77198028aa9ae20904882c4ded43d5efe7588a8f5f1a90a83cd0e8af41e9a802

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77198028aa9ae20904882c4ded43d5efe7588a8f5f1a90a83cd0e8af41e9a802N.exe
Size

1.3MB
MD5

11630c91bda711d69c0b1c80527d58c0
SHA1

9c599ff3114b84640276eaf25d1d321baec46c47
SHA256

77198028aa9ae20904882c4ded43d5efe7588a8f5f1a90a83cd0e8af41e9a802
SHA512

203e5aa9a2626e31c08bb151374ad5c2221eab381c73a967cb7a2f9010689de4d130ebf1da37ce36d992c664c64f6c8e1565628303233399284b98e25be9329c
SSDEEP

24576:ONiCgn16ZTlhtctmeP2kdk+V8q3vi0m+dn5hkoOWuXJE:ONcnUZphtcgePN++pPkx5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4276	alg.exe
3704	elevation_service.exe
3640	elevation_service.exe
1636	maintenanceservice.exe
5096	OSE.EXE
232	DiagnosticsHub.StandardCollector.Service.exe
864	fxssvc.exe
3388	msdtc.exe
1656	PerceptionSimulationService.exe
4852	perfhost.exe
4040	locator.exe
3188	SensorDataService.exe
4932	snmptrap.exe
1224	spectrum.exe
456	ssh-agent.exe
2968	TieringEngineService.exe
760	AgentService.exe
3776	vds.exe
3544	vssvc.exe
3948	wbengine.exe
3076	WmiApSrv.exe
4168	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	77198028aa9ae20904882c4ded43d5efe7588a8f5f1a90a83cd0e8af41e9a802N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9cf083a4e5a029dd.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000510ff053b63adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ed1e650b63adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e76ef51b63adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df5c5852b63adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077d60853b63adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df570f51b63adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002696051b63adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef78b151b63adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0870252b63adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3704	elevation_service.exe
3704	elevation_service.exe
3704	elevation_service.exe
3704	elevation_service.exe
3704	elevation_service.exe
3704	elevation_service.exe
3704	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5068	77198028aa9ae20904882c4ded43d5efe7588a8f5f1a90a83cd0e8af41e9a802N.exe
Token: SeDebugPrivilege	4276	alg.exe
Token: SeDebugPrivilege	4276	alg.exe
Token: SeDebugPrivilege	4276	alg.exe
Token: SeTakeOwnershipPrivilege	3704	elevation_service.exe
Token: SeAuditPrivilege	864	fxssvc.exe
Token: SeRestorePrivilege	2968	TieringEngineService.exe
Token: SeManageVolumePrivilege	2968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	760	AgentService.exe
Token: SeBackupPrivilege	3544	vssvc.exe
Token: SeRestorePrivilege	3544	vssvc.exe
Token: SeAuditPrivilege	3544	vssvc.exe
Token: SeBackupPrivilege	3948	wbengine.exe
Token: SeRestorePrivilege	3948	wbengine.exe
Token: SeSecurityPrivilege	3948	wbengine.exe
Token: 33	4168	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeDebugPrivilege	3704	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 2936	4168	SearchIndexer.exe	121
PID 4168 wrote to memory of 2936	4168	SearchIndexer.exe	121
PID 4168 wrote to memory of 4820	4168	SearchIndexer.exe	122
PID 4168 wrote to memory of 4820	4168	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\77198028aa9ae20904882c4ded43d5efe7588a8f5f1a90a83cd0e8af41e9a802N.exe
"C:\Users\Admin\AppData\Local\Temp\77198028aa9ae20904882c4ded43d5efe7588a8f5f1a90a83cd0e8af41e9a802N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3640

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3188

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1224

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4108

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2936
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3212845a67fb0449a139c45b486614c2

SHA1
18ca9e537752d5170cdb19ccc0ff9ba66e44c394

SHA256
972fb6211c5887ca854c8063f4ae5fa0775e6176260f7b76aa4d0d7e3d98ad94

SHA512
5f8326eff03bb7175a4cbd9245a72a4cda2e143848705b0f74459fc21856c4b4804a98381e56ecca4844e0b526cfc404209c4a9ca48e8f393a055ee66faee195

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
196980e80a3bff0e41cb104e551a48a3

