cb12d2f94507777927cd5d39dc4b458c01ea8d947086ce020d2f0a00675d5828

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 14:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb12d2f94507777927cd5d39dc4b458c01ea8d947086ce020d2f0a00675d5828.exe
Size

1.6MB
MD5

e13e1e7ce0d79f5b353350f89c8239dc
SHA1

e620f5df57b8f35e24d8e2aec15541432ea05df6
SHA256

cb12d2f94507777927cd5d39dc4b458c01ea8d947086ce020d2f0a00675d5828
SHA512

ce9490a5d6f6554a642b0ad5da94c620faa8adf9af6267318257e896dc018b756affe03bc8895b2237d5808942b8fe0f8df46852b65f1cc394f57797b97e8078
SSDEEP

12288:YP9B+Vt5wKQLc+8kpgN6f+5wQHq47hJXd8lTmIo/phPF9/mefm9lY1RR:YP9BaBemN6fIHq47hXgTmIo/phP3+7f

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3520	alg.exe
3532	elevation_service.exe
4808	elevation_service.exe
2356	maintenanceservice.exe
1660	OSE.EXE
5116	DiagnosticsHub.StandardCollector.Service.exe
1360	fxssvc.exe
2500	msdtc.exe
4444	PerceptionSimulationService.exe
4216	perfhost.exe
2536	locator.exe
3280	SensorDataService.exe
856	snmptrap.exe
2928	spectrum.exe
456	ssh-agent.exe
4784	TieringEngineService.exe
3008	AgentService.exe
4732	vds.exe
720	vssvc.exe
3972	wbengine.exe
4404	WmiApSrv.exe
2436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	cb12d2f94507777927cd5d39dc4b458c01ea8d947086ce020d2f0a00675d5828.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eb0f223574f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004782f7418995da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cde3f9418995da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020c776498995da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005370c5418995da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000559df6428995da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecb3cb428995da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b078b1428995da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3532	elevation_service.exe
3532	elevation_service.exe
3532	elevation_service.exe
3532	elevation_service.exe
3532	elevation_service.exe
3532	elevation_service.exe
3532	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3344	cb12d2f94507777927cd5d39dc4b458c01ea8d947086ce020d2f0a00675d5828.exe
Token: SeDebugPrivilege	3520	alg.exe
Token: SeDebugPrivilege	3520	alg.exe
Token: SeDebugPrivilege	3520	alg.exe
Token: SeTakeOwnershipPrivilege	3532	elevation_service.exe
Token: SeAuditPrivilege	1360	fxssvc.exe
Token: SeRestorePrivilege	4784	TieringEngineService.exe
Token: SeManageVolumePrivilege	4784	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3008	AgentService.exe
Token: SeBackupPrivilege	720	vssvc.exe
Token: SeRestorePrivilege	720	vssvc.exe
Token: SeAuditPrivilege	720	vssvc.exe
Token: SeBackupPrivilege	3972	wbengine.exe
Token: SeRestorePrivilege	3972	wbengine.exe
Token: SeSecurityPrivilege	3972	wbengine.exe
Token: 33	2436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeDebugPrivilege	3532	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 3736	2436	SearchIndexer.exe	131
PID 2436 wrote to memory of 3736	2436	SearchIndexer.exe	131
PID 2436 wrote to memory of 1404	2436	SearchIndexer.exe	132
PID 2436 wrote to memory of 1404	2436	SearchIndexer.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cb12d2f94507777927cd5d39dc4b458c01ea8d947086ce020d2f0a00675d5828.exe
"C:\Users\Admin\AppData\Local\Temp\cb12d2f94507777927cd5d39dc4b458c01ea8d947086ce020d2f0a00675d5828.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4176

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2500

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3280

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3476

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3736
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
77048762e61fbc6b8bc9aacf90209119

SHA1
7fdfe5ec2ccaab51e99e1a4b3309a7837654df11

SHA256
b2a8627052373ce8648f7bd2f77c7d581c74cfdc550f5499a3632ec11a55426e

SHA512
72900c06b55487bcce8d02e6d634333ada38c772eab48f0bb5d65aeb20b7f487a4e381e131d2b4cfc1e65aa11789b831e828c79de73a3c58db6968c364c1162d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
8a11c39732ea62246c92c7cb68d9554e

SHA1
0db1abbfe9b6f723f72b7ca9c65df9ab9f36f567

SHA256
80f6b31a0c0e20efa969241e9cd7e4ab5183b63ebe473e731a93275efa5b2511

SHA512
968492551b6269f1e276102bbcee68ad5a81788426b0a4d6f261601f8302f34b9c4b7c1974489043c17970129e4c70ceaf8d0a01f982eb75330fcfd2984344af

