cbb47397121a4e36d45cff70cd535afac3086fa56327e6f6f73d00632cf0b150

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 03:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cbb47397121a4e36d45cff70cd535afac3086fa56327e6f6f73d00632cf0b150.exe
Size

1.3MB
MD5

1e1df214488562e6177ec2d204b7f1fb
SHA1

e5c6f18a7423a1ea690b93e6ec21aba7787a1cee
SHA256

cbb47397121a4e36d45cff70cd535afac3086fa56327e6f6f73d00632cf0b150
SHA512

5cee5df7575c0a904f6368ad0a5e08ea6d7a5c1314d8f4e446555183ed4250cb87d3da5c347d3db70e26ec3e109336bd3602ef8f744af0d4da2bd77faf8623f0
SSDEEP

12288:qE9B+VoGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhq:qE9Byt/sBlDqgZQd6XKtiMJYiPUq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1800	alg.exe
3400	elevation_service.exe
1072	elevation_service.exe
1592	maintenanceservice.exe
60	OSE.EXE
2904	DiagnosticsHub.StandardCollector.Service.exe
1736	fxssvc.exe
3980	msdtc.exe
5076	PerceptionSimulationService.exe
4432	perfhost.exe
2404	locator.exe
1844	SensorDataService.exe
1092	snmptrap.exe
768	spectrum.exe
3300	ssh-agent.exe
1292	TieringEngineService.exe
4648	AgentService.exe
1388	vds.exe
2500	vssvc.exe
5084	wbengine.exe
3928	WmiApSrv.exe
3636	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	cbb47397121a4e36d45cff70cd535afac3086fa56327e6f6f73d00632cf0b150.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\493af3257d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000328820de2e95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019cde8de2e95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd2967df2e95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000994f8ddf2e95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062c31bde2e95da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5ab65de2e95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3400	elevation_service.exe
3400	elevation_service.exe
3400	elevation_service.exe
3400	elevation_service.exe
3400	elevation_service.exe
3400	elevation_service.exe
3400	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3004	cbb47397121a4e36d45cff70cd535afac3086fa56327e6f6f73d00632cf0b150.exe
Token: SeDebugPrivilege	1800	alg.exe
Token: SeDebugPrivilege	1800	alg.exe
Token: SeDebugPrivilege	1800	alg.exe
Token: SeTakeOwnershipPrivilege	3400	elevation_service.exe
Token: SeAuditPrivilege	1736	fxssvc.exe
Token: SeRestorePrivilege	1292	TieringEngineService.exe
Token: SeManageVolumePrivilege	1292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4648	AgentService.exe
Token: SeBackupPrivilege	2500	vssvc.exe
Token: SeRestorePrivilege	2500	vssvc.exe
Token: SeAuditPrivilege	2500	vssvc.exe
Token: SeBackupPrivilege	5084	wbengine.exe
Token: SeRestorePrivilege	5084	wbengine.exe
Token: SeSecurityPrivilege	5084	wbengine.exe
Token: 33	3636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeDebugPrivilege	3400	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 5708	3636	SearchIndexer.exe	133
PID 3636 wrote to memory of 5708	3636	SearchIndexer.exe	133
PID 3636 wrote to memory of 5732	3636	SearchIndexer.exe	134
PID 3636 wrote to memory of 5732	3636	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cbb47397121a4e36d45cff70cd535afac3086fa56327e6f6f73d00632cf0b150.exe
"C:\Users\Admin\AppData\Local\Temp\cbb47397121a4e36d45cff70cd535afac3086fa56327e6f6f73d00632cf0b150.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1592

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1940

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1844

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:768

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5068

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5708
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4e851e3642c223261516ce351f98ff11

SHA1
91daab52dd6d851fb9aa22a477200fa217707067

SHA256
756863782fdb4230fc7c62b36dec9291bca55164bf223d7a0345c71dfdc55980

SHA512
760f07d0cb0d3c54b88458caf31595083c971a2c5f91b7d13f61931d8d687fe3ffcd051fdce005e146e4ca85ceba8a86a4c44f334ff3cd1092b3375f981417f0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b2b55abb0a9e14f33921bb85d165e64c

SHA1
156109cc8c358c41827aa49348bfd2ee571e8e5d

SHA256
5a961a419ba30a03f6da95698bfe312a1a20a8650dcf393cb32c0126866c5023

SHA512
b5e6a098cd8993af12f987d605f2c8b21969423792beef58b6d949948dabea37500000ca0fafff7e6acaa113390a163e780d5fc298bea043cbadc61f3caf6710

