b155b25bcb7c8040f5cf1c1de541d410b676c0df5baf43fba102da31d13d11f2

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b155b25bcb7c8040f5cf1c1de541d410b676c0df5baf43fba102da31d13d11f2.exe
Size

1.6MB
MD5

aa223acc2ab76420ec158fcfaf0b453c
SHA1

499208c02b76a31dec4e8f34dcbaf5f043507fca
SHA256

b155b25bcb7c8040f5cf1c1de541d410b676c0df5baf43fba102da31d13d11f2
SHA512

d97ebf145e4802fffe4bbd014ac23c11dfc20eaf8c32d3c46442af579d65612ddb4abd29705f00fd3017b828de3129f931b6c3a565719d5635a60da8fd003364
SSDEEP

12288:+W9B+VXipFTUzjsvFgzYxhaavfiu0h11RiYJE+OkNgzLQ3T7PBgIkF28JdK1j:+W9B+i1vaYxhaOKVh1DiIz33PTgIF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2288	alg.exe
4976	elevation_service.exe
2744	elevation_service.exe
1044	maintenanceservice.exe
2492	OSE.EXE
848	DiagnosticsHub.StandardCollector.Service.exe
4316	fxssvc.exe
2452	msdtc.exe
5000	PerceptionSimulationService.exe
4968	perfhost.exe
2388	locator.exe
3992	SensorDataService.exe
5116	snmptrap.exe
3328	spectrum.exe
872	ssh-agent.exe
3896	TieringEngineService.exe
3544	AgentService.exe
2828	vds.exe
4628	vssvc.exe
3692	wbengine.exe
4312	WmiApSrv.exe
116	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	b155b25bcb7c8040f5cf1c1de541d410b676c0df5baf43fba102da31d13d11f2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f6e6ad94c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c4096d2ff91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c92d83d2ff91da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c059bd2ff91da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4bf78d3ff91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f8be2d2ff91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cc23ad3ff91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000612ca2d2ff91da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bb2e9d2ff91da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe
4976	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1424	b155b25bcb7c8040f5cf1c1de541d410b676c0df5baf43fba102da31d13d11f2.exe
Token: SeDebugPrivilege	2288	alg.exe
Token: SeDebugPrivilege	2288	alg.exe
Token: SeDebugPrivilege	2288	alg.exe
Token: SeTakeOwnershipPrivilege	4976	elevation_service.exe
Token: SeAuditPrivilege	4316	fxssvc.exe
Token: SeRestorePrivilege	3896	TieringEngineService.exe
Token: SeManageVolumePrivilege	3896	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3544	AgentService.exe
Token: SeBackupPrivilege	4628	vssvc.exe
Token: SeRestorePrivilege	4628	vssvc.exe
Token: SeAuditPrivilege	4628	vssvc.exe
Token: SeBackupPrivilege	3692	wbengine.exe
Token: SeRestorePrivilege	3692	wbengine.exe
Token: SeSecurityPrivilege	3692	wbengine.exe
Token: 33	116	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	116	SearchIndexer.exe
Token: SeDebugPrivilege	4976	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 3296	116	SearchIndexer.exe	122
PID 116 wrote to memory of 3296	116	SearchIndexer.exe	122
PID 116 wrote to memory of 4560	116	SearchIndexer.exe	123
PID 116 wrote to memory of 4560	116	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b155b25bcb7c8040f5cf1c1de541d410b676c0df5baf43fba102da31d13d11f2.exe
"C:\Users\Admin\AppData\Local\Temp\b155b25bcb7c8040f5cf1c1de541d410b676c0df5baf43fba102da31d13d11f2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2452

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3992

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3328

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3296
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4255a93c36cfac2555d6eb5c9c4606e0

SHA1
9bdccfa63be15c51fd75ea9084bb606cece05188

SHA256
c8cf8389a32baf222c0b19b910918529f9409e19dc83967bb53d203fd1431371

SHA512
4befe078c75307f80d97537e25bae8ef7214fe7e69a58f46ba6e0b043799763cf9d00006eb804276241311b63e9335e62eeded25699cd3f450f5f537336ce2db

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
5b2ed3d72f665b953177552641ef9d02

