8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a

Resubmissions

28-04-2024 10:27

240428-mg4hxsdf46 7

28-04-2024 10:21

240428-mdncjadg51 7

Analysis

max time kernel
291s
max time network
290s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-04-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
Size

1.8MB
MD5

632170e99a4c30b8ec0d4cfb3a1cecb9
SHA1

aedda2d4339ff9a90d6b3c5438549c5833212f4d
SHA256

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a
SHA512

4a58424ac1d4807fb665397d36fee6143e20b7204ae648aa2ff996d1383cb033d2a7de39487d1fb36fd19d483ba68ef0a8a226d7d9e507f7597ea5ded30c6d56
SSDEEP

49152:8x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAykQ/qoLEw:8vbjVkjjCAzJNqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 19 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1048	alg.exe
2412	DiagnosticsHub.StandardCollector.Service.exe
2208	fxssvc.exe
1008	elevation_service.exe
3884	maintenanceservice.exe
4108	msdtc.exe
4860	OSE.EXE
2844	perfhost.exe
4744	locator.exe
4204	SensorDataService.exe
4884	snmptrap.exe
440	spectrum.exe
4648	TieringEngineService.exe
3888	AgentService.exe
1528	vds.exe
3712	vssvc.exe
4360	wbengine.exe
4728	WmiApSrv.exe
1912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 51 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exealg.exeOSE.EXEelevation_service.exemsdtc.exeSearchProtocolHost.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	OSE.EXE
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	OSE.EXE
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	C:\Windows\System32\alg.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	OSE.EXE
File opened for modification	C:\Windows\system32\AgentService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	OSE.EXE
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	OSE.EXE
File opened for modification	C:\Windows\system32\AppVClient.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3071c824b00c2a37.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\vds.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe

Drops file in Program Files directory 64 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exeelevation_service.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exeOSE.EXE

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM5EE9.tmp\goopdateres_pt-PT.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	msdtc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	OSE.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	OSE.EXE
File created	C:\Program Files (x86)\Google\Temp\GUM5EE9.tmp\goopdateres_ja.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	msdtc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickLearningWizard.exe	msdtc.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	msdtc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	msdtc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	msdtc.exe

Drops file in Windows directory 8 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exeOSE.EXE8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exeSearchIndexer.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	OSE.EXE
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wm = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice\Hash = "vSTAotV7e30="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000573c31a75699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice\Hash = "FL2CHnLVJYo="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice\Hash = "hNLTsIBTcCw="	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mov = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\Hash = "2I5aNugvJx0="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005870d2335799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice\Hash = "XJW/JvNSrS0="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wmv = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.jpe = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice\Hash = "S/UZwUyuUfc="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.gif = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice\Hash = "NyXyB4j7g4o="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.TTS = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005835d7335799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfc53aa75699da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exeOSE.EXE

pid	process
2412	DiagnosticsHub.StandardCollector.Service.exe
2412	DiagnosticsHub.StandardCollector.Service.exe
2412	DiagnosticsHub.StandardCollector.Service.exe
2412	DiagnosticsHub.StandardCollector.Service.exe
2412	DiagnosticsHub.StandardCollector.Service.exe
2412	DiagnosticsHub.StandardCollector.Service.exe
2412	DiagnosticsHub.StandardCollector.Service.exe
1008	elevation_service.exe
1008	elevation_service.exe
1008	elevation_service.exe
1008	elevation_service.exe
1008	elevation_service.exe
1008	elevation_service.exe
1008	elevation_service.exe
4860	OSE.EXE
4860	OSE.EXE
4860	OSE.EXE
4860	OSE.EXE
4860	OSE.EXE
4860	OSE.EXE