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
1a70bc8b20fba238af4729b5fc5c3f94

SHA1
d2dcc61426e6f0477f854de75604b0ec9873d6cd

SHA256
53810f4d93bc2d2184dec859aeb658f8a38509ba26a79097279e579174d9e9e2

SHA512
37c692511f21ccba91726ad83768a8dae235946dd2326a6966b3245f0fd822e23b213e27819eaa1b8927eb6996c7b1fb975586264fbfe97f47612592cf0874a0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
def892b22ffdcd17fc6b5e63120def8d

SHA1
f7aca60bf80472a6196d808114ca973a6dfbbcef

SHA256
2be5dd7b62b45f7f6d30a15e050b08e0d9a2667252ce9af1d6986d32691f9acc

SHA512
a59270f0858c6053291defbe2ccf7b4ba34bdaaa17bb839ba6ac4146bbfd6b5a95f4484fbb2aba4d727a5cf9fc0fe01de0e872f06cb523e5e41e05c0ad065f36

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f6f85e1504593ca3198c2fe3407a74df

SHA1
ea8aea66cdc69206e610ee3d344e11ebb9b24041

SHA256
4881c4c69465d5a72f9a7fd12a8c30eeb30f37d594572bd631b8e833b4bb4a34

SHA512
5235aed52b70c85589c65e50c6d7d775b2eea941ab9a87d9e7b329b944cb43c1470db96b9167e1fff3febce222813ed277171ef124fa79e202c7b6989c1fc50d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
4c2dcb61accf99e00291a60119225387

SHA1
69a9ee6ddbe01a2f3a975756b647fcfa244b4048

SHA256
6651773eb23b6096619183ba1ec6f43394bdb78b28d6ccfa7aea0066b15cb22c

SHA512
ba483e046a9e37237b06a8f8010b372ea630111142c21c5a24371192b0905df805983301c3365c3d7e25feea4e7ae13d4367db89e7d7b1322a8df20e69cbd104

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a01b5a470481b4bb1c44698930a5b482

SHA1
17452dec357ee07155a8b9b1c954730bc30cc8be

SHA256
02f53c74f90a7c86404668e2a9e31143c14239c8f99d6c9225cdae850a820116

SHA512
9f24b0702fb86d520a6966c100e0756f1b67bfcf529977b4e0402912f631ef01eea8a8da906ca686f0c30223817bdcf039dcbc8feda67453410335f63c9f8ea1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fd0865443076fbdc9d5c2fd16a713b30

SHA1
23efe05ba7b59a53d28135c8e5995d55d23619b7

SHA256
c5060638b71616914087f3cdab552d3995cd08428d61d01d4bd3d3c549e2a0e8

SHA512
8751bb157c0379136313a3d58ed3fb2bc538b33c2bbca53988add92c560d41d1c446a212e1d16b56287e56f474dc2e182a3a0f7c107d4b70ede3f9df79d9f46f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
4f269c30b8f7e4d7542140c055f1ad01

SHA1
74abbcba52975c8825c8c1ce62b9bdf94a276b6c

SHA256
7b0b36a69c67d467d28fff9187959cef7963f2f2bb9463840ffb52aca14ddf40

SHA512
1937c6e36906d3378529a01bdbd9afed58bd697b4f54d8d2c929e02dce63e4ccdeb058c8de11cf7416c9fd14312326934a69cbec0ccbca4affd2bbb93abe0644

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
52f5e1e0230d1492bd0dfead73f370f9

SHA1
b582c25bc5fcf6240eb95fbfa1300addc4589a76

SHA256
863edeff1e8bddbb60c1bd750e36b1e801a04d870e7b07ccace0ebb5cecfbfde

SHA512
f13cb7456f068544ad1c2d3e6f74a8c900ed99bae5e23c56efd9abbfc3415f17301b9b91cca78b00aabed7a71e61e63106d41e1fafacc449419809b78fc1f4ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6c2276e71fd6156ea5748a0e59af01ba

SHA1
61a4941fa8bf155ab01279257181591d56889aa1

SHA256
689c8d947d599ecac81d6b6503665a86236d0122b8709d9b72b11e3fe737dfc1

SHA512
f78968f86fe353210880c0b6ca45c1b3c491d22fcbee0ec9acbc22261ed7d489ceb60ae99ec612c4e0ebb1303c055350b84976b3a0dfd8eee4c4cc210024208a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
05d9efe14542f0cf3f89b0f425480f82