SHA1
d9b69b4fc66f568259d53c0701b3f86b365821a3

SHA256
30af3d30e5a413c074d617bcd6161adfc9d595df98849b14b7f95f6113551faf

SHA512
7cf380098a0b470ef6bb91389a435e70e6e55104221be9701907a98bded8f84c7d05e91864c1b279704813591a1d986d41ff7a9c4a287bcce5cd58c1b45472ee

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
b359e9e4ebfc8aebddda77490fdf0067

SHA1
6150aaff3cf53eb9bdf5148120466b980ebfbcbc

SHA256
6ab503977956c2e4e655df24e2e7982f604c1a4415095c9a733e5aab68c75dd9

SHA512
632095c7cf19196f081bb6e2ab11df63bc6d54212e996cf916e8edfb6ec39d7f98a0bb495453aefb4e3ea320ee1bc3c15509f3447204b2fa7fd3c7338d3b1111

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c06ad0c791ca89c246aa159ceedd8274

SHA1
ddb07afe805f39647a1ab4cd968ae5c9ff76faa0

SHA256
c29b0e21f65afd29b7ba095e5a80d7fb9d6430f5bb9a167fed01912b65af1d64

SHA512
6d025608b060101af841f99b110c15fbf5b24ae7c09f422f51872a90fecccd9c1620a50050bfd65df95ce02bd26cbadf2486dd61f2af5a6a77928d74bfbeb741

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
27afbc424c2ce6ba1595675639ff437b

SHA1
85eaf4691968b122b3085513316be6a77de442a7

SHA256
30b714fcd8173d584f855a12ebeae6f4067876fa0fe65a674a6c4caba4e68c84

SHA512
bdc00d510bf9a1a623d189ce7be60863163c6f2dad745769b205d5dc04054ed6b9fde3c7f6475e0b98c0d3296e906a63d624e9d2fd6f57c8ab7975b4c6f9d3ed

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
fed4b1ac5215673938137b663bd0824a

SHA1
1f8ce795713b795b273cfaf171de37b60ef820bd

SHA256
21eb60ffc047e9c92944330977d6c9102a404178c89d47c63189782a09e94ed6

SHA512
98aff763610585d6dcb1be96ad5d082ca6b139c325d9853bfc409a34a91b1a437429ad3da9eadbd99e6d2a3028dece9789755abbdd4afbfede53679fe4402562

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6f19661e3e39b762eb3c624a706384f7

SHA1
18a9a2ddf0f7c10ae351b16072b171dbfb0f018c

SHA256
07f61f4b38248f5c0a3ec7c0a3f9f180b765d4175dd79ea0b2a6fd340b1a8ab9

SHA512
2bc0b91bd163922cd0015cd108441ffbed8ed0a663381626b4eff89609caff01640ac2dd7fac3731842a8bc26d9c5b907aa2f3a9596221dd6a6a645df191b611

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f86dd22b6b2c9977aae328e8d8177e6b

SHA1
9c379d812efbef5ea5c385599c3c8f13c4048e3f

SHA256
bac599b38acd11bced8e74a36503d3187a05ff2ee666bc7ab26cb05207e1b9eb

SHA512
b94cb5d13bff3eb955555323deafe49d4dafd1fe149c338c50c50c400fba45a04abc86fc0bd63fe58c0ed6e282ea1fd74275ea0dffe338d1a81a54f612dc3b00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
51adf87ccf6b21487c1b082ede01e90f

SHA1
02de777ddf0d079f2c6e95173bfe2e8efe2e197a

SHA256
96f16bb750c9798323e8235b5f2ecc8442a4ce2e9a835d879bdf33c27469c5c5

SHA512
78564247242700932c35d7922a2e30a0760c3736ed2eba7d2c0ee3b71603a4cebd878beca13f436617f563d033b1878d2fe131d03abec5debbea404a8b3f0e91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ffb097e12f2967374794ec3f4ea9a41c

SHA1
eca4d618f016827068980f6aaf1ebee86a1bb39f

SHA256
616b91a36a0fddf9fb748d2efae011f320552e4d996b6b1cadb76787c09afcaa

SHA512
c12d788e2493f4c559db32ec721df274ec2530be025aefc3b364619bdf80f80e08a8b4638c2989157a74213d23f5b8e9ab607224cd90b38b56ff92edb3b2e442

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
73e21a00142f18eed28b4f3a5a69db5e