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

640
640

pid	process
640
640

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exeOSE.EXE

description	pid	process
Token: SeTakeOwnershipPrivilege	4240	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
Token: SeAuditPrivilege	2208	fxssvc.exe
Token: SeRestorePrivilege	4648	TieringEngineService.exe
Token: SeManageVolumePrivilege	4648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3888	AgentService.exe
Token: SeBackupPrivilege	3712	vssvc.exe
Token: SeRestorePrivilege	3712	vssvc.exe
Token: SeAuditPrivilege	3712	vssvc.exe
Token: SeBackupPrivilege	4360	wbengine.exe
Token: SeRestorePrivilege	4360	wbengine.exe
Token: SeSecurityPrivilege	4360	wbengine.exe
Token: 33	1912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeDebugPrivilege	1048	alg.exe
Token: SeDebugPrivilege	1048	alg.exe
Token: SeDebugPrivilege	1048	alg.exe
Token: SeDebugPrivilege	2412	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1008	elevation_service.exe
Token: SeDebugPrivilege	4108	msdtc.exe
Token: SeDebugPrivilege	4108	msdtc.exe
Token: SeDebugPrivilege	4108	msdtc.exe
Token: SeDebugPrivilege	4860	OSE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1912 wrote to memory of 4876	1912	SearchIndexer.exe	SearchProtocolHost.exe
PID 1912 wrote to memory of 4876	1912	SearchIndexer.exe	SearchProtocolHost.exe
PID 1912 wrote to memory of 1212	1912	SearchIndexer.exe	SearchFilterHost.exe
PID 1912 wrote to memory of 1212	1912	SearchIndexer.exe	SearchFilterHost.exe
PID 1912 wrote to memory of 3916	1912	SearchIndexer.exe	SearchProtocolHost.exe
PID 1912 wrote to memory of 3916	1912	SearchIndexer.exe	SearchProtocolHost.exe
PID 1912 wrote to memory of 4252	1912	SearchIndexer.exe	SearchFilterHost.exe
PID 1912 wrote to memory of 4252	1912	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
"C:\Users\Admin\AppData\Local\Temp\8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TapiSrv
1⤵
PID:1384

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4204

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4876

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 784 788 796 8192 792
2⤵
- Modifies data under HKEY_USERS
PID:1212

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3916

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 784 788 796 8192 792
2⤵
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
389c4d6efed7e9dabaf4715cfcc6b55d

SHA1
53d706b25675cb106195d3b05a49b61a2aa5e9bd

SHA256
52fcdfb67ed543550f32836909e20baf1a9dff144562c7fba47f79cff6d6f204

SHA512
7a7ceb1eed925c6c5f4c38a6cf66bf6732b9604607dea4be06165400304dab24dc99c0d573bbabf59d8cb6a8f2a5b95ae5a3740426eda873c0be66425bac69df

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
61351b71028c89fb7c70dfa476a4de20

SHA1
f676859fb8490a0e684af8656fd12b642e77440a

SHA256
52f96f9b97640d50af545fc04ceee1cb7ff7ca31506ba73e2c9506a98524d5d1

SHA512
8abe811beb3a9b632ea54b51d2fca994955f38a37add7b9d41fd7102dbbf46a282e8f6e73785fd861172821242ea150bfd7b0212d77123a691a816de1a5c428f

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
327bde32ccd32784adcc381ca4786a87

SHA1
2d37db19e73cb88a957215cc6428d1c0641da363

SHA256
ed681235afd50837f319a1b721024752d91359fa983106a2f6ca2a6a1bc4f7ad

SHA512
cf35d5ca6633540d71bc66702dd62b91e24f28e4ff4d6359c20d9589dc6719087c81949e213abd0885dc338d5c9011c66af6c3ff930c99eaeeafa8e9f7d764d9

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
0095224f036cd577094067e21143c68b

SHA1
cb6b7c8dd8d390ee24ead90013de012c0e69d479

SHA256
57452609bd92e2baa829a99b98b19f098d8e8b4a2ee54c296f90cc9849cf8fcf

SHA512
1b14f14790add448577b29fb506ba1b397e44746961d9ef9f6843568102d86b2e15855c9578c51133d58a5c432743ba69fe8f8d8de26aca194e72250aee16b42

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
f89f55493306d767cb68952379cece8f

SHA1
c0279b09f1c2a5f8e07a9bb903f3979e39e97ddf

SHA256
5404976529b50dbafb4b6e7120270034fea3cce250216fdc132436eabaa8670f

SHA512
df5c91a4737cad02c460f2a30df8540310c7e9734e0042a19fecfb91b9a3345fe448da84bab684cf295ac89141f4c552de0dd3da004f8cdef3347a8a524201c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
0edb54196d9536568e2eac3926be5e76

SHA1
70bec4c3a3169107205882ec5a0d040e92162d01

SHA256
7c0e28701a6c74ddd9cfbd258da75787951aef573d562637dbeec600ca0ab1a9

SHA512
7476dcafc59578641584458d455d74794c5baaeb6aa61ad7ddd6336f45e7188eca5b20441436f4cc7bbe4ffe77ee0ebd002696993eb9d68df7388ad9c30fd8e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
ba4eda4a4f78895dfff6cc921fd7ba30

SHA1
e0834d055eb8d3574646125766eb599a42640f47

SHA256
42bdc1586b94faa7b4f767851b8f52acf574dc6dffecba138753e4a69d2d0431

SHA512
2ee720d7903654ace2700fc58d7b9b94a87736999675580ade07a64ad93ce0eb3b4191a4c656d60126c795b2292136eb567b3a0711479452e0847ffafff47444

