4374faa9bec519b3dff35108e6447001bfc69c8ad2f43d854aca47901565de5b

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c5c92936041b505110c8ef168da2fb0_NEAS.exe
Size

2.1MB
MD5

8c5c92936041b505110c8ef168da2fb0
SHA1

221012a3948694a77332ed5549f51e5c38d4645d
SHA256

4374faa9bec519b3dff35108e6447001bfc69c8ad2f43d854aca47901565de5b
SHA512

947934e710565ee124a4b7333850388acd0bc1052445c0fe411cb184b3e74aa7c3f79783558613715e7800065ce1f86fa52f4abecc59b0da27214f96d780f30d
SSDEEP

49152:kAaimdzYtiKX9G4i0awIlrrE5T+3gFIDRRAubt5M:kAav2lX8VDgrUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4008	alg.exe
2356	elevation_service.exe
4064	elevation_service.exe
3280	maintenanceservice.exe
3504	OSE.EXE
1884	DiagnosticsHub.StandardCollector.Service.exe
1976	fxssvc.exe
3876	msdtc.exe
4940	PerceptionSimulationService.exe
3608	perfhost.exe
3820	locator.exe
3700	SensorDataService.exe
2340	snmptrap.exe
3260	spectrum.exe
1072	ssh-agent.exe
4128	TieringEngineService.exe
5048	AgentService.exe
4180	vds.exe
3444	vssvc.exe
2716	wbengine.exe
1692	WmiApSrv.exe
4472	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3632b20c8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	8c5c92936041b505110c8ef168da2fb0_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c7503b34da0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001eeddab24da0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e49a29b34da0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ab2dfb24da0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dc4f2b24da0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000814797b34da0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e528d6b24da0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f65b2b24da0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2356	elevation_service.exe
2356	elevation_service.exe
2356	elevation_service.exe
2356	elevation_service.exe
2356	elevation_service.exe
2356	elevation_service.exe
2356	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4192	8c5c92936041b505110c8ef168da2fb0_NEAS.exe
Token: SeDebugPrivilege	4008	alg.exe
Token: SeDebugPrivilege	4008	alg.exe
Token: SeDebugPrivilege	4008	alg.exe
Token: SeTakeOwnershipPrivilege	2356	elevation_service.exe
Token: SeAuditPrivilege	1976	fxssvc.exe
Token: SeRestorePrivilege	4128	TieringEngineService.exe
Token: SeManageVolumePrivilege	4128	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5048	AgentService.exe
Token: SeBackupPrivilege	3444	vssvc.exe
Token: SeRestorePrivilege	3444	vssvc.exe
Token: SeAuditPrivilege	3444	vssvc.exe
Token: SeBackupPrivilege	2716	wbengine.exe
Token: SeRestorePrivilege	2716	wbengine.exe
Token: SeSecurityPrivilege	2716	wbengine.exe
Token: 33	4472	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeDebugPrivilege	2356	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 3740	4472	SearchIndexer.exe	123
PID 4472 wrote to memory of 3740	4472	SearchIndexer.exe	123
PID 4472 wrote to memory of 3568	4472	SearchIndexer.exe	124
PID 4472 wrote to memory of 3568	4472	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8c5c92936041b505110c8ef168da2fb0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\8c5c92936041b505110c8ef168da2fb0_NEAS.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3876

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3700

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3260

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1992

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3740
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1ff485d9ecd804c19796a594b3ec2361

SHA1
6c8a2994202d95b4ba90fb8e31235c75fd4dc8ec

SHA256
f873923145047af70ed7d58ff3491cbd3048315b431381f16f107a4b410b3444

SHA512
9538709ec76953db7ad146808ffa4941e0e8244af54a22dc1d505ce795af58b3a8acc8630781e0e6a899d815af8752bcc90be7445a676ba3b8d54a3d3a2b46ac

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2596234ef8f752f2c0ae9b508735090d

SHA1
a08743f3e5fc54fc1dc1dbbc092d33f6befe4af0

SHA256
d8f8365137af3020a893bfda50586320748205c233e1d88a380ee63c6e833520

SHA512
72bd64dc4353f8029b2c1b9da77e8693704d7b5144ae55f9a390edbe5aa090ebceec24a249439824578b254e08e9aa2ff8ff9e9381dd6304515092f0f943cc8b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
382ac33f8e89d49d320211d157cc65d9

