40ee2ec71736f0f24ac5d15e7ceef16036f5ae767cb32d878ba83d92e1529898

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40ee2ec71736f0f24ac5d15e7ceef16036f5ae767cb32d878ba83d92e1529898.exe
Size

2.0MB
MD5

2db7946841329c051bfa745d1de280c5
SHA1

bf1d4527decc844fbfb49427037f2690f45290a4
SHA256

40ee2ec71736f0f24ac5d15e7ceef16036f5ae767cb32d878ba83d92e1529898
SHA512

540e3653dfc31688e8ff303ccb3f5752e31a81e629788239d0ddc86225837bd249cb0ca58b1416dd69daeaa15759424995a110162d678fbbe57d636efb11c12a
SSDEEP

24576:Jzs3yGXRwd14jK42aMQDJoAOM08/85RkptVIJqTsqjnhMgeiCl7G0nehbGZpbD:ZORwdG2NcOMjUfkptVxXDmg27RnWGj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
3644	alg.exe
3196	MicrosoftEdgeUpdate.exe
2220	MicrosoftEdgeUpdate.exe
4608	elevation_service.exe
3416	elevation_service.exe
3840	maintenanceservice.exe
512	OSE.EXE
1084	DiagnosticsHub.StandardCollector.Service.exe
544	fxssvc.exe
2964	msdtc.exe
4036	PerceptionSimulationService.exe
3980	perfhost.exe
1388	locator.exe
2592	SensorDataService.exe
2736	snmptrap.exe
4472	spectrum.exe
4048	ssh-agent.exe
3736	TieringEngineService.exe
3336	AgentService.exe
3900	vds.exe
1624	vssvc.exe
2420	wbengine.exe
4088	WmiApSrv.exe
3656	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dea5e4f7199060bb.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	40ee2ec71736f0f24ac5d15e7ceef16036f5ae767cb32d878ba83d92e1529898.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047787a1ae381db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000149cbf1ae381db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f07e851be381db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079b1941ae381db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aae4491be381db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d3abd1ae381db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d587e1be381db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1ee701ae381db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c54f921ae381db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4608	elevation_service.exe
4608	elevation_service.exe
4608	elevation_service.exe
4608	elevation_service.exe
4608	elevation_service.exe
4608	elevation_service.exe
4608	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1952	40ee2ec71736f0f24ac5d15e7ceef16036f5ae767cb32d878ba83d92e1529898.exe
Token: SeDebugPrivilege	3644	alg.exe
Token: SeDebugPrivilege	3644	alg.exe
Token: SeDebugPrivilege	3644	alg.exe
Token: SeTakeOwnershipPrivilege	4608	elevation_service.exe
Token: SeAuditPrivilege	544	fxssvc.exe
Token: SeRestorePrivilege	3736	TieringEngineService.exe
Token: SeManageVolumePrivilege	3736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3336	AgentService.exe
Token: SeBackupPrivilege	1624	vssvc.exe
Token: SeRestorePrivilege	1624	vssvc.exe
Token: SeAuditPrivilege	1624	vssvc.exe
Token: SeBackupPrivilege	2420	wbengine.exe
Token: SeRestorePrivilege	2420	wbengine.exe
Token: SeSecurityPrivilege	2420	wbengine.exe
Token: 33	3656	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeDebugPrivilege	4608	elevation_service.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2220	3196	MicrosoftEdgeUpdate.exe	91
PID 3196 wrote to memory of 2220	3196	MicrosoftEdgeUpdate.exe	91
PID 3196 wrote to memory of 2220	3196	MicrosoftEdgeUpdate.exe	91
PID 3656 wrote to memory of 4544	3656	SearchIndexer.exe	121
PID 3656 wrote to memory of 4544	3656	SearchIndexer.exe	121
PID 3656 wrote to memory of 2184	3656	SearchIndexer.exe	122
PID 3656 wrote to memory of 2184	3656	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\40ee2ec71736f0f24ac5d15e7ceef16036f5ae767cb32d878ba83d92e1529898.exe
"C:\Users\Admin\AppData\Local\Temp\40ee2ec71736f0f24ac5d15e7ceef16036f5ae767cb32d878ba83d92e1529898.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2220

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3416

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3840

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2292

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2964

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2592

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4472

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4544
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
1.4MB