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
852e93212d3bee1f23c688988bbafe44

SHA1
d3a1369d6a58be7e6d805cbcdf931875eb7e2f9b

SHA256
e722afbeb812eb2fca158218624a2bfb8efec403d095ea1cb1714655c162ccc9

SHA512
2a4ef1109209acbf6526afd685dac2fa0b34727757c1e0bf9ec5d9f5c6c7a185fffa2148f0ca22695db61adfc177a248b0cf93b90783eae2a09666e3b39f4faa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
c5648d9da126ba3e30b48c805a269c7a

SHA1
1fe16114e136c90f42a422bf98d01c9da166c589

SHA256
4689aa3885a5f989806c99ee239889b0dfaca64879e848a443b9941ebc14784e

SHA512
9a781eb76fc9b64713dcf3d13a4029042430323cb666b09af780f442e3be61e549701f1375f7f19b230bce2dd8798b72c2bf1639cb9882d29845f524a2e72301

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
c0a21d069a57e620ca71ae1b7bb4c38b

SHA1
3ecd60a19fc191b64046ac215ec51ea3558596a3

SHA256
649197ab276f19a59d2ef2b14b46485a3038014a923ac7cfab5d0ceb7ffd1e41

SHA512
67275dc39fd36412227fa9815ee8cd6ff2a28ca7ae4fa4e22bd883f79f19917b382ad9cc784419c94b06b47a01cfe2e3840134cc5d4ad794e2d2bc8ad9847e00

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
b9abe631d5bc78d1c03d355bea5413b3

SHA1
a712f979fc3ce55c6593ee6155562bff30a26351

SHA256
0a7f9d5e66bf7667b8f29fc1b012b2d232a55c479f3ed9d948ccd8346ff21fa1

SHA512
9f12c28e651ef7cb859dbaddd99a9bf9fdd6818790b44159819f4de587c31901a92fef1aa74496a03bb1dd9f90b5cad8d1cf802b06f6d6500656f303be86a1a2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
a2a895d710f0cb76a65b5a418ed0cb21

SHA1
49bf3691f59771d0bbe223095f63bc15f4165f0a

SHA256
327fcdd5348211a2bcac73be6be5369c90cf22f2276556300166d0b57ab94431

SHA512
9a8bc1387cd797385291573ff23ee167feae0808b69268c79ec56c10c49c5103bb40ce3d363fe3b3bc858a8bedf5db90950921a49a967f68e1b39e1abc693974

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
7acdf0fbedc1d3dba29f90a195062c6c

SHA1
534d828de2a984afe97e4bfef8e7f70ef1411794

SHA256
3da79bbc2dc35a221cb34113f7fa0aa0d03881c2fa5f19bef43810a8aa9c6d63

SHA512
70709b1d6782f8eae7b3f305274796623109d4305bc59e1300e566f0e59a05e12e46ecb40adcac6b4c67c5e1c1320146e06b331379e5e06e07b0eea8e09437ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
3609b75356842fdae86192b32b74b570

SHA1
ea78d7e09353899302c2df353d2759f93b7d9b74

SHA256
967625f391de50114286ddb1c90704ca761236b591f468fede86f22b2261411a

SHA512
dadb1946c2fa69a951098011ae160d906f513a3b2d0b0214afed680b8bef067186c562cdbe47d9aef95fc083fa78f7eb5ce09d5b978e4619f1d96bc93672aa2e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
62f1c1c66d4ae03cfa6a4d21a298e384

SHA1
f7527831ffe5f8c6c6fef009cfb4c29a8298a4c5

SHA256
01d2a9882016f77cf1ab49943eb42ab6ec6c80e32b9f0f1e29dec68228f8373b

SHA512
8e84417b027d6ad3bd4cfc10ebd71f53d725d4b8ac2dde0d784a7292a326b494580788bfeb6d61eb7b3de3cde231a6a120df9ef493f802e91f3ead34ec1849de

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
8f574e438d3fdb907a571d0a752a6a61

SHA1
c33acf4f621e3d012aa40f0a6f883fe5fed721bd

SHA256
e0ac108c021e1cb9d18811e2b11b7217c4fbdbdba034d2dc53f18c56ce4b9725

SHA512
33141ae9ee7805c4d7baa3db54d18de037e28b1f5bd5acd4b6ac730cc39c9731e8495f50800ab5581e27e1b9820e842128d3bfd63726b2f572ed3c3dced8f296

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
b7d2a3098dd69f3551aece441ceb9b21