SHA1
a032adf1d37b48cabc53d26da5d175eabd239b57

SHA256
d4456851ce758c2a7529bff9a3299a76dbfce7c1385835b78d067cef7d6c9ccd

SHA512
d6c75ddef1fa32f2e6ba2487e14233b9ffd6c72ff0591d8fd861ecf2bdfefea69257aa7c65e8804e81dc5fe9234df780ed4ed8f714b3e9c8a530042f1a195791

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ed79462aa90eed0c6f56c83e43d7ff51

SHA1
d37bfb8c0347aa984daf4e70d52b2b3fe61e709e

SHA256
bfd712d936b8bdcd580e194d98f4e7372daa1e36ffbe97f9ee704038dacb5f25

SHA512
bcdb74130b95cc52160d15930b47ac6ea8c20ada4f579bb5a206394b31cfba7be1367487f6fb6adf1a7bf0cc5ec958db3020b91e7e92238ee0d8883a1d41b3bc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
d39b573a5c55756c5fc5ee603998d09e

SHA1
1add9d5133d31a35aa596afc6196a712f021460c

SHA256
d08eeb8917d8a67de501b2de98cd6501a0b75832c4fed7ee5ef0be8afecaf62a

SHA512
ed50c23bb7a453999623cf9f5146cf286c48cb8c8fa6409a83ea9cfcd390a4d058fccef7a6c7ac5b1c3816b8b03bf72d228ab692014ceb2d45519a90010203d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
30bd095d947393b4da3173f40900650a

SHA1
6c097a7edcb3e52271a6465f8c163cc109153c3a

SHA256
38147902ec56cd1c77864aa6efde1a5560637516faefe537d3f933964e60bc3d

SHA512
efd02f97cb0839152190465abe59315dbce4b45c49d661f60b007f95c44d26fb3575c73d37fdba3d4c518b7c23159497d8c33969c5bec817966d9fd96e5bce14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
48aea313d4a949d3605e5e6228c468f5

SHA1
c2540fd000940daaaafb8e09d11abcd26557d380

SHA256
d07d50ce673261d61646f3679fbf4fc11d0408cdf9c2daa789b5775ff66b0299

SHA512
9a326ab44ceaccc3bcc11a2e40de2b54afcec7520ce64bab8b5e7b525209eac2755a4388216a3f4c4ab459ae28fd9a7720bc5a775da4f12828b297dbfc826358

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
63521204192eceea6b58497017906a19

SHA1
a572f525b71ac2c65160393ab4d04ac7dd380b8a

SHA256
555a30e889ef0ee49e02dfee4d4993571e52822b60d9e5194ac5c95a71aece11

SHA512
429357365f3077bd9e12a3fd3c7e76b19c37688d8cb100076ed13665a88f1931122449b3601c48fe8a992e62be8ab7359382304eb6f7933330d6eb9cd9495fe9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e7378cacb659862f1b97d516238fe7b3

SHA1
bb0715c4ab1dc0bdc08c8134c413e54cb641bc52

SHA256
d8545fb807a37f4cd84efefb18f3435856f8028809d3f90af71ba25c19ac830a

SHA512
aeff05b15ebf1eb01c7cddeb2333c477152358d0ea5184b467b297feba03033109c9966a01fbebebbf17a5bd923e8d754bda14eb53061e24a025ec5f69ec7d3b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5b4c355af67959d31b3e8c4d0e5f921c

SHA1
ee7f4485483c9aca89b7f6ef12c1feef7ceb7d3e

SHA256
14e8f56ad7e7218274c27418864649bff5ff752d94893ecf0d6305192382dfa9

SHA512
e44a94034fce3d15da5f2b9a69b3eeb81c093988c56afafef9c1bd4a993042658ecaaf03617a586fe4c5013022d73befa4b09d15c1a4d09ed93c7272f135a0ae

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
12ce82467b97be2238fb95a4506bf693

SHA1
7dc667a768d87ad440eea0c70bbbe7dca71430e7

SHA256
214ad98709af89a1ecaa1ef1254bd3768e5539c7f639806f8b954c4040905b73

SHA512
2a09eb394da66d78f4041d5732d181ac002ef1cb095fd8d3dca32e7bff62da34ca87208f7cedd5333f13c8c283581329d9ad89bcd14586c88b0778e476ecfd1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
4070dcdb5b512e8e18ea270bd8eed928