MD5
b2d5e5cfd9879368ebeb8b47f0940a34

SHA1
cf235fbfbd792248fb989a753c22c4e09ddc88fd

SHA256
95cfbd38d2f29ee6d2a22cf9bcc82a31476c5065c07a43fefd6f24e634ca77ae

SHA512
f060f7c0fbebbbc6423e3fb68a2d990c980cb1eae4b1ef3247006c95867f55b4b4751a5376673db2d6df03404217657e74c99248b7a987024d22416edf5303e5

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
40bc8819e1bfcbb3159696cbacbb102d

SHA1
cc7e80ed687d2af311f0db93f77609fc82dca519

SHA256
8aa11e9f036b12b4eacd7c42db50bc0ac7197697adebc461fb6b4172ed0361cf

SHA512
3293df97f10b83582eabd7d03fd6e6f2c4fe5e146ba8c8ae3fdf1ba01a9af29ecbcca19ad050d2e6b3aa487acd1d7f828e4d2d88196d4b8c67961133ccf76210

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
533eae81f627925cb4a651cf8f9f09e6

SHA1
67e09161dba02efc3ccc6385d375f648b46c76dc

SHA256
a9646053315962c47d6e04a78097970263a09ca3315792bf3f2556d1d8e8c4c3

SHA512
8c918763b02a6d43601fde04737400d8c37a2d42ba37fc0a4ec1e8840bf6d8fc7b5f18124fe3956696b482589fe79bb3c388340a7455daf51b6d21a1691b7a74

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
baaf930372d773656ce209a3067c4862

SHA1
9e73ef8649020f581d2fef2c3075d5e2a5e69064

SHA256
f9d43e1a8bf7e0775795a915c2cd220ede4fc7311b6de6722d7a30cfd530b5f7

SHA512
63fb36a08fb62f3bf147e136dc73269affd34d5d9208a982502c93383c7964d6d4637ee46f2ec4a8ac7cb5360adf779b0e2ea1e16583e67f5f9a1d782e89e26e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
632c60802a4cf1bc20468521ef33c019

SHA1
7cba7d4cd7ebdb26b99889ef44c62dfa809a9b88

SHA256
04b35d0494c7ded6c86c3b3fd87c61f39d2d7cf003470bf24ac24c8a986263fe

SHA512
d7541f8624ed92670f4c938a476f7d9f5c0dc2b43a8d4fb742a7a71ab97bf9265612e8545f8f513c622d8b45b438896d857b658a72b6abc550b1dfa532a75305

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5669298e0c65e8c7a55048515affca25

SHA1
942ef65049e5e2fe018614ceee3066307d9da8c4

SHA256
fa6fd9f85657f60e11bf04892872c6bf304aa3366416daac8bef5d67637be04e

SHA512
fe095426cf6dd5c0a3eac7e1809e5592d5d6fb9777aa680092fc9360dcfc1f2fc6378a7660b882bc9df7e2f5f3c1f1700c9fbc998b023d4b6547e34bdbeb520a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7c791d75e4b4cdd924bbd8d2fdf8a2e8

SHA1
4d7fefd7bdccf1c0672d0931f6e6c9e3abca6078

SHA256
d2e4dd120a6b90eaa3cce6a83725b0a55f3b9d69fd53b22cec446246bf65a9cd

SHA512
5eab73e9b99d18e8b257bf072e8e2a39d76709d4030ba2b59db653a88ea995a19882b130a8fb1471972f9abfc75316610e3522e0f954e90656ab166e1eb52bba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
95bd7eacc642b39396e82105302aeac4

SHA1
8cab09f51596a59978cd5c88346ebe63056fb991

SHA256
427d028784d219ce76490e443b85a758f88982a624fd23f6e1b0ab495c55169c

SHA512
698e82ff479a1ae5ef37613e1098dee1d1cf3a1fb215238abdb8602964362a8d2b339e92acf45031fa6e700b5d52a239834ccfb1921fe496c642125b236a7bf5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
10badc2b7ffb1556ca1ec305147f9e01

SHA1
404b4c4c70797225d1dc345fd794a0cb7341b46d

SHA256
91d20c8e5e877ff1a2742be066e10edcfbfd6446788ebc3b34b8e2decc47fc6a

SHA512
a1f89767b71716421e1cd2efd1ff5948a7d6a636f43841c0ad27e58f732047af1d87715a8a623e3c53db11e9adc790d93ae09e41e79bd0572687592033afe8b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
1c29f96756c8de0895eb6dd46e89a575