SHA1
858d8a1be45a24a2dbb4b13247b3f876c5120f21

SHA256
2a827812169be133d7093bb104e3caed308422173676414fcb6e3169c9c8e832

SHA512
7e8252903898149684d3563349a38e405c4d7e3c2bdaad9a813d86b79fadc2231a4e3f7eb242e5c0b3bdb4dc70f3e04cdcd0be296d8072bea9943f0e8e7dfdbc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
af732b90878b9f4c47ae58f9b1358626

SHA1
1ade91eab964466ab06b21a3e9d84aaee85879db

SHA256
4d3680c09e69d2117ba1279fb07b6ed11a49a4cf038f452d12160ea01567dc41

SHA512
10d02913b9fa63711145f1a271d3a2fafb4a0f3e769d899af50a8a44f85e70e36919fb687ebb99ff13b79bd645e6ceeb11f7bb85284e4fcc4d98e936e800e23b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b9d141b9edc40825e007accf1c7aed5a

SHA1
d41f02bc6653552d09b0b98df62de54d763a94c0

SHA256
5ae34a65b406512a595a563defa4e66374d4060d0d2177aa1f2bee91248d0673

SHA512
61af1b5b7ad614714d60d3c3de839d64c4299247ec36f6035d1d7f6edbb2df9b4da33bd2418301af0a3581a04289cad7d738d5172b8cb0ae379097d19fdf55b8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
45f66cd13ea43cb1764aa3d4929c04e6

SHA1
59d1c0c023f1589be7b7ad94d3cde0a52a820859

SHA256
6c0764a98c660f1ff51c7986e71b976ddadda3bc9c9ee85d5ac0cc837b3477e8

SHA512
f43ab168945e8943e0186c11c1f8a977dac2dee4b807a6c5523221bba72d479ccddc9f07f4bccc5d263c40a59bf60af227bc7a48681b5c8324e81e7f9a2fda77

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
dd5c371bf5583cc37e3cdcbe42663962

SHA1
abcdd820ea9c5ac6de0dde09bbcc790d068f9885

SHA256
cce1c4d40244937dd8f76e6e389300faacdba3372d274ec72bf94d9095378a96

SHA512
2cf0d30fe2510bb35fc85fd0edafb2a3fd1809891a25a8bb4d74a34de1b789b107213528b0345e220877ff58e509bdc8d5d5619da28a0fe53e72b2be9ccd5c5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
48fbca78d15d46bc23b08de227571da1

SHA1
db4d88614ce804614d040424bcd528a7c5feed82

SHA256
b12e519946732a04fb18c2f0e6f932a6c438deccc50f2576293b2738832cc711

SHA512
cf4b65d6d2e75f7b9d3f7facc9d618037557306176b94a7571ca41b504db74171b08dc1c53009e54fc8193ac46c4f461f157d5e2af2e5b8a2f435a5642513a2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1afa5d4b5177ce6cda27d246a85718b7

SHA1
70c690123fd19827a88afe70b427298765eb6555

SHA256
a54929711c7d71e4d9db18cd5594267ff503ae3893bcdcc471ab97ff6636271e

SHA512
3dad97638106a401e82000db4bc9bf7bcf52766df8e3c7fb3fce300195e5332e66330aebb26fecb0e1287415092856610acd73b575e38804613df74459ba554d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
263037d7eaefdc9a87a3ca705f181bef

SHA1
06b358711897f051073fe69705a44a53622c8bf8

SHA256
f6869a6586763eb4513a7a8af1098e1c3f14b807d738728a780f2d252973ef00

SHA512
e51636048131d7ba02a714c1f431107388219fcea0653a792cbd2caa81be0e4118b902d34ff572fca7f8b276c3fc01f16a648f14f31dfbfdd7a8e9cd64afa71d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a384c6f2d543181dde2986d1e6bced04

SHA1
04a39b89e3cfd4257952752cbe0c11059aa5ce65

SHA256
344bf1c865672da925a5221a8d0366a3e7aca41a08951f3c1ec67ebf8e37cb92

SHA512
e6210fc39a7f2df8695fbc899a96f4f0cbea6ab1bf3396b2b6777f283359c46bb94b2dcc0433e4b5e6728bbea3379ac941e22883177b1bb3384a73af38e137f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3a7ff2f6e1a7e958a76128431faaf0d5