SHA1
2d89850a8c08838e4700e2e1f1df4b48aaa47517

SHA256
3a1d73f24dc656ef015708d2e45639755b7ff1e6a4eb9e806b84e1ac9d68c10d

SHA512
9c35de9f68f6f7152b37411c99046a50a1e9faf261cf7acda2cfe63eb454e28a631b3f682219b4acb9ac3d915d7a1f3ee22e13f9e9c420e77438833b49df3731

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
01766af99caa270783423011ed6872f5

SHA1
6e3a6e8117f44bbc36f1c93f67df0a876506c284

SHA256
f5c55b094661aea489584cadf74f562a6f5acb1170ee11d8087383b84c83c82c

SHA512
9ff343b42c9a508781c03b5e50f5987c0ce8ec82d38930ad3a02371dcec228357e9be7aeedc61df7da5956993bba783809211043a055c9a1ec1e1f57a2a594aa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9c4b8600eacf15b88fe76b676041f060

SHA1
f4ea7f90974d6d6e6e65841d6774b740ac5f1923

SHA256
9a5be529abd6dc4331ba3aa27172b1aa9eaa399eca15a4490f5d944a5cd01639

SHA512
8beff0e507e8aaf8043014faba6ce38785be2d09878ca1b3aeeef3b44e9c839cb60daeb022f89dfb663d00bd9c0b5ff40dba07fec3fdf0b41d259f867e3a4747

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
213f17d4ce4b3c49996adc0cb68a085e

SHA1
0140ecb6d8b858e33e9475c3b2aa03e08683888b

SHA256
e8a37fd2efc8e52b9feb1aaa9c0ab546325024adffbf6ce6263cb190abfe3f75

SHA512
e23247dcd95ba36a0c6c98ddb78ae952dc94740679cddd11f2e7a33851dd9c368a4c2fd05e707058dbc2e7daa1bda388a3c41c505d4c9f9790049ec866dbb922

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c32ef98341b69b2cae9a014d90629c6a

SHA1
57b9fdb93714c2967f4d3aace9b6749354bc617c

SHA256
458d00fed82e96ea6e7a191cfd4a64bbe95ac6f9cfe14419c526aa131be84a20

SHA512
b5d18e3801c245ff03d15ba912417a17aeb23c5bfef7526371a0e3638f984a3b26577e0c2584f8150bf06e7fb00169c99cbcbeb166e38ada8f076883677740f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
574f9f51cf2d77416b09a7d501ad0f11

SHA1
99a657f2e5119d9ecd9474f1a7c5c8292bb9f730

SHA256
23016965ccec70e9f340495ac2c1a3c298c71564530a92890cc87ec74bba6546

SHA512
080520f52a745976e61ccf10b5d04b8e355189a5a1d81df188f3dcf3c2640638772cc4c09428b34c2e5e3c5a205bf9db9ba78e316911bcbd4c6fd0a338bb9733

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
49c85ba0e10a496f978ba86fcca8988f

SHA1
c5e3cc53f58ed24e2bc2f9585534e1dac8793d4a

SHA256
c8f393ee9c7791cfb40f6ef11f0d3e25838ec9c1d1141620567f41d60b1f6b25

SHA512
9536442b3256ff34c17c3f4f72f6988d911911bd03c2637ad4b1bcb31076613eb6231274e94aba339b8d9dd4c2956b7432a77cb92ee28d228fd91e7bacacf098

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4904f5297ea04c7af62f06026acb01e1

SHA1
1abbfe6cfeae743496c1ca8c8d1433a341df58a5

SHA256
6f88fdd969233c7451c7886bfcc4a12f0bfb0c4b46b878fe7b468b02a566f215

SHA512
4952b9d68807fee3379a917cf40eec43d2607e70785604889a886c327276c37769b9ceeb9ca4b2310f619385591897f239746caac8cc80bff240fe0cfccf1081

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c1fa28f83ef7ac15711c34a3520b91d8

SHA1
03d71d60910d63137884fdadd257c0e995b73d7f

SHA256
17a4118e3c5a6808b522bd413b6f7b1d65a68c3fb16005c5c05484af640e1a2f

SHA512
1522c127fb0f0edb1ff5d0264780aa420abce4226a8f071ebb729db31badf1cc572d2f2d765d47d5d0d7e2d1f807503e48bb498f25820d52aec41385075130a2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
639fd0accd49f71fa3ef31975b469837

