e7dd9ba16f9a778c69af047a54e5d3f5471c35158fa269092d686d3c323c8e02

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7dd9ba16f9a778c69af047a54e5d3f5471c35158fa269092d686d3c323c8e02.exe
Size

1.3MB
MD5

cfdffe473ecf7c8effae2ee60e4a4e62
SHA1

3e7816dddb1f9ea57c8fc50332585a94a8c3c30f
SHA256

e7dd9ba16f9a778c69af047a54e5d3f5471c35158fa269092d686d3c323c8e02
SHA512

15f5ce2e2780b2848a0c1a2f30251173feb718e397438a2801e95b78cab9b08a2886d21e94103e6ad26d4d299e1b8c4a8156c51c36e2857993d6252586649901
SSDEEP

12288:HE9B+VCGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:HE9BUt/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2368	alg.exe
5064	elevation_service.exe
2508	elevation_service.exe
216	maintenanceservice.exe
3132	OSE.EXE
4484	DiagnosticsHub.StandardCollector.Service.exe
3276	fxssvc.exe
3676	msdtc.exe
1572	PerceptionSimulationService.exe
1936	perfhost.exe
3976	locator.exe
3988	SensorDataService.exe
4384	snmptrap.exe
508	spectrum.exe
4760	ssh-agent.exe
3912	TieringEngineService.exe
4712	AgentService.exe
4164	vds.exe
2836	vssvc.exe
4964	wbengine.exe
2504	WmiApSrv.exe
3480	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e7dd9ba16f9a778c69af047a54e5d3f5471c35158fa269092d686d3c323c8e02.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bddfd738c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000584a500aaa97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf975e0aaa97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005eac520aaa97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d1be40aaa97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009de92e0aaa97da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000584a500aaa97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004021680aaa97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1568	e7dd9ba16f9a778c69af047a54e5d3f5471c35158fa269092d686d3c323c8e02.exe
Token: SeDebugPrivilege	2368	alg.exe
Token: SeDebugPrivilege	2368	alg.exe
Token: SeDebugPrivilege	2368	alg.exe
Token: SeTakeOwnershipPrivilege	5064	elevation_service.exe
Token: SeAuditPrivilege	3276	fxssvc.exe
Token: SeRestorePrivilege	3912	TieringEngineService.exe
Token: SeManageVolumePrivilege	3912	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4712	AgentService.exe
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe
Token: SeBackupPrivilege	4964	wbengine.exe
Token: SeRestorePrivilege	4964	wbengine.exe
Token: SeSecurityPrivilege	4964	wbengine.exe
Token: 33	3480	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeDebugPrivilege	5064	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3164	3480	SearchIndexer.exe	132
PID 3480 wrote to memory of 3164	3480	SearchIndexer.exe	132
PID 3480 wrote to memory of 5068	3480	SearchIndexer.exe	133
PID 3480 wrote to memory of 5068	3480	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e7dd9ba16f9a778c69af047a54e5d3f5471c35158fa269092d686d3c323c8e02.exe
"C:\Users\Admin\AppData\Local\Temp\e7dd9ba16f9a778c69af047a54e5d3f5471c35158fa269092d686d3c323c8e02.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2508

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:216

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2260

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3676

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3164
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9df7c6d1e83a18f1b680f68baae1709e

SHA1
b6fbecf2145a9b3973242e3c0661977faf10de56

SHA256
7e86e00f21095c68555c9c82308eb5399a3d870604ffbbfb65b583e9c3cfb24e

SHA512
85250b6a9b6b3497bbc6a40ef6bfbc4d36f3a32c0c62d0deb8790d9947123ee56a42d48c396e24c5f52be3b2d5918b57db4fb1f830d7944d08493b293436e491

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5462343c4ab7bd6c3e8c791066e5c749

SHA1
f2908e73081baf75f2f337588883ffcaedd86e80

SHA256
4912202d2a6c259df1ae46206b5c442bfba995b79f45a9439fde59091dc7e637

SHA512
33de293682fff39b4c7c28f1e79ab1e5c7aec3caf9a649b9ffa2cbcbfb905378a1988d366e6db33e6c0aba7f1e9924ef752c41bb2fdb002162ddcac33152a571

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1e56cf8e4483da821e90d9108e9cbc10