SHA1
d9938b05121067121aa5203be0392c1bf4839c0c

SHA256
3fe5e0ac64cceb23cdd5e997c2859c8846aa9a8142232af49601c9ea2872dceb

SHA512
520e4df894d1030e6ea58aa39d2f346dbf88a2c54e47ab46b28b6422500d661698238a95057a0dc20872e382143ddc7c6dbff3950019f66df4b4223e72e3af28

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7bca2bba834911bd7a368e6d2f64790b

SHA1
ca083c9995acd33d8b97314b86c8614f6cd54ff9

SHA256
b22db5fdaa06ee4a71be00a142654c58a32f6bc02f85e3108226fac4020ea95c

SHA512
2e7364b0ddd409509575860a507a10cd5b1b8f4281377e773c0e52ff31b5d04679e5a17024d98c38876363b2dbea6561b9472faa570bfefcd1d57da635561aa8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
00702250acb5bc5e801b969376bb2b35

SHA1
7eb7cb4539dc78c003049037fd90a39e0ccd380e

SHA256
357205f14154831051b19dfd2aae3e96e8e9e93035af69b289f9c6fa54ee2906

SHA512
52cfc2bda57647c9454abcc2779a88c83f41f72f9ea2e192890d1705dc8fc5699dacc3ff03e94b31394f50623c450d4aa18b63679990e2bc4aa93950678b6daa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
7c1cbbfe7aedb9c1eeee4ed0633de45e

SHA1
d041f1d86c4452e00d1c2f32ea28008a253096f7

SHA256
0118d8670dc2d70eba4301d81213455aa8777fa32a0d00e246b92f6df8e1829e

SHA512
fdbe179c0d3cfc81249765c4a4d782310402a30eb30a5d42d8f9f67b05b9ac2d77958f2e56a7adbc1b6ca44d8f0e882967f617607b6f4c6117b810b9862547ba

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
acd23ad536aa05efca2207a1db9a608c

SHA1
5ce84157300521a9a95b64ff9119cfbb485ee80a

SHA256
5085d6b259c793a8c0847a687ad252e6c3e04c779f25ed5e187fe87663ced2d2

SHA512
31369d997be8d8e6dbe2e700d18a56f070a7456254617f051939b05bd96785e48254584a09c10e25533ba7e310e5495c5df094a4f1ae20c9d781b30a0bec3233

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
45e867b25b71f09b286e7ca8bc5b70b5

SHA1
bc5031797dac9dc3c8e56b58e1b8cb93c3649179

SHA256
50cd0817f35578bdee93fd308a05db16e7a5efed1e3973b767929c71e96d2daa

SHA512
d1a52612f65f63ddd222f5f6fda301ac8e837c0e90153b827cf180c87af750cf735f3638073990c9d37c99dfb8797fd59972068508ed70bc6345b58de989277a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
771422245f7ecf6bf9c36ad042f00db4

SHA1
42b179c28f53d24441d40cc4fcd0eb746af4bfe2

SHA256
289b161db2dca142e30e5cc7875ce1f6a0a549ce677ff65d1ab55d0e83488ceb

SHA512
b5e76bc021f33df033d6e621a0270c60ccdacdc021fe4049d57846a5ae943b167edf1a713ddfb94be8cf85e8c9f1e66bfe3269c4eb85a1d1a0bd09c6b2c33fe8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
04c60fbeada5e53bb6720b96500252ee

SHA1
ea41e37fbff9b4f2cf01ca4e313c64f3f55be928

SHA256
f9ca60a4b834962aac1d7299f30269a78948de2a0b7990408148065e2419b868

SHA512
da6c526cfde3983a0673783e37a6731e21d9005150aa793a43de6edd60a4479887614f4cfd6bfaf2071db270d32faf3c0230923ea8bd2b0a8226bbbab28c8747

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
cb6262d75f39f3ce6db780ccfcc96664

SHA1
ec42176b43692a407d20973b383a16f80491aa34

SHA256
00274a573eaaab8970b15e6ec4a4ebf5660748088bf9011351d9dd7893cbea88

SHA512
e9e35256175ee61a253e040a4bb3ada0e2f27c2c8237dbc304ddbfe374db11f9e0d85fcadf241a3c3a15ffd43fb5e179e10e22260e5a25c07abb3bcc9f56f18b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4cfb2eb2e49b81805655fa716b0060f0