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
68d10cbf101d35e7f83ce3682da6d072

SHA1
731be011856ae9d91c5e38df94e59f17b6bd8544

SHA256
b67c1626514501fb22f550e177d0914918fc8e399deccad4fcacb605629ce52c

SHA512
1db4a35009dba66fc3553eb794be09f93151b8e7d58adba327aa6e41476c1c985200b3bceddc44d5622c7eb30c332ef271fa3ae6e546b1b22be2ea000cce01ad

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
053f83c9d9a25d9b7f957e8afcb5ba5d

SHA1
491080fd729fff0999eeffe588efb73fc7cfb6c9

SHA256
85dedb38318619e1b38647a46757e88eaf9f6a89e5f3f86b31aab3b4e3dd1fa2

SHA512
0d9bd5a917e4349658da633518f25cde265361ced582808c01db3f2347a37f4286d98662ca1e9a15d3f29964d154e796c3d7e0bd90cc573c0df344eecf428ce7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a01500444cb62565ad87ba190bda61d8

SHA1
a487d5c971e4b131d17f0f0e78c6234fbb0c3259

SHA256
d1321c5fb269558d922a95ff74a23297407711528f2c237721512267408d3dbf

SHA512
a6dac2d911590467cace7bbebfb690f3c6395aa9af9ae60acc254513ffa6ea1451472914d0cd4ae3d1b49961c642be09c7264ccc69bd3b143eb155f62282796c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7e7c1649f684d8503f854135a2acb997

SHA1
b1847522901912674da883023ec6af5f1e96e683

SHA256
cbb133e8d6356bc139bff6a8311bf43fa10849cbccd4313d0396a93469b9021c

SHA512
57ce0c00d93b5bec4c92ddcecb116a7f419fada702bed7e0cec1b5fe4ae7a662b73d63a5e9c815195bb0e7d81018b2edd7e3c092ebc0a0ecb446c91a0b8bfdd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6e063f88dfeb6997bb427bc5ee744757

SHA1
d0cc66c9bbf0d02d16b31768e36d1febfd6fa475

SHA256
5ba040f27a446c2d430b39b0a1ff0c59762f74af3433cd5734f1447bd5c8aab1

SHA512
e3b91b79f44dbc115c06bfd7f0aab45af9e7b13077476f0e4f4434a3ada1bf1399e3c52887a4fc7a41b66d410a3119ef68ece224f3ef3c8fedead9dadd98fcfc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1acd28fb2e3b0827a216f95426eb391f

SHA1
890185f54482f2a182999ed76ab927a520b46f34

SHA256
ed6c365c0c7d5709b7980d9eaa8337f3ca65a9ffa15abf23acf289bbc5cf067d

SHA512
e05256a2091f4af38fc36d55f3179d1f947d9cb5f2bb1df513fdb0ea80a2c69615981106190330bf56919db1b7041f4dac4484e89062533b747f0fbe6360718e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
809eb6e50b66d2ad469300f2e1b18c7a

SHA1
fafa583b19ca98642d8cd9ae27fbc568c54f5944

SHA256
2f8b45857aec01a2c67b617902af299088e16c21339de259ac88478241112ddb

SHA512
4d426a63ec84a8fde40f414f282980eb4cdf0b13d86bfdebe98dbb0b0d58ffe40e1ebf8ed2c69930fa74601a3a6cb01f3807fba7406d0dabd0ced226c8c92d69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
382c1d8997c8ec04f3757ce2ed60231f

SHA1
a2181110e8f8e6c757049fcf4d7bb205f831e314

SHA256
e0918314c7b47ea1f24f3f44de68350f04f86e9e17ac215247cc749420129af3

SHA512
fab6c45cf4ef805bad86fbbc2970ea6ab5e98e716e2cab091df3c567b2aa016a99dffd9e277a299360416f812edee4806fb5543f106ddb18961bb02004c44524

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1821793254195ecee30abe5c9e4719b2

SHA1
5676776202514af6dbd1d747899148b047d3074d

SHA256
6ad8c6cd5027c69304dafee758f95cf501b12037ee754b1c983b9fe22a51dc75

SHA512
f6e6151725955ccddf3c63635321febb7a5f81ca83fa589752e81c98a6cea45e36193270ba328f572f31d1580eda6cd39696c6e0f29f2f166e74e80c5ca2fa62