SHA1
dae518603b2b61ac07df461b686384305ee2d768

SHA256
969f8003ee5e6d10db11e11c2d848f52040c276b67544a64d59ba7051ac768b0

SHA512
601e50c2863f15f0b42b59ab1cad2722b3ed3adb019eb54c76a2dbb5e748df4a59204c5923069a52e5d85e11b32ab1c443ae6eb30088d9b4c0a12ba4fd5c8d3d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0d9c3883a454bafcdc131c27171ff8be

SHA1
c7d7da8a01f7d2d90b672bb8fdc5ce4d7cea8e0e

SHA256
75ba71b2925fefff3c5f6a8d1230e4805e2a062b54007cd917751003dd02de42

SHA512
0034109cfc5be38a7ffd858dd2e27fb8e05a6ecf05e1bbbbeefeae24749bc75791fffa7c2e931016bf49aa3134440023c1c2c84cd61dd4796b494e88721d6e03

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
303dedfa24f830bde86832189752cbee

SHA1
d0f0771fd7ee16d6d8bb2ec3191bc901d86005e9

SHA256
e77ee3caf77b037bb36367676f188bd59ae9a1c6e4add0e109f6846b0cb8894e

SHA512
4563feba820b0060b65763475212013d22306770a70831d9ba8cc565372fbd8fae8f316306b824808ef599ee34a525fbfee6f9f00698ad2dbf12f5294a510ca1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
fd13761f0496c6eab25f0e6e57819d03

SHA1
7dda29cb28f48fc072ad49412f1e204a6a824d4a

SHA256
1d46c0950c79ac0726f6a170ce76e0b803aea2fec13af568a7fa4b1528bab683

SHA512
1489b3dcf0fb2ca7e6704d0afdc3b0e343cbc50cacffb6d8466749248b2c1eda968d816b9cf0817fbb54499856656cb8ce214cefbf813afe11e4aff3b94259e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
871c9dc9f4e9c5fbd53395e86c0ab433

SHA1
556f3f8b9d6970198c02606fc70979e21757eb93

SHA256
f6d9f954a2ae0fd7559d919f5f1eb449375591629793bc2b653d13b366a7c180

SHA512
b1c83b39b6e9a7f6a1fada1260369dab38140703eb566984882730421928ef0c28a8b42d414437407c07e8f86b0f8215210da7ae6eb0f7d7fe2e5f53bf837cd7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7d44e4fec1108ec21d7edd81a8d74553

SHA1
4b1262c7ff0686ab46feda0f3ff22c19bef890a1

SHA256
574d86345d3c051a9ac75c11e53c59d5211af3d705d669e04af6cf749d5fd322

SHA512
69b180a590f85d68b5d9d8e7f74dbdcf7ea5a3869cc65900e781350d283028eead622b6cfdb11e52426232d760213feb36bae68478c4df874eb03d944933d720

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2a7b75b4ba59f53af0971d317455b476

SHA1
ef6fde0642f7caecb3cbe769800efab2063d87c5

SHA256
edc86ec597b968e0cca9cbdac1aedb525d23194d1f74d2305f5e72a70ac729b8

SHA512
1df95f4a787185da78fff30223f5a151768a8200743d763dd95d47edc6662629eb916ab8bb5f6c93913cac62364b77c856091cec9aaaefe090ba9e4590b48db9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
071a13dff5578ad37155a65d0686b386

SHA1
75654fa53c80a5f1f91611e6f14e1b775420848f

SHA256
0776570154e29a22bea2c9ff14947268c9e4cd988251db1ae75af124dea330fc

SHA512
3c7583d1649ef22c3c6203c0b639f37fd7ca16f8900f0914924917eee959cb762b07649cba0052eb6a42f9aca4eb9e14782c03a2c083f68abe32e6dd6fafa6e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6020b4446e354ef3ac8c961ddb25a1e8

SHA1
22e5fc6e23fbe79573c5b5f6ff377b5549029f5b

SHA256
4d7aa1c1f0f71b010e86e4963e7326d6a2c28355cc07212b936464b47b6fcc50

SHA512
adc2991f7a9ba02814d94e01e693d18e855f15f2511febcb4964a47418d726ea29f42a567fb45948b2b3c7a38ff1996d9463e1e7d48dd90794e326bdcb125c28

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ddcb8ed6c5f05973af669e64b4ac5957