SHA1
f7680b747e4b51abfdaad27cc9a11bf7fb5eb298

SHA256
bc7a5639273980da53426ee8bb8283e37ead5c6969dc02ac72b31f3297b3c5fd

SHA512
09f224c15f815f6c8873c5821f3addcb0778e4b5a2dc40ef574d1758cad613492ea47a018983f5d2680caf9c69989c633f363c310044807ae643b3b774f3776c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
33fcf6f1c28fc53e1cd7b8d5ff0a8a0d

SHA1
0bf216611143ee8fe8899e2df4d70c6c9a9a0525

SHA256
59c26ca77f2107cdecea467351d5f8eb8e51491c6f436411433cdd37ee65d7db

SHA512
8e9605bd3ccec3d21f9020e9dc79a12444c3f278da53164acba488c4b5a5964918c01eb4822980e02269f85e3f0cef6bca0f98d666112699f4797c55c48e5f99

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
b13df15dd6283160d24039b1c46a4313

SHA1
baa71800f8a77742bcb03b33de73e6591c3859bb

SHA256
b5c7b9d835d1778e42ed5ac636d3ea49b579753b7e965439f607d327263bfb2e

SHA512
168430f2fd344ad5e34c2b1ccc32eb610a505fa5408a47c7bcb6e44235794be5a98bc3e53b0aa8995f9f9fb3afb72f5211e1d03a1d54c8daa018738973643e7d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
1b43c6f0e5a33db5470008e5dfd51f7a

SHA1
4504e1c3cda2244ed2a7636411d509be28f88877

SHA256
c909368073d1550c519831843f2dbf416e346547e84f4bdbd116a556f4d267bd

SHA512
ca01d35590565c8fc3992e6100bcdeedb4e4a7c0779d2bdbdf60648fd22e2a3a33a66b41c79233168021f5d1fb215c008cc520e708123f055a4b823f93031570

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9aeb0ff19e3a2820ac4b0b5a1a91a9de

SHA1
81317720b5d2536b4c1c455c787e2f375f8cbf63

SHA256
af313ea383c3e08082477fa36355955da60066250aca70d6e280ca2e59da3d43

SHA512
47f524dc9c640a6264157fb2e52d2475612c11fe1b86ba3e5fe0b76cd495dd9e16b684703dde6546b630ace9624cfec7482b3194320486e68c2ce11b44af7109

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
db719ae1f3ac436aa4a415c97c557d7b

SHA1
ec5b3f14ae6aeb7576c3eb2e5f2bab9dd2eda805

SHA256
ff0518c044ffa9981c858aaa803a7fdced81a324850945a135914ee85ed32493

SHA512
655dd7ec57dbde52b2531d25519a0dcbc89399d4d4bd97ce69cd6eaf865343a109d777f1142dfc84e58e808a75e4cbe4ddcf029b8b2f6c4376738f496ab871b3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2332640fdc4be8348254404ac8a9133b

SHA1
dff75cef74ff70f870453bbca1bd47f2cf27a04f

SHA256
45a953e275f2858fbc1553fe021ce6068d09df432011bea922ff26468d22251f

SHA512
9265a0830d07e462319d6a93778989d05de36b99b344194e7a1800e849f9c361b3b7b3268f57219ea2fe209cc4abdfc63a57aca2d68d3602bed3acc6fe8e6fb4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
400711baa1414b827185399ff35b4216

SHA1
9f729eb94cd9c9703d9e06afebcba637a5133713

SHA256
18b03032cd17650584a1ef786514e9f6a59597fa4470ee887b1d94a268679835

SHA512
3a72550694b56c306f24d8c499b46d16aae05901355edefea4dc3ad6bbd32f6f2658c484d8091c21bf26e47ef7f0adcf331e8738a96bb5f53440f16f0d8ed0b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b5cd8db096e89d5bc415cd82adf73668

SHA1
f33d9d871b51e84723d52edbcabb7c60245dfbf1

SHA256
46cd404710aed3f2c4c5cdadd2d9a08127f9f7ed68cda35bd81a5bf3c08ab59c

SHA512
d1bd6ccc004935a758d38aa1baf814d3e169170d1fa43af7a1bda2649e55079647703f5bbfb0bb3d6eda03754ad19168ccf30afbcb602261f60d36621603f9e5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3d4fcca322119a31d79300eab1bdabb5

