d1baa29c28939bdd017c051ad27e127be68b016e28a4e146e32dff190d52aa5b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1baa29c28939bdd017c051ad27e127be68b016e28a4e146e32dff190d52aa5b.exe
Size

716KB
MD5

63224479ffbd8f13c1b25b71691f3665
SHA1

efb316f9221d4a2d4f3417ca4d7d721e98c2563a
SHA256

d1baa29c28939bdd017c051ad27e127be68b016e28a4e146e32dff190d52aa5b
SHA512

06ad00920898e69c0d834c1b8c886cb2bfef22cad11f86ec34d01ca7de6be77c6927bc34a9cb80c61b305e8051e82788bfe95a93e333a7dd487427a950553de7
SSDEEP

12288:M3P/aK2vB+fFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHM5:M/CKABq8NDFKYmKOF0zr31JwAlcR3QCx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3684	alg.exe
2892	elevation_service.exe
3552	elevation_service.exe
1688	maintenanceservice.exe
4352	OSE.EXE
3660	DiagnosticsHub.StandardCollector.Service.exe
3604	fxssvc.exe
2308	msdtc.exe
2940	PerceptionSimulationService.exe
3000	perfhost.exe
2644	locator.exe
3120	SensorDataService.exe
3084	snmptrap.exe
4824	spectrum.exe
4068	ssh-agent.exe
1536	TieringEngineService.exe
1088	AgentService.exe
4912	vds.exe
4560	vssvc.exe
1296	wbengine.exe
3920	WmiApSrv.exe
404	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\714125912b574d51.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	d1baa29c28939bdd017c051ad27e127be68b016e28a4e146e32dff190d52aa5b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000559ea3dd9091da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fddf03dd9091da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000205176dd9091da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007331d4dc9091da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059e1e4dc9091da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edced1dc9091da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000102a6fdd9091da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b5fe6dd9091da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2892	elevation_service.exe
2892	elevation_service.exe
2892	elevation_service.exe
2892	elevation_service.exe
2892	elevation_service.exe
2892	elevation_service.exe
2892	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5100	d1baa29c28939bdd017c051ad27e127be68b016e28a4e146e32dff190d52aa5b.exe
Token: SeDebugPrivilege	3684	alg.exe
Token: SeDebugPrivilege	3684	alg.exe
Token: SeDebugPrivilege	3684	alg.exe
Token: SeTakeOwnershipPrivilege	2892	elevation_service.exe
Token: SeAuditPrivilege	3604	fxssvc.exe
Token: SeRestorePrivilege	1536	TieringEngineService.exe
Token: SeManageVolumePrivilege	1536	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1088	AgentService.exe
Token: SeBackupPrivilege	4560	vssvc.exe
Token: SeRestorePrivilege	4560	vssvc.exe
Token: SeAuditPrivilege	4560	vssvc.exe
Token: SeBackupPrivilege	1296	wbengine.exe
Token: SeRestorePrivilege	1296	wbengine.exe
Token: SeSecurityPrivilege	1296	wbengine.exe
Token: 33	404	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeDebugPrivilege	2892	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1104	404	SearchIndexer.exe	120
PID 404 wrote to memory of 1104	404	SearchIndexer.exe	120
PID 404 wrote to memory of 4836	404	SearchIndexer.exe	121
PID 404 wrote to memory of 4836	404	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d1baa29c28939bdd017c051ad27e127be68b016e28a4e146e32dff190d52aa5b.exe
"C:\Users\Admin\AppData\Local\Temp\d1baa29c28939bdd017c051ad27e127be68b016e28a4e146e32dff190d52aa5b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2308

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3120

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4824

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4236

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1104
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0f3bb423caebfeea41868e07ea3cd485

SHA1
e0768001f135f98f81b2a8677769f75778e5faf5

SHA256
5823583b6c9b4d40c9052a74886f0280bd59fdb639acf5c294ed1dce73d2b9dc

SHA512
c4d69fbac2b010c9ab0436d00c9f3eeae0a5a908548c1924f7426164ab024e17fcfa2f9a8c5d270b00901beeb31d025bbd7065b26d186d72354b13db5dace45e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9269c11c628ed7ae7a2322eaca6e252d