SHA1
43de2def49ff7d4177cbfd5aeb6be89c3c3b87cd

SHA256
39b7782852e1444e2431de8e0a636643602135f52d6d5a17dc6f5b7b716a10ed

SHA512
ad255aa7e7cf46218820428bd8a25b87f750d51ad4783a9dd2a158cb55f488742cd1f5a9473040685c9761a84c7a654d18f751c3ecb90bc04d0a69265f090882

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fcc0705d7b13a8978f096681ef169890

SHA1
08c7e0c4fd3975ca10592a4c133aaa0b291ac5c4

SHA256
ad0e713b81b05ed3181a16888d1fda3b65b7c7c92fad4e8fdf88e6dfbb2041c3

SHA512
b9c276754b0da54950321857c62b2d51c50d161ac2d069bad84ce0a58858e74e6f041c00537b47116a2fc6379d654f388b063627c0060084d97c3364657e7f3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
940f4b6b52e58617b433213eab4c30b3

SHA1
b63408135bf641de0ae583362b3bb1dca51f4394

SHA256
72c64927c90515afc63bd92c3d5eb425850227b76b3b25842db3bd3da51c1005

SHA512
c0a8796725aed0c0d907ed6b8032ae40176a537caa27b61ad03ad08e266977bbf35efc28b9af60ec72cc6c1214fb75191d23153f5fe67b0623c4ee6cb8d7da4c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c00c245ac9ff689e240fd3348ab23349

SHA1
8ddcf2f049297a182f18c8a318b6e02fb97ecdcf

SHA256
a6e1a6736c11b6f724abc42cb69dc5ae850da0b7ddab96b7b405c093d34979af

SHA512
c34f66ac67e4962249016529445d4146b599e5821a208d097a5204965b4dc1e68e9b33f168e67ebacfa558971b214b423568fa0f095484d4e1e840dbe7e9cead

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2ea1707e02a4105001ecedcee7494e3b

SHA1
2899b70e6811859a8590fe88534878a2e1e1a331

SHA256
445926cf1334556460662767366e7fb658239e30e57ad7df75fbd54e707a8fc2

SHA512
e8379f6b68174e57331b079955980d573da24d98abb4293966e4b32da9d9500f7dd98d5d35e4e7f03449e5ee221bf6546f54da8c3536de7484923a257f8b5b93

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
354bf6af4b58cc650f890e7abfa7f89a

SHA1
51b391689988864ed2c4c0e931468e82b4957b29

SHA256
f6dd595007a50e991999d183b2f5d1e3bc86da5f21a98d772049a38629c71837

SHA512
1faf93290e514e11693613242c6fbc39fa41b3983b52dce0f7adb1618abdd0b61aeacdf1823f3b0f318ee39e7d847d6683186faf3d68fe2c3e14206015a6cd57

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f414f0f351f0858b552b36d2665544f4

SHA1
04414bb0dc7a572c4324205ce28c8db871917a1d

SHA256
addddb2802682f31e1de3aa6a155641a4ab8af27b691d3e59338686f709405f5

SHA512
8bd65e0c868b87b7fbaf6592fd7964ffd439a0aaf839bf42417d12ee625bf43b6b357f97d56e0fe628c2407960edaf314bf993dfd1d449ec62c5989e778a7854

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
4c0d33b22a46154a543424c70e8d928e

SHA1
1cc5c058692885763c03a6fe555c5d72018f3c83

SHA256
5e1ef7ef71e4b6332e18f0af44477d509d41ffd1722e36c5c33a6ee3375bfb7c

SHA512
ccf63d354bacb40aefa2c6c8b2557254812229ab66409172e99d71dfa4534cad72ba6e6781005c228d9eee520f00f44af4c92add2fa846f19d9519fcde17ed23

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f9caaa12827928162e5c07fb72637a7c