SHA1
d281040dca69bf7deb6b80fa370c71818e94fbcd

SHA256
86d2cfca1f412d7fb8acd8463df365180e1402426e4bab0a2de046709405de83

SHA512
3b075aeba9b63928af0ef39f519d0cfe1955dfa69629fd0a8db356148da5d35fbb53030d2aa70b022084ce44821025cc9bbb40f2639d5e6f062d3e3f26be6c4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
4bd4409c4151841183fb0ee73813d78d

SHA1
42470d2c5e598b498e7b9cf54aaf5d7d9191cdc9

SHA256
94f2cf2dc240ef14c244489690a95b18b8fb60b266863a1ade6d3abc5131faf4

SHA512
878a63a71661258fd488f726ae09079538aa450cf083a2baa1eaa4c9acb0fc97b9652e41fbe3b4fa245504a7af21484ea8717e980c8761df3ec6ccc7699d46ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
26d5299d0e5e4a3c94f573083dabc08e

SHA1
e16d4c318a60da8f52037f281f4015847cd4275d

SHA256
e8ba357c03c53435c812025775b18904ef63e6e33e742e9e357d2af9c90f9405

SHA512
2de15af6fd0207d9394dfa4726bfcee955a33799453085d99c6123fefd1f861728a0e891c469cdff6fb83589b9e7385ed6ee84db7bed4b0a4e8a911a990d68a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
d3be993a711e4dd633bba41b19eda646

SHA1
565b2f218e140c595926326a414199c19afe4566

SHA256
91c99036b0e0f8510a6f9b97f0a9399b46ba74173b2c7e4193d1345526973e4f

SHA512
2929cba0baf8d3c82d1fec3d7428f395102f379959dd0a2767454bf7ba34218241c090df81e99940873a2196c172df0b0fad284ff4b5ae4ba6f8a560cb279b08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
1d0cbbf1591a681f530ea47e338ddcbd

SHA1
aaddc59e32fdab880d44c90baeacbea2bfdf22c1

SHA256
fa136d35afa95321870750e68cdbab79a0f233b8240a16985e3820122ec7bce3

SHA512
8edb7dd9e844c9d142f2e900b2b6ede6339127404093a2c646ae6766903133d8b8a87bc5ba235602766ec3df19dfae08dd341eb6418d96cfa0fa896db2831d1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
5653676104f267f8638c0f67fecb1d25

SHA1
09519ff31cfb766142debc2bfb382122e0008506

SHA256
b42a596cee07cf805bbe71584fe10d5e2f9265b1c4e876ac5d8e6892712e032c

SHA512
e2f474081926856cdbf97337de44a9045e34a3940d5efa99219cc18996d676c65ffc3b6c03ddaf65f5df6912624179bfd20218c7cd2c5228f99b6e6ba860666b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
fca11ab487dd12148558f057c9dce887

SHA1
a356eed04f4af44c4417bd1f0cfd4fa2efd9f929

SHA256
82d4249f3de397fa65e81bcd4f986c4826986ed4825d8ea2b08843d4ca971297

SHA512
398e4090af8786392f2bce671f3f97e412b496f7253db3a2f2f1461ad88bf17e8a634cdfa5e18fab5feb6669fe0f48e5dd22c6b7235ab6f47f4cad7f4d5b7d6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
8b6df95db3012c57288c73756087def0

SHA1
1655570b6ff787d0a54d89558d1a7808cfab1c00

SHA256
9bd82333651ca05637d5bc84d0d1066246904bbfb03bdbe5c0f4a717705071b2

SHA512
6c0720f0a520f49983ce9f47abe8b0811fe05d353e7c3617a47ec4c8b124303bc1a0326f961d081afaf64ee57a9375ad5563f512d5b925c41526ad643b6a9f14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
0508ebfc3125e937ac13e1df243d8def

SHA1
65201653fc47549010c28e5ee84874692cef289b

SHA256
49b1f90681a2f753afa404a50c2255a5f219c0a2c06f7f6a7c15ce5755936750

SHA512
5c5f981a8457237266d2db686b9c3abf07da0dbbf187013273f5fdfc2318cf6747f375588b0629140993a53c7bc13a037b09901684eb373d7f3665087e968146

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
9ad5b5c0a7a27079a944e6b5a367fd39

SHA1
8beffe90d09670716bae124c0a8f4ccbd8c85cc2

SHA256
3510e0d90e3fd5c6aaab8623e1c1207901a2e9d7172293d7ed441027079a7574

SHA512
d18bed84087d6cc78ecf6afd25a913e6a646cc6735fccd31709c72e6b479ff5c7902528168cbfeed43cabd34a817813325b1308e914de8af5af513c4fe089e78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
b260bba4d282126e4bbdd79372860841