SHA1
e7dddce71912e40712ccc2a43e0d59517c288e5f

SHA256
67e27d95467c021b2e0d1fe531b78a1f4a88a5f7c09d951fa4640ae3075697d7

SHA512
47154237747cba0a2536dad77c78f8d8c7657575a16a91d55f56afd0f5e27ce3b89fb71719b018d2b8b02fe7ecb37377b90123ef5d6ebcce70a2e6e7b030187c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a1186f19f7afb2f25c9bc8b9a8242c48

SHA1
9a61557b2d35317aec0e658b333288d2cbdd1118

SHA256
668de85e0393d6b1c388755bef4b495f41b6ead440f30c44f454b1bfb54f67c0

SHA512
598744808f1d4d6711bd0037634ee396082f3482eda0806ccb859610cb9f59c28b7ebc16de0a4331e28f72f6289c1ac05551853d04c1e6651c8766140a5df3b3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
ed0a5265c4068fef5e014aa816ca6b9e

SHA1
ec6b4e60bdfb39f6e920da17d473c9fa53df8922

SHA256
2104f3e0370b6388f2a730db059c96ae297768f356e019723f318679f2b9bbea

SHA512
18e62d817a8485d0e8cf9a53cb8829b6432f9c772d5edf5dd85ff45c4774a1614218d066b6d6cf8e57d13cf940b05adb4ec5e1045df662060907ea84fd35598c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5b22daf6e895a8822a0b6bcd49b662a6

SHA1
0ccf6117a94769608d2710ef2236234032c09786

SHA256
aeac13fd06e71e70d22b1699dd9af03af1a3e8f4c7e651d7ea3ee1988bcc2a1b

SHA512
c40bb33b6e40dcd0f8b215abb791a0ba6bf1ef4bb45f9d0a30475a3bc648d716611d7c07126f728a65b5baf68a4ca3c4b73ffe75ce221e356b009a82bf61caa2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a44b4608d21e18a7efe4e669b8857fcb

SHA1
d2706279ca19e885d85a2d3c772de2d599688917

SHA256
5b3a5e563b0fcabbaa640f6bcae8a05ad0e6f1d86ccb44768a291ddfeec5b838

SHA512
45867f213a1d8422466c20da493671d233a0f01302061dc9e8bc5553fb4bf02a5881389750f91bcd93ecdc7609dcd2bb7bdd23605c661aba56d167121a704904

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
aa9521d25f1dedcf2f67a34bc997692b

SHA1
5fef399459a834878ad62916b4b4065af63fe930

SHA256
9782c004595207c923df9580ad129839b2af9f90b187ee4e5904540e00be0f84

SHA512
e6fa1621714e60c013ab614b25a9c162c599bc0f9b1e886a55e0873fd5d0c422077567d0c1cb30dedfb11e6467d7f50547b92ba12a8698206a3207fdcabb69c3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f3ecc03dc387579a3bdef9ca75c8ac7b

SHA1
3a0bed81b56d3aceefd64424f095769cabfb5bcd

SHA256
d81f69caeffdd3e1162199e4d5f5c9bd9c10251d427f0909a999b166b799b8a7

SHA512
9706377b5063fad27abcc3cbdd95884b2e2dd5eb20f36527d1d720137a55d20e5f15fb171e642ca2fcfb668b661a938e7944b570b034882767d576c2a8a261ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2006f383c20837a9da80ba5900285b9a

SHA1
7bfe50c6f8984e47ec2d087a33b830f9547942e2

SHA256
62398af7f58ed89cb76d3985a3fff635496dc6105c1bdc8337648f0ecb90d0e8

SHA512
382f329752fc9c7043eabc2f9288ff127f5eb6e02f1185664a69bee0d81bef37a10b3a406bc0b0878b511332154766ae417f01c6300966e14d27f8b3aefe76f5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5a66073f77248e008b9de2ae807be45e

SHA1
6a0d6b820aea666cc499cca90c70e062f7f65bbf

SHA256
1ba721a0fef0743905f69aeb047ac2acd1d3465cc62aa37d17b62680d6a8158a

SHA512
2cc4c14087b62ba968b3d3f3de0455ad6f7c62c8f8d10314060078c7ba06d60ce71b35c3221133b0ec9c430abbee9eccd87e70ee77300cf1778bdc93a336ad20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
660473b3faf66b0ddae5aa12c157c041