SHA1
6eb264736f39197fd8032318c9d097cc60615004

SHA256
11e61e6c004793103c06f402dbb2bea7c9de4e30412c08e8c4780be1429d844f

SHA512
4d7e9ea115045fb799f8d72d74f95775e2e337723a46360280d5863e980a65f8ede701b2f8c6d01b1c7af8801f4bc58793d94ac95c3696ec942118f1a4ee6ebb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
4b3dfcd2e56484a6c7f9cc6500e40267

SHA1
50976005cf5fec8d92a5ae2e2e0fb7462e3ddacf

SHA256
7433356ad5f79dab4bb1bebb481e817eff0f28e761982f3797a02615fd31fe40

SHA512
bd1b8a508358759f0afad8ff71b2d7bdc674cb5458b015bffcf684fd2924a49caa4509acd51625f1837eae95aeb76610cd201c8eff7cc5bbd977139429fdacf9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
164117196250f58c09deeabca97a9b93

SHA1
9befa627abf321f87ae0391973d2ee4eab39bd42

SHA256
763bc34ba53996a32a2a096b40cc12646b3308c9390b5d63da017b0129d80fd8

SHA512
fc7bdd56c494ebe8cc6006bd518e21a816a2e941fc677997bde215ba77140afd470b92fd685b1d6b1794e4e2ca42c77755fd230250a8550bb81977180635baa9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
59f098f6d3771e2b01fb68ddf17c03ce

SHA1
226ccb9d2552d5bb2d8351e48cd4b65eb191bb8a

SHA256
11f7ee00a3e33b694b1ff0ba0bdc3ee8560c6ad7c26057f8c059eaf4a11f7f12

SHA512
22f0cc191b49d3fa439514b344ee8a412f02a23200e01f6c9abd82d533eac36aa3723d2f9cb04e16906bc2077d03d3b305e1da6dc954e0c182026e169fd08a5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
dd2849006e5428018afef5ceb41a6c7a

SHA1
eda5fec59c28f96dee04b52f0c0edb6647991b44

SHA256
07f9c2e296f749d220f5d604c120e829c5973e6b18cf0c8bc512a15864553de1

SHA512
b26f0a673407397599c2a37cf8499950858290f30f6039b825b59cd17926c852845df70852e28a7f1830274afa686c42b5bbb4a55d10474816cc3d87a3d24227

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
97b23d59edf88da2ef68c831170b5d53

SHA1
a43e7d53a3a611a429a3a337071736c2c1aed5a6

SHA256
1a6903c42bf308213a23e060e27602f9fb3255efa871291a071e59948d0c57b4

SHA512
1a0e411224bcf3c22217f4df38235dcb869aaedacb74cf3d38c9a0f816a6e8b5bbd41d684c248c3bd78912c97fb08ebbde4f3d04201ac3c21c8e09c2d63a9fca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5374d53d1065dff92c119dce2abf02b0

SHA1
cdb7baca56f48e960f1f7f654ba4a2d5f640387f

SHA256
09f6ee1d830116e6cfd4c4845acd2d88899eda8811f1a2535a890e053c47d393

SHA512
2e1601ee3c044e6754a1216300664c11e041c6bdb269148919088d7cad36ba109e7f87f235b8bfce1b447344c26a4316bd17d66d0c2321fe4f07fb0987726ea9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d341f45b3d11c931506e6acc17cdc108

SHA1
0ba757f14fdf4265855b86044e4e3720b7a4ec14

SHA256
8aa57ba59f12c7bf217f8591be687c0a4b63274f68690af633beb4560a09ef14

SHA512
e725a0728ae2c06e94dd4f4147b3913f5577f7286e62d40e10eadd914a0624b1e9e7690d84fbca50eb68e770872e5b0919783f66b55589496c0e0117bf06f751

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
16a504f00487baf549d515f70ad2075f

SHA1
c6eb1f4618d245e6b044133d053b26e4570f9815

SHA256
bd34b5eb6d4c979ecc1f6e0bd5396af1d11a802c29c6dc88007c37f6328d7590

SHA512
b8eb103abb520e027f182c928c226292b1cb3b0cff3dc2455a8940abfa28f09bd458e406fc5af5fa78872ba4ed7997eee67f325f66e7af2ed58ca430e2405e2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c52caf9ae9b4a385cb5b9a535b720443