SHA1
243ad98b424099722eef9116c8692fbca257469e

SHA256
5098b42e145907ef8657960a18635adc469019acb54e6764170829571b21c1f5

SHA512
51d959b1cf0cdf4ffad8a7a30bd677267a94d55bd20a7c712e3a949dd3e5f837d79445317585a84631afa206aa0d4bddaae6d86e86bfdb67121ae18ea4f2cbd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
cd6811d2146551f690412f8741a13252

SHA1
56a9a1b74eacf750e4b740cc57ac560a9a97ea01

SHA256
8858572b0ed10f33f1d78dda7138fd6abc6c59f2497901034109d53c64438cc3

SHA512
6e9b67c33738fcede7f4b77eaa3ce3acfda3fd54c97e394d53b3ec15db77df5607d228dbe0a94dace2b5d53520c683800f13aa6b3679bedd813c888d3852ff54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
0621741257b56071a8bc74f88bc59a73

SHA1
78cf7b35102d6962f5c17b360112cd661546d472

SHA256
32c32828374bad9ac101e6808cda4dc258b9254ddd2d7401f01452318798d8c0

SHA512
c16960bf9269e50f260517eaadc221a7e9be2ff8adb1cd38b042ebf02d07115a63878869135b240c367fc0baec312610edaa04470baf2ae420dd3961afb6833e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
2096b7eb2a513ca97b4752756c4f6979

SHA1
8d67f24f2e5be3f6650fbe9d2c1966352322ccce

SHA256
86a6a4ca77aee24112c75e8da1e1696a5f5b791e67d53fa62f4bea88c0fd81bf

SHA512
a6259365f375da37d1a1d9682b4f3d3a88d6dfb0f450f5adcfca579370a1f9345ac9cca8710d92fb2dedd701e2e202458b0eea6bd950d46c6561849d8af008fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
d023139483986e9b233617a249e4290c

SHA1
e0b6005014bedacf2d47bf7f03a18cde5b90e929

SHA256
20a55ce491b98a1f1a8b7b83aaf636158192bd84e4dab67012bac5a81747a0d9

SHA512
21e0cb673f2f1b8e216f6fb269a04883733efc66259c7127366356d2ea899c72f0fd7c355610c8b1856a1fcf9583deab5a1a2004f9243772513218710d78c47e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
dba18d925b841a046931553f721b51a9

SHA1
3c7feba005a637b5ccff10b128bfa22d6f6da70a

SHA256
9cdc5ea709e45baa6e0b4d918f68f5d141ae19e107d061f4a2ec3e18c4108de0

SHA512
b5aadbc44841e2528294352788e8992b4274869fca09970caef21800c3a3db5f53c35db816a885b4d7702e43a02d5d39ed004561709e0d9e56a6a72a9f059e4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
ed5de65d4b9d264635b5e857d4fda396

SHA1
7e5ac9f7e5975ce60606d69a9f4ddef365a0abee

SHA256
a95dc257aaea5ccd9f3041588dd791e03be5c9e4b9fc3a38a07aaa21a0acd8f5

SHA512
80898fa58af53c6e6620a46ae16b418ecdf630cb48b6aee1050e555db1e08ca8d579f5f9af21144f8340a2483fc9b4ca5201c2eee6b0ba335901aca71cad46f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
5008da84cd06ea103a700162ea90aee0

SHA1
ab29ce5e9489214b30cb47da72dd7386509c61ab

SHA256
d183846b132803544ba2421ed6a2d9e0cee8e3e5f4800c5798c1a3ec46f669e2

SHA512
d6e6fb51f6bef601cd87c090fc383e7979e6a642b8a8c1db4c976fe6cf8c21179694ea7d9e98cb6db393e05768ada4a83089a78d51971827fa03dd29418c8ce0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
46ba129567f4bc9b8a1e4286ee5476bd

SHA1
6b749dedc3728916b4cb139f1d82df81bec14d9a

SHA256
752f6d059c4f59ddf51ffdfae92292e32c62bd8a634c76157b9842e8a8da6a3c

SHA512
b91208d8c9a715281688ee660040486f1c523f94a21cd74149d2debcf53d6b5d96d6694403f6959f3cfddf3b48d3bae23513b861239db83e5248ff1e4e37e6c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
d9cd2e9b266429693c5d021fa3ce8a74

