2c81edf89d1ac8ffaea6d876b1f15b22aab3ddf3b30df1fb1a5b25615da64a61

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c81edf89d1ac8ffaea6d876b1f15b22aab3ddf3b30df1fb1a5b25615da64a61.exe
Size

771KB
MD5

763c7453c28bfa41f67ac0dd899db5af
SHA1

cee3928dbadf0e4ff7f6f8c2153651645268600a
SHA256

2c81edf89d1ac8ffaea6d876b1f15b22aab3ddf3b30df1fb1a5b25615da64a61
SHA512

a5a26c52871da73fff46984de4cd8516e36bab736cb51b74fa2f4c48e58ba5ffeb71585bcdb345134070d5a84cf71b7018cd73b3a39084220db9d678e0f3e097
SSDEEP

24576:ln+qBf6LaRFdGJm0Q3WKVSwdr13Ek0VA:l+y6KFdi2Ga9x3Ek0V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4128	alg.exe
2856	elevation_service.exe
944	elevation_service.exe
996	maintenanceservice.exe
1524	OSE.EXE
2308	DiagnosticsHub.StandardCollector.Service.exe
460	fxssvc.exe
464	msdtc.exe
2488	PerceptionSimulationService.exe
2320	perfhost.exe
4892	locator.exe
4608	SensorDataService.exe
4008	snmptrap.exe
3068	spectrum.exe
4404	ssh-agent.exe
1452	TieringEngineService.exe
4552	AgentService.exe
2524	vds.exe
116	vssvc.exe
4408	wbengine.exe
2720	WmiApSrv.exe
3928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dcc82373c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2c81edf89d1ac8ffaea6d876b1f15b22aab3ddf3b30df1fb1a5b25615da64a61.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2c81edf89d1ac8ffaea6d876b1f15b22aab3ddf3b30df1fb1a5b25615da64a61.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f592c26c14a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e647766c14a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e584526c14a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a98656c14a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b22506c14a3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbbe6c6c14a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e5c6a6c14a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000265f2c6c14a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a98656c14a3da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2856	elevation_service.exe
2856	elevation_service.exe
2856	elevation_service.exe
2856	elevation_service.exe
2856	elevation_service.exe
2856	elevation_service.exe
2856	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4420	2c81edf89d1ac8ffaea6d876b1f15b22aab3ddf3b30df1fb1a5b25615da64a61.exe
Token: SeDebugPrivilege	4128	alg.exe
Token: SeDebugPrivilege	4128	alg.exe
Token: SeDebugPrivilege	4128	alg.exe
Token: SeTakeOwnershipPrivilege	2856	elevation_service.exe
Token: SeAuditPrivilege	460	fxssvc.exe
Token: SeRestorePrivilege	1452	TieringEngineService.exe
Token: SeManageVolumePrivilege	1452	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4552	AgentService.exe
Token: SeBackupPrivilege	116	vssvc.exe
Token: SeRestorePrivilege	116	vssvc.exe
Token: SeAuditPrivilege	116	vssvc.exe
Token: SeBackupPrivilege	4408	wbengine.exe
Token: SeRestorePrivilege	4408	wbengine.exe
Token: SeSecurityPrivilege	4408	wbengine.exe
Token: 33	3928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeDebugPrivilege	2856	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 3924	3928	SearchIndexer.exe	117
PID 3928 wrote to memory of 3924	3928	SearchIndexer.exe	117
PID 3928 wrote to memory of 3932	3928	SearchIndexer.exe	118
PID 3928 wrote to memory of 3932	3928	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2c81edf89d1ac8ffaea6d876b1f15b22aab3ddf3b30df1fb1a5b25615da64a61.exe
"C:\Users\Admin\AppData\Local\Temp\2c81edf89d1ac8ffaea6d876b1f15b22aab3ddf3b30df1fb1a5b25615da64a61.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:996

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3812

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:464

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4792

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3924
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9286073a30fe6326f48806b3665a5e3b

SHA1
51435603c16d78b4af1370988ce28cf006fbecbf

SHA256
575fb51704095dcd9b1dd2bb79476a32bd0eda9b0912c5fc46fd7c60509b7510

SHA512
e2e8f0dda560691b3c4220e2079492ba0d536e45aa70909e81677d0141d29b5bf42fa1c45661464bdfceb8928cdace86d2ef6e86f8f2ad74353423889c719300