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
91cfab640622998dbc8028ddcdd0b5df

SHA1
aed0d58770ebb5cebb2974688ca4ce0dd99c1e57

SHA256
d124e39bafe7757d43e70cc9baa50595405c89d84f75ddee78425cce7d38086b

SHA512
eaf5e6565279517df0b92727af0445bcd4673d9d9377db39c5eb88d2301abb4620930b4fb455177b50ad5f61def5dd7f2b0d6d38120d1c55ffbd049669ff8c6b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0911df48f81d79dbee4fd59259af1560

SHA1
825cd42a2841578434c83868827e112ff1175cde

SHA256
ed39038ed65d037a4e3c1c045b74c0c387edf8bca91f30f04c30957bbc1fa71e

SHA512
a018859e199ba337bdea07781ca77e98d231e2f7cf341deeb737f0d3533f4095189a53e9691a28d557a6e7d25ead4cae3db20c97e7befc091251e9ba3dff17e4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
6f9f68a39f0566c36df28de64c5af1c4

SHA1
5c47a5e1ce6ebdbf2b6e3c1de48ad04e326884c9

SHA256
de519cede9dd4476296feb2be418fc56e80ab3c22d9a989bb6fa340db06988ea

SHA512
da7fde2a08649fb3ba6fb3c69d399e0f187891827b9b149f428d787cfa9319078c98c1c20ca4774156330a7c48e66e0c1912dbab93a14895d35f8adbbe95d234

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4a5b362e8055863b3683608f083050e5

SHA1
309f661fa12075fadfb916388e195782e2f9d686

SHA256
e9bdeb91e8160d4e0b1f0345b9f8c209c267cbace18a65f0ad7fe2649ddf8077

SHA512
18111e7ac5c18559307edb8c69973e1fe1f514376b14b880b3c55c70b961c71415580f164f8ea1a274d72f3f0e0c8c91d72628aafab5a5d19cdec04f79f822e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
56b40dd829c186893abea91f10333e3d

SHA1
f6266210e8853188931e8269b939a1af4b2bec28

SHA256
dfc38b98e120381c17ef65b277d69f62dcf1e1c24fc156e56cf4f78de2c6200c

SHA512
04e9d2f544a2077a503d4042eca069f637b3c341c21e9866053d4d0841ca00513c94ef87e5d983ad2e57fe7587e50a54ad58a8ccb27343f32b3cb1a6ff9356a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
300f7031a0f3d69bb89a9062cd31c6a6

SHA1
9fced86542311e771c44244f45c66bb5e8db99e3

SHA256
2a135b4f10479c24d666f9f3e61a9ad35e1a9a99a30016b8a235449b6277ae62

SHA512
fc2a3eda26bcda4ab9eec61467ec2963c25db1642097dc3020dc333a0f8657f13859293a4c97090c8ec58b788334dd3af49d8c274a35d21ebe33b536ec57cc4e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0eab3c02d44007f1bf9c9eb852f43515

SHA1
d6c87c314f8c46bf157e71838ff07c69ed5dd14c

SHA256
493dca946dc52a7f9c13ad03a057833b8964008009e49e91686003ef73a5f3a7

SHA512
85a8359b957ef81504b1398dbb6d7097515111fb635f6e544c07b8cb3e0f5a9882d85ed2adfb130b581cdfbb5ac3812104111e324afccf381f10fc0354583d08

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
73800d4000bfbcb2434532af9ced9eb8

SHA1
6544f434ed1779317dcb6adb47b6c7e481cd6dd8

SHA256
e924537127fa4c78d5e1a30cf62cf7e4560de2ef2e140ca8c969f85fb38120dc

SHA512
b581caca68fc718e44b3cb6c5d9e30b561a5b2b5860c49a1a8dbbc187372d42c3721dbf0989c72e30ada9b4d13e7a415f8aaf7b5276214acb35975c268872c65

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
727336bd2d18ddf31305c0d0d0f2e652

SHA1
6acb709a2e62b3cf160d03db540a0b43011e9148

SHA256
1cb4df906627db99e99469141bf71e643d0ecc1fe610f5bae38ed795da467d87

SHA512
f2655b20565c3ea8653e9f09226392dcf7329101d563bd73de9414c2ad717e5a0f0af539584ad1ddc08403d9f87eb3ac78bf4f7190a2011730166fdb8598ee9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0ae6ef4c71456cba95735d3e1d06bddc