SHA1
f72e8e3bb62dbad3af712a472d4ebeb6af88f87b

SHA256
97b24606941dd4cccf875d4405aa7e8379a12db1f2cbb8af2e76a9a8276914ac

SHA512
495db11fc60f344a94cd1fbd9fce9a74abfcb34789f693dc02ec409c76c267371c72ed353013b1139524365d52a81e09dd57ab3d222737117d3be52a68032914

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5f8464da3fe92ba620706f24ece1ffd3

SHA1
b297f7446b3e790e01785eb7704c8e0bb78b424b

SHA256
df65256b6eda6e934657c423dd94d45bbfc1affaaa044e75c01b39d9f4144647

SHA512
4413504dbc14565d70e476391ed78c978853cf1afc9cd0c098eb4a6b4fc81f378336d1016b8b7b23cc7ac648eaaba9f8f5e00a93fdf7668bf0679c10b731f4af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ffdd238ef19cb297c810cf3c5ec5ae0f

SHA1
0c208f17469e68fad2844a2d2bc7d72b107be0cb

SHA256
e67046e616b86c43c86e531e41986f915b8799d326122ccda65404af260a9aba

SHA512
42ac2e1f79116d0b85ba77b95b08bbc6e60cd9fedaead9d41303f5825e760997c1bf0d3dab7fd7c186ccc9e4f154470eb8c4bca9bf9f2d39140c649b1f179f43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a0a5ef45cc2549c4440d822b70c75ef0

SHA1
57ccabd0908f9a995f73cf3ee2b2ff168c19bb4b

SHA256
a08ebb72805041e44d3c88a068562e1079685e65a11fbfcbb3ded1fe7696fd0d

SHA512
8e01eb29932924ce5d433ce45a0dccfb63829939bbf03751ad932e6310ad7d1a97aa6ff0f16f07b0cbd707ca074db5c105e820712f9b10e92365b61e50a8288f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
eddde5b0734e8221d8a56c18501c8657

SHA1
a199d8a310e7908c8dafe9290dd5ef018266635d

SHA256
ee3314383603b80cdb298d9f8cc20ced984770965c4a8d8d90995995efe6ab01

SHA512
67cb3c8b894395c3af9f56ac0bdb0a3f4fb4b2d4f6a0de9512737b86c17164efa0bd74d48e420b06d3e9233af286f02586990eec026355f6bf37ae827ea61f65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7caa0697eed0763fa896a567b7750035

SHA1
ad1997e3fb514cd66fd7d30531b8a30e1779b377

SHA256
587bdfdb3975df0dc0837a1056ae03491704220e7aa61196c610de564b7dfda2

SHA512
2ffa60615392b172ff4ca7c5dd3fe3694fd9d60c0659f3f61471fbeab718654ad3fa3f76abca0147e51bef103258671d6ddc68433487e41178222f847de39a92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c8aa5c9bd0864dcbdcb7e23184b42b8d

SHA1
9d608a5eb93c4be36c82020c43dca146e1f961c8

SHA256
ace5bf211e637c2c46c75ea71585d969d569b42841569366ffea8b20d377cd50

SHA512
abf97e35c170354adb99553395e60bf22b32f311f33671077e95b9f0e2f794664048aa6166251174ae285ac9e0102cff2133b817d611422f2a9e69749444b0f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9d5c6537f2ba6be07540c19d6a33b47f

SHA1
18e14f9ea74a1a86f91d552a4f802c50d81de021

SHA256
6340261ed8ed31f7f89f1a94a153f432191eedacd4c079cc381e8069fc184e38

SHA512
f178d3394f9f11b446e7380d46b9e45faf05d089c24eb8d89ce6d2646b557515f683d59249d487674d556cd972a99a85b11cd2227f7b68ab01d31ed765e1a39e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
3549f2cea237df2d892c3318943cdb82

SHA1
e24e88708ffb51f04a59727ad34892c0979a320e

SHA256
0d7c64619dc8ebf1454807af3c887bb6844e192815ef83751b3529c147ada5e1

SHA512
a01b0616d08f49b914b678e3f1d6a8ceca518e9154381fc78efe1e982b5a9ff37d8ba09e1cc653fd5e9ca5c66847cf138602c2051ad88df7d6932f732997c504

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b36593f4879761a3ebc31245a422aa4d