SHA1
6a2605e05b8d6c3243c14d67776372f14b30a287

SHA256
a5c3c540d31ca356081e1a83d15535871a17681179d3abc13ca934035f79bb6e

SHA512
0124bd56046ee7047d4d6905a683fc4388b3320b7f70f27c72ab6c464672ac3e89088ecb4ba0b9578d151dee4b9acc688dc149dd5c6371dd25a20a12cf18a2cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
d9799477ad101449fb5e0f9e75ff788d

SHA1
307594112093e57e5e28cd58285fb8be4899532b

SHA256
5568f7803f8e75e8c3f10cacc6ad30c6549593936feaea15b54257883a5db790

SHA512
b01b99e70308276387c69733ecc864bddafe86f20f7f0d842d32d2de7bc6069fdb58e964ab8c3019ea5ec6244e544ee80f2bb99bf5452906aa19cbc7afca087b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
8af733e64f99374eefecde68e8f4837d

SHA1
e6c6cd5215a3b4dd5dbe02aa33d0cad5f021875f

SHA256
fd9ca52993f7316eea3775d08d1143057dfe308b4317cb65666be50d4a374a08

SHA512
2f1c80ef7688008446f8be83fb9b4839ea93e8fa10c45fe2c845e05aac572212d37d751e19d2a2c808a4dfff183a924bef90e0790be9689de7d6a7affcd812f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
f9c605570fddbbb89656f5a9ca43a210

SHA1
9696a5c553c4ea859b5ad5a30ce2adff26b07d60

SHA256
982cfd7ed047b19a7065abe802775ddd317ba6cca0342941b0e78a4af1aa2d6b

SHA512
cc05d3de027b1a5af628f8ebfcc3359bb85129e23d36130b56203a2e44c613cb6c407729657859042b92fd17087acebd6b6393f547b73692d60a39214765f5a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
00b99d4d14b13e4712922c1a7c783c28

SHA1
dbea5f30cd8064eb38bc7a4eedc6aa32324d8d86

SHA256
7ca68d69986d75125b8a4d371f3d1ec5aca5e3a336b6009af92fc8310b75de6e

SHA512
32bef44145e224cf0d3fbcf6af5ccc0904ca68df8b6613cb7bafeb1956ee94aabcb876fd27eaabdd63693f6ff9f3aabc112381e969f223064ef37ab21cd01ef5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
8226cf13a290f8c05b1b4a46ac0a2a76

SHA1
b3198ee1f490ce7a6fb9851e18d82af9e3f353a0

SHA256
c348a27027dbe54b84003db2526d4a95880c107cdf6c5ad8fd04328f1a2c21c2

SHA512
5b0fb3fab82bef7c07f8f579ca763d6fb2edd4db01bd93327edbd0d0bed5ba2e0aaa803d29c44af517e04d681320a4f3708487891445ea4b8fe005700851a6a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
05ae025502eba4972a00637f297ab92b

SHA1
356ca2d0b19bcfc8db01cc71498aa5cecd128a44

SHA256
38c8e0a00b770d4b227551a0374bf7f71a198af92d762d655807f5ec9664ddff

SHA512
1aea698310c23668af6952288195d1e20572aaf79e98bb29347dc59c7fb66d591cdc906219e05b35b9fe64b0466f212d7e127712a1ab147510cb3650520577e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
b34e7577c96d9628c20e077306b5aa9c

SHA1
e37509a6675b88d44c7fc8f7e2383dc55a227049

SHA256
3724a9caa1966d8709d92a5684f2fcb09428365821682093a28a751524dc723d

SHA512
9b595dd46407654ce8a10e49b488f0489ee42ff36749082a3bc717009e7e3b5e646c8119bed6f91f95adc0b052587a78d015eeea182d43f20c7c76b8e9b9dce1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
034b11242ea972cc66d39d30814052e4

SHA1
af72d1d0ec608ffec1b682ef7528658c06e77269

SHA256
3e5cb815df574875d3a1aa25ac891e4f152b7e5d4f54992458f88e9879438e65

SHA512
22f7fa27115e8b315f75ae3fa322608e7bd375360e6fd4a31d9b37a9531acc9a2711d89019ba803115c98c9c7cfba7900b6fa840dc4b830a625eb9ec5e560691

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
0cbda33316f3bc2c0f5f4b73b9a383e7