SHA1
0e87edecba7945284244bc0047f10ae63b60e271

SHA256
588b48f614f9c8fa4c427c83486dd02463cc89fa9591f05f933daa3b8575a286

SHA512
e5fc56eefd2520d7e1a11ae3e0d92a16ab3a3ded108c86a00872fb652b868704217422bba4b0044602346eb3e87eb325c92a8c2f1d2abce70b2f7f3a0f07ac07

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
7940f7cb27db39e1413fc061c2a53ab9

SHA1
502fe19f96484a5cd90985829aad2c36b0707c4d

SHA256
6fcb01b1dd96963b68c8214837ff9d3bd96e50bde578b9462cd953400059287f

SHA512
cad8feab4154ed4b1aa650584c746edd90e0e0785fd3aed43d028ce041e13666baa504d8a662ca4e8363eeffd55cc968318cff4aa2665f5c19ced7e5993d6e29

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
cb4244706c696cf47e850fa2ef3847cc

SHA1
8cda34aa1ecdab3f2111d8b299546e3d6a352bcd

SHA256
996f1c7fafe1c8f2de3677c193b6579828b5c39ec7db9f4e2c3fe0813cc22492

SHA512
7bd09ae696acd797c897847f7bae704e76cc5ffefc8cbc6d47f9b33e59771a36c4991772b45ea515f7fcfbdce337d6881973d704a509094d4fba8d5a933a63a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
21f497f21b544669ea34cd0e6f0bf12f

SHA1
df10378bb8913fc98949c899f9a60469c4c86f9b

SHA256
3bff13c1da6ee23ca386d58310971a0ea5aa90b15392a7ee6c72153115240734

SHA512
6f56bed18c26517c83f23d87dccaf536524d38f1edb3441e1278e5f1bd0fd1c520a470dc2a4037bd42c0d748358d6d4c94d64eef7ffab0747f8dd9ab89846877

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
c86db1a30928cdc3dde3578e3c41d767

SHA1
28047a1fa9a74e93e3f7671c5525263eae612d4e

SHA256
355ef12d7b7db814e8be7d6de92a0b2261ea9c4e22d13d4b2e2a3295745e2dc1

SHA512
9f0f92bbbba62ad0e5cd2289dbdeaa79b0d863c0dfde33ba31c04107dd4c2c09180bfc43db85430af5a5352e0c753cd91fa85d7f33d2736c9732c367affeed37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
076486b3888bd1e3babc4902cac48873

SHA1
cb5192e4082ff2abb4c26d1c9a77338fea1ce852

SHA256
87618e99d0f0cbdc05fbf3817db4375dde74a1d5d92ac8e19ae1844a07caef20

SHA512
99d4d5d8d88e94b028065d37709b5808ae8ddeee7c0f10f73f171f376e9fcbe337ada54178903e91d8ff59f8f2deaab13658410af55fe20a5b7bd146c555701b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
0fa01220f5df14bc7856639dfd2d999b

SHA1
11aa31efa886de506f1a8d7d09889c98e4296269

SHA256
35004e2c637b81496e5510a1326026b80c9ca61700f3f9e74f7bd0a06a73805d

SHA512
b40de31cdd92817259fede1522407a9d7e9757a8cc6de790c9f7a44a882a99684ed16c2f7ed260cb26f7b280bc863f1c41d25ea406fffb8a4e1352e6b1e8f8aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
e97558e1e6bba752f81368453f8592fd

SHA1
634b88b58e1696afb1f0eb09b12f69237c1e8df8

SHA256
72395fcc927f961ae5c25714322422fb071374b805159fa900b757a2f98d4ebb

SHA512
3d0de584cce57e90e17b1aed8f2a97ceebec0d809108aa1fe06019465df7dca4f86fc3501e6e4087ad0cbd72cdfe758137cc744e50c7ae625521772287d4a06e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
baa2201816a2d3d30bdc447ad06cfbfa

SHA1
06ee2c7c32901e3772ec6aedc1c04b5c9a164d0a

SHA256
63afaa5566d03d34bd5c8ebeffde12ccea3df40f4ea93e4b867bdff50c8bcfb9

SHA512
fc7cbcd812eaeed7518242eabaa69b4742df1ff0e59511d989d70c7924c459cd1c5b25df540a564035c35128030d7a698f68fc2501786d895b75b09ab40d7b92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
db66a9a5b6a7459cac0b385f4cda2939

SHA1
2d09fd21a90018af26e2e76b014dbd29611625da

SHA256
6a38bac8e695d9b15d67a3a2bc112ebc84c1924b83c103382975aee1d90bd711

SHA512
5a227596fe9b1decb4183354b48e7fa5a03db167df02ef62ac6c52b6f3e758746be37242025b31a636a366b2f8a5e135ce920c866daddee54406c32402ba8813