SHA1
834a8a94192fed5aea12fe60a8b3eb2059b739bb

SHA256
bfb90bc2029f4b469d5e9d125499cde4d0e4823e52d195fe4547e30697e64717

SHA512
ddfab06602c8e538f4e209df8a8dcc68106fa1d54a3f197c35bb94f79820b63036a68a2be01daea88d35efde60e93de7ade6cabd4cbe3c35dde7b972cfa7e147

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a39112c682c1028b1ce646445889db12

SHA1
90c00ab88f6c7d5bd2c4cd2c4226577dd41741be

SHA256
85d2b90872dd4ba330d6cfd86089ba2ecbde461d969227dd253715c17ccc2ff2

SHA512
5d2ac0ac06535f8f46e502641b4bde155807c1ae2f5ab1bf617578f79989bfd8b35d9fd13cd9b64af04be767901ed4e814a6083e6e4234501b9f3cb1b49bd2fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
935faf44cf587aa14596dffe1e807baa

SHA1
aa643ef73656960f2ff8af8f75cdbf9ac27e724a

SHA256
829ed446b04b9843b43a5f16efe0aa224b7ce8be5a34ae6f223d1606bedfcbd4

SHA512
ae2ebeee843250d58cd091283998cb4d7f64a5b10836c47b2055158d86d10253a7fef57b4f38290ed74f54a20ca5d40fb08349af943ab6dcd8d0f81a042ea0e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
44226ae0473752cd6ddf85f2fca90e6e

SHA1
7021ef3828d53e6cf359c0f83d244904f4821ff7

SHA256
76a48c146c1a6c9de11289a1994a4771f1508bffbe1e663e289bf8bce58dd6bd

SHA512
4c64b1eeb03899a3facc97782120ea46c1a59852e0786c73608cb204901929a68dadeaa1fc735b975313113f04942294ef90c97e9a67a381ae04583f0b76cb51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
87b31c791945dea168624252d5083c1e

SHA1
d91f58d492c89705a706956a544b983b23eae76b

SHA256
02866a0832f8c9ca9a156d935ed04ad88500b43c53ac4505e535b788ac572ab5

SHA512
963ac11d3d1506a497150666a70f33391a1a3084f78e924a04fd24b4d7230e54749193922b821080b547f87111380b43b5f66db62c6705a228533b7f15227b4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
dfe82fdb1b7a776cf64a846f4992ea9b

SHA1
c511054bae990297089b38198ed18a713f72e5de

SHA256
22bc38e080174046de0f4564fb9c00816c50b313cfc27df4a18510b1d7770b4e

SHA512
d8f75ba11f6796091606c4296b72d5f6768a41e576cc33bb64a5fbb5a62967ce5cde3f1921506299845b54f5e4e3aac17725856241acfa9be55add7475810879

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f90ffe10b931be407655a637596658e4

SHA1
653384ff8494ace3265ce06d4a0236394817a9c4

SHA256
02b3fa7345052ae571262f7b71a2f020683cbd031c931fb1bb72753ab835c47e

SHA512
1b7ed180c36f6234273fbe1a6aa35441941c0ef773f69bc10d934a834529cbf348fc2e5db88ff9ca36af0ef30840c2a90158564215f84ae2bd18174fce03f431

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
f717eaf18dd586106cce0f30cdcd6bb9

SHA1
16852050575b0080dd74fd5e88f0c807bbb7eb89

SHA256
0095dad6bb20d21a3b0f0110cccc01bbf6872b79b70e3e6d1e5de16baa6c3372

SHA512
62add206c9247a639850f948888a541fc22996dc442e2f956df86432bd7c04ddae9f4f629f598fb86f8a32d7c51288b2914dd44ab886c834dbba90d526613fc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
26d1c17a6899b04cf983984f31b04ff9

SHA1
da13a143c8cc060cfcd8dae0713f6e3625b8c508

SHA256
f36122c68c0fda7f3dbd9cd0f20f870d8c626dd1877206502ad92e7aa7a2506c

SHA512
32144c0f5b44c3137f8543365fee2b4408edaaab695d1d59e64aa640ad18fc4e4d40fedbdb62d7c4755d728900d387d93888c76e8e85b8390ef5a6102b9d11c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
34b63570bde3d3606c21ebd1fe4d089b