SHA1
d586fa68fcc985e24a97f1657c44d77a09142f30

SHA256
f960e567d1b79c58eeb4401a2cda1b5fa25038d2102d6b4095fc41ecab479e33

SHA512
690e1f90479ba48145722e76ee20fc737a5eb48d19ce6a2e39360b32dab88266fba8ed1a08f8e8e217b86b580582c2294c26d335776df8fdd29a447f24221d45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b254fb66a6aeedb437533a8cdd522148

SHA1
fbf40c4064e7bba01ebaf85459344af61781d312

SHA256
1474edcf7a98431b9add61321b05524428dc38d4a647351e5fa178e6ff767337

SHA512
3cdb355e8b69a5709346107eb019f8125b6abf98ef7bab4e1e589be26034d7c4475b105ab6da20826f5db27a3d646bd3ff8a2effdf0779209f00191df090a3e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
596d79f5ce87d61c753d063b2c770536

SHA1
26763185ecd81dcc58cad9298adb2e782ad94be7

SHA256
e934bc63183c55829794ed1f229b6014a474bdd3534843433440f8d323af0816

SHA512
cd10f715a88f857ead5c480d3fb9b0cec9c02d5be0cfeaac88ce8379777bef9a3bf86f742d2c4037ed17976571f9098b6416d0354fa338eb8b361aeae76c365a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
0f13708b077c28a5816b28fd33201e66

SHA1
0caa46306a4840c1f835eff50838b4ef2cd3ab80

SHA256
58ef392c91ca1b71a9229474e11c368737fc9ca43707479bb003bb0954bd18f4

SHA512
3363bd938715c047c7da959ce00afac26830e76f8b17c921b49d13bcbb1a4b600bdf21bc1ba98eed0ecd6e3ca863e768dda0125fdb2b5d794bc45798fe261a19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
6cda62cd3a0297d19d04819b6d137c5c

SHA1
d6accb2fd483a3acd9ddce53eba574ad9afe19a5

SHA256
fb3f7e73fa1810d33b328d3569c503e169b4784670757ffc884895301dfde4b4

SHA512
773859178a5e5d813982492e94bfdaf1452c1eb9129c50414b3d8a38bd36d30ad21e2d255269db067838c54260beae4f9072918d6ea2376ec9719af85f48240a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
82350a1a1ef57b108abde5dfe6ce9a1d

SHA1
2f8af1c0f1860594f2c4d24303d29aab6f1700c4

SHA256
52d44dadd0bda38857d08e7ce1bb0a464dbc8d6de41c08f3c9f3c4e99aa35dc8

SHA512
1f94626b4d36dcce1ba188e8e4829f355a1e37438e75f8dede6f1c6499030beee04e04680006e6bb7cc0116a52dc58442e08e39c3698b2657fd4fb77c3adc0fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2a44557ebee332c1f66a1a465e7f29b6

SHA1
0937c489247fb3fe18f3cf8e640104966efc973f

SHA256
64a186878147885e5057d55dde4b44ebdeca09405b3d63a584dd7c06b579f715

SHA512
149a37ab045532b4956931650bb084ad17485565be18f450d8538a90a0fa0398d583616e5b500997395757fab517daaa75688c283875ce25a0fdafc2c0b6d55d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
77d8e26589b97a163265dc60a3d7a37d

SHA1
a033ba20449eac9c80338449f29f56e9c19e2473

SHA256
b8d56bb7f55568c09d33886f909c799f7f7f741cfd14a528f6d5937c702f065c

SHA512
2dfac96091bc800fa8b18f2b7bb1c5ab13d7140f26bd837f37178296b1a2d4f9356eeb339b910aff62cc234ae271b9abc4d01bff3e92a7d16175392138a40059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c65da2db43d6eb24948ac3e06a9b0876

SHA1
06171538dd04d394e084ff4b96de7160ee589945

SHA256
038a418584fb8f0c7c1d1714e9ffc08f10bbc571ac45a352868ea2fca2562bb3

SHA512
9f53b4e070e4b0e5931d37efaecd8b22705083e404f1ab1d38481016bb7824c31342ec85a9435ad61ae2414d75a6a6031a8b915b32dea35514d071e1755bc024