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
408a966c5d4aa6e025309581bc6d0d62

SHA1
c0e84885ec010a2df5efe8d5204ba1cfda08071c

SHA256
ee55a9e7e13e6924f3431f9561684cb799b47242e57c9e827b7f6e32e26403eb

SHA512
512506d42daeebb06e651614e0ae2c81a67671cf0d4a83614189d31348f292369331431c6e6a6420b48f26aa2e903475cb24f9a11c80aebb5e30871c9a5f39dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
f1ab62dc38386aebbe48d919eee7a328

SHA1
f3cda6ff804cde84db45b81c1fc74729f810b9ab

SHA256
48e4e0d439e68384b7706f62871620dcd6e74570c4a5fd17064a015c72cf5629

SHA512
0e580d4a42ba593d54346a7ffefd1487b108865c0682632f2ba133b53fc7d5833e5ebf94132e4f2aa0a1edc35fdce3548b676466ea7b065cec357f48b2007f5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
0fb67bc4186b4172884607ffbe7d97b8

SHA1
24389a6547cd7947acc8a20fb8b5d0828cd61d2f

SHA256
79e46a288f6b6f8469d65dfcb3d54fd432800f357ea8afabee85f207568ae22e

SHA512
e4de682d2dc31071e37ca2cfbb062142114dfd01db337fd08450645507da7ed356da576f5cf9dedc836b90220eb4d8c64a44c31013f5ceba0933189e4d129640

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
4c794166a5efa08e0ec563a287cd9cf3

SHA1
aafeea33c3ac7f8908aadcf4114b7b3622c596a0

SHA256
6eb7ee3a59846bb4b5a1828fe4a9dc4b892401b771ffbf886d7385386ede434a

SHA512
c3bf40cf679903989eee8c89228453fa193700b56ce7a95909e267e3bfd8c88665957a84d86d3f3ad510e41395a8a2b316ca3c4fef8141ed67fcd18293154aea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
f89dfb7019d7c4184e4c1e52e21639cd

SHA1
c7491e9c67b681171f68439c2b3152d01570772f

SHA256
5bcd5d0f8b4d6fcc66a22aad5d014c7389edc9012883cfa0083600e13259ab3f

SHA512
1775cb9b07333916fc768bd40e8a053fc2f8d1e7db4dd06b7cdc616fd6c591a5e9a88ba80f616b9da33e59c88d453d028b003adc69ca611d2aa4ca7669bb43ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
43f9fa643fa45e379d2172dda385ed31

SHA1
cb5e97df18ab765cf9ca654b8552fb2130212dd5

SHA256
27c44a1c9a4c714a45479071b1566e1c8dfe9e77c9b5e99c2cbea87de558b24a

SHA512
cbf9f7dde2226a15f0d5d3cd958762c548960ee915ef6eeb124790a4be67efdf0d60b963f86c46e7fc4a40eb58394b39936593cc8530decefa0ec0e040547e1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
3cdca40918b39ba029280b75fd8355c6

SHA1
a0a2f23f430e6327050f3cec9bc955399b77a803

SHA256
0e37935d7083c6e20fd6ead2a0641d857f26e48919df4305060ca8e428e9f232

SHA512
70584f2f83aa8b25bdc511b76884a4460c724c493a586591fe958c570c267a1693a4e0986881592d95db7d7c84a311c3724868c22f2dd17a81fe10a3f38e9d4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
d706aa45d8d4d0be70803aade2d2b6d4

SHA1
d52e4d6c249be0cf87007b68a0e63945623acedd

SHA256
e6c71d6415f17dfb7a1c0c866e901c81fc462e672f2e5fe7d2765a93342c66c7

SHA512
04b5af798a9a9093ce0c84b39d428d3e51d37df149efa521f58705b730cafbfe0a0c8e60b268cc0cb0a14a26a08342dd5430a1598057eaf2f287a0f05703c2b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
7b9791f619993f40e478bda078bccf53

SHA1
4b8089fce3331e3dca4d7653a19bb8acb34f7d7a

SHA256
86e0bc0c5acbbd3204355f62b0c8fb532325910c9f84f8a33d362653146247a3

SHA512
627e014d5d0ac368780820f18d39bf0d66b4493fd929a695626f518be5323b8f4dbad751ce7b4f8f07c5c9fbaabff94c8d3763f530fc8d199b7d1953b115eec6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
1e48f5dbedc2356031a6bc1861df4e6a