SHA1
8dc69a75b86417973d9b8d9a70ea1f0e8ca7ff2a

SHA256
902e64a62650b63369bc3b83d4863c34446f50d739b3c25555798236b8d40ea0

SHA512
155acf9aef1406b12f909b618e279ad4a822275303216845be39ba4a6aa5d6dab3df123f07eee338c42700152dac62002bbe0b9ff81c62a844127cdeb7e32fb6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e52f8983e51620a9022e4b09df8ce66f

SHA1
a79f5ae327db1f5beb0006de2007e5065e0364ae

SHA256
c8ae72232c7c644e770c905fb49f6933d875d6e732625cce60abb16ce6e7c864

SHA512
f768ef9776c465a9db5bfb456ccdf730bb68327355c89368a1bb0139a5827872fc37c9614b0de2d0f093d62439372153f676af917116a774f7337bc1582744e4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
90aa59c534fff80b10c94be713936ce4

SHA1
c708b36a1fc5a617ba76f29471da5a262e26b37a

SHA256
e16acba75deaf728474e5d807948b6a2b176d0ab3a1950ecce5cc1e2653bfb37

SHA512
88a627aba6670a031bf0d65363f4b5ee4bba817fc72d5829c6577294a166b693de264ba34c143c0d4381ca984ed8476204888846c95361b79deb89318fd92627

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bfaaf67471052247d584905171c6351b

SHA1
0456216da6fd9d13f95088e08cc9500adbd558ab

SHA256
e8abfb21d3cc6a974f6f17ede4c1ac41fa0d0b8e531c66f48569ae7e81c93358

SHA512
9fb84fb05259e327308255d89be24600afed09deec64e9abb2ecd6e3c2338885f33f567d906bfb5a0e53d5b7395998ce23bd7a8ad2330c80be4bef7c0e2e9689

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d9bb1e50610d490cb82eb6cd3f87605e

SHA1
0a32d62881423295aba550e2c917630abc557160

SHA256
967654497c8efc5243367d8825f493345fbe3db5b1b6ecdd9ffc86da1bc49b2b

SHA512
7f58f176217cb242cb116d8a770bd44a2a6e639069fcaac377252788ecb3db63dd84b86e9ab00151724a594e8cdb9caf6a2eb3c912097fd0a6f1ecd9b333aed0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f587e88a59050d3631b098834bdaea07

SHA1
6fd7a5b7283c7942fadb60e46b2dbd13bae84736

SHA256
cc983a979eacdaa3b33360d73a53d4869a7e85a360fe71acca1b46780af57f1b

SHA512
7cad49fa959918e8ae4a89955d8f30daa036c9a2a350de6dd945bd07dac26d628d1cd82fa0ae8c5dd69c2a0d13d43bf0cedd3254458b67c3c7ffb6c096a5e128

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
85b6041f7736a0e6ac222c383438525b

SHA1
d7a6259ccd1ceaaad5d79f2139c7f97fc904b507

SHA256
791ae9108844844b067b992f200c42a4021534ed79956f97192df2b614b9d2b0

SHA512
d07db7b73dd198927820ff17b5338a6d1ef0b61c679f9357972dc99b48dfa5563a3c1eaff3c1447b1c9185d9fe21982a44489bc181dff1c6590cd3bbca1bd39a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
051b03638788540dfe11b4060d6cbff8

SHA1
e23db1f2de3892ae390d21e1437d6cbd584137cd

SHA256
034f2cd8d744f5690ece08e8dbe2af4e911c30400e068c2e3505ff3110f5a8d8

SHA512
ca4755e979577db730c564ef3f10acfe7922c2d7be0803c9c833f4e4b6108ddc6d5d9075ac1c6a719f3f3b8b1486eff8a2c58a325c568931cc8b0e0faa179c1b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6f9b8a9adb81809f94c00d6e30f62b5d

SHA1
236002df29528f0c510ca97d65750389f86ba37c

SHA256
5dc1ce1fd33b584205c2e9ddc14a7ec22042c508524b20035e9636bbd71114c5

SHA512
3954e3275996197f557271fc29c0473dbd760a0bbf16e5a9f13862176cdb635d9742ac1abb2e49592804ab2438d35b15cb414600b0979c2d99f9a03bd6b150e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2a1fd2565d0f0ee806380a66d8689610