SHA1
931b855e5eb7e4a13da82c6220b82685d2cce20f

SHA256
629d2c299e3c4b35ba5ade11bd44443d004a84608c9ca6781638bc5e55f59ad6

SHA512
f5f61c4af8922315fc8f1298e8c2b04649f16e730fb4321260d883a84ce0083ac4ac1b63a854a7f090d90cc791a94dac21c542f67ec7fdf46c9face540de6f38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
80afbdd0477dfc5f41b252cd61c8c354

SHA1
04ce543de27c5a1da9354e600678ae0318f65dcd

SHA256
13f2520ddd42e983b6950e13b9bcfea2ab0eefa1c43b26df0d6d0ea294a5ea04

SHA512
a23df087c453684b789fa5c2f588c0793c6012fe9d95170eab074b8133037a4e43eaf53eabd8d9c1576dfbd7d0b2ffaeceb906472223e3f5cabf0917ed74de07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b681d735cdf07159539e837a024cd2b3

SHA1
30002f5beb5f8fe3ad7a3ad36b1e9a050b6b34c5

SHA256
71f65f8b27069640576af5865c8b5503181e3b6190df187b6caa62e2b6418bd2

SHA512
22fbdcc015b2adeb4c89a3736fcda708bdda58212774876e4388512e13d98e25735462c69970bdaafc2ecc265d1ef5ae70ad9945d52e026725698d3badb9acba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
daa54932ee027bc67ec9a26303f23fec

SHA1
9f2cd781f7bb61255321b5aa93a2f299165f84fb

SHA256
a53c7ef586e7ee8dda6277c45957a3ab0c59a2a2782afa5117378c75dafec780

SHA512
b16c55bea82568471d0cc9fe03165a5a68b13631e9a0a1cc5f3cb4307251277a376b5081d0055e5851676c4fa7f5c474094a492ffaa803665b3a49d957eed449

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
9d052d0eb1ca3069314eb390988b1e2d

SHA1
a04f4bc7e6ee2dbf49e60c71eb54d42b1978291a

SHA256
556b79087da85d575094a5e009170ffe819eaabcc54e7308179b553e7345d53a

SHA512
e351e621977ad98d7beb925a9260fe22be64dccdd06d94cda8fb750b43d4f57972eaa55a63ef4a3a8b9c732e3fb55ea5215b4b07da891975f8bfd77499c2f24c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
0a1ad20de97dd67122179902476e0d80

SHA1
64c2b4da68f7e9ce68df62607880bd1e678fb22d

SHA256
6249edc8ef7dd6d93908cf805114d3cf173a87313121e896497b82aad7abcd65

SHA512
65cbb9d329d6bc852eeb2910616dee16e57f264e54c874bab09a35d85175ba95e7da852ede74a78bdebd36f2c93b6fff2e2bfa1756c8a3d72a30949dc7b657d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
6e0702a80663b87902de67fdf461e030

SHA1
1fe38e163022e168d5992b535864973709a5810e

SHA256
e396945b4662b0e3fe533f2006a4eed2251cc62a7c33965ac5211307c6b8a26c

SHA512
44b486b57c618a1f0dd928df83a5d0b70ee8d0d63b5272bd26fe5755ada71b0f7dafee749713025ddce7a98d5a660315bd793100c68da830c101c1d394a398de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
e9ee6479aae5df5cf92f5b47fb036f1a

SHA1
805a6f6ede27ed05858cbb1b2eea2d66d2cdc4e2

SHA256
4850fcc813cf5af8703fe6aff44f93894beb5e37ccfb84f0b778e315d9ff07de

SHA512
69eba71e1cf54b7d6b09ffb71cd4801040c5d5ef9756d60622e83528374b2f6d2992a6af08959acd86e839a233fa482bfc55e65b9e4941bc93a00fb6e0759b68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
f35c72457e2934f0c2dfba24ed5e13af

SHA1
ab76ce577da3e1bdef8a9da325a17116b0cbce6e

SHA256
12afa7c8d2fa6196037abdd5250c008fc55114d277494884479ee26098a176e7

SHA512
16f56b6b144eafad526a1d1a071cffad1bd38b35d5ff327faed593fc4bdef7a0274b84b3f2d664864a6ed9870abb9292565585a0e773729083af241ec604b70e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
d36d38fcfadb28a7cf72a3a3ab735d52