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b3a8898e5432582da8923a6ff3c4cf9b

SHA1
7d7cbf28e7d53dd1eee94c48a2f5956f383768a7

SHA256
aa7712e0d7e923d20cd15f999af168d016ffab87e00e97859f5a1a0764c4a768

SHA512
da8c5ea87f8f8bd8ce21dfcb4dd16445392cedf88097e223d8150c02c800ef1c48d428fba2bbbbb14912bd76a2b2f2bfb82e711e6c64af4935a04d7cb44fd429

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e4352f7538e626a9d930f4ac9cb44f6f

SHA1
d9a151c2fe4a9e9947f0af345371cd90a41e90ca

SHA256
e8e604f3de10fc5a6fa0ff48b8e4fa1b296b9f5cd17d5aa6f17999659b8bfce4

SHA512
fb6b63d520f4425b670c5cc31268079834b85183c728df6df3ad2c981fb2f8942a3dbe886c5257b5bcca1f9562cf6250097a20f108ecf44ae39ae8cbec0edd23

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8da32feff8096d87a9a1b5241a7ae819

SHA1
b2026eb635d3391f9138336d55ec835497d6b5ee

SHA256
e8e30654649b9bc8ebc14deea34340ea65e3bd7206c70c92a47ea468728e24b9

SHA512
f069fbea23b36d4709fc3917a361c7443d8068f249cfebf6bb8cf3f9d6e64baa2659200fbf16bea21b6fe811e3bc447f7b27360e6012a7a0d81e39cbd562ffe5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2f7efbdc9826914e99780cdb38f09d74

SHA1
00ac2e04446051eebc21576bfcb64f4996fb4a5a

SHA256
8620cf8039cfd94a8f49245a6ae2aeeabc97207f80c35de505a5e28757ffba23

SHA512
989a9cd19c59d5dbeb666c0bfe8e9a29e01f34d81054364c43b0168ad8370e1941b08fba9b6bfa9f88db09b19b41f6af91a81d08f2108757ad87dfb4de145bf2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a72bb92084c7944c3610c15845b79896

SHA1
57d050a045356be58166f915f9490fc719d4cbcd

SHA256
7d898e0d85b70fa433f6658b9c9923a74a0e16ec88838019748c7a5d64518cec

SHA512
41fe6ec1fbcdd4376e0ec9e80290cf1cef12ed954762ce068e3c8db61097981841943eec85dccaf230fd85766e24719a5801441c8e6ef537fb0e9595b0b2092b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ae6255a44476227bac66c83b0418b4e7

SHA1
89749227216122873abe9af41115a54bb251bf8a

SHA256
05edcfecc40ed06c7522c59e3efe439425221b0e52ebf8cd2ec960ead5490b5b

SHA512
7782e8c12ae44ded8eabf51a951ac6e6177f795c3b9002533302504a54e7cc6e9044ba4de5ac53c43dd300e3356e23129eb1defc7a7e7f7db3f765e79ed615f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c1a92908cfa4294a952f2a04c8b43e86

SHA1
16fe2fcd63dbb83787aeef91c4f238e2c0923e57

SHA256
b3a4c69cf4950ae42aec32c2b8a57ce036b264daeb197b68116939348d30b216

SHA512
04fc06c00aa8c0648af3ed9dfb852b7d646e4ef0f6a606ab09d69340dd3ceb0111661c59ae4974fcce1cd6bb9c7c2fa007a1d11bfc76cb76bae176d70e1b294c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f6b9358035875cd1ae71367fcce38af5

SHA1
bcbd17ff53629a2c6c86d72f0b54193d4e1c05c9

SHA256
19b98905ac186c9102c25d044502544906a8d7a5715782cd28603a95b68a1a00

SHA512
d273353ba79c81ae2b034bfef74513c352a2efc8e2707e1a00a1291ebbc8e9d2d822454e364ff34d5f77a63dbf5fc0407953b573e1b8b10ba6ec549ae35d8fdc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
801d2f64949203d4db65bfeb0fa081db

SHA1
e42a75805c0737ed7f87cc084d8d0ff280de3a08

SHA256
23333bb93d0217ed2938aad2a34f0e41521d0eaa43b1990c411fdf3c3ab956ab

SHA512
d85eee952613e4eb1bbe5e2a88cbfe1893ba1669d3156a039327a569506e1841f2c84b205a68d966f05f120dd6a9b475d238c04de2df66fd45069242b781cf6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d2e6f91cd6118ad6caff529bef6634a4