SHA1
46e486febf4145bc980dbbf728baf273a7fb19ed

SHA256
83f7f48766de02a806c709bd4c9f9bb78728e175ad13317243aa920f88e0b3bd

SHA512
79c7c27d1aa86715375948f7c0c9d2215a1b5f08e6709b678e3e80dc2d5974a8872ebc9d980a42585162d48e30b30c3e683ec175a34b2b7e1cb164b1db657fae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
76aa12af400418708bde5c7febbfea94

SHA1
2d7abd69bfab5534bae76145060859c26bfce19f

SHA256
fa4a2880405612bb729a6adc50ee699d1cc6c23806af76ef9654f4bf156f3e4c

SHA512
10db66e03a69eddf31cef85a1de7e8bc88c69ab63aa64343997ea1c2c64825fed41504365cd1878b4e9014d7108f6a07b29080f63bba453e1a10bb587ede50e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
65ea46819fea721fafd05510650af76a

SHA1
333fffe7e2744b3c1742b546f93dc1d8c1f4ac6b

SHA256
3c613892868be5123dc8c8ec6e256be3fee2a4190d705e5caf64f98ea4a5a449

SHA512
b9ae4c29670af63a9c1187fa47fe38421f9c028ba1bb6dcf2a169b9d4e5ea583fe4194b75b58039a7cc1562add71a604db075c743cf0de81320bab854df23fd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6cea1da29e038b35b1f24af9ecb45482

SHA1
dd55c1cddec91ca51f99183809dd90d18c6268b8

SHA256
ded4c89c5fa0311140fd353bee1bc4e3cd84d5c61e0cb28c133c7028489a3417

SHA512
dffd6eb7cbc8fa18f74c82656392ce2b261c3e5ff6179cd7a3298c24f13bdc046d15f009af5e3646df2accc424e97f199278b6c5be3e89498daaa884b8b34c83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
05ecac930bcc4ee1b833b60fb22c7289

SHA1
7f8e225d1f7ed2400b0be7c4d7175f1da3b3d91c

SHA256
5b19d2b5dedaa62391ca14f80e4c1a589e34b9f630fc43da556b77dbc991af3d

SHA512
ed4347528f6a8fad681dc8de5e23c17d7de5a4364c514f73517bb1397d84e354fa6f39b129cc8f2da6ee7d17cd3b94a9dc84c21835f39b350a4b3fc7bf064bec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e8fe3d26ae49a388e848a04da51bf162

SHA1
37f2f512b6f3a6d0b5f366f8cf56abe42dfd0b1a

SHA256
b7933aadd437cb16e7fd8aea207de9fdf5c2e2e455b27f1c97eb44526c768d53

SHA512
2e7b112bd38872928e7255892a360bfd78360ac0b61b74d9410979f0ae652c7b2677e4ee351d802bbe8ff5050443cdfe6cc2782ad29d5fbf7660ee8795edd844

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b4a9440b6167339f13050261023c1b42

SHA1
548fe2da2379df90e87110feb000b6f02dd21bb3

SHA256
6f70c5dc01c2c9db4b1b8f18aaecb54a3d7495bb3be67c409576dd0de86dddbc

SHA512
e778c66fd57effbbc362e1cf60db67fdcf622bc55516af6be40730e3df680affe18c036ad5ee3d4a8277c0f369e497979c979a1d1ffea1ef053c7d9ae7167cd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d68a53e2df808ee6cfb2bc30c64f115e

SHA1
8a02c171d6a65856dbb8d8552eff6d2173f2bd5e

SHA256
a0fe66f36f1c0e5a1b01acb36a714109212e7558c7f0d9b970f4d907895aa974

SHA512
348bad1109e49b4ae8afb9050d4c8267c4f1ca23ff5d81dde9b458c2492e33e3ca9a3111e4b84baef8ed7bd4eb302b9ee2ba732f5ca806366e9cd7a4fa5510d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
75749e188b00080188e8cc8351e858b5