SHA1
21f87ff65e151d782b0841ba2eb40c4a59d3d3d8

SHA256
1a302fdc853ad86d30ee81dc5581a3b248a938ec2ff3400868c52b559a6e6295

SHA512
091fe80088ef93df751d883af86fff330b938f9228651e9f2eefb4fb268bf74c2456406c501e13fb2c3d58b630b74203485a2bd58acc75c8954f1953827295ab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ac85acae39a05bd77d9ed2cd5d58374f

SHA1
31881a611d2aa40e539788ffe8606681ae1db1aa

SHA256
edd65481be2959bf2483711e9e584b585e2fb3617a21a575d6b87dfe147be614

SHA512
2747a38ec2c04b3dcbf8e71b4e56f7e672394eaa8fc120af513fb32b2262775efed95abb355735551ef7ca92c5dcce762735cef355e687e9a51daf78fa100b2e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b79f93a7301524dcbc19fab8dbfda558

SHA1
46b710f74a430fbd9f8456b030dd128c9d83ac3c

SHA256
f2ca0f97cfad6178c07f016f40185a115aaa685b73e4afb938cbda47b7757c01

SHA512
549b899f7b7c6ea06a17aa3c796f4e7283ac22e76bcb1e0ca75636e1cffd76441522cdd375751b3159197823f5f3727c601cf82c187d37465d14917faeb2f229

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
781cbb6f69ee5993bee14af21088f9ea

SHA1
dc602ee11bb2818e07b0114eefa005cb575b4156

SHA256
474942a6fcde54628fe6582d6f84f33b933a5eab69124d87f49c06960da313c7

SHA512
1e7ef764dc7413bf1c601b960397d87a342279bd9863cc401ae4ec62e714e06c1e3f3cc174d01d577053910e0b5d00d40bffeb50adfcd730e50ccb1c2136ab37

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ad39cf7b3b081f32d78e04b8cb9bd0bb

SHA1
943bed30e9288ff8f6a30e71920b64134551d449

SHA256
245041d63d09d0cd06ae66841f4e5de1850d5cb804dd4f956c6045863687455b

SHA512
d49b498007e81ae4965ce07ec2c85d7c607e0569449c32976c1db7a21c040fd67d09ee2bd6c78e83c66129fff48193f651269300a92c109f6ed666487918669f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
090c557fd841b167c6e94317282e55fa

SHA1
75d9a41d3a0de446fee8aaafaf70aa5c37b244de

SHA256
24fbec2c8278c6f93dfdac842220891926eee58d3c97c5aba1369da96fa64905

SHA512
62cd9cf199b852c200b95c3d3664702e654dd6b03cf9e53a08b504ec758b9a167b251439d1e362eb28ac8d24e4ab844e3f291d0ca49a6b62244b0b1fb0cb5dfc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
32be36319984cadfc14c550dc77e942e

SHA1
9ad8defbac13558ee10ce7a028fcdacabb02db56

SHA256
ce787bad8bf7d7bf92283f9ac24876f6fd5ce61db6ae6d5c0a89e3a03fbf64ef

SHA512
1a82116fb044527405ffa523113715bb4e53bf1acad86a54ac847242515365b871c39cc7e165b5e42ffd2534ec29e6dcba60897199c6fad59c8c911b4b8c407c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9d589be55557869aed7d4383e09b52f0

SHA1
6e36622299a174f5ad544c6be4795deef7ef6405

SHA256
f58c6398fd5cd13e30432086b21783e9f7644da9708818fb057558488379e1b1

SHA512
8e05f34bed36821593809db46d17effe3f1ca26e9d3039443d2031fa76fb72294848c95a8b6a8905bbc11883d6a4be3408cb0579f2d9844e2c69cc0590ba610a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d7cc91d97f5bae91d3ca3994b7212429

SHA1
f2ca6e9b9431902f0f9543b365590eb3fd730ef8

SHA256
946232d42e0ca30c33a468118d603759e7e8621c97d1c7fa643f9e8e80dfdd06

SHA512
c297aefa85d21af9ed18575ef1fb2ee02b1e68203c82cabab7b47f5f51b8c738181b1ceaeeb23d34307a472d78b0802be20b4695551a74567fae3a274f6c5da3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5fc7962efb4af58398297cc8ce55eac3