SHA1
47cc9590cb829ba03b0a8fa3c879c9e65c22db1f

SHA256
9dc7634f4478f663e4cae29cc37eb886e3576f0c6c1588876f03b4c77dd3f0c1

SHA512
f7f8f54581b1ff425791eb6b1d658ed2b9c0956c459409f9c06bfe1b40a6bba9aa255221b4017f8d080dcdaa7d61fb5ec197c9ac93815bfee566672dd4c877af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
97c946b0a750bd1bafd531c044052f2e

SHA1
67580678003f87d091a5dd9989618453232bfa10

SHA256
43ea2cf3176f3f907890cde27755f96a4c23b46042cd8bd448531d8943f0b455

SHA512
30b1fe5cb51514d80519983e604ff5e49458383330bc4657c4db3c09cd35d97ea6e2f6ecec6614b3c33d6589dafffb38b314dba047e6ed58428dd97fea675ae4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
e2ea7f4f8980856d44207c06ba049ff3

SHA1
4ad10cd676552647114a1d7bb24924aa7a3e3c57

SHA256
b21d712fa73101e753131c822024e408d05092121d1bf538871a92cef692cd1f

SHA512
a16db5a07e54ea5d894efd741c36f3f235011390715e17d7213e2467225654e69406331c96c7933bede884c4348c5740a06ffc7891a2a38f8329e932b2c8cdff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
4dd0d62b674e20f1387fb537a9a6773f

SHA1
45194b49bae4ba855176000a67531cb4c9e10de1

SHA256
e689aef0083dcc7d36d2d62974fe2ceb9df60f2553834e038af2397ff5aed8f4

SHA512
f94e6bf37b27f8ac3d3facba4475b19dfc8617c5cda8710b6461adeba2668d9ca132d241ffd1c2758f2e22510d180680d939c1132b320acdca865aceb28738e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
9b04f5e98a3d83ac36362c2b7e1760b7

SHA1
34696d2e7c12a5255a4934a74de5fcea5f211858

SHA256
1c66cbf744310795011bb423504e0be7f7843ccd844a3ac920e5667acb8a0c83

SHA512
42984dc0816061cbbb3159e94b2c177ea8fd8a95232dd3febade076f8d1d71901c06029d8d493a34ddf967bf4f073fb9cf301f9e5800c669241373442ac632f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
65951a152efd65b4ea72456dec6f4623

SHA1
b17769748e17b648e9466fde7b56ca9c5052c62b

SHA256
7067a0bab41a343cf6816b38790c4edea9bc1298aedc9ee8c7826532d6379e90

SHA512
4e9c6a3d61f9baf66d38ac9ad1022ee12eb4ab5d9cbcd588fac4f81a12e263bee84283682ca16f83273fb65f154d666a46fecec7aa10185b4be697761816130f

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Filesize
4.2MB

MD5
5f9cdb55ea3ad17ad27570fd968554ac

SHA1
f1064052c4110a74355c1dc62d532dcff3f8dc6e

SHA256
52e22cba776030c378faf9b458f6c730ab5648da7973e32018d86f975cfc4a9b

SHA512
5f34e3c7bd39a2355d4348f78eee1016cf234d5b72db5f65b606b689efb43aa2067be35361042f7328d7200bef35d2d00496ef6ea1d571288d47f4cbc8442bc4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.7MB

MD5
dd21f21dd179c4ace8918c21340a5268

SHA1
00099a533aa7bb751cc772ee88735e2b15820970

SHA256
1bd03cecdfb07485dad3684e46d6556dd861fe6b8ca0a2f002c39cb32fa1be79

SHA512
a2696c443598f27b3b1c9c4a27f62896b12d235a271b4fb40a6e5a9800b1d49925742133a93777e4dd7ce1ce6077e9f20b8b19987e0ee008a313bdf3e0a62f95

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
271f6b470a7ac16d48cee81e5e9aa5ca

SHA1
777d899bc0541ce04b5b138e221b989c20bc27b2

SHA256
28a2953216a487bf9f74f42f0ae970248f8203f80d1f7d740f89ee06f3f0b1f4

SHA512
256c89733a7a8df294ec0ef9d5eb1e038efeb234f4ef2b90b01da81a33b51cf4f32e09866106fd06260ffea8954dabc423ef1409cc59e99f5fa520677c3d6f70

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ac5da3eaebd47a67c11b197b5f5890d7

SHA1
adc45df624dee54a3847a3a7f5bc3557d0bc87f6

SHA256
4ea0f12a5df5161113872b9b7e189e5297a0a13de016f59b50d9f5cec47d24dc

SHA512
e3d320115980ca81215ed9f9ae5c4d5edf599d28ac06a6ae75204e830f8796efdfb21e60f076564e82dda92c574234d112810fe89a5f93a49fb8d6abedee7abc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
652KB