SHA1
c2f5bec2a82f3e0ffc7222456c6c90da8e0e4287

SHA256
829d410cb7b89e1a322ff0fc37218ec1980e41abddce12e18361b1b0049affca

SHA512
1d5b6178f8577b3207bd0d325982708166ce675a8daf56b9b4ed5c8a575d7d04e11831f9e98173ffd2d71a6d5c02cc6fd84d1ba7b4738881b0104af82d5e8ce1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
82b17a9ec5793568a1a64c7d1ed08248

SHA1
c30a90d9c319de4018c51555f19546fe76e4c81e

SHA256
514d45863310c9146cb509b363474ca0c12966b7bc4f6d0110d3232e487349af

SHA512
84f516197107a4b55cad565b285dd51acf532a3d2266f46640053a8b926eb236eae6b4d0313bd8efb57b2157f5c50ff1cd22927a2e82757e40e83b2f63af6144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
1687c027c95f5929f850840ea5194217

SHA1
bc84ecb5269899d0669f4c8fd30a205e00cba903

SHA256
d2d84d8d5bb06bc8669337a09254c940a7c2e1f90f48859185389a33c36ff306

SHA512
2479194074d05b085c26e2e76d66c92227974e2f2b466e050b46031025dc173a1326d50a87147f66c0dae37f75179ba81fcdb74efb032d6ad20392811f4defff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
9b236d3057197310789fd7bcaaeb0f94

SHA1
420ba0859a1f7c945d210bf04b17dc668058cfb7

SHA256
abc84d24c9be39c35b0eff12ef5de6a83eadcd683ecd908e7e97fff26e539214

SHA512
d68844af2cdf3bc91d25b1a75261e0bc4f924c8d864ba3240b426e0e105b80763bb4ac797b6a032de90d56442e1f96b71978136c4402cee1692e387444eca12c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
d7c9bc36e458d16868e3e584369e0a81

SHA1
a88a7d2b2a7f4a00951be94706eba51c997c8ebd

SHA256
9eec9140f90af7995937d2cbe2a3cd3eb706131359759b2bcd52bad23fcbd25b

SHA512
d5fd312bf184d1c23e357d559f9decc901eb5f5d7312c0d67fa71070c593265e3cf1bff20bf8f86aea34c92c7fee9913c7d3e51b5476dfd6e664a385d6b7e9c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
a18d7a658ccb55b360815f50b93f731d

SHA1
1841d119ae07241acc60e880b79bca61197abccb

SHA256
1318734b705b3d705dca859b89b466ddc48f784a94dd6d97ea5bce48dfbbff5d

SHA512
78d599b5bcbeb6c5e3689405f0fb15d826c44d51f7b0962c72351a2fa6aee80934693f7a3da199f1638da4935e27bb20dfe527bf3ceeab4a52077971ca8113ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
16f350cc49247f81f0ec5f5f380bdeae

SHA1
3bc902dcb28711f8893136c4a9abbd7516eeb73a

SHA256
f7b0a89af00c1b6e55515fc17126a68d65665aa2ed1294f6680aff709bf951b6

SHA512
596437208de6ae118db99a039ad2426e835519c663d03ca6bd701d50beedb4111233565a3c1bf9526e8d6a7c904623d94ce43c1661aed5b9cbf3d429e33fe2ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
c506cea28ecced2f02fe707bbfcf0ecd

SHA1
5fc72a71a135dcab83c84d4343599093e927d87a

SHA256
420f411fdb92e87643f17e2f930f6e16b3e7942937471df2fd8e506b72504e53

SHA512
5ab6f6a6daab24e042434c2ee24fd93aca73f13e41484fb121104a0a9c35ac1f8e51f4c3b0ec042311ff56769ee23e557d0917d6a3b40f28b09d668ecb6867ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
41e91a4f593f1d641a1d88104adc28e3

SHA1
e5d86da19682d43b9c6e823fa2002e723931f785

SHA256
9f4364d565fda23a14dd02d7fc3d55cc27c4ce134e67f991904448368c46c309

SHA512
13bab419563b01ee7784194b8fe2081519b55137af85fdb7e22e49e2e0e9b9280c450285d3936c7feeccf0313871d2b17d9c652690f6fa6508287d7b06056879

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
f36efed4932a978f4067bbc8689a539c

SHA1
80d8c84bd54ac9fc589fa15ffcaa2061fcaa1c7e

SHA256
364215687e165942adef5d1e4caa752885e711d5a6a5ffd8dbd6a17aed267ac5

SHA512
9e5f61ab2e42329fa36b66d37b9dd35dee66c8b0c7acb2bb7617f62ef884bef48e4fdb5d1c26dba5324b242bcee556511a7e017f6fc9c4dc61fb5f52fa3a3ace