SHA1
9e749e1567604628d90792f1fa9d4a4ad8c7a531

SHA256
3927965694e522fcfb152c0681a0c48b21c65e6a24a340bef257337799dda431

SHA512
2b6073c9813dd29d5c195988297765f74f11cd7b89a2e275a6d7ec16958ff3240f4dd5543332ab205c0d8db01d9dccb8cf8e415ebcc9306eb43e132b3effe438

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ffa8bd85f501a04a79dd024093d18007

SHA1
344a843d217fda21d9bf98e75dd029b05f72e7df

SHA256
03bc69fc798368f991f81f7b801cac1a996ab3a8ec92d898de606d3a04aa65a5

SHA512
544e9a706047a6fd9e95450f3a5f159a82b08caf4845f70c59f2de914b556526bf0afab1b064e89c37f3d7bdc641f38edc9a853140dc421d7578aabc4b1af1d4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
dc4f898ffbe2edae19ec3286b36df84f

SHA1
17368095ba839ec9cf8206481f1e372b9d266481

SHA256
05c11344412e2116b3c2b990510363efddcd22dc589ce902eb3b15e5144d076c

SHA512
ba6e011d1496eefd1a02a080e1f62f5313524a02fb8c62147d78a0a18ce1afa7a2aca8acf0b457beb6d17c3e434889a230a7842068c4d9738ceb5b53fef12b76

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9573b696b69a3308e9316ee36104cf08

SHA1
5f931f6f13f2b0437173c992c0514e23fbc1afd6

SHA256
2fd9b5b723c1b33e873f0fc1de26f6ac4c14815157002226c82cf01f7e185c3e

SHA512
4a24afa34110102148d3b2817ffc8e601006080cab3f0f7d631d8e5d03e3248f9151d1dc4c031567933a546956cec58bdfbbeefc4258fd1136d7aa8be2afdefc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8f1799e14a87659e98a91b0375ddfb00

SHA1
f01b981a53ddb261f0a85c211ed24103ace6f5af

SHA256
e19c327a9afe52680bb3dd1b47eef3a2836500d6030c1000fba3e5b181865387

SHA512
22aa1b527cb37d68306f6c5bc35e0723804860d402279969b42b096cf11c0296e02907d6a3b5c39d8c76ee27a9c7cdf11c0799941b921dbe406b669fc10afe33

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c722c8f4a6121a58906bb1fc27a26172

SHA1
e4e35dfbbc56f9c950de0c75858a725a84688998

SHA256
8c20ee46c8712b5e7d69af2203fe9d15528f0a9af3f0b7da76aabf5430f0c346

SHA512
6a7a94326dc6d9f331209982211802ffd85f1ac388517621fdb548f6dbdfeb62fbd59025dfb28965d20fb5dc401f8448cdecf893593e43146c0b782f06457ff5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9eef4018f0df4b6ffeb727e04f5c6540

SHA1
a1102e8007a7ff201bea48bf6f25ed48d37c755f

SHA256
7568b01a1b656ec5eb7275af7d71fc7857b7cddedf58743f59442b4b889a006e

SHA512
b13180bf146b87c31d47f4287b4b1d4b24d1253788f57a32272666a917b19f78bdedfcae46cdaac192b1c68740601bb4cb4ac8d15fa139f1e492c85776062934

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b67df618a4279d3473db1305e4014b7b

SHA1
cc3280a33f35d72958f86ae49f510bdcb50ab355

SHA256
976aea5229f6beca91e3d202d88036cab4c67e796d3f3f213f0a4828a21ed800

SHA512
25e1ef89786538d812c3a6340de75d43a885cd325e0c379ccf6c452b18deedc0f854797f2ed8a0f2d478f313d4da5c7ddc8340218d5faf17e9f56ed680c74e7b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
daa6cf6abb3dacdc816078ab9c8bf583

SHA1
bb769ebbea6e84ecf35791684b2184c3b67b4339

SHA256
7aaa84df21d51041fc1f735ddedefdea7fcfbf38d51ae18d7f55c35a862259c3

SHA512
f03720c2377627bf806d3ff896f678c5be569efc76133d26dc6a04337232cfd5b74506df670f2dd31a9b4641f8c9e0c91896f2aa5dbb1fa47a3deb6f592f4dd3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
83fae42f8d6f130360c41369822fb7af