SHA1
8bc5b0ffa4aaec2677126cb587609bc10471fb1a

SHA256
ac915e92de7dfc3f7df92e474c80cd79078b5f5e78aca430845e821618ee2fe8

SHA512
2cec868978a7e92bb593c78d49d08591bc75c8f8fde588017d3ccdaaed188252c7198e64129832cd27c6b9c25d2a530c60e42c43939acac6f47148d31b1d31c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
88089b3561df774b3a2ac94e55f9dc99

SHA1
e13a3472804752d8257ac785c55b7b344db2b4b2

SHA256
03646786c4552f45ef92de16cfa28a43271705ddda8da56e65ce55bbac7a0ad8

SHA512
8f4e20bb022ece79b5843e6339e8eb2f19c79ee6dae07af3af9bf53abb9a2356fb7ac6355756b1fa8e470b26fcb3852d9fe31b0e4e8df00f65bd420433843854

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
4fb488f6c17aa56d331f15d6fb9e8098

SHA1
0bc3d7591c49ac7b2c00f654c4a8c8810239f6ae

SHA256
2fd1b99bd57035dfcc01634a2ff5c6e4147b7817803f7e2ded30b836b4ae8bf5

SHA512
ab175c5aab7cc74263288605eb357b1de36fac3ee841b1327f74f4d95e03e5765c46bcc83fffa30e4f20593f55cdaa7e7685edb6fa209bc922e15978d55ecc01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
325766202e54e1097ff53f540b49cdea

SHA1
896a2ff58cebf1513e58083131b6675cfdf856b3

SHA256
dd1fd077353bc1bc7a3100493088ee03f41bea3e8d40ae8ff33b00edff83195f

SHA512
b4155df0dcc78e409455c992eed7ae944e3829d1093d1fae1dbbfe9172512c10b9cee4e11500ab1dd2df4697c362a181403243f5da9c8eca7742acbb4a7c2686

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
8fcfb559c078dc838d45c6eab1580c0f

SHA1
05bf46906d75a7ab321111caaeac1e6b45537645

SHA256
a76ccaa2a436ee89d5afba0694c585aac112fa1bd61e59a49c27bea0455d74a9

SHA512
5ef6c5859d98590e585bccac68659c802a51937416239a23ee42651aab7dc6b6df979f98f266e173b318d8f4e82d9e4a200c0b1401bc838074214b8920963ce1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1c46a72b6b9d9ee2a5c0797599e42566

SHA1
5652601debbdba42d4f58f35114eca78ee751916

SHA256
8dab97e24e8a3f0d79da35cc025c95cd9cb147de6a9ffd09bc1e8ba1bf0a09f7

SHA512
f90173546b9706783f0092a0ab869c6f876aa52eae4dd021d2947108ce0c94396deebb87cb11b34b1ca813de90336db1de298fc0a247da18644d94181b9e2899

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
939ec9107d32344f336b7cc2a1c709c8

SHA1
ca701743af1d60b827637d08313d6547381eac4f

SHA256
567a9ab353159df6063b99c6015700457a357563b45e4e5c3d81e31facf989e6

SHA512
6ed7fb2cc0203089bfe2c81c1252502a5deeb1016536e2294a3dfbd17427da3e71f5c87b10db6a93a6d49aea0be070010cafcee9a4b9a3cfc52d52b85f659963

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cbf56f920c6578993c35aa0db65e23ec

SHA1
a876aa21a2d3678ac33b35d78274ca68d72c1df8

SHA256
9a50ebe5bcc37a2fd1757af2eb148879cc3eab01fa89e446fb7cf2f29171ea5f

SHA512
4212284ee0c54b248dde2d2a34807d1ec3e71ce36f416569861909e00fe001f9359c9b40c74416563dcdfecf89f8ea7b0c490fcf0ec3cf1db777505566e70941

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
aeb6dcd2d715430eaa22c6fa15b4a9f5

SHA1
b69450b6fb50fa357aea75becc5364b3eab7454b

SHA256
5d847d3ce909db6d48c099151e4b9319848138a1eebe4a47481275e4aeb4786f

SHA512
943ec890c811b2f89e0d3da218e5adff531c62170a4d1e877a408dc7fab2e025f12d995cf0171357e17dda887800382e32fb96f395bd3d1053b69c3831e45d1f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ed22c880508b463c3bceac5035f1c7df