SHA1
a597e04516783954c9370cebbf4730073290e4a3

SHA256
c967b7670b5e88a0c0ef6b10cb260c11962d247d0191079dece0b77321f0c61e

SHA512
5f1e2128e3217fcca64ac58b8885706f2316b3c9cf2b3189c0d5ebc3e33d1a238e0ff6172e017249f678db633d94110ca2a7dfb8dee3d1236273a8fb698f50c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5610b3f076987a19274247e277272890

SHA1
c9da7250e2eb32e463d09d42cba7768076b22028

SHA256
49b6c3415033be7f0e1b77f4276574cd1167ce1dd2ddc5eaaa275e191796696d

SHA512
e8eaf48c1348376a8cd31444196efc842ed46f1e7f9ff2d02e2e9d4102a0f05d218faf628c5a4bd323e0ba370a7fa36695911ec0436753e66aa150bd3525726f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b79e113a78e2d2ccb17172f324cd99c2

SHA1
46377657522d60a54965087a7d3d8e4550f5a494

SHA256
d0cc0f5f94859349f91402cdcbf7c1804fa69b15db2ab6d3a85511c6cb85703b

SHA512
f93b2b213b35b82d21bb21fd0264a0a8a9ce1116ec76a34331ddbb3689ba77f7c5a803a7d49da99f6cc8eb8277b59e9ee4fafc8cc7fb3f8f79ffc392cd6d122c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
5e2b5a1c107216f91114b73fb2d01ba2

SHA1
05732bd3f60d50b6d23ee2e42c619e5fde9ca789

SHA256
bc8a96700b221a1af005064bac7b133f53952cda41ed1f46999751239197d7fe

SHA512
06aa0f21807aefd322110fb4031ab8cfafdb586acd001358811a8887e0eb4b485feea2cfda734b26c9a2b76dfa9030a60af1acf57d480978e84beaeb3fe56fa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
90046cd13a7efe573b7becb39714ec7c

SHA1
b646d7c10332ec49d9d5c88a0fee9643d38fe37c

SHA256
b44a963cd5a530a29ca90119ab6c745f46be9175348d39aa1267337e3af11cb3

SHA512
b69a82f0b5a7762eae44df43c84a12e153e274d71335e7fab45bb36d265fea1f5c9b3fc55e94051f9d4582e033a0eead879523db32119fdfede1aeb7e767fc4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e9f67c08bcbc825716f9553726eeb785

SHA1
fb249947e569eb36c4441c465d23279200026338

SHA256
78a179c19e5f5f20623c8bb6722c57ea63c00a3a0f8600fc7ab896751fe0f795

SHA512
cdba1f850277931890c3893c799b63b1a0ea915d3ff976b472183ba29f66942d5586f09c92220a3f6e23e5c4461d1b5c1205a26f06504c7f088b36fdfcb386f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5c6e1767c4b4a48aade532fbc95f07df

SHA1
4e3b8b013d04d3abd5a1c8c61dd0689ae9ed8bfe

SHA256
60da0d34ea76d091711754ce6451c7079031914cfa5c04915e9106cdb2e03397

SHA512
839e1cb396f120e5ccb06f32465125018627f5954dbc907c62c9b6f1426933a3704d73eaf761b7a203e300124d40fdf1400d2d6c482038bea67993b3472468a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f351402a0142142235c9d00e7396288b

SHA1
a0919b60721e33b1fd4ff50301b5ef852ef51adf

SHA256
d3a95694e58a20c4a88aae3b3c956b2c738084c705e3d636e1d5c0703b0e9d99

SHA512
1a3a24aff131319f8e3bdae60ebc80ed23fd4408bb31ff8a4fe31ca0b60e885fa4639afd935ad5a5679d0d1905935c4c3c81c26cd3625781e3e28ca9d90dd0ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
2b6d5c7d86b6adc668cb7ebba2b0e9f0

SHA1
1c04630478a391a1f96230880dfbb8096ede636c

SHA256
b1922de40914a67413c25f8b89ba474246fbb83f473a413b74fcdf98a5311c5f

SHA512
ac9aa08031348c894eb1e8e5ccb9a3bf59376a7cd24c4a12a3a86ccf14c2062d99a1178d83adbb5b12a9d24928dee98afeac1f3940dc8d87e960e4e106304c32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
c1fe7b74d34291c85979a10f08587ff9