SHA1
f88bffcaa7c62f8fe7d7d63ebd0d102adc88a70a

SHA256
e974ba3e4e1933e5de9e001aadae891a315452f163b088ee48d38fb78edd3f3e

SHA512
7ff256cb239aed669547d668e092bffb1053475bdc278699c84a7bcff060d8c7674714d385d36aa337aff76f235786a63da04dd93d7b6a314bee32cf6b0a9286

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
02e942668a354f73e86e5564dd9acd32

SHA1
84cd5a61b63106cc9750c91c85f8eda1385b9d01

SHA256
c699bd70903ccc936d789a622ca590e356e56069416ae00de4a64d0f519b6078

SHA512
0386dc7d27a2f652406aa3a4e815c676d46fe9ca81d45f21f17ae9d91e06cbfa9727614b8d026a572fc6020f11663fc25fcab76db4dc88b273db7f268773dcd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
ffa89b626598a16ae7dd916267e58871

SHA1
06e8c50fbb06fbf0a2f0f49986d8cea7ec175b61

SHA256
3dcbee7e8c5a20d68e11dd4a232e02dcfa7a4bab1c5140edf2ea7a312bc46931

SHA512
594c8f31b70dbbd950393448daad814ab34cec97d58407ed6a9897941ed2e5ce7eb4eb99bf3b7a43e06eb0e8da484688b5d23b61c0c3a8ad43ebaabf0bb72b5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
f1fa366db20b5d825eaeb76b1024ac3f

SHA1
96c3aed2ab7100f5d556e3b3ae26f306d0851f09

SHA256
ae8dc8de4636cf05c9a8fa3a75206e5cb9e41b63e859241feaba8ceda259be27

SHA512
e529b146f41370b17f18f6e816d55f22967a2070a448cf5147c5079798b1f44f8aee507a0a9d251dd45c88fa66254828c4ec9045c26d70ec4d3ca465a5f555fe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d4314f48c302f051ea6b2bd4653788dc

SHA1
c91a5039c341704a1a15307f6bde81f53f1a62f7

SHA256
35f6e3611368ec1e3fd8d5187304a7e3924ce67fa6511d4d8bff8f0e1edea7f2

SHA512
1d843f7863e21d5a36b0b8db55adb42668841bec7fab2f23d0addfb3faab77e8fe94a5cff21f48ecd488cf1f23fb35255c696a03cab585594cc4bd5c5378fec5

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
373KB

MD5
5e57835d4b22569b31a912b3e5c842f8

SHA1
1797d7dde37b290535ddb717c769575408fbf7fd

SHA256
6e356a493b189c015d087a08800411d68e08e025370c7b495fd53f1fd1660a75

SHA512
3d77b74ac968cebd7d86c6e81f0b3afcea16290a3a3acfc5eec79e857aac043b374bb553c5dbe48aa138030a1000f1a60f0640006f817fc9b4ddee727bb69494

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
73ce1575dddcb00b223b740d1257e032

SHA1
5d3d37b393d996155b149d590c3df275d69c0854

SHA256
39008068536fae27e7699e77e757aa590849b74e4122cad8cd1452b58a023725

SHA512
948c7ae55fc7db586c34f482f71548c597b387aa6b925fc2cd16393b8bb3b6421f54a0630395cdf2889a690b872525380b797288e6669341fff7b591465067c5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
df7543dc984f085a9e0db229b4d37d93

SHA1
c2fb7a596f65976993d87ba956ad1f8f8ec295bb

SHA256
4756cbc6ee0d43dce6928369dd4890f85f09249076529a7ebeb54e5daac447df

SHA512
a8b14a610365e3604d7a16be3a3c7ced19e698f3e12c0da3bc32f8c0a684e1c67f08a9f0c927b41d821c160ae552cbc242e1b3bc8beb07e178a5a52ac0acd5bf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cde0037d967d2110ffbca222e7517f8b

SHA1
a1b1c01153877f7d098a39bf0895b7b9b5cc0aa0

SHA256
6dcd6e202e17bee9709472ca63f4cfc32a59f907a82f55ee1b4c9bddd61e36d0

SHA512
de61ff231be1b4e7527a3e442be49f318cff1a5d2ed733a154de17660a7b9f9efc07e3210d79b10b8a88ba7c6a57b4cc87f461591b0cdeeeb0255d3f452e440d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
94429b00c77427611df1da7c94bba682