SHA1
07a096015cbf32e691f9d4b3d162bfce960b6375

SHA256
8a2bbb2a7bee42a470ae2e6fc703e667a56c3bdee6e44f1f7c680c743ea291da

SHA512
9e1bd32d84df66eb7c7bf042a4bf2299ebf6ad7b561a4a55390b3d0071f189898e8eb2e970781c5d95365c02934a11f1481f46ecb144f88e4e740f8e1eb1e6e6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
70f412e583e9ea5ee89d5ddfdce3b877

SHA1
ca2f9205954a164492258b45328c46545dec78f6

SHA256
4a874888093e086f4e48a110e806a2ad36172a663652f52f9979342a86c8a12a

SHA512
38fae0e45718ddf529866f73689b3ee44e65142da0dec51c39cfeb58ec357ab63fb1e53cb562397298d03ea8266dc44d3aa22bbfe9e1c4ddfaa32981b9e78e11

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
18fa1534b7a8709c9dc9c5832bec2e6d

SHA1
7218d6b6c16c1b294f29070f3398f13b862a407a

SHA256
6fdbb7c5f2f6780c4ec2e0a895d7a64e2b61581fd84892c1db2ef4d84288b847

SHA512
ed4373919643b081a49d48534d4050516bdbceb70edb9de40843012dfc1936df26935bbfb34637c627150cf2e246a8f2d18341e696e1c299ee9d1f49ac379671

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9dc242e0336dcc29d75590a5c4890650

SHA1
d1aac3b897bba7d0a975f785a1e3b3831e74ba29

SHA256
3b93ec381fa6833551a591e64685a0e6761c969eef1a85abbbfb7d651c734406

SHA512
0a8c91c1a42685fd2e9635f1a4b784e17740472dc4d97a7efd91ffcff635ec8d9183d201f5796529c439c8a17f235af44e8e605fe1cfe1575594769e04cabf57

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
487ed9395c2d71a4b18dc3f962b492bb

SHA1
84f842a99eb4b515d00ebdc610d9f5fe601dbefc

SHA256
52dedffe773c311fa4777662c53a0f1cd2778362cd3bd781dbbcb63d71925db7

SHA512
99470bf07941933fd27810e94250533a3498e9bd9dcb37348c8e089b06112ac3a000e14cc88d8f2a9a202b72b7b121cd827d937b8ca41796ac8aac1b576ae0b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
29355e3072322b9908a44495f780954b

SHA1
236e188e2e3a829710d3ebb38a97f77ec4294e12

SHA256
338af36c9c0ec01619a079ffb5e748b7ce7ec2635d3fa3fffc58857bbdd0e0da

SHA512
a2b3e74cd14b90eec495106a48e469649485fae851095afca90bb36c1107d651484374977c0d367578d9742f05eed6f8cc020a8178004905b06cf283bb8131ec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d3b517ead8097394f4018013a65f110d

SHA1
16a3cd4e362111fb18b0bd50d308fd5ef484c7d0

SHA256
007a9e3cc17c047ee007d16e25aa73fb3a5c94b72930e8d6b558812dd48c44fb

SHA512
61fa3ac73a441ef97e183f636ddb6cd06a7b285069eb090510666aacebc58d42b794b3a566105d06481249278e37fab013b6955e7a4203600cedebbc1ab8a826

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fcac57756f4a1227d6801eaa5b6b9d30

SHA1
306f7de811927c7f3d8a1386d03dc9bcb44a9c2e

SHA256
e594962e8009becf144cfb89a7d54de39c54b76c6d251f5da7a1a6b59363dc62

SHA512
9c9dab1920b92c596eea256bcdf5664c0adf3369ff2f4c2eac34b1d1a168f520351a8af17a87ef6f8f646a719edc7190ceb586d8200000d412df3f286ba7ce3a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4adb99d35560dfab1a2084bfeff151fe

SHA1
a6015593d34db393fba95a90bc48396144817e18

SHA256
6c39e5c9d7ccd0bae3bd2b6b934c3aa82e144a65de58f16a8d39a95fa623f399

SHA512
c48f48ab652ff3c9e17905c8a54013875502143855b630bc519717923460ac93bad4c7ccc5f676de58c37a2333f253c77223e361eade389695b52c290c7de78d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4cb81104cdc52dde98f6fce79718ca20