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
89c71d655a45cc0b58318d57361d6b7d

SHA1
34d48baa2eb929a4e598b49f178e9d4e616ecc85

SHA256
b5a802e83715950a583adc2716c81c437e918540c1c5c801087b4280dd13a087

SHA512
1673a571021e51fcda4691d50d2fb83a3a47b85823283f3b28c56736122753e8e61888b26c19e759c66676bd7742dd613093df1a53e5364180e908f1c895b389

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
44d586542b83856d22429f4beb1b1c38

SHA1
f6a4eca8a2371b8a3c1d1497907513bd048daef0

SHA256
8c0d1fd064e74acbca8b1bccc6862e700ed29b9d8acbbbb5198701494a3004ad

SHA512
e3b18e218e457bfef290b77f1c77f74ca8ccfaaec771cca155c8c746b5ce84cd999802bb8111e13380b3a1d938791bee18e1eb383f5a4a38bebe7f2a1ebec5d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7f5224ada4e998a4f08e2f0f292e638b

SHA1
0975f4b99f964330f028965f6eac6d17df6ed4b9

SHA256
1af218da2e912c299f42a40530d0557ec542c08c83c07585caa6594b12f14de2

SHA512
3a9f7698e7e1db2809ee1a728dc823a5a922fa510cb167e16f707f763bdf264dc548879c485d417f990a02302fbde3b3b034663b7c123c016a21c9c693fe944e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
65eaae089b85aa542a025ce55032c3b0

SHA1
d6c32f0611d4aa0b26def15d820c7da2e8899262

SHA256
553c96d32c8c7d3816fdf71f681a32feafdea53910a89679ddb38897c4819cbf

SHA512
22bd241afb20d092fcfdaef88940aed0c6dc3c460a96a2477bd53ab615232dd88cc6579dd6f307795e4df0d88432ed4e263f351ca84776ad1a2b8c0f541baea6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1b8eee1b25425040a1086f0cbac1aa3d

SHA1
77de81b3fe6e70efbd4dab161e1ec334de6ccda2

SHA256
8a61d58e8c5ef14fd7944b41de501967e0b466338dc840c9ecb12b0adff36ef8

SHA512
0bffd00636242aaadd51250737e118a5b9727bf7caaab1daccb935ebaa182cf23d30ecd25222a86ae3aeac511574c7b87582f21d904c8a34eb59b42e6276aa9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
214c934d901d284bea4a7aa7c70ca556

SHA1
94f8154c360c1737d709b2960a8273b8aeded0b7

SHA256
adad6e5825858ada2179945925f9d704f81a79757459a6efc55f6b6c07fd0b8c

SHA512
f532fa4b51d89cddc26929c5846b3b38686a144a16a89c1754e5aaaec114675aa7a20327ba55ba20038033b14124b85f61da7a93c7201dec0f7515f25074b3db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
20d01ce01d63e6bdaadd2edd585d3604

SHA1
3458b9d5a44d26eb605c7a3cc1deeca4c964d16d

SHA256
8948f3d03be53cc22b1ebebd2e1a62967dcd8d4dd46ced8ca877088ab51bdc4c

SHA512
c2d7fb412529a050f5c4a5e8e5d6a86c55e873923a866b9ac4ed1c2d7c2ab28f69e2203c23b78ca6907cc06bdf20fc4a67be62e23d6fb69b888ac1b7bee84ca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
90ccdcdd9f7472017f5111f5cf5ca638

SHA1
67638ed01e0f60e0ba66caed0ca9a8200eff28e9

SHA256
c997913e1b727cab803579cf3316efea01b8f3ed3244eaf276c5f83bb6f362b1

SHA512
aa581a486703878bbda447dd697ac012e52b76cc7a5632225fd83d406394f868b679f264fa61c69023013d5b9c8d90e8494b5dba458d83f59a8f1f3ec7c33b57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
473c01bdf44e8f6c2c602b04f4918f54

SHA1
a35f1150e24bec8886c75f0b4e5d2c4673dc58c5

SHA256
bbcc0bfd47dfef9d44340b1aa97b70f14f228095c44d7a39bf0a1f5b34ba1ff7

SHA512
5f43fd737d95893c4732e8148337b16fc9e2f301e1172d77ab45f135fd21af35b2b4649898c5f0b4d0fe985c1682170cb7ff4e7dbc5f2b136892da3395cc7939