SHA1
cbffab90217cb47649b8ad8102ffa157c9b2b1cd

SHA256
e83fdd0747d9dcb5fa57c0ad92523be851ef88e67de242467cf520b4db99dc46

SHA512
6561167cab3a3136ccb79b1e7a5f35201ffee951cd0ed96193ab9d243e932f3bf9c1163a595884acaad38de64f4f4d8550e5bcf53ab2a5ae8f3231e303e068b3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cdfdc930ae50a371c57504948d3a96a2

SHA1
6d9d21fc87137433dd18b0224fa61c51b168d57e

SHA256
0ed0bf4e65d5f120d3f0c91c8758dfae5942c09a1e968bf3769114a675291bce

SHA512
f1b195e01a5016a0878d0b4374ae663d37cc80824f951eac3849719111b57788c6fa79313378dff8175e1787a6f75ac3acad8f766fca3c945b13a272a67d4e5a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9c39ef35a1fce018e6c04d5367395cca

SHA1
3c85907c723246aa7cbcd1450c8a2a1d63eec08b

SHA256
338c8f3e153d86b59a5853e22607df5ba02e611c0db1f957dc160283e87c4dc9

SHA512
872fed1aaad87840b0ab4c2c1688c8990e4234c6c664e34995fd8ce7b82707aef448e467b69d421fd3f8a4b8305990dc77341ddd71025d3dc9bf844aac65f0e7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
1df255122d4475d2bc77ea448535f564

SHA1
d6968005725b49910dac5e444cd83da07abae86e

SHA256
061b8ac60cc55745485665f46a3ac1959e748e4c0865dcf787d481d7ceac55a3

SHA512
3c8422b30f9e40c8d906be9301dd2437fe9f669bec080c69ec140e1569b54af1dcf74f8ddef4091349ab985fd17360678bb8cc2617a55011901e4eb99aec0fe7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2e0ee05e0ce2d81b0e3c2ef73c3fe8d0

SHA1
ca8200454f4d47e752960d57dbd43ff24dc61f1f

SHA256
d96a838706568e1e77a9851f03b94b94815fa09be5b3e1fe27c58f4887f74e08

SHA512
8d5f89e4c6c8048e4e319cdaff3dc67102768443ef1d738104a04a09ce3c3d4af02de089179782c7fab96cf3311c2d7c52e2e3afeb0ad0ffdbbee072c04742f2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
26fdbe68cca039fd07a55b8a289a97e9

SHA1
f5d550cb4ad0cb2ae6574cd4248c48b266e70d07

SHA256
f94e6b126c81c1aeaf345994a10a720d16b153de0e3823bfd043f312ad029074

SHA512
8c359df17f874a3f90fb10fc9922d7bf79870685ab5f3f92769da74d5f9e41c04e90b952ed9d159060dcedaf810998ab4559505aa7cdec1d775625c167193d98

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3f85aa2dea9e6202b7d2311876d40486

SHA1
770003cab792c35ffbb71764a7657307d6686467

SHA256
b639ec60a853b7d92284db9cde449fa7d65541ce93d05ee9f7c292a825750073

SHA512
f04102bd0b78d58970a71e5c71f7a774bbdd8b8b7498e77f5c8f60fb28ed95406ed5a85648ac2b3bafc7f80490df6cd9a72375b24796a4e660b92e5dcda025e8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e62287da990b7cdcb975e2017c6e19a3

SHA1
9c715138f0d08c3f69d0c6e39980e061d1a02365

SHA256
24d208a2b0add1088502f894702663b3c4ca269a177c8aed9e396bb0869130aa

SHA512
a374b3702d9e7479357c579d712b25c9b147e705b7679a75b1d8443cf29c19c37255cfd626f047ba3e745d000ca030344fb1ed0e847428271573b37ca38dd021

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c11c08621650dad0c8116a30765e2b6a

SHA1
d7111fb95ab32f5eff5c3063bf75b3ce68677f20

SHA256
2714b12a48660ba188ca8ac5ecda5c5cf29e139b92dfcb9b73e292f96414e167

SHA512
637621c872d357b26a4ab7f56f48dd3eae5cbd4932524f91bcdd5793da3976071f205e8fca75a54a9eb5db67e4740c31198cb472b0fc0a0540e00d52e1d07a43

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e377abe4cef77267788b6d159a4ac021