SHA1
e9677c3b11672f515198d80ef58a3fc8ace36cad

SHA256
be728e708d02b04d9ae852082d3a3d2db15a99a3611f8a347159c6c6b96765ee

SHA512
c57fdf7b590a10051c69ede4d1f60764a9b5284663ac3c24a69d9c68c46e349eabb6eeec32d91928067b32a99dbb59d23dccf836ccdf15bc79627019c3b4f7d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0f71ba698c814e9a0d42209778419078

SHA1
3134f024a144227b3f37a547093fd51b4a704e70

SHA256
436c7a90e4d47579b8ec3c547bb8be8c207024ea5afc30acc1bf54a2f5c44f71

SHA512
c331481c515b80c4471ea98132d4cc2de20de8e12e618baa98907b03fc411a827523ef5dee406c59a4958304c58ca5c95ed7d1cca6a6e4d934e0b616830014a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d797747bc792668362f2daac9bb29008

SHA1
4330897204c5106cf52c13b0e3e5111d96a3bdff

SHA256
c4ca28fd4d2317cab0a9443dcf94138ac6c4dff4c0b62e6aafbe8bc93b8a1d90

SHA512
5026394dda31f7ffcb0231bb75101e43f892f1d18ca2a27c435a156cc45a238b694e945a6cc3ec2b04674f6a68b6abbf4fd74b4e94a60f5fa643d78b56ee43ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
edfb904f1c17e4a8054ee8ae60123e79

SHA1
dc0dfa550bb8f759475d911ff650a953bf82d33f

SHA256
edab73559bed24d0e915ec5b008274eba22106d64ce3cba6af1565225165a787

SHA512
fc7c1c57a830fdacf3230a14293d019ffe69dd6a297bd74f1f3630fb7b8a7cde8819f720e6083f6199e3c7a6d993d4df3680867ff9eb0cc01d241f6cce45ded0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
beb1132de6ee4b399da05727231c1b67

SHA1
e5334837e3b8861df83c03c3f6a71ec7e6640f26

SHA256
1000456cb0bd02e313f0a47ad7bda43a7d39e0ed30d1739e3bed7e1b408b33f0

SHA512
48f007022f51421a33a88e2feda836c5fae7b1b41d1b87b9d8cd0cc157028aad3079fda8709ea4c0c3bbb4581879368323f23e26a003c5a4bfb951e95b0e88ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
14c5cb8d1cd437ba2c6b4910d224ce5f

SHA1
ce8eddd37171bd0e1aa85ded8e356714d3748d2f

SHA256
4dc6110daceac81818979bb559f632cd0f4cf0bc08f8e2c9dad8f4233cadcd18

SHA512
2c780b3be7c5c9909ec1ee81d2075df264aa94c2c33700f3301d9aefa8c6754706f145a479c71c837bc3324415fb203f0985d29ed37b4800e99b17268c986798

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
36e6a7ccd05abe09e658dd3b4f6d2978

SHA1
fe4c46b3e5fc2c24a72551cbafbc9eb0eec02085

SHA256
2d61f9ebfb6b0f8140885a4e4c1f005746ff6955df3000ac0f77da0c6a0deee9

SHA512
39c326e4e35c09a441985885a8fec23775c1bb70827e731b206414e3c6bc3ba94055d37c5af31c700e25ca040c90d321c2fb14d3f74a3fd04ef79216c6ba1c66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
438368a5f121deae6cd115095f389027

SHA1
06500713065af068a61232dd384284a01a0a92e5

SHA256
5a7927b00ba7d20b3cfe17ea3ca7d090117c262142d502396666d339de43a471

SHA512
33c8f8395fa7d9c27474735e041479ffed9a3d03f91b393f01701fb361ff45e95fbcfe467ace42bec2929cbe89d3a13a41f9ff2bf2f790d09b63ef8bc960f17b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2f9e919a238101dd2ed4cb9e33f454f3

SHA1
6d41733f8ffcba65b031d5835c3db3ab8e37a785

SHA256
24273372a56b81b5ca86f0a1484b9fb14c993e5ef55aca86a556a612b25c3d8a

SHA512
7e8086d29e1832f55aa4a91e4d16ec828572ba5dd00eeab9916b823adc67acf6be2a724dc69c1187824811eea8125dcf2b0c48e3079bfd95df8ccecb48faa6fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f5c893833872e6728a94fe38dc51cba4