SHA1
dd608235f4f08fe070c422fa7f8777291e0f6649

SHA256
f0efe15dc177f605b7f53857b3ac4b9989bd2b0b5ec7436f4476083da4efc2e5

SHA512
a9eb920df9efe4e6e1b861896c99df6cb559b0f527b608bb23c8e0ce08954e31af8bf05fbdea870a9ee41ab078a2c4ce0d79a4826f09afd8ae8b5076c3aa595e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b58cec16805b939bfc5ec4357220c566

SHA1
76c85fb264ae8ee681e003c2485266d9f40ab31b

SHA256
76961b0283d96b3ea57c0b502087207f1a58bf9f015b2a263baff1cf2ce79971

SHA512
94b80f6130e9167601a5587a0dbadb9c86a814dcf3e36916d7eadcabcc17e584e3ac84a1f3046ff1388d9038fbcd65a83a33eb7a573e7ee874f420a5a9b656e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9087fe0c01d35b5e7031df37ea34d26a

SHA1
a4a87476142d6e3362c449b23071d726a0b75f35

SHA256
bcba41cec190833fe88d3e7515a64a1086e3c1590c3b11e1907a877907e4ff89

SHA512
c6972e50335a01eb2d8d13355752e9dc4a1e76190d2de3871fe0b3a3ca63a203c64d4ab88fd5f1beeb89e542be0d61b3c0a9fa6cb286a17403d1a5561fd9ecaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
67e75e40a76b48c0ea6cf0a6bd3a4ccb

SHA1
02bf24f0d759d916dd555ac45c5257ec1faa8344

SHA256
d5fbd77ccad788f90494950a5a91a79ffd3f43d93a80e91f922ad5d432aade15

SHA512
c03a7e9a7a8e924842aa0c4ebd9ac10147de16825a1a5a9bef844627925728be513c338e73746d2d68818fd4f43325533d6b44cb0380b52ac502ba262f0d623f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
857bd8b02d6ac356a488e2c94ded5708

SHA1
a1a50603e3ea0127e8865ad31e78df53db7d828d

SHA256
4f45893ef008080c1bcf947e30a8f90fb217a7c285f0183aef235cbbf3f372c6

SHA512
fd9c974eacdfaa77396a58730d8780869aa60a051a25c15ebee61e906c544a4690a0dd90a9141abfcd37153dee0414b0467b049d49e0b188a35d4eebbd4893f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
bb08b51cc99447b4385c85edd52d931e

SHA1
fa2e018d8844d609fb3e1eaee32d959648436362

SHA256
d469ad5b5688f2d70df9773006cdb7271f9197fde33ee310234b440dd125b267

SHA512
95dfad5d3219d77902d68d1838ea987faab4a1c22782c873dd42d3d8f55e6bb8e41dda182869164dc012e06491547edfe6f9a7614101dcec7c2976f273c885a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
389215ec4a64553039a3647d7ca498c6

SHA1
fc894f9400afd0b1e38b1256fbd4735392c547dc

SHA256
f51769745d31b75b016740d19e7a095ef668d4497c42566fb397497303131789

SHA512
6dcf0444e97283261369c69b64189c78f6008fa8a7893691290ccb8c0be011aa2abc2daa83bdd6447583ca26984f5679f2eaa1bb6c93e17842b39668ba8413b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3a5955ab92e871e964e6f06059fe8561

SHA1
bd1e9ee2dae96765b0605e679983439793eaca8c

SHA256
d234d77c1946f8490f18e2034138f7342207aebd1552fb2d02905ffeed32b861

SHA512
753632ff60189c0fd975f2c64f63e112e226ccfc324b364a3e8441ddd6b453f8e37899254c73c521865566be8ffc288524bf6334ab34caaa83de21d852de9cc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
a91fdec0df9badb939b0d0ec46a3a0b1

SHA1
c7ba06096dc5df5c31290b8c3a56826aa0538bba

SHA256
d7c896d9cba934822661ad5ed36dc5626684822bf502e8662b53161010a1f793

SHA512
2c40b2ea1a1cd47c8b90e82df576d38a316b0f839e89040ba96e550d27969848367cadc6b501f2d513ecd2c9ebce8182798e5be11862d6d1a34623e7accb031b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b997b48bcf49c2d9183b1e0cffe7a2cf