SHA1
a64ff055f574cc7f9f7b174148129a4e7484ea39

SHA256
d44e5216f54e4d533e5271869031196251b70f5e67fe112792fe586de9ebe54c

SHA512
53b9326029d0ece0e5210181a0c76b9fc85af5a5fe7e5d766af718d017b4be7d7bdbb1f0bbacc45aa96f60ad7d8c28d18006d4b3f3ad8f156539f4c22d8e650d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
2abbae5aba01f82dea8e8a123c4a6bc1

SHA1
a4cf654117f46a041962452a7f96dead70b17890

SHA256
8647b8f0c9c0ba6ea5b815173417d6fa15e21701c0f310e1ffb16911e827c59c

SHA512
d1d205c3dbc0a1c40d2a5e3f3446041ee23042d7b896ca75ee023087c6427cae85d24484ee0b441fa5eba8928fd8287351fe2b8f0ccf8c83e76e223cb6a948a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
8dae6fc14d39e720355217bf7ac70aba

SHA1
7ae99564edc399f4a980887f8b3abe406618afa4

SHA256
e1d47eadd9607e905353ff25f46c53b7ed0c030a5d18f9757a13345c5b7e8d0c

SHA512
d2585ede68c126a5e38b17ab3ed45733827dbb5587445311fd1f8f813193296e52349bd0be3c9120105d69f71720df711d74c699a9c798cdb8ca8fb6e3c08e74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
7dc143563cb89e37c2fefbf2940cb11f

SHA1
caf6938d11aa668d26d7eb1a96d671df323c75ce

SHA256
99c9775e1fb82fab004b567470e3b610e1e94eed10ef2ff834b271c4adb790e2

SHA512
4d5eff803faff6e4a203928f05d027b87e349ca06208dff9bf4f25d2ddd0c3fa59a0f7d636d38bb14334302b8277f5096bcd0cc634184f6ceba08b98a7143502

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
795e50f4663aa5ca3641c76092da65f1

SHA1
632e2edde62ea9802d9a4069bf998a5738b87f65

SHA256
651f7b3f1ad5d89e11c918a4ceda6bf59f2fdc119c26324590477e03e7c63bec

SHA512
52f680837fc20e2a1225881970c81eab024c6ee2f57ec4e7c6114d26fae7394ccc138372197ebfb5237219f272c6a44ac93aebe3efea74ebc813673caae2f00f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
09cab8c246716f07b97c7b1e708616db

SHA1
6c0e58b3bd79afd3c32ffa0cc8faa28deb6d1ebb

SHA256
2d317e57ddb01c404c505c960435a01aca58b2aa5d4cd5fc95d765c6078eba35

SHA512
7ea655099a5757b49fb4a13f883fa40553e3cf83c7379bd5130b545f2d0e3d7e36dba025a0153afaf4452267dbe694293f428735dd3b2e0253f0aeb6a2767c6e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a63b53dcf11a16ef54f2714df46cad5f

SHA1
b672994a47daf0e4656fe9db39627b7754b1ebdf

SHA256
2a30b3efe42c1568cb29ea1ad1dae52f0f3b7dd78ee2c98294c99b5fe5c95d52

SHA512
4b164f22ee321ee4b756e654495b7933b57a78ca1b67697a079c14c0dec2d9f00491df62f667680f25b2e8594f268cddaf09ca62c20fc282ad27f05777dfe599

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8487d61b3e36170eabe4fe27895662d7

SHA1
1aa057ddfed03f593adedbb66f98db80eb928355

SHA256
5ff101d428781838e06730e0362d2dde6e59ba62b5db5031d9a8f76de0a83b41

SHA512
636708ed4cc387b598591831675a7fdbb6813947e82c310fe74ffddf4aa138dfefd97f85710778eb6071a675674aecb8e6bc7759436063780d51b50b9c139556

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ee83db4376a56aa76537bc45dda79890

SHA1
4f4ccd524b7f425fa7dd54143a17c80b7b0646e3

SHA256
5802c0447213485fe08b607711ada216c4f814aa214553ffea1f10cd5efc335c

SHA512
7630982e2683d5681189226e139d8d61a01ec628b1b69d563ed39e9d34149a0a0f8fd21a4b2ef07ffc853ab14253ac3d8c159266a1e1e83600fca62be00cb414

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3eadc1b9ccd358aa5a24f8a1d4546999