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
be7249f90155cc447c3040d9a693a7b5

SHA1
cf9c22829e9bb8d5ce297c830efad37ab9b56f1f

SHA256
f25229bec0a0cc7a4c762ae3208f3df1c8474af854b0d190b3b4c321149cb9b2

SHA512
b8a39616ef1b6c06a882e7eb52e2439019239f59c8e8cb8d82773e55b702a573a7c3ee273fa472791c292a19a9a154bada9a8c692d0c6a56279d6c1dc6b459b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
ada58ce3107944e68899c9cc0d143cfc

SHA1
bed436a10da62cce6cadfc68ef9fb184a5077cd8

SHA256
76bbc2055f263d146da924c1966d926cb842a04c3146ff608c49492b1ebd363e

SHA512
a3271d65c50930e7541fb6d89724476504ff9fb29ac846faac15046e43170ffad6ff36181433a65ff7cb87668fbdd67dcaa6921ab09f149ad7a220cedb48dff6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
3a8fa6ac6de22901f0b70d3c2f258ebd

SHA1
02909e166027192d45fb0d219962735765a9f80d

SHA256
68252a32ff90b1687eaf841969bd19421c809c916254b93486225d295119e680

SHA512
6bb4a0c6000959b45cef47acf871d944b041c08d371a0eb51ecbb32f34ad21590e5253d3e06bfb5a9e9e0fee21bb563436579b89a05d322bf01fb94f3c3fe522

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
0a092c70e66e85fecaa4094d56b40d64

SHA1
03d9da5239b8bfef74e5f76fed323e260df0794d

SHA256
6e07e268265d2bb71c335e476af348e07f35e7120fdc770012fea74ebe17dc5b

SHA512
ca2e483b12d918ba4d7cb2ba15dde48315596d2e78f616b33ac9aaff17fd2b589e1501f4517accb074700af080b84b1cacc9de2eda277c8b6ea6ecfb7537ce3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
c9cb002f133ea15ce87d6b769397cc57

SHA1
cebac0cc110fbf86efbb7ad0ef4938cfe644b0e0

SHA256
eb261099fede996450e73a2b6a9201d8d7a8ad2e8f4123c51180e055ee685988

SHA512
edd1222ad1739f6493e22de55ea3af1245e836b355b2be57e7208464c11b6f377f248e0db91d6c81e90390586febfb2d371c40153713e1c325abd29c27bf0c59

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
466a6703b9d7eadd1551d294a3edd276

SHA1
16386e9dec2bfa88448e0acbc82645a56f0bcc9c

SHA256
cc7faac205e76f29dd5fd6fad22342ea24d3d661fa6cd8ab1eeb3985d70652f9

SHA512
5582dbdad0a038c6b1a82ad5afd0cb189422ea9d152096858260587c5844d1eafb53bd3775586ff745822b1226d30d80f3128bf27b80596c4bfe2438b0853550

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d073ffb2cb3fafd352219fa95c83bfed

SHA1
ad0cda057f25274a68e0705fd25d452feb7421d2

SHA256
30867defb45da5bac56970292ba27e9fe7bbd36d8a2a0cac9b8d4408724c200c

SHA512
74b61db085be0daa096dbbb144c89f84cad61840dc259f1f2655d546ac3194e7880e9472eec5afc7e4e639ace0f050405407a53cd84cb4113448964211ee1335

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
446cdfa9bc6dfaba55bcca3ae730e797

SHA1
65455958e7575dbc03b8eaaf7a3899971564d4b9

SHA256
214a900dd7635b557424ccaa19c0e1f9d85a07e3d1bbf7349e185704301f3289

SHA512
f77fe4263184abaf88c8fb17cbcb96f58fe327cfb0e609fea93e18421b9c294aeb71855a359689d171b0ea9c123e1b5eebccfffc9865c2850ac0c7db2f9026df

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5d6a4c253ec14520c9e24652cd963565

SHA1
adc20b85dbbc84bb22a68a01819d81f99c1a7633

SHA256
bd08de1f5f07ad004aef4ee3ea783f8413decf91d987af34dde6debb8944a2d7

SHA512
73227608b70aebd897f8d43a9e9f3f314ffd98b6445b16c522da0286937073d8dc6e4b3ca1ab9d21aa8b6322d97cdffdb640ba0b4ae56209fc2b92d2e0ba3a2c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
635729c8f86133c02050b5135f82a01e