MD5
2bd7aff0c68cf96d853720997006a47d

SHA1
7c8a1267e2cd22ae80f360191cc0bc28618949e0

SHA256
418473078d851d6307b17a1c7919d00f57b70fdd2edd1035d87dc80bb170b58f

SHA512
fae4410a32d1c9cb5a023601788c2b50d38e117b88b909dc578624e4e73527484e4ba7e115642c01729fd52f6117cf6be47a37ea8d2c553b2b1285638d35fb67

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c90866196fe92462b7d4481f1c6480d5

SHA1
3588b01b953e5f548bc74c1854db44b83a04ccbc

SHA256
0c19370016fc6b9e4109665caf757912490fe8f9c0e19dadbe84e6c76fc0c2b2

SHA512
28570a6f849e404fa96be02c0790d1d049d53bbc8c4154cd16aa4816f16469e6ddc1ab952d94e7381dc73966c188af8c38a493cdbfc056ff67c76b9a0aeed3d9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
dffe6fd05e89fbded4eb16f869f3bf92

SHA1
7b8f46993b52f25fb130b3870c316079d1faa1d3

SHA256
907b00a005123eddf95fd95857a8730788af51b8902e82571a2df83c75d3e8e4

SHA512
e76fb511c1e5dfe5f22549b07a46a0926a221a9f3a640c6c6a57403da06fc8cc6911fc8c0c25ef2189b1e373a0d243767f9efb4eb4a6b7b0b667936b0d4328cd

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
63435643ea0a61a1f979dfd7707c472e

SHA1
aa849dcb75287a5ae3bd627e31458105379db631

SHA256
bdd2d6913ea967902df15d8fefc4de47ff22edd012da588f0c64e7fbeaa1d854

SHA512
4436089e8c8ec836e362cc8b6f07f9b792833586a182786e876043836068f407f05fa0de802d4f47ab8456e6e86269b2c144ed83ef9adee26ad2246e41df891d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1b2a96da57a7bc1f475da917b1fa8b7f

SHA1
81002a64d1f6c534ad75605133550bc06bc4202f

SHA256
67e1af2ad833f3db9684c18ab0943cd0c44ce86016a8fc73a78abf87e696aea1

SHA512
944a8e9b9916385af9646a92e40fa184fdbe3617d380da0cba552df856c0699c8e10c16ec8f3137af7446475cbb19cfae84041ec26e220cb3d0748630fbbf6cb

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
efce8dcefdf51b88363e601a57b14290

SHA1
be381ac8b38c5c2bf51ec3e4869edfaffeba8d6e

SHA256
4af30b5bc096b8755f0aa7a76169a917384db0adc4230eb8740932357775ea43

SHA512
5c25f62adedabb59b5e233485dc1cff83e125d824659d30aae3d7d484afd698910bf2d0c40982f43c117596fa579219cdddfc7684795a331c058bb9dfa1d5f35

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
863KB

MD5
8861932c3100a84ea0db33e2084f5b20

SHA1
64090f84f1982642f1e0e23603dcc1c13a747829

SHA256
06553ea3ce646e3d14c41d5fcca95f772a691d4d621ac9584c4d8bd471599427

SHA512
ec3d651a4a539f22c53b5b1989652c6f4612553dec1372a97db632a68c62600cc1b0faa5938c4a1598005ecca8cba12759dca6acfa2f6211f5a52c86d3bd35ce

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a4ee5767cb3ae57ad52fd3872aac872f

SHA1
a810e18828e3886eabb6feb77fc9471308bbf12a

SHA256
4812ae546d9429e9c7d0778152234495d28cd1ebf781bb8e7dedff760d198437

SHA512
75301206d659477a273380e09dd4f66845644ee234be669cd392e2557bbb4555d86cfd62df8b9df550631e2a34efaf2b6ae79c608e58f56affc617cbd7808d86

Download Submit
C:\Windows\System32\alg.exe
Filesize
658KB

MD5
622053e15d640c768b1b85343f9edd12

SHA1
57024841f355116092eb7c76197c6a6db39e91c5

SHA256
de62c8f90dbe9851ce242985fcec0922f889ebbba41cea0395482e28e7c5ec76

SHA512
75a2d0d173bd063e6c8ea9a6248fa3eccaab9624ab9a719f2621bca5d4bdf51040b98305058d4dde487f0ccf45fabe228ba8673ca34644a79cd90ff015c07959