SHA1
4a7c26cf3f7d2c7e6bf5b508e1ac0513a5a21125

SHA256
6e249b0d373d96d0fa9f6e8068c215f1b8b7453781c3b93aa4e3319f149b32e4

SHA512
3112c8a89ecc3cd24b4ef3497c8cfb40356520260da704173c98c4043685a0f64a442619991ecb8f123c46c83985d862a14952a97c7ba0a9648cf39656426071

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d7ebbd300d8c99692de1021c87f21b2e

SHA1
94027957ec915d228ea1784762d4f58f64e2e534

SHA256
3464fd67b06c069be7c1e6e1602268125f32fa7ec2a4d885ed4f9c28d73542f7

SHA512
7a72c0fdd4e546d43d1751b8092d091080abc4cb8767f7bf3e01e731b85f780382b6684c3c3db4df68955640987749aff270526eba8388f7c61ae302b453c155

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ae5d818141748cd9d736800e236ed288

SHA1
f487dc16b4ed88acbfdb22661d92a7d9d0c246fb

SHA256
015e6e6e0a76d0b59b6f9dfd8884c0f0e2c455c2ec37c5d84d0c676a55387802

SHA512
d42501b287d53b31625834bbe3e9b1036943f202f4dff1f1e6e8ef45d4129063ee02c62c6c98d9b9352dcd258e49e88e34dbc83bef1cbe88bfa1fcf8745495b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
f16deca3508de253d19074bed3817bd1

SHA1
a292981fddf3a09c8265ec7ea4b83f6a6313ecff

SHA256
9840cad89e28e1a608dee7ee6c8bf8d0d7b591de9f837b790f96e4beefd3669a

SHA512
d248d3f0f9f697e6f077f0d724f7ac55310c79649768c7bfb5fa46e745ccf34da8c8ae05630d45ba845da295ae05571f30fd8063b82aa87c9242ca7f68acd7c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
88ceb1a975212d13d84c7a01957074f9

SHA1
2287193323240d0d404495953f9ff9255d12da39

SHA256
094858bcbad1f1ff3bf53cdc7a490fcbe2d78cfb79995f82803b05fb30fcfc5d

SHA512
8cb226d17b27ddb35f6026653f3cf4a6b90cfb8122938e3b0046b6eee387ed691291ec919dbecfab42f185ad9387a1b958f73e13ed2d822bae4f90c25e4517d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
60574acaeb07085a15e5b7cf052b5d41

SHA1
5c34bffc59b825a9092837dd30baf05eb75b8ce3

SHA256
f86e042e2f2a8059b605abd6f5511e1df4c10b5109794916efccc62d0350e754

SHA512
322303ed0174f24e82cb1738d6e55be38f4390d0dad3e0ff24260507183dccbef171484e057c295b4055d7b3d2145b3afd423642c12b9bf8ca05b9ddea26b90a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
457a45819f8a6e94a396eb8621acc9f2

SHA1
5384b4385017ca88d720c0b400fd9e9a923ab795

SHA256
08fc7d44c76662be6c80e5b8a0c7a8005cad2e155c34d15f2d8f07a6593d4ca8

SHA512
68fe01961b57a5de1e05d30dbad00eafdd1a619d4bac76c467a44b383e23586a6255e382578371f5718b010bcc6977b84da00c035f742a050cb6ac611a482391

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
687d27bda89242bcd616ea62653ff671

SHA1
402b82873813fedb6686333b44a440c17cd92ce2

SHA256
b8f0239f3959f1e8d073cc9f25e3196c1d3ef75a5fd70869b3862ec3a795be3e

SHA512
3d81024ebf7bc9c39f0a98886871254436673a054c2f9e50797e448ce6790126becc7088d9509aede79b7aa79ba4516e87ed564de66a9269c74e2c05ed729f5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
36c3a59922c86a249de3434ab0318a30

SHA1
750bedf197f5acef134db1a5aa26b0c59fe9f20e

SHA256
6161bd6ed9169e007ab336744c91d9bba34c5ffa67f97b30047642f466aa0b39

SHA512
97db5c9da387d53c0728001adb5ddf323971ff32cd57b758e3dbc5ff6bb22471a9bff180e9edd17d3ec1b788deb9e99cb591f17b7d7a9e5dc1782faae7857254

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
d96f9ff5a8763bdfaf405dfc0184db26