SHA1
72839470b67cefdc5f5c646259792d2c873b8df0

SHA256
0581dd82b53fc91d274bc56af8e9c7c5cc14a77a989175db1bdcfd262fd14b45

SHA512
faaaa0cd24d1e164f54105f6bf1a39476d488f9bacf92482da8337d71778e6e77d7628c44eb421cd3952473606b55c2a39570701591b8081429c7b04ba5a3abb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
f53cd2d6befcfed6d40655b65911607a

SHA1
e3d73120b2d4bdead533c446dda162adcd277fb8

SHA256
00349d77351ed13b85f46c3ab023c712e334039d250113634be68637d2963821

SHA512
a76c3c27a20d00807dc0be72bc29e3c7737e56feeb3015d91cbdfbabb3a69a6426ae85dead59093170e7c3fdd433e9271e1e12cd68973b98d6af13e31543feb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
9adac58e2df890e940588eed6fe722bd

SHA1
af76c1eaffc2588176b630d2e097a6d5e8a3abd8

SHA256
13075786fc171dcda7098214ce729a1a874f78f85c3e7bd45313fbd34f50469d

SHA512
1060a5efd7f1e6c172c64494bed7271bea290260fb13369966917832fae3dde4e74e9a86c1e7465b7121f19a4de6fb829e0cdcfa1c48a80fca1d56d31cc94b0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.5MB

MD5
4a5671fdbea50d6879723a29a82d19b4

SHA1
808e972575ba38252b90fbebf420e2f32cb72259

SHA256
54fa0c28e3c59017ae258c1a162b641b8c5c219ca676ee7be32a01149678cdae

SHA512
b3f15021dd5409c412d89f6e74808dc008a590fd6a4877c19bc5ea624c5076bef485ebbb220ce938fafbbeef6d53965dd18e93eabce7755e2f57be82134a160c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
1f1d20d98b2c79d16a27f2edeec3157e

SHA1
6ca6497af97008a95c040aa52b4dcfdb725d990a

SHA256
f6f6819d98a7dbabe572763fc88215423a50038790cc3f451a8dd8db436ce1dd

SHA512
ce2d55086c8946c7af6032a4e893e8946bb629d832eaf5f8b693d4881bf43250190c0c54d0763b7c3092589d8494411b3f618e44a157161790cbbf44f651d57c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
cd92b95a53ba8b15388ae05442ae1aa5

SHA1
859ba165474b4eb997c97b52231337bb62f248fb

SHA256
c4f1eb8e5dc69da5392ba309fad6131ab571e7a53861dea6362a995c4ad5b7f1

SHA512
a9d2fef06a0cfea4f2b09be10ebec2d0d6eb8be35c79502d4524684ac287aa6da6ab8be5c8041000075ccf2ba6105f8bb0a55e410eb7f14284b0b74f054c83f3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8081797463d3b49ecd9133258a857013

SHA1
72f714da3a07343c63de143c69c2b09bb02f4728

SHA256
10f6b17e42b4125be8e3c5cf5411884afa87fdc60ec9932787893f000321c6f1

SHA512
b30314f7d2419eab9f57b23ca87a506970252e2f11fd2b519fed67eb35e97c6117744c7bd197461ff7492a85d94ba7fb3cff925c57e1bbb6d00529f0c6285123

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
4e4de97191a9ff915bd57f17138b1dc0

SHA1
13ff675f89202a23c51e9517109fdbcf0c53a2a6

SHA256
47e119abe569a387bdebbe2e03ed13ff864d304820c0779eca575208eaa5f964

SHA512
acd1119249bb94e1052ede3d7764ff6fd27f049f1a94d0d6253516bf4ae24408a2f1e03637533356d715a8d3f7462162b2764ce6c206c624dacc1128f18fedcc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c4853a0dfa9c56a3b0a2dfcbaec9bbda

SHA1
ce27b4f7a257e93617ebef43e6fe99bbd084778f

SHA256
53bad63ca75ecb964dcadaf10e5ed28bb5d5e831ddd1fa6feb21074e31421150

SHA512
434230fcb523897d267392b5dadb44ef7468d5c1c4b728673f153aa11707d57d87acafb918b9c5466ffee5c010a0abb4ba3bb389b61e0257ea24e187c22cd593

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
87ea1b62689f85810609e04f0803fbc0