SHA1
0d6bc92235c87cec512580f67364f3fd50c9eff8

SHA256
a0a06cd20ca21e66f6f4afeb109e1959179b50a8f43ac2029d19c67d82b80977

SHA512
8c5940d4515831e959bc9919b40bb8de1eef2cae9650dc1df801113907333659534653035332f2036d3e878330bbe641525ad5947d46fc6fcef79d7dbb31d0b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
35490ad101e5aec1cc3d05469b5398bb

SHA1
7dbffd1ffce6e453afafd911e6bbb226a65a7bb2

SHA256
440b835afe968b8fac5411976294a84e5c76a015ff609b1fb262a8cd6f8a2b1a

SHA512
c6b79527cce5273a99f69cbc0608f0e384ff8f8db1902ab9f28cdcd3ff9fccb5461b08b23620f4903e7313324d61c8b43da976650ae9318f0b78c7398b27fd10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
cefa27096dcab3ed225e14472334043d

SHA1
cb0bda61e22267fa47022b92cbe4010037c1df47

SHA256
0bfa1bea27c807dbf70ac2247b5fdcdb15f74e4aa314cb26387b8f3cb6588c8e

SHA512
a9f1fa425f5fcbaea6bfc6609298cdb3f3aad2210709bb7c6621e057e6f486a48b58751635a1fd9a3784769726b81e8ea569060d4349c5e924fa2ea42f9522a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3e1f81f0660f7dac58987686d661e6b4

SHA1
f619a78166e40d3eed47953c61e1bf4e0262eb0d

SHA256
d95c5807b8fa60a23e7f12df755330dcb1b1c0736d32ceed2aa23e8acec71af0

SHA512
e0ede3422c93af456f8332d6524e799a8ff8cb18c24185d39b2e4e8a070d97a339eebed0e80abbf2fae3c572c1089c3528d186b4dbd17f028a6ce856ecd62aa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dece538d5a956340a3f4108421ae807e

SHA1
7e9d2aa77a9879f42c547ce4b9d19dc4fe9069eb

SHA256
00a5030026630f657936e0bf414c9b4845c826fcf91a0f6c75c5d1f1da422aca

SHA512
16c5a1eb55cec826f43fd8e904a8f8ecbd2c1fbf57de266bc39bc7b6617c1a47918f2bbc351861454f222a8d463147e6bfbb585983ae5b9728deb1c5c19f870a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
737f95d0007f34e9329fd218369fee99

SHA1
03c0fd48627ef9a705f205bfa57aa650e9997e5b

SHA256
e09b881ee8c9fd11c379eb49c2b9a6979ea4312caa010025d763ec9b139a4581

SHA512
23d31a7e603cbd0556182c360cbc458d01e910f49b8a91f99c615d2cb58bd96c54bbbf22f75740a59001c67050e11c5e0b965ca6edd46ab5759edfd180c9251f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
e8cc99f86f995a5ac1a69493cbc118ef

SHA1
874682fe7f4a71bb02e25b39de843e29cfc8fbff

SHA256
119f0d86db110ae218853a3acd275b283987f2b4307afec23803dee47bec2f33

SHA512
28f0b7e8983cf4392e46fb0249438d8f142cd364add9d16faddc12b99ae6be6c4b8296f00f3a33b5f85361f374d07d82150a1d3bc617e8ee1ab36243054473cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c903b33b559ec59a4b0ff3e497db0fd5

SHA1
9360d3f9a3fd78f0c8ef73d1cbda715ec4bed971

SHA256
b4e9c9c5063d0aabd9d96ad4f1224cc67ccad600aa9b2a71f1679ea0a996788f

SHA512
a8c1bb400a6436e5199c0fa1345c194aaba86f98441f19d976661faba00ebdff4124d588bccf2b71bd8a5f1c2989e8fb431a030cacd168a19b816a5bc9dd3ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ba60e490ef97dd8939fa00fb40eec2f1

SHA1
e7c481f188f6b0d6223a4fd19014741fb8de3e35

SHA256
e9008d388f8dd77662b2002082669d4a4de53c74aff0faddc09b79e9bf84c7a3

SHA512
36aa7d31a1b365a1061cd3d75e70dd8eaa31d9298caf3bb8d01b375bb635c6e681b86263b5d77697ad9619a0f1518ce2a000c346f406a4c8fa365b0d59661972

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
8b8dc27065076184f79375352680683b