SHA1
a82d83183eb31091a95e20cd22a707482ff59482

SHA256
2e7caf1adf1cddde27805a8480f2ca8fea38e05262ae36ef9a11cbd6d1f8fd60

SHA512
866d56e5bdf2e18628d1383ea88f5d1ce3380d41220cf5b8f2018bbb7d64ede421d38c7eabc55c2bf8558f9b34d82329a26ea508a22131907c9133561e38cc7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
b929999a6bf176e6d997306326f8614a

SHA1
93ee01325d9259584d78f5ac1b7bea768778b5ca

SHA256
c352a6268eedd074ac5863585cd870a31084d15e1529411f96cf4759d15b7023

SHA512
1390f0284205c06b870c155e8bf0af15cc716b9f7c02883fa5b893a95db73b14a225d85856728f7e4cce28904c21519c5e04adaa0faa5a7d31a0aee66d477731

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
991afda8f838c759f95f530214175607

SHA1
ced0894521de919237a34e124e92d9259dfc81b0

SHA256
4029e38011d405c2f19fecaf6022bb86427b325b156c15c77a3c3c2f38357993

SHA512
d0a746bb009f504590df7b0c03fe0114ce7a343bef376a498ed0a2619f9119fda534548064f83bc9df1aa3f36e53c5c8c5eb66cebda2ea0c8b62b60001b24da1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
46b6e2d02a1b7d42a3fc0dc32e843f82

SHA1
48352d153a8f1b32ab71d9ca89df6d913a2aa065

SHA256
67aa2075749f2f707a3a455e9256c9bdf1300b71ca52001c875e3c2060fd0229

SHA512
cfd2083f98cd094057ffefe8195b829f39c376f95e0295f742e61bb2620789e8f7a33564225f3b447fb91b69a9ab880f58ff0b1a3a4112b57923bcbacf458cbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
282e05b1a20529e4081257ed620a6642

SHA1
545935aa9c05bd9d5598ac419d79f58dda6750c2

SHA256
2aeb1cd1b1d150c5d9b0608fe023c0b80fb6a69bd6ebc8d4246414c880891f24

SHA512
8c67b9178d8d4c0679cc89c66b8ea38bed2f965625fc6330179110955d8492e3c7f09874525c6435c675c22bc9cb42f98edfbea6fa15a44c74f7a6851e30513b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
09afb7c47496587b8c438c432f8d0648

SHA1
260672f053edb847da3bc8714a69fb1764519313

SHA256
ce3b2f7779b7ad1b9cdff043cda7e4ae8b9d9dc76ee0c029a18a9d302d556e20

SHA512
f08a1d99ae75c79d02a64d2a0e82c11b5a2204d16677b5f3babea80408f7d01746c191570215a21e341c7c89b5269852943c1f7fbbf32d3a41cd6cbed6527659

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
950ef5b5f8b812d9a5abb85aff7dacfc

SHA1
a9323c01f322bdabb874ace5773b49e9e829f357

SHA256
63a26bf0cf3b4d794b679968f4eb16f2656c30ceca74757237ea756b903393de

SHA512
4c2de5aff2bf3d5aae385eabb4be908a86105c833d1706603f9342c19fe4bec6539c095ec41e7295614d5832b1dee6e5d3d047bdfb0ad588c638f1961edfee58

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d6738fef69f92a3b2c1e7167ab5478d8

SHA1
d12f3728a3f2db74bbd70b8010f64ef0af75e791

SHA256
31d41f96fa7c6007506565a80c0a44599bb3c66d484feab797f058bcbcc1aeb9

SHA512
afcad1613381d4dd377be79c4a4a99a20e42bfa7e44e5f21d990e7293a8f4453f3aa28ec817b688cc78f241266b2ee07c88899d1e47d62a2072754b0cdb54113

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b5f35bc51a5f25acb2595b703de2b858

SHA1
dac97e789dc9dac4ccdbdcedcbb7d85016ff24c3

SHA256
2f49655f91819e04788ea2a05504ad4f3ac0893ac0af79da06f6c961760fe16e

SHA512
ff86dccab17f123d720515d1e93e7968886ffe51f2e74a58beb8dbe9b26817f52d77ba0f44f6dc2591cfa5b3a3e201fc014edb282bc488e56ba7dd56f223f3b4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
119aad51535b34a77285a407893ce6ab