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
e907a00df75f896b38d4325f821d0179

SHA1
bbf86cbe87b2b8c0332f5ce11e47a498ba8d6e0b

SHA256
123895dfc59a493e4e94d7352228cd984c11f60fe2cb6729d0a5597e5310816a

SHA512
d707e07d1d46939db3b123da26768c5fe1c1759cb5608d8aa931574a207aaa29d9806ed8ce61f85f77b7c510840cc0dc678e0cfc134a2e979495bb4bbdd2fc14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
5b24205f60aca20974122dba8c1f5ed2

SHA1
53720035f34aa2cd1ebbd5bbd3e9e05fd3cc73ac

SHA256
ae41253bbe9f728eff543affd55099201d2c724df68d3fca1edf6823c7cbb47b

SHA512
0dabf06be6d204655aac44e8cf7a0ba4b1ee8a49dc062b3487fb3b1baeae4f2ab9cdce0f468ae3a4fe303323c2baf0dbfcabefbc823a9145c77db65da9ea7b40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
61fbebdabc08a79884b698906e7d87d3

SHA1
ddb65c71a7c885e6214c0149941ba42a5bad9a88

SHA256
8e275c9dec300ec4a54d7bd964ec64c8039c4ee80da643881206b6614bcdab88

SHA512
215c0a938dda67aedbd1e5d010b16e869b4dd8ab95e925fa5350735d74313ff96838f5dbecd7b7837294ddb0496835696ea18a9e8e34542ecec4ac54517e3506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
bfb874e79f471e0295379d84e87aa1b7

SHA1
718113ffeffcecfc05d9d79e33088e8b4ecad8fe

SHA256
a067bc509f7d956d62a412bcdfaf5d8d439b204928d5334c5230225732b27836

SHA512
b30d43a2ddb7677b11a032238dde0bef2a75285f77b396b376e26fbe83ef6d68dc6fb06c3445429bafe8faed1c0ff2d52ff3a3b265574917bf712c20694251fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
af27b895cfd6f100ce466e6f718e06d3

SHA1
6cc9e6a156ba3db085cce5d6beed3677b478cd63

SHA256
8d93af6e5f993dd774fe9f714153f6ff89ae47fff218dfbb769813b7c0174258

SHA512
846c139f7f173a4afc81d6018497032d7978193b03a88ce595e7d6a437d88952a1ca8c8a8aa64d3e4690bc80016ea8af2abce622215cb72b6979f824d12ee734

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b0670defbd5aa0356af9630f270c9efa

SHA1
87018cb2f3a5485e39837db7d3de79bb509a4357

SHA256
6b46c7d0674c8bda03dc0050f5463b23585f0e413c0c3e1e88cdf1ae21b4cb23

SHA512
a0b095e68682b8ac1153134ed677285eb90103563ed6a481c529171e7052301ed1bf99489d7b6d2e09e2ec54333313333bfe7d14d4a5232394c9e4e0d07653ad

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
c60a1aa752a609cf57afe05eebac741d

SHA1
abe25a9e34380987f2e620061bfb1c1a6050f055

SHA256
5d9e48a0c0963b12067b5e1c05ac58476f44676692a539c6914c3610e01644e0

SHA512
b616df38dc19135945f6bf76e301aa654ce18757790ca99c0ba9946353f8fcb9602aaec4490ca65ebbf45e3b3cf74ded28c75fc684ffd44d73bd262729fd1a08

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0dee5e5dd196664c55fb9ad798c3eebb

SHA1
cc74da37b34a58862673289eda5ae713b71bec83

SHA256
5619c6841b6b4ea682475a453383fd4f362dac3cac02df5d2e17dbf29fbbf128

SHA512
3abde08dc10a6db6d4d2b835454d1ca7383863b34aca0d1d2f6a7d8cc85a6bd4cc31da14853ef818620c34983712e39e0a0409c035dd079065889c1543af352a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a905f32eca34b37316def3c1887a7e7c