SHA1
0f2e2bfd4f6daec2d08f154621057b601d72629f

SHA256
63e21a3d82844f79fc891b4af0ba258635e02e8893a35e1ab2020a7ee2c780b6

SHA512
c72876f9d1a8e9d40a1d6b4610be18b6969915565ff91a604e74693d11eebb83d787d0b1e773a18b00877b53c8feeda64e6007ba8ec6641796a35738ffa4c2d8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
5b814e3b4194cfb90995805392aa3d9a

SHA1
16404fbc36e9907f7b171d073c3de2aa8a7fd38a

SHA256
0dce6ab219b52bde59a8ab003e6f2c20eb780c2ae50cb2232a54991424110310

SHA512
6263875cd653b1d145511dfbe6aa50cebad923d78162783accfc2f652ac8f2ee10c9571c4ae14350f06e52988692d2fd00c84a46ce9e085dd18722a18a524dfa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
a409c884914b11f042f6be168413af58

SHA1
bae710b203e1b98d7a3ec8908c5850525f05b37a

SHA256
a865c0e95edd28156534517e52f825c8b225eaeeefaf7a63face2be78b0b7bbc

SHA512
7c2b9a5166d26f5313e42c374b923ff2c98352c5263922cdb758a32e8d845f3e10ceddcc60b18cb467c1159ddb45173f0015b98970550227a791c6fd0d8d3372

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7d68eda7d12b089253be2eb596a08aa0

SHA1
0f040472549adb2681ee57c395e3f4e638e7e143

SHA256
581b43409c070a4dcc7971bbccd5380582f06d314b10a28fb82beda795ebf682

SHA512
dec702bc08eedcedef2d24ed4be645802ee1a3a73f5e770b110781cf2cbf867e79704cddf25eb37fae83aba403a1844ea0ce332710877b2e0d525ad435ead030

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b29cd2815338429885be4f03b685b181

SHA1
f477004291a83030b75c1d89d7ed950ea4447722

SHA256
55353d8a7a03d1f0b2967bec60abc3c598b699be23fc35fd507339f87ac3245e

SHA512
f02bc075369fdbcfa829f9b4e93d861f18bba76286a1f38615745d8c8cdbccc5fb2fa05759e62fbc63b689389cae53ebb5f3809d5cfaeef6c8f590c77708295a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9efd7aa283dc968f147f5b4dbe2e5b36

SHA1
65628c7529a9ae4298d928466977a107249e4ed3

SHA256
696e1f64897489b742251a4b8fd1b04acebbe332db1e2f82642820cf2124de9b

SHA512
cbbaaebdb0902a54c4a95975214d84d752dc4398a5578232390cd0d3be5f98bc20d868332eba59f7320e9e45322b74aacf2cece49d650baf5d0c65323decf7d9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
fbb23bb6d6ee3105ee14f1366e844330

SHA1
74f718f73ce1344ad77ecbde6674cf076a095f6d

SHA256
1b08025f9fd6acd5dfdbc5d028a3e90ffefab1fa5aa2a020373da4c33a528ec3

SHA512
17fe8aa1534a360d9c2ea77d14239045d2075aaa827c52d468915975ebdcf24452c0ffc46a8a6afc259d88c2ce68650b1a50ec1a3f079a2e474b2a329863bb46

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ca172a9e6d4d22915e4b22a904d00b24

SHA1
329378d40d92bdea02c198c8da9f1818a8ab0ece

SHA256
ae616ff6d4ade33706bcb7a27085f79f92366fb75efda3238bea8354e95e02ff

SHA512
21a2a058e2a9d3dc7288201f13d4318fed4a6aafe8f1d2a91f2d9a0eb130af409229740a948623d8fe091ffcd9f2fdc3835401132eeaf060c7f9cce3e13760ce

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
fbf5d9684efc8e77360f3c457fe22a07

SHA1
37ebf4fb9c7f9f79d7d1d664769e021de2ec3e01

SHA256
f516d98be01c1e4013e1a9d2cc0b908228b3de8e6e5395359f33599729b7ef9c

SHA512
a5fdc8ebd65ac31728385b9187325d2f59f7f23312cdf1a31288475f3eda3db46c37b8c23e9aa57a20db517cb04ead3b9e57f9ce18c7896805d74e221ced7ebc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7f71ea1ad49c963883ed2c0912c9b259

SHA1
f19b50b79eccb707e3265c9b5de989caa376b721

SHA256
bb128f98a8ffdcffaf80baa732ded8f63e6c94243ca15a53c5ee05feb372ab90

SHA512
6d723089d76154dd9c9377b5d940530b662e0424061a3e721c88e75b50fea4b1ee80a33c75b8b5396e8e04b5b8084181185aa86a470296a74661bc7f492ad8f7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
c014b71220bba245dbbbc9a900fd2cb4