SHA1
1aa0427953ec8842c99580d1ecea2663868fbff2

SHA256
7eba9a0dfbf5ae514030b3ba99ae8d4303236fa44f6b75efdd96055e07e5725b

SHA512
0764c6e7a6487bddfa461fb7b29ec40a77d70984c7bace591c928fd67bbc081e96e5d4e6844ea53016d0513e13965345a13453c66f58312ef20e9346743da329

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
18ac1daad5382becc3a0d1a6317fd44c

SHA1
ceaa9f6032e4a1240b70734a13b20b96ab359307

SHA256
0603b5007af61a05775ac8263952da36efe7d520634c16df8bf3c916bb0f2e82

SHA512
8765d3fa800382bc383c2f21befec278d5c71a9f471a6bffa96c42f841b896f2b2c4f527f19ebdc0e846d84311c2aae1fbf29eb0ae79ecc5675bf947797ede71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
d0e9eb74b296b735f1a1ce3ecc45619a

SHA1
6173c92a9a2d20a55404b7b8d23a73b7e7e35044

SHA256
71a4c8c790dd1ca9f32bc42e9bef731b9ece598359d7a72e728beeb427dd85e0

SHA512
556f40c70202e063f9d1dc3a163fc015dc76b0c50116fa416c03a10c1668ac47850cabf8d442a74a735f34cde3b32c564030a2546b8a08025df7e4f9e4682b1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
3d80b3f4e942a6aee39cd32aa259ea13

SHA1
5d1a217e498625c75ea86bd55fd1b9e64a5625c6

SHA256
dd9939e7fa286770d9106cb072a8226f3bfafce95493994d540b98c3fd8b8644

SHA512
86b8077693213948bfcb00b493f266986debc8f2fca844483ae80b8d064b72cdb61b2cb4e32a3411fa3338217d6ab6f9c0ac0255c2436e6dafb05f2d692a58ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
8d51c0b7a0d7e5f400cb735538e21821

SHA1
c813d5aedb39341fa21c33fc99c1d88b6b9fa6e0

SHA256
1d3cdd39ea9c4786bd9bcddcc2dfd26c5892cdff7825f9e1498cce5111bdadc7

SHA512
f1c67006f3ece06a686988c471bf1fc64eda1be193d295d2aef8ad97f4c3ffd8b62c59146ecc0ca939c6ebf6ab58b5a7a5ae7640f5a63bffa797d00ecd500ce7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
1d2b74fa53ba46b6a25d8fe994bfcc74

SHA1
42466a5d4c17fba053beb21e7a2c972b06c84a8c

SHA256
5c1622c5821c2b71a46057c6588af4252aecf5f457de05ee3532c1966d7ce5ba

SHA512
1a364b2e598b394d88c923622dbede1fc7e7546c87d0a2788396c452d74083d47108d5d7626de8bf1ae3bc47271596fe6018d76ef99a9049bd143624c348aec1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
eba7a661ec87f29a818d55d6662c665f

SHA1
14a87b631c2b2e8d679ee46f1fdb7fb21bc045d5

SHA256
fa733ea766bc978e39baf96a4dffb2c7bb915635ff019b8a3bee19e5929f3d8c

SHA512
c83b030b6393d091cb0c0a83fb2b113e2cad18658c1cf78df7e4dd054684fc3e16768c6fea534fd9993146e54c9e4a6b984c348df3023749856137b0c806abc6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
23b206e2941d984d253fd73b2a397cb8

SHA1
e048dae5df365c03ac08086220feb4ac6b5cde02

SHA256
8bab82e082ed0dc7c8a75073412afe904022ec24c3d793aa8bc448712bebfc96

SHA512
936a7b95cf305b955c30ce9b42f58921b5c0a3bd1473b5a5104d8c187de4c4ac92164a25aac480740a2951bd18869631b73c1b8ec40cbfc1c73def42ec0f62ff

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
eeef8a2598fe45fc796a263da312d29d

SHA1
631cbede308d691c6446923c7be18198014b4f13

SHA256
99812a371f703b3d88cabb7c95da4fbf959a00c4c46cc5dc35f20d158f666b95

SHA512
3ec6a544382851c128798ea7ab9e0ab850b1214d247c45a453cd56d88b2c54ffa4a20a760569862a7ae20e7588f288ddc5c35c68850c658538a757f6de6b4cb5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b27b9983a63a3b116c45f8af51753110

