447748a225be71c9a1c2951eacc07d90ce8d6532ea3816712059edc951858d6b77755d4c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
84ee82c83931ac18f43edb48f80ce3df

SHA1
496650b737ae4aa4c62056cacd5e7d2c2a3a84a9

SHA256
039dd4ab4c7acdba7c41ff7300ce043dfee2bb9723f62f3cce4efac5c832dfe6

SHA512
4c65aff865f6f032ec18521768029c065f6cc99ad8d29ddddb60d23ff4d06179e674145b509aa3ecb191bd4572b9cc515592a4aeaef3bc1f06d74d87270b692b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e42aa74bb1d017d1491ecddd56194621

SHA1
3f1266a53137dbe890193d78e06dc7823a514a79

SHA256
6860fbd174134d290e928f3252a12cd41bfcfc9d4a7088b1a8def7a22e34eba0

SHA512
1ad33eb6bd90b87856a003159bcddbb99922180656a35ad5a7d3ae4d84e2a13c75cb8bf634118d7b0a0d7e62a6b4c10002e6dcb3c88b4b62c88318e3abff23a6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8a482d84938dc20d8df8801acea85b00

SHA1
b6a37d1ad0cb0df821724da7153287236c169d9a

SHA256
0b39e5289fc4e429aff1b78323472194a845ba3e41d4ef97764005ef7ce93aba

SHA512
35048231fe5f46d21f24a045ff308d9844c255ea579b4296ecce4de4a6a45e0a03fe69db34fe34d9a7de000b10713cb51b6d51774fae98ab0fad602dc79bb1f7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
127bbd8304191b502d27da808b37f848

SHA1
8d2c4d90b9725a7fd473e935dfe1b15928dab45c

SHA256
b8d98f198a6f08594c276695b9c39aa4fa55875f2102f17ab8f2584f31146906

SHA512
f97c3c793854e4a049803bac356d78243cc472d3fc24a8787b0cf05cb2e263e7f05da1faff56c4f375eebc036f2bbb0f8f96dec6ee404e70029fbdfa2d4ab05b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0dc00e301af3bd5ea08ad481d302c1c4

SHA1
fc779b050b183104e5d170e1d92885aed39e52ae

SHA256
f98b9dce52e7c7e6cfbb4842cc7814c2b610d6977e94f732593b04abbbc029bd

SHA512
8a5f061f5b826a373fc08e2fece9d97e9a811ddec7b67593ce8cba0a1b9041393ee71d39f112812f4a6435214c7597ea2ed06c5c82037011ecca7ca685fab322

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4adfff879bd60316e768e6c2ce23d213

SHA1
f4512594adca80bc4617c1b5e02062298e08f761

SHA256
79a9acc6d876908531642c0b6b85dc4aa8e8218a25cc77ebebbd5e289526888c

SHA512
0d80fa8a2320eb8997e17b330b17b3965f09447fa95eaa2cfdad0993e964e41db3e44e5394923d368dbcb45b1a01f493d4459968d8fd9c97e5e6c6f757edc131

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cb9fe3337ec53c54ea46ba82e8730910

SHA1
68751d6a8a946885c5b61b29ef7ebbcfdf81adaf

SHA256
9391a6b8d3971ecf630dd169348cdee6a2394c940b32df707771c7d66904d685

SHA512
9bc3f27c295bf0d454868d64f20c7c673842ed4444e3bc2ccae145a0a2ece62a8d3293ff70e0497e6db2f61627ce1434afbff2add4b095d32c9016e96a967054

Download Submit
memory/1012-525-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1012-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1048-258-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1048-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1048-251-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1048-252-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1284-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1284-70-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1284-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1284-68-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1284-62-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1356-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1356-289-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1500-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1500-642-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1616-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1616-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1624-422-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1624-647-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1644-39-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1644-242-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1644-47-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1644-38-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1836-0-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1836-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1836-35-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1836-12-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1972-277-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1972-389-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2036-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2036-648-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2060-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2060-303-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2120-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2120-77-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2120-83-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2120-244-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2352-337-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2352-522-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2832-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2832-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2844-262-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2844-263-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2844-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3092-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3092-593-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3096-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3096-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3120-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3120-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3120-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3120-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3344-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3344-646-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3344-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-27-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4416-29-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4416-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4416-219-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4416-30-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4500-558-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4500-351-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4964-643-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4964-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download