SHA1
980ea0808254a9ec696ff275b784285cd4485958

SHA256
52c5d26997001ee3afea86b7aa80e28be3a84e6ed1de911007b74b868e19f5e3

SHA512
10d962033f9670856687b605c34a3dfec3092d7888ed445ed5daf7e623aceae56858647c550a153d3dce17bbb48be9f9954f15adeba632d5782e64ce2ca6a92f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6e98ed2eed378dfe0b3b85ba4ca6a011

SHA1
b4baddd27f42bdc64076c384975755c31a6ed03c

SHA256
03df303992582d5d1857aec2deab9447ee5f65bc046724d6eed64c6be0b3f585

SHA512
abd1a29ce1d2587fb8906bd90c12a3d25e061080ce05f780d20e140056b53aa292ceb4883a3599a396dd7d6afd3ab2706841e6267d6c4ba80f5ea1b50b54600c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
a086f7dfe056571b293e44abd50a8aaf

SHA1
76343058c613217a6f5704a19162f39f2b8e09a3

SHA256
1fd282d10b98e870d84f6186f3af723a9b6d112ed48711a2d67bff58fd01c0d8

SHA512
a4781103b362c75ad9d104e540342428818c3edd792c2149f62c2cf627bd684f91ce0ce183ea08074bb65baa1cc9d96d01636166a1b4bfa32d68c3c348cf46cb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e18d7ea8041ad9b9aa8ec328585460c8

SHA1
cfde6df089ce3664247b26566f72aae74dd3f7a7

SHA256
417edab35354f549a5a1cc2d6da83fc8ed4a0b0dfa95e144b164b45c85dc8c57

SHA512
72033a6bd9967627d6fd2f84e7cfee7e6595ed1c1ca68dae0956ba4e1924d03c3259644074ee2b73926f1505e16074f58cf038e4dab9a1463d1f2532e36dc50c

Download Submit
memory/456-373-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/456-365-0x0000000140000000-0x00000001402D7000-memory.dmp

Filesize
2.8MB

Download
memory/456-433-0x0000000140000000-0x00000001402D7000-memory.dmp

Filesize
2.8MB

Download
memory/720-430-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/720-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/856-406-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/856-339-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/856-344-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/856-416-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1360-269-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1360-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1360-263-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1360-254-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1360-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1660-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1660-67-0x0000000140000000-0x00000001402A4000-memory.dmp

Filesize
2.6MB

Download
memory/1660-66-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1660-238-0x0000000140000000-0x00000001402A4000-memory.dmp

Filesize
2.6MB

Download
memory/2356-62-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2356-50-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2356-64-0x0000000140000000-0x00000001402A4000-memory.dmp

Filesize
2.6MB

Download
memory/2356-51-0x0000000140000000-0x00000001402A4000-memory.dmp

Filesize
2.6MB

Download
memory/2356-58-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2356-57-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2436-468-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2436-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2500-336-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2500-279-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2500-271-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2536-319-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2536-376-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2536-312-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2928-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2928-358-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2928-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3008-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3008-407-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3008-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3008-399-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3280-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3280-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3280-332-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3344-6-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/3344-0-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/3344-12-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/3344-1-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/3520-14-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3520-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3520-15-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/3520-227-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/3532-26-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3532-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3532-34-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3532-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3972-443-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/3972-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4216-299-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/4216-363-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/4216-306-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/4404-455-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4404-449-0x0000000140000000-0x000000014029B000-memory.dmp

Filesize
2.6MB

Download
memory/4444-295-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4444-349-0x0000000140000000-0x0000000140280000-memory.dmp

Filesize
2.5MB

Download
memory/4444-288-0x0000000140000000-0x0000000140280000-memory.dmp

Filesize
2.5MB

Download
memory/4732-417-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4732-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4732-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4784-378-0x0000000140000000-0x00000001402B7000-memory.dmp

Filesize
2.7MB

Download
memory/4784-386-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4784-446-0x0000000140000000-0x00000001402B7000-memory.dmp

Filesize
2.7MB

Download
memory/4808-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4808-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4808-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4808-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4808-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-244-0x0000000140000000-0x000000014027E000-memory.dmp

Filesize
2.5MB

Download
memory/5116-243-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5116-250-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5116-311-0x0000000140000000-0x000000014027E000-memory.dmp

Filesize
2.5MB

Download