SHA1
17dd983712734b2a2a85b5fab7e747c91870709e

SHA256
34588d3da350916beac8176773a356b744d216b4acd9c480b709948783eb54a9

SHA512
de5b06f70f18e6fa43423f2d1516bf41febc8002277e4a3ddda05c567e8542cce2d590d6d816f947fc007a4ecb38eca220fe258a7039079572d0f40211671967

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c2557a115cd2a59da02c6efaa85fa2dd

SHA1
c9d296a8fa2a55e40174fb0ece83b7c869511689

SHA256
319c7623106be7bab11ed8748915f94bce0b94f821c321d2c27541cb0ff332d6

SHA512
3ba3f67e4be7dc0d81fcb988f0504cab571152cc33e3a3d355a4d7f8c916a8d5cc3e2358e4592e8e268ca7fbdd8da42f1342bcda336c31ec5f81d2e666544d9d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
92411de80c119d630ea9f705c35eec05

SHA1
64207b2d6fa9d7231f6b04652a0995105605720f

SHA256
c5a22e01bf25f38a5618122b5aaec49f00138d19af0a1a49be736ee56f19227c

SHA512
3287a05dd94accdcde2c73561d7c204bee3582e1f397581dd9ead5b257a58209ba53a2a31af1db990ba0202a13aad92d6d74390f2a3bdfaea8190434c41a21f6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
03c4f527b9210a28fae0fb7a1aa5a0a5

SHA1
fe86a6fb549107b92b961e9ab35ac8802509949f

SHA256
3cb73c599e768baabc42689e51c64a73758a244c3a4775f74918f74db5891813

SHA512
33b2e533f626ea2a0e9d42de346a608c8a7789c3cdd1854dc8d16762eadcba5fd2773341212bfcd83bbf192145889c2cd773a5dd49a6856c567b8c70d3151863

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
82563c117d077fb413b43ba26a30146a

SHA1
0c7ce82a5465e0afe4dcf0cd67f8327f36caeb8d

SHA256
60b8f8670e829eeb276d544d8c08b11adafe97af41022bcdf77dbd80165d7cee

SHA512
d1f507f247b68e6be94ee443e1a72bd751e9b8436bbd3e52825b5d58f283353f6e315d7d61288fcef49070850086551b3725db2a09e5e6080a6dec312379989c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8d2acde78054c67fe83d3268d90d7aea

SHA1
8ce42725463355a00d77e0f1a930531aff8580d4

SHA256
9160e4985a9594ca5c53aa3c875c2f08d141e5e6d6ad44d3ac0013c7a6009455

SHA512
0069fb5cc4ece87b0b3bfae39f5f4a69e25eb6c56afab9e984538b664095fd8a78040778200c6efe78770d8eaa1d8a9588dbefd5626f5053c0606c29c492e743

Download Submit
memory/512-94-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/512-257-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/512-97-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/544-301-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/544-277-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/544-276-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1084-377-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1084-265-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1084-271-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1084-264-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1388-439-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1388-328-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1624-593-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1624-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-0-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-35-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-7-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1952-1-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1952-12-0x00007FFEB3E70000-0x00007FFEB4065000-memory.dmp

Filesize
2.0MB

Download
memory/1952-37-0x00007FFEB3E70000-0x00007FFEB4065000-memory.dmp

Filesize
2.0MB

Download
memory/2220-96-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2420-596-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2420-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2592-460-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2592-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2592-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2736-343-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2736-531-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2964-403-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2964-296-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3196-39-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/3196-68-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/3336-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3336-400-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3416-256-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3416-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3416-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3416-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3644-30-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3644-31-0x00007FFEB3E70000-0x00007FFEB4065000-memory.dmp

Filesize
2.0MB

Download
memory/3644-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3644-28-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3644-217-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3644-254-0x00007FFEB3E70000-0x00007FFEB4065000-memory.dmp

Filesize
2.0MB

Download
memory/3656-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3656-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3736-386-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3736-588-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3840-72-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3840-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3840-81-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3840-78-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3840-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3900-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3900-592-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3980-317-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3980-427-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4036-415-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4036-303-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4048-365-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4048-539-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4088-448-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4088-597-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4472-538-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4472-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4608-255-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4608-53-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4608-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4608-47-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download