SHA1
51dc1219f5fdd2d7bab5b0ef08f676ba3cb76c78

SHA256
bbe774163ed2bb04685c070fadb56abd77a8c178f22b8b95740007b9ac280517

SHA512
d23986992df99bb939ef30b7dbc1d344c0afd4ad53a6b2c57a387ee4e72280cacd9070f0408c39eb8800b97880fe5de0ccfa5b1f336155e6d905fb7e1199f4b7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ad83e5be44e748dc9c8a16f92f079132

SHA1
147188e3b2a17e9d4380d685fb8e66ec065e828e

SHA256
3ba32bd8595b2038d81393ac563c622ae6d796cbc0193114e0a174002e71751a

SHA512
346359afc1838aca9b20bcbd05fc87bc6e1c5c448dd77c11181e8ef41e26475728d8e33a9d3cb30e3662fb74ce4c335d6aea444d097d81a572a3e1335b1a627e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
073d395986085b494ebc4547d354282e

SHA1
ccfea73ffd7bb5ce59c93fbd80050ec5553ad5e8

SHA256
c8218481d0f1478f25a30ea9bdcbd6b722c1332302f8a6b4bd8c065308d60f7f

SHA512
efc1531b02cea9ad3a071ead9a7348f1bd18e49c93c02f6664837e755e54a5092de3fdd4122fc93a6b6f2b8f88c988343283a63bfb1056d96afe444330b6b46f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
af2107e7f5a0aff7f35905f0f3f64398

SHA1
d38e9580c7767880495ecd8bc67f93604a0eba35

SHA256
da15a40f8b3ea593a8034d45f766f2da0c8cd1aac1cb9d7214525cd1d5d90546

SHA512
b1a95504b04cef8a114031084c5ada3e128ffa0b74e810867f1189dfe60c6cd98125cede742e120e2d990809100dd6b3eea621f4b065334199e2c94e330979e8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
34a2d29f7a13abce41bb0408bec7089e

SHA1
50c2450b2e9d37b69f673e932dc60c0cd7c1c1e8

SHA256
df39289dc694a1a6dc431a72591d51aad7b074548d1ea30c8c75f113668fe5f4

SHA512
d19afede3b57438b372c5d35ee1ea09b09e0bb2a7f34d597da712ca1a1b590d817cbdd156c4ba0bd7e1747c2666d6434277b95f64b49c5eedf7de0a03ff6468c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
45f7d5cebfedcd97eef541389eab5804

SHA1
09274d33ddceb8ef666f53954ea7ce09d6067cb6

SHA256
789270598ce0d87788db029fdeea0a04cdd325e4e71b6e9e187f5d5e3baafdea

SHA512
a2232ba91e52ccc48768ea580cce342842cf36b1b86b2ff9a3bf1e3aee69d18a3815320a800446e39e459a985de50c49f7e4a5d2ec315c2532b7347bb44c2d1c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
27c291fadc1a759949e9bd8595da6e32

SHA1
73fcbb3f5078f2356601c8d881a662e5d5d85345

SHA256
5d70d447e8bc3bb8803dde534a4a90865fdf3cbab0ae6b52f4f1ba6bcd68d7e5

SHA512
cb6f1a60d65f63b3ce97db6a255fb51e1f8bf8516ab6d3393879b983c8d03bb5ad078ffb296145c1c491829bcea03c8edaa9ccc455f7971307ef2ed258f64759

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f70808172b896bac32c10e09f4ece99b

SHA1
36cc30e526c717908ae0d6983f94c2c2a807ef9a

SHA256
62e10f7551f938eee817dd7fc7a561da39d50048bfb85374ad18f5d34692a502

SHA512
7eef3842d1ade9dc6568708acce1c75a88f5b10a02cde60b70987f4bf35fb696c1cbbb34e7656042fc7be2674680a88f57c24e6a25a7741963890b55292919bb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f2ca4d9cae9fe2a9912784616b272ff9

SHA1
05b3103b3500aff63d40eabdde5334e72d9bf79e

SHA256
06a34c328a12f64479add8435d86be898e027cf1eaef6d030bcf46e9e6b8f428

SHA512
c0a8ca5dc5b4524638f97c92426cd8843a643be4b1ad4eaaa6fb31a6bb2b46aa3351a3895a1465f6221ca8b2ce7916040c0634e40f7afb90a45bf5262894f49a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e86e1c4c27c27f56df69e570ff5e7a42