SHA1
08089cb519f5fc15e99118a140cb56b39801ceb9

SHA256
577308a077208cffcfab46523144b2561ed849d3725349469dafb0828ed107f4

SHA512
2a17e293fc7065960ed385a8b998bbbceaeee643f0db803bc132ceadf8cd0a099f830b07241f3b40cbba2e4c0cb33c56903c5aa748407ca858eef25f00288a35

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
71ade00e95a4f20fbdfbbf3ce22e1c86

SHA1
c3c8cd0aff9f0ab72d8ce82d5944a6bb15a3a6db

SHA256
c5e6a7e1ec0deb9b9ca5280705e21ff092e040556d6f16348a0f58e66495611d

SHA512
139479c2d953eb67dc8d1b08cd82018eaa7979811d9c08b3c6ca1ec8c51e14d116dedc34f9aed59af8eb6109027098445fbded77173ee96ddfe5c3438d9f677f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fb1714a4f5407eab672a3f8e52bf3c5a

SHA1
3ac65e2963a1d796f0068b7c0b9e26448aff65bc

SHA256
ff95c23de39fb48061ca45e8c06fbbbb36108efc6de73ec12eb2b91e9af09841

SHA512
3a0dfb6431779cdcd9e84b80a6ca535f98503c806248c8078f5d0c04911f2beacbca6e50f6daf1e48571ca5d6e6ab64d61db621e07a552bb8dd30c4a77d01946

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
01c43b6cd4035188958e2face01690e9

SHA1
e20de4bdead545689237b6723c55405bb67cab59

SHA256
a4d260358f9aa6c74ada6899934b764706b010f8ce48127b39e9b86add3513c4

SHA512
9910786557c71ef19f1ecf8ef3e215ae1cc5bfda3c70c647f139f4128d499cafdbb542a061765695fe534a49c97d3f7d507c1bac752c8bbe8eb7c464c11b9e56

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a0045979c61a3febff3bc05112c8ff4b

SHA1
7cbeda0f65a9bb68cd19863ceaf1b15fc1e11f57

SHA256
bbb76589c51adce76bae9e28312004cb0c04b3e794500df530ad54fd74d71e6a

SHA512
d8b500e5dc04b6307f04921101c73d60d2d3875beb8c7bfe12a02a9a0113a8b1f9056af0bef21f25fa96f32ffa2eb22d5af47c293f35f758ff77c6cd9d57ae91

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
85c0dd293ab59a2b78dbc1662cc77207

SHA1
a1c9cf4a46792d2de9b31b0b60d074eedf06b75d

SHA256
e5ae07dc944c1811f4a9097caf079d3d26b4ccf647efac66b979aba7462045c4

SHA512
b97ba4eb093cb8b3d527fcb4318d04d12dcdbb64717cb7d7ab5a8f91f524043d082bb8d64cfebb8d8dc86739d8dc9627a593264fc05f5ac4affab730725623a3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0895f170b152fc443c8727dc5ee8a54f

SHA1
0ff94e3e6ac64ea427f6b885a394a6cfcb1fe2e9

SHA256
b993ea51ed77d8412d68ca9a0e616e3b0afc25ee421465aeb06912808f60df66

SHA512
b23ecec5ba963ed830872e9f9f1fc806741e9f50ad73374c5f9593f1f1a9ee8072d57b2cb1a87f521fce752ab2c9aa9b07155c6972410f60b8bba0b24e08ad2c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
461710c26f28ded05bfb4309390f08e9

SHA1
b0b8cf6fae7b4951876be84b3a4dee259a61cdbb

SHA256
acadb538054498f7cb62f887dc6d5798af467bc47d45a82cc65aee14b392b72a

SHA512
5adf6e9111c42d08575cfd80a371bd3333bbf8ec42e3650bfc6575fa28da0aff720fc102541ef1fb03cecba1c7595ba45344bd8f605d82c8408e7d99da562a93

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
f4f6bd457bee49a462ffb0bc48e1bbd3

SHA1
89992eb102d7bef37c41b806d6e9a587e87bbe53

SHA256
d7918733a9aaa3ffe331f0559efacc3765e148629a5eab0a8966f6bdc206e15f

SHA512
f91967412fa459310d74c94a22645d46a8eed09c02b2397bb46ee3fae88b7a08ef64aff657e1b6392dbdf02200bd4a65b84c74a47f2318b5510224149678e22b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2f7d351ae84a0d8f80b718ff3e52d6c7