SHA1
7a16ac793ef5167ee35a2a3bc262e268b0149487

SHA256
898e371f380d4088f782b270aca49db84df800a3dba54b4ff1f5451dd1597b3b

SHA512
24b8da3308325c6ae9ed5e1ad90f736a8ffcf22916cbeb6685a5e3129c3768d410ad7aa13779559be5ee8ca782cafca8fc067b35a9acd2b6075da9ed7c7a1c37

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
29729247c3024ee69af95596a9a8d19d

SHA1
e3e054926aa233942d4e379b377a2ffaafaefe93

SHA256
a6b9029ab5b7997f3c2c802a5a2eb20770dd8940f24104ce3b5e036f40ba0c21

SHA512
7a2c8f61cb04b3fd0c4f563dfa88af32320ff0f3ab9c54f531288c4bf18f8f686db482726ba7ffd1459cd07b2db7148273a4bd3ce611f89b0ab6f0d792fa4b89

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
104e9062a20a2fa0a078a9d3e4eb1770

SHA1
b3c2f913e93880a880fede13cfcf51c727de95a1

SHA256
53ecc0ddd4a2ee76bc72dd79e34e32afb191bded2c0debe23446481f3c122d01

SHA512
3bda9b65e7b95e4bb3354812453003c0575fd5fd49c95bf9abcb2cb53e9486eac58076f223ec0e30c15f79c4571f3766ecf925c335f09d7d356384c202c3008a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6c06364c773d27dfe1a04d75f35aabf5

SHA1
d84eaeb73ad85e697b9cb69e8706d8497ab04c7d

SHA256
fb3b1b687ef23e26a69c560e0e1e8ec3ff22e851bd3bf722ee6ddd55bbe37709

SHA512
e4e96c285d1d973e214ca267db39a4c943ea793f3962bbd8fbe0762c3c5a32198ce8ab1f2f0f3a0ee92f918fabb1fe61be3327e0327424209d2c1d20e1e629cd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
794eba88bf2435167cd33c410052fc54

SHA1
9d3a7a3e800fee5c71148987be28a23e77d0ff73

SHA256
f5b8fe3d0268b3773f6df1196c25c5c1d1dddabda961649190cc1496916b2234

SHA512
948390cd9db83dc80fc0a992af4904278dd10af07a29e95f92297151fe3abdc85752cb52fcd9cb1ec25e6e1caaf1503ecc89c68ae50c56fc28c249a92dc748f4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a848d4f6188576ed761f59bfea3f8240

SHA1
c98a69b1153a3971b62416440b4356354613451f

SHA256
046b81476e761b81a8ff7ded11d8fcf8c5fa9d566cbc5be78660e28cc08eac42

SHA512
99032157e4685c977b2854e68c8c6b691f0a65b04763003957d396e13c2fe0377a12bfba117cb87d706432e6ca9b5f570156231dd3e1e50a2117441d4d0cf23f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b6039a913df35eda14f5d484a779411d

SHA1
643ea0e6584fc9f2ddf1d775432913b28385bba3

SHA256
9b9a2f2d1cdc2f310512890161f00347a80d64fea2dfbae7914052085bc14bfc

SHA512
333bb4f0c11368a4a3f5c01413ebf439fb116a125eabce40c70daf4f23286de1434636231a2864486f05c35c726dd9108adab9274ae364291d3044bc955b7df8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5419f2477e161d044f401fe4075173b7

SHA1
94e6239c5766ff8823c2bb231f8c739e1e9b8c3e

SHA256
d4d80c113d66ad094a4698b912e1763f3d8a6831351b68bf46e15c9aa4d96329

SHA512
ba31df0cc0db4d8f498780a99220553b4598f2d11622f323b4cd6ccc978f550480440c504e62f7df7c31cf77e13cbae289f0dbee5f8d0ea8066360de482c4300

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8dace1d23789415af4c43fb4233b8487

SHA1
605d06b3b3c947850002a4ecf7c3e9536c8d5f1c

SHA256
783bd15b315c43fd036082a6ac23375333fe2f880f881c504fcb45a0caf922f6

SHA512
6f36e3dcafacd775bb00e37757e49920ed1e568da5c304e6e2427f24eefe04c51b1a14870275b6e516254b8890411389dc60ad1a25e370663715b1eefa5a3e82