SHA1
540d600decaf64f08fb6bbf13c44b61d2792e9b0

SHA256
c59480e27517a198fa7d2778c541403d568dd6c1b9c8d5aafdb9349047d9e82a

SHA512
11b3320b4fd27e3edd65597f313908d7a69badb138793e083784b22bc3c9d5b7597f1eb178affbf33220296cb47d44cffa0555eed45ae7bd6f3733d4a3d8cda8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
36bc5ab1696a83848b2eb9e0b1add882

SHA1
ad7d6bd45a7985591b4cdecae6e6924248a94a59

SHA256
41cff269ef1ab40955a096d491ac836ba2232421c7e16ab1d75320d9d66e30b2

SHA512
8e5dca165af6ea72a29234e93e7917b1f0c18e416b8e70b74f6af1785827336692c2fb473ae624af2fef937f7c4e8598f182f89afa9b1463756d11c17f3946ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
df3ab7b71c37fc5f56386f94cf6a9fc0

SHA1
6a1367787f92eb34a625daa0ea9e17cb47bd34e6

SHA256
b3d07113291909a8f45d9202b38998f233b66a7c04f017974eae22cf42e664b8

SHA512
c680daffe430297f6f821a3a1a5148a80082caf96c07b45624cd81417032eb4e57a73aee74a764fdbc1bcad7bbe55ab504514e8a54e1a820c3123320650f15da

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6f15766555e8578380342f7c62f87660

SHA1
5f867ce6485129aa3759efc3f1f468af248c9e57

SHA256
ed4e53526d8679abf2da1b221065612ae2e06c07d049b7b7e22770c159e62b39

SHA512
73be1b5591b5434c124d4fa17ef1391360065621616f7d7063623a45cdac7e9086ad338ed3ef6bac4dcfa9f3adb4be07a19fc0b6926f42c15d36a230e9f86987

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5649ccfc8ad7adf418fa90469903f854

SHA1
9bbb086352a020ccd4681e23733d3d5afaccbff2

SHA256
e9f1e48f5aab86499aca9f8d8e143b688adf2697bc96fee5b48cee3232b56dc0

SHA512
26bf1015c1ecbd377c7f922afbce7b5b2064bc4450188621317fc3ba6ae801eb1c461fc1817c62c794ae82aa24590d375ebe139f19ea90135c5fcf265888ab52

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e6a30e30811600359d359caaf396912e

SHA1
8e32d43001d154e2b6820a94f825025200bbe317

SHA256
7a3ca59164a89dfa94311ac4f80ee22396555d638d7c25b35ab6600c3505c19a

SHA512
79dab829a554007c0e4d970c31b594545ddaa85d3360151f216aaeae34ec575279d4d6f91cbf75ce7062cfff635b0b48473be2e051232e7ffac3d4a50be0afac

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
05570980780053a840fe9ab757b81110

SHA1
dacc1ac731480c3fb83695d9d6101e7482b9a83e

SHA256
7e5bb343524fdfc32a0a0abaabd53a09d97ca601cfefc163f4cfb042a0e85621

SHA512
914c7cb966c40cb02e563afad1f7069d439694ca1dabb059cd2d8b0c9fd463548bc252b2e08b3cc2ce1c6fa68839dd6d92ec9b3fe2033cbcd347deb843528bb7

Download Submit
memory/1072-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1072-633-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1692-643-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1692-419-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1884-250-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1884-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1884-356-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1884-244-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1976-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1976-256-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1976-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2340-567-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2340-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2356-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2356-28-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2356-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2356-37-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2716-642-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2716-407-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3260-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3260-632-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3280-51-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3280-59-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3280-63-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3280-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3280-60-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3444-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3444-641-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3504-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3504-68-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3504-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3504-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3608-406-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3608-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3700-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3700-636-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3700-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3820-418-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3820-299-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3876-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3876-382-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4008-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4008-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4008-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4008-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4064-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4064-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4064-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4064-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4128-357-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4128-637-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4180-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4180-640-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4192-23-0x0000000180000000-0x0000000180228000-memory.dmp

Filesize
2.2MB

Download
memory/4192-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4192-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4192-0-0x0000000180000000-0x0000000180228000-memory.dmp

Filesize
2.2MB

Download
memory/4192-1-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4472-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4472-644-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4940-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4940-394-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5048-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5048-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download