SHA1
2d38890f8b2dcf92881d903c5c90eae1948cc674

SHA256
3faf3af9880ef4cdf9798491f478dcd4513567ff6e86a8dcf4e942989447791f

SHA512
d694dfaf935b0fa9daf2ab60a140b9949fdba505e0c8aaca92b60017a74424cc172b66e3e97762ad84e0008453639221bddd4bdb43907b6ffedcce3a0fc2b073

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
896ab241ad8d8d34c9cd909574192507

SHA1
c2da01d916a715018426b20b8b9362c15fbff9cc

SHA256
443cbdaf486394e530cdfa280a76c60a1c2460a850bdb8e72895d5da8fbeb8cf

SHA512
9e4d4cbdce2339707b7159500a7680470355b6b8699f76764c2362714b404d9154ec5f5e8624a8ca338232cc58205d1af5c7b8670c23494733db0b43bc114d4c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
08aea485ef63349029e6ed727ba6dbed

SHA1
1632727862da62ce23552cfc9b160fe4c5865535

SHA256
bce5a211c49cd20f90870916ddabff7b6e1054bd90b5166cec865a24d9ee2474

SHA512
ef47bf96f47c427012c700027fb880603b46c106014de9772102bc8fe32ff326a7361f8a99d249e6d22885d2e95fe3e6cf894f30ef2f8fdfe8323c34c20a5731

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
bc86dec5f0e200675c9a76063fd4a10d

SHA1
60fd50e8b4109e0dc60d269d302c5fd87d2a21e6

SHA256
93982de07fa1f0fa050f6dd472ff3610b2d885fccca6ec0ec3db290cd8d093a8

SHA512
92addbfa3a37b895e7a2b63506a6df325f3c71bd5263bf6d5c86f3b815a099d871ed6279699a9fbbfb65db7f1704842e5624049501a0d7ffc6945b2c33d43768

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
72f83ef4edb39e0a4a0762c1d87946b9

SHA1
7b442935c534f3cf6bfd8474a1ac4d877cb9ec66

SHA256
3a70dc62bc4008735d7dd692fa27bd97668fc80064d4d1558eab9f41b77ba684

SHA512
ee53e6f972685047e6bb307324518e2152455d07fe343fb83dbe72b9eca4231f5c6c79750f97b0e644f03754f74041d4f665c432b842589eb55c2851bf21e4c2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
12ce4e93de114266fc06c9cffdcd1007

SHA1
28a0f612e71842eee6d3e0c9ad9a26bf9011d634

SHA256
b6760a7204118caaff6deeb7ebf7573750e31d365bdcd5bc16448ca1058ba6c5

SHA512
ef716198bf040dfbfcf5798e4f8492387b0d3e5cc02e5a1a042ceeee6e93804d94fb4c1ef863abc300c98f1b71c36476084a60992749e1c6e9173049675fc9b1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3b366251e8e85dc7e669b39fd77221ba

SHA1
819bac4986cee196ca872e60aac5197c956c9a74

SHA256
4e87f1c6fee23524d6431f30845e2641856d12113e4a9d566d215cdacccf843b

SHA512
736e1b1688a5c6d7e0a80e607a7b3678cbf779d2cd54db05c9b0ac43e801acc35ad00b7c326abf1c87de813b02b34ec2b62b85cadef6820e3299fac28fc891b6

Download Submit
memory/116-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/848-245-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/848-312-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/848-252-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/848-244-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/872-435-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/872-368-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/872-374-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/872-443-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1044-58-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1044-66-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/1044-62-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1044-57-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1044-50-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1044-51-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/1424-14-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1424-1-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/1424-6-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/1424-0-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2288-16-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/2288-13-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2288-228-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/2288-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2388-315-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/2388-321-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2388-380-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/2452-281-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2452-339-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/2452-273-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/2492-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2492-239-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2492-67-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2492-65-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2744-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2744-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2744-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2744-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2828-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2828-418-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3328-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3328-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3328-361-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3544-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3544-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3544-406-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3544-400-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3692-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3692-445-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3896-448-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/3896-387-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3896-381-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/3992-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3992-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3992-333-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/4312-458-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4312-451-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/4316-257-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4316-276-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4316-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4316-263-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4316-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4628-431-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4628-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4968-365-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/4968-308-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/4968-301-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/4976-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4976-34-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4976-27-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4976-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5000-287-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/5000-351-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/5000-294-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5116-341-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/5116-348-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5116-408-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download