SHA1
4fe28012d249c88ad088cc15faf9e04d9dbe7233

SHA256
21bfa32b6681274da6ccec722c0c026e6a868508f5d33ffafa498398a9db0f7c

SHA512
dfb9675343aff9262b716712fe080eb84548e5c286d102b396a6cb1d129ac029884bbd0b8106040c5ba01a26859e150bec387ee0d50b6a674d09149b2a221c50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f8cc25f50e221cbcf07fcbc782857019

SHA1
ed963e4049655dfce19c3f27d25cdf8c64db290c

SHA256
446ed9fc61d64ca009834d89de005a1db9fd6f418c8594455081c341fdebf455

SHA512
ad3803231768d46a3cdd18fcb404cd224731ac7c2ef8c6b2a933f382bcadf4e3d2f283ebdee3fb419bb126c330278d196882f4d2cbe2986d94dc6e9ffa8818cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f57db5ddce428b9d7769a03af2298b20

SHA1
f3309deacd2ae6ede66a2d28b48da870718cfd1d

SHA256
345bbc1cdf7654dfe84a8e591467ab0150e5b88cc41f788227e6fec57c3e316b

SHA512
c3c561a94f56fea7dc8b314f296521ba15c61ca9b7ec9c7d9d3c650c9def6ddffa74a7d5433b7bab793528a75fac5c386d3c32bce4757889626430bb8aabf09a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3663e3df56afa5bd40986ff7861497db

SHA1
b622de7ba3a46de116e0be238d4de5b9f6aa6341

SHA256
643f4ee34f9a82acdea00b44a3aa9140985ae9eecc90fbbcf8dc1ab4f7dd67dd

SHA512
21b164048e1891d80b90f76f8be52cb250db9efef482ea0e94b0b31c4d0bb4846a8632118661269f1e9068abf4322fa0373112a287fd11a0923e194b15a6dd08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c113652a1678333c7945d16471514624

SHA1
5a88644913c6679eb74468fbaf6aa7627ff15aab

SHA256
b5885b0ad8eb07b79f55f481a9a5635dda95e2d8713b6485293192425ff01c60

SHA512
51ea532158d315186a07a66cb029e581efd1843c1d2fedd3d7491b7093037c43b011a3e976672d5d4a1c66edd3b9a1f64b0bedcb6f55a6941b9d71143401a4a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a1e177650e47d3d766fc4b9c62b01ad6

SHA1
ecc011ebbf111087f00178333e946c7a3c02190d

SHA256
6847bc227f7706cb87e575c97bed1bae0b73822c89dcfe378cf6e8f8aa7d18c8

SHA512
775b365dad11d49629ea2f0cf918f3824c7bc8350ed7c8693245fa00149f96aed57329ca3763a7c6dd822c05d16f5e4bfaf20f53dcee9cfcdc473a0789c92d6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9e5dc6c8c59b8005de33766daf4508e5

SHA1
431005cb70984a94db048ad03b17bd78c1bbae4d

SHA256
391aeb71fd71e20932720ef7ae6f4eb492c8c9e177474d8e61f09e2570ad0932

SHA512
0210736ac7b08e21162923bd60bba170408b0c93b8a2b8acfb7d8f12223306af1886952f6a8742f5fc991e996c36cd0ab6b60aa5ab83c19bfd6f73facc8e72b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a0731d8ae6ad6e99cd7fa108708583d3

SHA1
3c29bca8051a258feeed74a6a37300df4076fd59

SHA256
2c3a4f6684c52a0af7a6821f90791f90b926e6bf40b528f7ee640339d800ed09

SHA512
13b43032f21abec39270f4c280557b9657a098aca26ce5da05cf83b602a382940aa18918884a98052d9fba5c3e6a574583fbbdcdf34f0a53000969bd2900a951

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e0dde5c4a1be235de8f2fc9425daada1

SHA1
4fc18e99a72051b49e4832759bba1cb98489fbe9

SHA256
3607f48b58630ef1b1c7e0cfe23edab1326b87cd4c6b7419e76b04415b33fa0b

SHA512
e5d59ebb07914b6caad5d810e76982bac46010ad3148684ef07b4715f1eb20e3b1241df7d9c01c1e477bb4d43a66d1ea121dbf865f52922097e3e001f5a32c72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0a9f18b67f062dec3f652a2b1c362c92