SHA1
ce2fae1bb426b99f06b28b5dae16cbb25fd07acd

SHA256
8d4c8b11c23b5ce6761644064c7ef264c05921096ad9d694f432f20c546c5409

SHA512
fe2e0ff7e433be76cfeb399260bf1b6a87ee96830d65faf88cd761253a5b64a6410a5c55c83cc8c293ccbb85b0c2c65c1737b4582f5fa22382cf6fd417e5a8d8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e7388b0e6031e71a629faa2125f61897

SHA1
49dd1cb971ef462bc790ea643c624d121a8258ec

SHA256
a4e47bc05f24a8582192dbd02a7f486ce2008cc863cb771245eaad048d7f7555

SHA512
e011b24d01c29d7d578ae615c1bf9de26c37657c3300a1ad195f80f1b782a025c797dae5d3150fb6923aae0721da059d2101a6afc920d3651cabea38f749164a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
22e999d168c137382951258dfa1cc786

SHA1
757777541d592caa34be2d6d119086b487f2284c

SHA256
14547b14609585f6577a8a64e02d4e8889724fd04ee338b6cc8250c256fbaa3a

SHA512
e979bd8b41738eab1478ed0678f08aeb12e8035a2ccd15772715a3528364db716f24b3136ac4004f5485416851f2b9a0bf4bbcda6b830f53d496043260f2c8ee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
05ec357dddba8d0670b1caa7db3f5946

SHA1
b1a8628204b2c7c67d7b775729fff819c4649acf

SHA256
e5b80a23610ecb63cca30f81130a0094c065de3b74d0305449135c84a4d1f9d3

SHA512
04497ecdd135c8d8e62a13a92d12074fa767eb4f8b7d5adb02185b0a84573257ef78729d610f063329cfe421a013af94f181df82956a88fc37205d633cd5dd0b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6e94e3bd40da8b79fd78f9519be84b56

SHA1
583f8532bda30f8f0461eb7d7f3b526a2e82f650

SHA256
728c789bfb6693a2f7eca453867e8247cc31bfbc36b0b1ea89c97362d1508d2f

SHA512
4e617937a42fecca31bb47c015ef68b6594586c0aed3b0962c628e848ef8f24b52e0852de6bf541de6804b9c4ddbabb5a29ac1b2b32bac4131876c3e7777f5ac

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
48934cdf16fd96d936453742fa7c8159

SHA1
379e7f4c17c200bd8581240a6f90311c2c23d10f

SHA256
5e8fd23c87de971c777396faa888ff9eb6983c7592639656e89b98e3ce2dc31c

SHA512
554dd41bc4fa944b11a34ec3ba1e93115c74c6da96c6aac1f3a391438e073665fac9464aa02e84405a221677714270bcc56bb77bf033ac6270e371c8630a0575

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dc91d6b952b3ed21357d2646cc7052b2

SHA1
7eb7c7c89a56471c7fe9c22dbef470ab95eb4538

SHA256
68caccebf64f513dbe58ead8d7b3c7603099dc6af8b6cf760e634ff5f6c93f96

SHA512
0e6001dc27fcf81dd123dab4569b1642e604714f25617e50f0453b1d98d1f89a9137b595934884df8c1688fe92287c833929ecfc92380d41d11b2ef905c432f5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
811332a4c8abb2c8752c35e81d9c4263

SHA1
18279f0cf01eabcffb3849635b6f0dac89b51798

SHA256
cc490e4595c9ba3fd02caaac6178d75941ccfc9b7604b8a2eab0b3aa98799f6f

SHA512
fc378dd4b781cdf0c0e2306514d6749258f1cf6deb3a7aa7f5cdb3640bb50fe1bb9abf87378253452b04813e8605819bd1bfa7d4739ab6b153b15bf4b3c5d518

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1903cca486831679871d5ffe6c4f4887

SHA1
fe158a0e15fe3cefc67a5f13c04935479b2a995c

SHA256
18e4306bac1a3e5576e95cd2b0646d00206f4f6514cf37f0c784622480497ca9

SHA512
24bfa8504f8ed07ee40290852386f10d8f099ed282a582dbeb98c6de1674bf497f851e5b5af07ccbd4372ffaf13595362c5912b615a12e47dfafd06df08ccf38