SHA1
037b0e02e45288497ac9dea63426b72f8cdcc038

SHA256
f7aacf6d1658be23bca1441031f0192198e09ac00205bc48f547697e979b9405

SHA512
36e53dade6c3f6ecb006072423ca836968f3df1d49445735a39940f189d3910e7c3e73832ec1d89f156cfb557a1aaa7524d60bbbdb6948e3a49b663334dd9a3b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5e809d4da580aaf5082512518ebd2bc0

SHA1
9f3222b6015f592bd18490313c974c4bbfa0db43

SHA256
67026cea75b0c49a417c0cc1b060e08606d32dc77b2299ade66d16e4b661bb0a

SHA512
16c7ac9b3452a54a8ed368c22364f24a1b63f379acea4d1fd40400674b9bf93fa1f642adfcda052924801ee7969c036e13043d75d93bcadc0ccb85e0eb9261f9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
914d10988574c1078923d6a6fade6764

SHA1
d7b9aef71a0114b4055bc54792035bb4e91fe704

SHA256
9123ed6b18277f87cbad2e7aed2a948d5ea9f53a2b61090b10c1780b44b07ce8

SHA512
95ed1103ed358e91b23a08e773853118d57d77d159296283edea79b2a65178e857960c7c98e9a0cfb2ce36031a1794436e58a0dab91bd53ab580d54906fc41f2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7f9c7fa8ad2cc5eb05e8c6313a409b0c

SHA1
ed81faafedf2bad80f2786dfdba134145a7c5b7a

SHA256
830b793395c0877094bf1328d7cc2c460221f473debd032e1ace4b959ce9ddf2

SHA512
ec514fb44ec2deabab1132e6dcff6be0839c7d2d0df522493e30a107bd54f675630dcea6e1e11df366b7eabf9313113f15d0a4876277c7ddd8b9809c11f77b1d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a335114424f9064706412006a37fef34

SHA1
5fcb14432c64b7000ec7d814a5dec12d4a016831

SHA256
b8f715ed24967ada201d7d72c9d2eb92115f3914b4ae322cb861ee83d62ebf63

SHA512
301e2804c31e25414b55420839e8492e4ecc8af0cac6af36caf76cccff3b193ad02a5fad9c69626c45471b499580e95962be268c7d7d4e0ccbaa1559495f75fd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2865d787ff4daec4a3df73a9dd433285

SHA1
82f99dfbcaef4dee5e6b81c26ef3dd2f730cadb5

SHA256
3b321d295d988f6f73b04c97f5648fb040e393222ad7d5b4623b48f8c51464e5

SHA512
5a736780778cbee6764073076bfabc5865cf1c53fcd8cfbca8881f273abe628ffdf69e260db2636fa6bc04f93136d8466b3a5544e3046000a4c933b3059061d7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fef804dc5590ea5737fb93085dbb2ba7

SHA1
3fcd8cc75f470f3e535ae20c27e4598dd85c7316

SHA256
1068bd7b9432eb36b2ff325f7b00c0374dc8e1b2f2e3c41da3b24d3a10204cc5

SHA512
f9dbfde4553d8e7e7832035262d3b9cb235a0502d346cb2bdf1c349c8b7901c1feac2a78c54b372521e8d6497eec80671d4661fe197257fa733b5c9cd999249f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d78c50c50c35843780d7c9e16384953e

SHA1
c2686cb98c81148d335ffbe60d574cf65285a14d

SHA256
69210672eebbe9185ebbe5ae1a64b720f69971b0aa15c4c34c9d3fab15e7e82e

SHA512
b9dc4bd3f1e3a095c61602a2d24771af58469c7fed2ddae77d84e7be29916808f24c8d56462080a4f5fa87a178089edcdc54fd53e07ea06827a2e1f79999ecc7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d16bb9205bdf851391f6b275f659cbcd

SHA1
65c533941ec4409a74a9945c0fcb3ec8d0f89add

SHA256
a39fe6a35580cb20d7a11dd81d6abebb13fa2b06dcccaeb8fd15035a7b7e0692

SHA512
7352387835de107607ee91c8ab816f8ca65e743e8e29e597337326d06f902a4f865a777102ae4a7fc3079a9f431f4c09ce17796caea1877691afd16a571b3a3b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ad99f2f95c4f3c645cfbcd55e16fc2be