SHA1
44de257ea5756eb75aba2a16f117ae78c0d9b8b0

SHA256
bfe76d3114341f1e51632f0db9066d438fe48fbe25ab320fec90c4a83e641297

SHA512
a8cc9a8be81295ae63a571be88436caceb28cec8541d65571f55b2dd1ee8ebef916fb774911371ff544f2931aff37ce057bb550a364aa649c881dbab0f7b21b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
eb4f9f403f7021fe020654e5ae770282

SHA1
ee81aba81218e262c57633c75b34caa35a0f731e

SHA256
5ef95004308470be3ff687bf76a371a689cb5fe524d3f2acb221a9f27c69ebf6

SHA512
8af3a7d27b79e1bec063a8bbd5df6091bf3162e37eeb0fd0687e5ae8ca922331bd1742378b1f2d77d3ec4d12de41525ff3ea01c61f1891fde7d43c8566136ff4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8119088a10a5ef1dc506e0c01de6c3fb

SHA1
550790cd55c99d4598d231fe06f92a6f9bc0afb8

SHA256
ae68b95f2885c63bac6bccd51c5a7eea7d702fa049fbff3802acd363080e2a19

SHA512
a5a0714926b8c72c45a5b57504f4a6c1864b7c9cf26058995b344c845368c4b718160e6df2075d90137a3ddcfa616ac2a3ad1e2a8a1a866002df95505090614e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
411fd81a2481e7e2e4b07d5c0a41fd1c

SHA1
f8c41e0c905e5c9afdaf380f4c96602b7cefb756

SHA256
b18abc4202d7ff608354f8205366a1d25a18608eb36d89e36410e65d0c0e3bfe

SHA512
78137e0ac21e44a52d9b340c3983d77ae4ce4d42108e3d1efc3db8c1983668e8ae88b02773b373e949f490cf046e9dcd8ea9d9872ed631cf1a22e576ea1de1cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e2bd1aa873eb980ec608cd15174ccfb4

SHA1
51979fcef0856f4db0bc43487fcec4583cedfbf4

SHA256
607e95a781dafc4246bfcddf2bf961102ca406777371ffd1181aebdcd03556eb

SHA512
c77c58401d762085ec7909c2e22c892c1c1b7a1f092f59da2bdc00c4a93330f816680523c120843f694ce4cb482a82ffef4137ca043f68034c44006071fe051a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a6d7827ecc896883bf9324c33eac7f12

SHA1
36ca062b7959b71200979d15b65f0c53808b1d0b

SHA256
ca27cf052d9eab2076453e4de7e0349ff800bee728a0623fb52cdc7356a5027e

SHA512
ec266c29ef56099128ed379b80f773df7da3213cbc21b3580364b431feedc83142aa1f7768bc08a083e747e047ef8f63144de2337af482694eadafecdd10b63e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
433090be816c77de172b85cdd3611b5b

SHA1
a9db565e25152b29addcf6a7d95740bd1a6f66e9

SHA256
3703677030c3e37335fb40c17e064ffbb0f112e3e98516d396f877c15534f893

SHA512
761b4b40628b5369c40a4a68aad5661dfe200fde672723942ef85ab533c472a512089fa929bc87c1fb8dc57b3fdc01f7aff033f517b6901c17e0289023e7774b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5e304da7a0a9754062707202021f9b25

SHA1
37118e6c3e04bb459b7346e8cd56baa134031b50

SHA256
d5d249e3e19c425e570fbecc6d26f0aef3bc1ea17a8c7920363718553b354671

SHA512
a4e02ddecc26fad88b81d4f892cb0f6a83e0c6eea596b304835438e67b7d83b279b64818e3484bbcd1aefce96ec956881946c765e3c37b0d550e86b85d407029

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
abb7faaa328c402c8fae4a89ac28a1df

SHA1
332281591565c519a94d994245a4a6bd1e5d06b3

SHA256
77ed493af5cf1facb8f44926e958e00f13a386172015779e8a5b4b1a2dc12edd

SHA512
4d35052882c7619d0e97acabed24c12bc873b9b25ee3441f46ae11db67a4dfaba1c4ed4b15b2669931b8e1133ee6b48e930ab0817d8488073ef2180c9aa87b3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
53cd2e937963e6b1d4ce021176ba1d11