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
db47e7d0b3daad39f0f49e2c03edd689

SHA1
eaaec6e513145833700ce04385157d7babf62146

SHA256
39ee6c2cf2509e26bee1a931eeee566de023cc21301c29c377c07603ecf3ce52

SHA512
f33577d38d67c02bda2a6f2aeb51484330f72f3261a12c7165c560fc1f58c4c456159251498ce5426d178f2246e1682d7502954e5e387e192cc1cf37d0e266ea

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a92768eb97a3eeab90d7341b126f0071

SHA1
d47553da4b50da012247810db59e9ab2c534371b

SHA256
85857aa01ba2aeae72c958ae1bc234b532ca7b4a82cd2141ba6f206512bcf263

SHA512
a5e7d14ae00b5a82513c6227a11d495821388f7b5c8c6a0aa4ed1d15b757f757decdaac90182258971ed911e8c132148212e23548278e336b5f8419be1d43131

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f3882c2ce6ce4684a3f452a816ec2b04

SHA1
03043bccf847f49f80649b5381da07eeb1761a28

SHA256
2aeef2d382d66e2a484ab741402cedf22c151beb0e72bb822676967071365f60

SHA512
bc1f49824e4a0dad5e9599c4cfea4cd033a8f996e4971fbb740c772b8a1cf8e9357a80f7a4d00e2a530ae24a45f518a79e9a6e4c216f56537285a7859bc86ccc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
dbee8715c7bebcaf06364316823a71f4

SHA1
8cf2233cced53ab957bfbec5b2acbf7e4663e480

SHA256
f4d94da2899742d1c8df3a3049e0175cdc50b305f7a56a93c02bb331d0284043

SHA512
027f6cf4c79cdc40823e8acb643a132bb83967322d759ae6a8639b949027e22860399836c56e4b434e52afe633878121f0de48bafc7dad0f0e438d58328e1d39

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a1e94c92f50dbc7c7999189de1e6c914

SHA1
abea7eed843cf2c6eb133c0963e15f0292672eb0

SHA256
b90aa507166c4b650d718fcff6e669db34419534dcd2bf4b013bf99f1575b45c

SHA512
03e9b0fb5c1b86a87ad7dec81a082ac00340ad563bcc33da720d5284b233a55324a7a9cf0d2dcb349d6a372acfac5bfef267190cade8b15def305b65e5748bd7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2c869c8bd9e6757128aa79f7e3dcdabb

SHA1
0d64c04c8eda25e68b13aebc1d1ffbe2a371727c

SHA256
f22b38556a85df1f73fcc1e53ff80ca5534439aed40982544d9bf2b064b3ad3b

SHA512
d2ea00d9a14306fb4e4f4538d1dfbc2226db1af448255b467c3140fc02984b2754f3a02278a4584135c4d222ca3068506def669a0079bf6059a11f99cff45fed

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b3ed9d0fbabfeb98ed86891489ddb206

SHA1
568b378bbf2bca250c4b362e23935b9163a0c401

SHA256
d7e8754d004379866260d47d49415799ecac0d0968da71c9ac6e57a588d9f140

SHA512
c7f41ceeba2117ed159b4663258e0ea2298d88eafe1f290024b659784c91dbbfc2aa90d71206600e079bc9e740c9b80131432f2ff477668f262e24ae4cdd4d7a

Download Submit
memory/404-469-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/404-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1088-400-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1088-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1088-405-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1088-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1296-443-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1296-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1536-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1536-386-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1536-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1688-60-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1688-50-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1688-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1688-57-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1688-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2308-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2308-277-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2308-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2308-343-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2644-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2644-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2644-319-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2892-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2892-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2892-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2892-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2940-358-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2940-294-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2940-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2940-349-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3000-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3000-306-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/3000-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3084-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3084-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3084-345-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3120-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3120-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3120-332-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3552-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3552-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3552-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3552-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3604-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3604-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3604-269-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3604-260-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3604-254-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3660-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3660-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3660-249-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3660-243-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3684-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3684-229-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3684-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3684-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3684-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3920-456-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/3920-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4068-374-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/4068-433-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4068-366-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4352-72-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4352-64-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4352-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4352-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4560-429-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4560-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4824-360-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4824-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4824-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4912-416-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/4912-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4912-552-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5100-15-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5100-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5100-6-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/5100-1-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download