SHA1
420c99ae65e24ad957d978932dd0fc2f468487d2

SHA256
5578edc8a881e0df3d25ce68ff762d019b9d489fdfe500bdc1b4b5a82ef428e9

SHA512
4644e5e037f6856d0ec9166ee580fc0d7200dc25537a87aa91a920d9f6d9eff60d319a43dea7ea0f3ac47b62cddb5556aee6224997608a729931293466661996

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a4288639c1b85dea20b0925b4045f3db

SHA1
2cbbcfaadc41afc13575bd53ba775f05f8447cd7

SHA256
9fa89003eea07b806e72c1b5ea78da53bc3fa3f93f71b748be66ca60b335c544

SHA512
c38affd83905caa2c45362529ee2b1050eb4dbfdd4675fc6cc7753105a783654fcead0a74453494ecbc4874f8f83b4648e4adff0eedc5377f52e2e7d49063447

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
160224c34f6b9bf6088ce766606a343b

SHA1
83daa58ec62cc66e41d5355e9307578b20538f4f

SHA256
31ff670dd5355c2aac9291334c9d63202fdd7fdecf5e675d4b1f635b2d665ae8

SHA512
818de68f75437d90970ba67d022400565b8e368d922a9167e70c73c8751c781e652d871183b159723b3f2f3e7b9c23c4db7834fd9573a3a306ec5bada88df322

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ab5fbaee89d6df51501aa5686afda3d4

SHA1
f00c97f090d95fd8ec204251876e1a45a23e556f

SHA256
7ab5d2ec596773d509cb8f4f8180029ad7328de15899ad1a1bea38e07fe6d616

SHA512
6d8b49f75bde61ff89ff77b047b5a1a92ab76d262533accd2de984ddaff76bd8874893d52aa0938c7e3aaf568175789c13b9ed890a81aef5d24f5e44b9a378df

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b157c33953a994e954afc7dd1fa56467

SHA1
86e297b3748a601fa55426032ddfdb980f8d4e1f

SHA256
3e688a65045ba956c6e40fddc183b06cb33e44ce9d3f617e8e0d8954adb38a36

SHA512
ec8a7a6bc9f5f33ce4b1a07bcec75c7d3e01c256244f6e0e17bb3f0fb651297c2b0dcb650f0c6cf2f4c0ded1569681ffa3f1b027ef5a3e102c3dd6ac3bc51a03

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b1110f55848a1d4d4bc5f3afbedf0bac

SHA1
aea7cc5c396b7423d915842e3a36bd3ce9192aa8

SHA256
6bc660a14af34833d2e412bca4a36282e6c9caa9eaa028ef5d222fb199b02a72

SHA512
bb42506fb39a87a4f03f34ca12c1c053c0ab31f05d8943e87af39d7d170452c3b2f8130a955f1b1fa08d39d48504fd208bd26a178761005b76b33885e70beeda

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
04cc0207058b8d93e7ce350c3a281eea

SHA1
c9d636e8838439bd8a9638535f6f198780afffc2

SHA256
35d222e977a61d5163db7bc730c83f29b6ca8b164f4dd0af4825c858bf4857a9

SHA512
ed6710bb1993aec57d1cf8a504071d001dec127206fefe18142af0da8f972dd0136f989fbf00b799a7cb261f2bd1ae677badb01353c9dd588dfac11e7ef2a212

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
71f436e943afa400b26f97ba02778858

SHA1
206ab2e91b68306acf616cd3cda29c958113af1a

SHA256
f7b72a82d50e09fe5a3f26fa2d7256f6e6cea2cb9c244457791394a67bdaca0d

SHA512
8740e60749590b7198b698d4f044af59f5d15346478eeaa739ff6e55f95ec0f516dc3f21ed51df4703caeffb0dfbda4dba1290e921f36e20259e7eb459cb8e91

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a1b5748f0bc0f2068307987eaffba345

SHA1
714c908d4867da1849bc2e60a86d308e5b54433e

SHA256
2d9f07547d5b41b946fa097ca80db720324b47096bdac12c1a16c55bda81f5d3

SHA512
4eb41eedda79fce318821b769276b7e10a5a3486d0a0f7a699accd2c1c826c149ef7ddff5f3b0df61d1a37e7edd89bd9a6ed62c2907d99bbf7fccf487f9989d1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
13cb25efff1087e0357ef6ecb8d0033b