SHA1
e27159f1cf39e355204e2953d7c8351f621f6350

SHA256
505549c9f95f3ac666b1ee0d6b49dad8d9b3d1a95199924cbe879154aa8bff05

SHA512
af5eb19622cd66eaeed30d9e0d2a1a84ae73a8da2b05146a409e4008983542777ee22a80b80461aa805e0bb0640103c194a0869727957e1ed834f9e16922e7e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
961d56e4e0b7fbaadae297370fe210cc

SHA1
c3d3c1c82c8f47f9772f99fbb1c284b5691ae1e5

SHA256
5895cc960e50e994bc59375180bb8dad034e2b58808c2fa91d0dc86844fffa1e

SHA512
ef0f1f14045a5d13b31aba5ee859411c8b58ef9a38256363c6841fea28129e41c615f150299203eb54065aeffb2ce487a82c3d24fd8af0dfeb7964edb0993de4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
571be0b4124f3b4c538a332a7d241623

SHA1
73b8f0c23bff14b4ca52cb06b86892b839ce4302

SHA256
aa17a983389f88d3a44507a6d00e088e49b873b0c20cdc646db6aeb4efa862c3

SHA512
09f64759d598678a8f7ed90c6b57114a3ec473b1a0238577f8cceea6c0f3032abbd07a6b27add956c843713149055a69a77bd3f1697fc37b2d3701def62a3d41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
112e7ac9d8f4f9f4f0bbb099fa4bc23c

SHA1
479140bdaecb78144bc18bd0c5310e6427838c8c

SHA256
11212f94487529694259b6d8bd7b4f4aa8a7f70995adbf43b6e4637dc42d7930

SHA512
31a4d6cc0e3c28e1ac29ee1b4a1c61d9478151054cb338ce3c4fb681fcef6e85f634b5188443af1008fa01a36365f69c4b3c83c386e32cff12af7363ee83ad04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
14347484d259151378fc12b9d04b41b5

SHA1
a226684091075fd438cf16233e5e3067947e806b

SHA256
bad0d37b332d172eae85c25ce8a90c40196bba334dcee72c50327b43cd48c90b

SHA512
5a1d6d59708656df30832121f7b79e64e99be0e9d4cafa34f24c435c1dd91bfb19aedeef50f72ba14152a2960fc757c9fce82d87e56381855d563d7db647d900

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
271adf2ea80ae48f83fee1553626c27f

SHA1
9b34527e3cfa11e85534f8f5977ac84ca6335c69

SHA256
0febecf1df9ed591eaa80d6aa5c5d345f665112e36905d8421ac1db1f117fc11

SHA512
a54208eaaaebe23b32daa04b807def02e6d897ee77a58a760302761ea184153e883d960292d7a989491ef337c5d7b5f6943f1a68481b542327c1b604e8443c5d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
dbde47f6935989ddf788a42d05147a70

SHA1
827cf5fdccc16cdaaeb58fae219d5daea74b1f26

SHA256
30a9d42b38abcbb702c52df6c07e9ce4096110e659ecacb21f5368d796bd78c3

SHA512
0734cd25c67f29e0b9281991b987bfc66dcc9359eca26e5d13066aefb5d8138db87fafdb95cdc1b998fae8147e271336ffb9a5c68287e0e7b049f8d3c6180119

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4d14e214d1b8908945408fa6c6722793

SHA1
e00a153497a4eec699dd70866c80570e0fa3e812

SHA256
b4339d594257c38db697c3de58f77e533ce776e6dfd3a4e2519168b012bc7354

SHA512
b5fd2a511a36e8decd8d51e4e834a930c93b33882738637d16811408be3725e42cf8870c583fd7dcb26881484ccb24d720e44fffcea1506829575afd7b5e39dd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d2b73ee03b7338d64b49640c01d923f9

SHA1
1cf0b0ce84d9b00226f84053150f8b49d34b396b

SHA256
81401a7bc7b19d8e66afe7502faaa44cfd095411e0d51587d6937e576c56ea29

SHA512
c4dbbc7322e0f3e0ec001b6bb683afc8836bb37181e451b9f61dc7a9e64f33356f79d9eaa545f4cb143df38d8c337e72ae17c139e99cb4824fc12a0cc8f2d74e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
20dc31d7d716162d97b6457f6563c4aa