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
711KB

MD5
7584b920996f60ca9fde26095bdb50ae

SHA1
76c855e150363ff766efb6539a0b98024fad7586

SHA256
61d232da1fb79ba0d7c515152eadd28ddbc74596030da51bfe747cc62eec38e1

SHA512
a8cdfea6f51a179388380cb414841ee78573ff04bb41b9aa720d5d717d6a945e592ee079df5bf8cbb66bdde998a149a57def3c6e2ea790cdb7bdc74c6eaed9c1

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
583KB

MD5
e6880f15d0bf87c28b1be3b72efd9e0a

SHA1
b65a8f0f9789d6c492804ad1d694a98b06c615b1

SHA256
809f86ec9466149b2100caba9d676dba5788edac93b89da95fcde9bf15b06616

SHA512
4bf5a97d9d43316fccffeb49dc64f067edcf8b3873aadcb3a77289809768a090b36208d56a925d16f80b8bb78b0da9ac58a809ad72ee0cba63add29cb480c8c0

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.2MB

MD5
86606ba4acba8ff48f0f380aa42762cb

SHA1
2892e47c09b0c0a8f043da377720f48e1f4abe8e

SHA256
3041a9ebfe68ba345417c601cd99bf3620483b6462c022ad1c886bb6d14aa1e6

SHA512
1a7fdd44ad0d4457d38e716b6f0752ab3a978d1b17150bc0e64a5d04971874b3cefed45fd6a5e730c4419fd2118634cfdb72cda2f7476edb4f014be54a80c83c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
761KB

MD5
9ed5fcd7b5b74593b680406d137ad7e5

SHA1
b239bd94a9ea19947b7b1724ea3fc77d901408ff

SHA256
4ad7ca841167e4a50e6b07e45038dba51bd6ba9408194927df04b2fe88b735d0

SHA512
13bd66d26ac21ad4a41760f72eceec4627232281306ba37953cf1dc80d2976b563cb3b66cb162263bcb5ddf0fc1e8c8b0295b772d9465692cd9f8639c582c8fe

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
f2fa2c2f55515797ca6f7ae101766c9f

SHA1
12e48f0b24c55518e52603e48d5caa360ae87555

SHA256
f6398a5842a6c11928eda4303d7037273fed75a4a6668f7306ba57325c675e30

SHA512
8959c25fdbbcb3cd76a5d3b56cf9ee122ded31cbd6108bfa371e039854f3bff44177a8e3d2dffcbc3ea1a2e560f1b380c657175304404697514235a5354f6815

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.4MB

MD5
73f6535596d90344920b07bd96de49df

SHA1
09cea521bbd308ee576f7ff28aa9501905ea0d60

SHA256
7427383ec54a49a15ff7e7a1d46b580c5130b486dd774dc5d1bab257c29fd8e0

SHA512
856ef68c78ec083426f2e8c59372830d6ddbb9d7050e58c184971312c3cbc415a58d9b0664f132beb74e8b33af7b7e083a50859623bbe0c73a5312faefc3c953

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
632KB

MD5
fd3c92f5dc9269cf861dda65cd6bafaa

SHA1
d4cbc227cae265a08be3aa331ab048ec91f248d1

SHA256
ba1deb57f883a89acb36104aec1cc62d8f58f2e3878d0b82c6cf1b9ea4a43ce0

SHA512
99fbaa3e7d41d488961bc2e33e8de583bfa1ee8709fcfd1dd6d059ad644ae4bf782373a07e92da0adb5d318cdd9c1c2065d56d759c410eedce30bbfa5a445f00

Download Submit
memory/440-216-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/440-730-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/1008-275-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1008-122-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1008-125-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1008-116-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1048-238-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1048-18-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1048-12-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1048-20-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1528-869-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1528-253-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1912-873-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/1912-307-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2208-113-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/2208-126-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2208-104-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2208-110-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2208-138-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/2412-57-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/2412-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2412-74-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2844-189-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3712-870-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3712-264-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3884-143-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3884-141-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3884-135-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3884-129-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3884-140-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3888-251-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/3888-239-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/4108-187-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4108-151-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4108-145-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4204-199-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/4204-769-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/4204-476-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/4240-8-0x0000000000680000-0x00000000006E6000-memory.dmp

Filesize
408KB

Download
memory/4240-212-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4240-589-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4240-1-0x0000000000680000-0x00000000006E6000-memory.dmp

Filesize
408KB

Download
memory/4240-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4360-871-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4360-284-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4648-227-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/4648-865-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/4728-872-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/4728-295-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/4744-190-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4860-188-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4860-156-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4884-600-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4884-213-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download