SHA1
2262d519cc132854fbf2340d86637f0c51754c49

SHA256
46f7ba69053c0a35ac1fdd490beb274458e740f363e97e0fe0815d99196b6737

SHA512
c561b60fc0437b1eb0ad1114d2da83aa2d667e1c1473e81c5cf3eddff5b39f1f300fa3bdbde46cb625b7cf3fcceade74bd503fc84b9797d072c27f8a7a88a47e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6d511dd8849d7aa0b6480c30a83c662e

SHA1
346ab04e302c2d0741dd8ce7c64f09afc9ab46df

SHA256
9280bcec1d0ed89c21905bdb4e65515f1c43985e7f74ae877429ff6ff9bddace

SHA512
61ed2f147c21c6d2ae0d434da7aca48c4286046c0858c1ad7a7cb803e767de348fbc6855d3d82af5d92f2fe375730cf8d1bdedf916a710375e58629cb9215494

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
07b390f9168bd2ee22f397278be3068b

SHA1
c3c57277daa3cfeb89a757a69c6f62a1e70a6b07

SHA256
17a1e9535394327767c7f8f5b56aa207a35d7d4341f022379c8c7e0ce8f5a2a3

SHA512
d700a39786731dd6643e9071607bd1562c7d647e3ad237d3b8ca1c8365722fe2877d2cc645dfdce93457a69bcbf09948382768678f37bc6b9b99b1be9e81b401

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eaf3b850695a0bef8e6049e2988d5555

SHA1
100b86178973cf536a69191349eca7724b3d89bb

SHA256
3c2680190a6bdb52f7574c92d077003f47a96f8d8fd9f9ce9a243d425094fd71

SHA512
85e2f4a3de1cb7d4a0a0538d1e34ea97ffcb94cf2e0881f16c0fd2c34510b21ab81b68729aa973c00be5d45c32d49691a12caa5c8047563a2bb94b4fd49c662a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b81ec2e1472f14027ed149ef7c3e7a6e

SHA1
29d3121704471ff5193f59e06f4ca470083bf3ed

SHA256
fb58e5ac2ac15a4c29d4358c6b046761d1e52e17f9f240c98b0dfe9f7ffca6b2

SHA512
b72c15ee582f76feeee53b2e6b0976fbb128aa0a6c45055ad7fc2a8eee0cc5818b053a15f10accb028908eadc3306ae9c51f22fa55f82980370a1f943ad69222

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
61e0d0147ea493dbe30655d75e84c237

SHA1
641d14ff631604fad261504aa102fd209bb8f606

SHA256
faaf8cac468b934ce0d9ee4da9660f978709483033b8b504e00e9fa60cbd5bbf

SHA512
11f350261704ccf43f1fb81f011d98f826a27f2d0cf0478bf51e40ff06782077ea7251e2fae1b4b1a299e51bf98d746be74dba7a5ba4dc2b048e164944cdc2d6

Download Submit
memory/216-57-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/216-49-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/216-63-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/216-50-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/216-61-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/508-358-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/508-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/508-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1568-1-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/1568-6-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/1568-7-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/1568-0-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1568-17-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1572-296-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1572-349-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1572-284-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1936-299-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1936-363-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1936-307-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2368-14-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2368-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2368-229-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2368-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2504-455-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2504-447-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2508-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2508-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2508-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2508-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2836-429-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2836-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3132-65-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3132-66-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3132-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3132-238-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3276-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3276-270-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3276-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3276-255-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3276-264-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3480-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3480-467-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3676-271-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3676-337-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3676-280-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3912-386-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3912-445-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3912-377-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3976-376-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3976-313-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3976-319-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3988-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3988-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3988-332-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4164-551-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4164-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4164-416-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4384-339-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4384-346-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4384-406-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4484-244-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4484-243-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4484-250-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4484-310-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4712-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4712-404-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4712-399-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4712-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4760-432-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4760-372-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4760-365-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4964-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4964-442-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/5064-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5064-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5064-27-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5064-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5068-552-0x00000175098B0000-0x00000175098C0000-memory.dmp

Filesize
64KB

Download