SHA1
1695e8ae9c7af624a0493e52faa70df17b794077

SHA256
b3645e7967826c4ca4669ce9ccfceb571e5962e1aaa4c39bdf7cc1982e3d0e36

SHA512
6c28ea5a792f35556204977ee143543dd0aaf5472af8bb81ecfbeee9f526c597312ab6369a77ef1757f06b3ac31a69c9a9a179bedaef2e0a51f3d90a2fbad826

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
47e3e44e0d0f7427e3cca93d1c045c11

SHA1
b2353ec4d89a086bcb5e540da05dc597f6223c35

SHA256
3ab55c8c286a71286b668fbb3e1d380cfb72b42ea1c09110215366cb1fd4cb8e

SHA512
82e22ec521a4dc900a32497ee32a95dd45591f7032313bbcefd1373b5a046d9e84890922b7b347fdcb679084b227de999ca5c9547d7c5571ea438f3a405df2a3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a5d387142f3bd5ffe4ab66ebca8a867c

SHA1
93026ea6b834bcc821d301b9d0bec47f0c88440d

SHA256
6f546ead3d44794ef00cd3dd22cc86b677bdd8e5854f2db95c6973aabb556156

SHA512
5749573918ed33caf80e167362cba7a9bb975556220421850ba67a403862e8a3cb012962bc4e981a1c7a6ef12361573cdc6792f5679435878fce406cc2b33cab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e088a8786c717ed3d9ef01683f8a0b6a

SHA1
cfca51f612b08492f61de064e8de1d9e676fcefd

SHA256
67621e820e914e60a65e2cde5872b36bec8f5911f4431424db54b1e1b004f9ad

SHA512
4dce4a469af40038a979a8103a5abb4ed907fb12db5bd415920526746acbeded49815fc652a17399fe0dc1bce9e5917f7e8a66fac65ff0b07a9e5dc1143106c2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3d6f8d946734799999847fdba6cc9437

SHA1
eaac26d849aa868dda6e8f9ad6e24a55c9198f9f

SHA256
a778e3915a079e13535fee1f6eda7224503fb760d24184277b7bb47dd1fa33e4

SHA512
4a65ad3cb1b974ebc1a6887a7bcbd0596a0f38ccdd1e36915c91d50b0b1b3327b743ec5c8df4594d37cad73572c4b41e1b99675dbdcad18d4f147aefa76953b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2afcb2caa6b3a38d45e10044f89d424b

SHA1
f90080cbffde1ce53529339d34c594e565589f71

SHA256
129e43fbaafea64666c371b400fd43fcefd7686de88544ea9daea39b1e75e3f6

SHA512
241fbbad3e62afc75d770cdb28e459ab3b65872b38d3d2fb34155319315cac76845864bc7cc7ee41c72b5f5cd762bc96a10f87afa3eea6a4f82b77891a98199d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
62da88e99773fcc554aa90298f60f1c7

SHA1
35371b29fc25ed32486a4667f4f6e464011c7310

SHA256
fe0ba86109ea6aa6ed165bbee199552f83dc9db08755844f415c3733c3053841

SHA512
974d7d7505794b0be589a1641d819bb44984565246a907a7ff28a40b33e1b5c7e339c191953d95fe335ee291f7e8c1dc8f5911aae756110e3328dbd779e4f4ed

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e58989463ad20bf01e1629af0724c6c0

SHA1
70e976c1efcf4254bd9624c57134dba3214570f4

SHA256
e14f9a6c5f29907e513f615c70cbcc0533f1ef0b3d31d7ce1ba46a34e0f335be

SHA512
772ac281b32ea8bb9a4e0fe18f9668a925ae8d2f6ce6cbd3520d652929ebfd5aa05342c615d9717fce63085ece97d545c1bf02503dbdebd2dd800e2c1acd3caa

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7cf674ec5761abf4b5433f25fafc1d1a

SHA1
d9bac55f41105c69413f9fcbe46566c024a0de4c

SHA256
d5b36e94dff78f1c35e5defd6c279c051282d2539ce2de150377ddc83d4a4529

SHA512
c91b4bf526a571dc3f1339f71870cc29b0c891e471c1b653b23ecda1928daea89dd1fc1336594e2283e7d91967afc8f30b4398a1c08d6781ea91ea18bea0d41d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a29de73859d44f86bde89d42001316a8