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8eeffb9c58b7039372beb5e149de7ff1

SHA1
8843763a58aaea40ce7b695630ddb08c2798d0cb

SHA256
99e37d2130c5eb4c7952415c29fd90f196123365729e8ddd78388c5f2d68215e

SHA512
bac44c9e3cf4061df7fad0ce9cb3eede9a3dcf1436d671076f1110c4af2d809352910cc1f34b423ee4775449de79f6df82eacc00358cc00289d4e5cd142eb8bb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1d17b4013e5be01cefad38c258882bf0

SHA1
9bb5f82de8748ca92224b8b1039b32bee7f0120f

SHA256
d26cd2369b3bb829ce37fe86d6e21cb1ef7a5179ce6ca356f07d245d420c9226

SHA512
9211ce8011db386737887bb311c9092775870724eaca07d4c73068b6d51be51567921aa35f748410b9d90d82b57ddb7b0871c3f2fe208087b2694044611e8e60

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e104c99edfb86b8b6a505765f1b682d7

SHA1
c5755f3bb9d8eb6a80e5bba5250007c8c18b3979

SHA256
d6ca17c9ce022f6e6d06e356c51c233cb83ad0663d63795dd5b418f1004329dd

SHA512
863328fabc404469e4a280130f4b6d8ab6b9ef19dcc38c2a5e4dda40ac5a9a4d87e61bd24e2d6f35a5829dd81ab5dec7b172102fe35634bdf655e8189896561e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f5fdb5fac5f99b778e9760c562d4d997

SHA1
8b1d4f3c19b620b0b4c22e01d2af171146e654f4

SHA256
18a4323e6b8edb5dc81d2753a885d7d474c698dc2ecafc7a183f1bb2972fa06a

SHA512
8dd945f1cf1a67109a0d7364f18e250a2180afeb630f886379d8f48d419c3599c6808e55d4d77025a57dd68befabb146766ced672152a28ef004145cf80c01f8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d21973d9ea9d775d308f8e22243473f0

SHA1
ed4777b4cfc69141e7cdec31d9c4c8c725f401d9

SHA256
bfeeb43258c7c31d74064acbd1b5172d1df03a2201ae500da24a09ed1e745afe

SHA512
cea197c5d1abff4f0f6ce25e65ca07e2deb8e019b228edd9a5ee7b30069f7b1dd336efcf79044b0f23c1a9bcdbeb8aff5a6c5f727ef42adafe6d9a714e4bda4f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8b04c49c7a4447594f0dfade736ede4f

SHA1
3942c93c22dead2f7624defab06f91cc3a55722a

SHA256
3b1205c9a4e982caf24ce0af5a2e10361109cc0168e31dd762294e51be14a53a

SHA512
0c120250ad9cd8917fa89128d048ada66fca7a47407cd6031fa65f1e4c3a4e47274194c736864aeccb52662edd60e2d9d9f3fc5ce7b1e6b2c6db389af2b6a11a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2729ebbd5a4dbc5eab9f1666b4d2ea6c

SHA1
2e28f81e58f38e12816bcc2f340f1fb012216260

SHA256
a2c243787b8ff7b760647ffabb4b78ce0eb926a205baae89b92ec303cbff0e52

SHA512
e344399da9ecfe04d053fed99fa83b4aa94406b3ccac00d22a1d113c7a62134350b6f4c4ba4fadda3f37f2c02ee0bf5085215a494624009c6147e9a1340e2733

Download Submit
memory/232-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/232-351-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/232-247-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/232-239-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/456-517-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/456-339-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/760-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/760-363-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/864-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/864-251-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/864-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1224-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1224-328-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1636-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1636-50-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1636-62-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1636-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1656-389-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1656-277-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2968-518-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2968-352-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3076-620-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3076-414-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3188-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3188-513-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3188-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3388-264-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3388-377-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3544-618-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3544-390-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3640-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3640-160-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3640-232-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3640-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3704-36-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3704-231-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3704-156-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3704-30-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3776-543-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3776-378-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-402-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3948-619-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4040-413-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4040-299-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4168-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4168-435-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4276-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4276-230-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4276-27-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4276-24-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4852-401-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4852-291-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4932-510-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4932-323-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5068-1-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/5068-9-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/5068-16-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/5068-15-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/5068-0-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/5096-70-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5096-64-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5096-157-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download