SHA1
ec4565498dd4c340d69e3e950a268398f5877500

SHA256
71a98d3d41210d4bbb0f2edaeeddf0cc13bc1686b809eb3041b35e557fd1df25

SHA512
1096b1202841735ef9b4bd971a7673ecc464970e24ce961cccbfa66453969bfa328b2886886ab4dfaf2973dbecfe5898105f992192845b03e58c33a8d014df84

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e78d5c3c338a32322fe42ae24c202107

SHA1
6bec372adaba67164b8a6056f9ba114791da532b

SHA256
3e33a94bb74b4a3f1b053f38dae8218cabcd37509779d39a017ca8434d4c71c7

SHA512
d2b64fd7d1989c8610007ae0e0f6a8776a2f935bfc5a29483ba2de0ffc67b919d6c130f0fd313f1632449d0cda264b2f4e3d079b2afef49cc1e76ff884ac359a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
de0c2b83fc3bd7ad4ca64fd4a2d21727

SHA1
daafc9b678072838ce5034a90d15b883e6f231c9

SHA256
afee304e9077c6452957df44ea80d3063cc008a8ef69f4270ec3829b25865085

SHA512
2fe25ee8269c84203f5966e835244182feb173a5f6644182767396312b4e065b4ee1c2bb50f3aa25678aca6958d34ebd595c1a1e2c9b7f3eb3318fb64dde4fd4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
70a602b0ed60b1367113157bd92adae6

SHA1
110bbc9ade4d54ba99780f4bb723426b8cc2b854

SHA256
53c4875e6472daaf719a4c8579fd137329ef187731b3371c6aab94f94ee92c27

SHA512
4f27579ee422914152c35eb1de9d833b0a458943368409360008ac3cb4c3e572a7e172e2da772ea970c324e74ad3ce02a2c0038ddaafc28863ce6e2e17f71979

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
13e90f5fd24813ba458fada2bbf4af8b

SHA1
ba0f08bf4811c4365c696add15f8563c6f487bb4

SHA256
91f95aa08addcb8276ae101a6ac812ab17b30d67677ac70e87680ba1f5d1a8ef

SHA512
f731975983842683fed7e077482cb60ae7fa15f5756251b176d5037ca9632435cdd53c6dc1828dacc8fc3a63e288c3e175158a3709896dd06a67b7b447cd84b4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4e4cad1d984d9973b409177dcc245ac9

SHA1
028ee199f33f08d9b472d3ef8176928c6a8cb04c

SHA256
fc030c8d977ea81aeef8d7ce2d2db42784f63dfb7ddaf565f53e20ac62d15e13

SHA512
0f9dc7289d652d20c5ec60b43e3b13eb7d2b0d7e739e442d3b0bd6355d727aa3fd980b784b5918198c200ad5cbdd119c7fc849054e33f5ad8b06e2ccfe2efc51

Download Submit
memory/60-68-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/60-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/60-238-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/60-66-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/768-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/768-360-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/768-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1072-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1072-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1072-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1072-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1092-417-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1092-408-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1092-339-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1092-346-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1292-449-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1292-386-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1292-379-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1388-419-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1388-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1592-52-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1592-64-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1592-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1592-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1592-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1736-256-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1736-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1736-264-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1736-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1736-274-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1800-229-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1800-23-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1800-17-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1800-15-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1844-398-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1844-332-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1844-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1844-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2404-377-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2404-314-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2404-321-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2500-432-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2500-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2904-250-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2904-312-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2904-244-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2904-243-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2904-251-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3004-1-0x0000000002400000-0x0000000002467000-memory.dmp

Filesize
412KB

Download
memory/3004-6-0x0000000002400000-0x0000000002467000-memory.dmp

Filesize
412KB

Download
memory/3004-7-0x0000000002400000-0x0000000002467000-memory.dmp

Filesize
412KB

Download
memory/3004-14-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/3004-0-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/3300-374-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3300-435-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3300-367-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3400-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3400-29-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3400-36-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3400-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3636-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3928-451-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3928-458-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3980-337-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3980-281-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3980-270-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4432-301-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4432-364-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4432-308-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4648-401-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4648-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4648-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4648-406-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5076-289-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5076-297-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5076-350-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5084-445-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5084-438-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download