SHA1
88d34bb4e2140e21e3f93c7dbd6796119d12fd20

SHA256
95551f7041686cd58cff18b6a88fc3fc6f99cf9493fcf66a4ae6598a44ddfaa4

SHA512
43d91cc86284561847bdd815f6a20ff961f2639a3b3a2e25568d3f76ce6bc782aa9bcb9527b6bc92e79c2d499c88aef121a376d058c2a525a537e9053d5cbff5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e0301de86984ceae1c4a87bc84af58e0

SHA1
c9da0a0b2336a67fa8e41088c5ac91f821fa2268

SHA256
878e382d87d86598517d9b0ba0c5238d91a333a0297e8fe9503505c09eab706b

SHA512
1ec991cd035c8928cce963ba7ff2dd9fc6fa3d243970645a7e313c68afc368b5c767088435eeb04c6b7490dfe3fc61f5494208bcd707546e53b7d4bf4f586959

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3d40742caa984fa93d6e3852121224ed

SHA1
9e2f59f57271c4b23d41780e0335bb8a26e22599

SHA256
97cd08bdbe297c83cb7f4ef0e4ce7329dd815ffa06ddce6f6c427c8ebdbe10cd

SHA512
d3227a5963238ca9e53d479c8c65f84a2a131989bfcf79f416b2e4b3572c9793db3a3fc88dceb316c064d987852f79aacf2ad360ff4263b03f70fb0e1b363b62

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
75039e07ad1f8bcb869a9af40d56c9ff

SHA1
2d22c294a0a0b956b0d9c16f82da489134ebef64

SHA256
e41cb35a110e8b5a7b2798175395987aa23b255584c56351e8b89b330e07b3e1

SHA512
98538005dc5f656d1675bf783e2b6ced62f6931fc6dafc7d1c344cec0a56d3358079445ed9f36695df9d48412baddcc3ba2cd022b550449fbd3ac43c7ff4c883

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1f5716f84fbdd8c8e3034e9626195471

SHA1
0d0f58f8af97420de0a4cde1bfc7ca9f2618c9b9

SHA256
ad6ed85e10b7677c753d0225fdaafaff027efd70111f79d8711fb6dfdcb2bb84

SHA512
1a901e06b96e17ea4d3d317d657b1b2fce977e14550d67dafcbc81fd666ffe5573535332614a2a80d4fa2eaa869736359f88b4becbd80937596ea624f2da6f8b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2931dc9d62cd1e9a6ed38fa405a60422

SHA1
07a974c1afb1de1ca86acf16532fe3da1ffb6a89

SHA256
319389e1cb0fc46e2a2d26d6a37fd433dbc9f06993b067b1c82ba247a19dcc39

SHA512
39ddb23082eb676e22b2a60067f3de304e284e0cd643e0790551cfd37cfafa562444827e6c53f855ecd275816570cf65c3b049f43491530d61273a2c56f75728

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
81d458d5c56f2a6515b3e0260f89738d

SHA1
743073fe3955849621542e57ff9321bac1181692

SHA256
7ff543cfbf7c02bbfc8a7e85680d41650befad2c53a26947c1f8db0fcc5e9c3a

SHA512
07f771dfb788fbb9555e74f82cfa0505946edac457403a2e8f307e2086892114ce8dce76fe1348e6d098003839103e6985e4aeaf15af766eb7bdf0a84b76c527

Download Submit
memory/116-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/116-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/460-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/460-254-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/460-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/464-379-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/464-265-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/944-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/944-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/944-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/944-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/996-50-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/996-56-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/996-58-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/996-60-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/996-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1452-585-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1452-354-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1524-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1524-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1524-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1524-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2308-242-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2308-250-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2308-248-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2320-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2488-391-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2488-280-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2524-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2524-588-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2720-591-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2720-423-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2856-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2856-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2856-28-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2856-34-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3068-578-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3068-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3928-428-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3928-593-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4008-320-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4008-529-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4128-232-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4128-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4128-19-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4128-18-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4128-11-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4404-582-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4404-343-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4408-590-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4408-403-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4420-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4420-24-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4420-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4420-2-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4552-365-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4552-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4608-581-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4892-297-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4892-420-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download