0cc9e1b189fc2a74cad088db029d6c88cd88363ed52906d6cc143233e23e9b05

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 21:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cc9e1b189fc2a74cad088db029d6c88cd88363ed52906d6cc143233e23e9b05.exe
Size

1.3MB
MD5

b62313eff063fe6feb12b9b012d87e30
SHA1

14d56b01ffe3030d49f0c8d81d4b6e13801daf97
SHA256

0cc9e1b189fc2a74cad088db029d6c88cd88363ed52906d6cc143233e23e9b05
SHA512

bef7fd20d0608e147e76311fff570f62141bbf2b7504c9bdcc700f28085f0ef002c4f68f538166c66380875ca2c5cc49c4dff6c623c12d1f696ef07437da4fe4
SSDEEP

24576:i3LutmkEz+PAVV/bOInO4Xs2ztR4iegxLHgZpJE4VDdmt/sBlDqgZQd6XKtiMJYv:ibutmkO+wROInO4XrztygxLHkJE4VBs6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4968	alg.exe
1508	elevation_service.exe
3108	elevation_service.exe
4508	maintenanceservice.exe
2212	OSE.EXE
2900	DiagnosticsHub.StandardCollector.Service.exe
2728	fxssvc.exe
2328	msdtc.exe
2104	PerceptionSimulationService.exe
4740	perfhost.exe
1396	locator.exe
1528	SensorDataService.exe
3368	snmptrap.exe
1012	spectrum.exe
1060	ssh-agent.exe
3900	TieringEngineService.exe
4548	AgentService.exe
3976	vds.exe
1480	vssvc.exe
3588	wbengine.exe
728	WmiApSrv.exe
1912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	0cc9e1b189fc2a74cad088db029d6c88cd88363ed52906d6cc143233e23e9b05.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\34ce14b399ad3704.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b15e6f756ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a81e0df756ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ec38ef656ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004823cff656ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a626df656ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bbd0af756ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096ce3cf756ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a135ff656ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ec38ef656ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7bfccf656ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1508	elevation_service.exe
1508	elevation_service.exe
1508	elevation_service.exe
1508	elevation_service.exe
1508	elevation_service.exe
1508	elevation_service.exe
1508	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1696	0cc9e1b189fc2a74cad088db029d6c88cd88363ed52906d6cc143233e23e9b05.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeTakeOwnershipPrivilege	1508	elevation_service.exe
Token: SeAuditPrivilege	2728	fxssvc.exe
Token: SeRestorePrivilege	3900	TieringEngineService.exe
Token: SeManageVolumePrivilege	3900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4548	AgentService.exe
Token: SeBackupPrivilege	1480	vssvc.exe
Token: SeRestorePrivilege	1480	vssvc.exe
Token: SeAuditPrivilege	1480	vssvc.exe
Token: SeBackupPrivilege	3588	wbengine.exe
Token: SeRestorePrivilege	3588	wbengine.exe
Token: SeSecurityPrivilege	3588	wbengine.exe
Token: 33	1912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeDebugPrivilege	1508	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2432	1912	SearchIndexer.exe	110
PID 1912 wrote to memory of 2432	1912	SearchIndexer.exe	110
PID 1912 wrote to memory of 4384	1912	SearchIndexer.exe	111
PID 1912 wrote to memory of 4384	1912	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0cc9e1b189fc2a74cad088db029d6c88cd88363ed52906d6cc143233e23e9b05.exe
"C:\Users\Admin\AppData\Local\Temp\0cc9e1b189fc2a74cad088db029d6c88cd88363ed52906d6cc143233e23e9b05.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3108

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1488

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2328

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:920

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2432
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
930a680773ef42e216a3976469f03318

SHA1
cecc29d28b689bf7dcceba1f0253b35d679a9aaf

SHA256
aa9f1abb27beb318066572150db59cb8e6688556cf5da08575d889bcd2d6c350

SHA512
d39e0ec700b40571fef2ae882a579b94776dc23963b0c0b35bf423fc90e5ff8d109673359119d7e1e142ab4e38ee96775700c67f1a0b5ecf423f7f71f2cf9d21

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
cb678232ae36e0f4d490fc79bb94fb06

SHA1
dfd9253a60a2e27fee4ae998ab18d533d72da865

SHA256
25999c2ff47c14948e01b8e73d52c595a0336ad2c0b83976253fb35a9d4371c9

SHA512
aa15f06c3549651e6ba42748393ac3b5fafe83f049e27651d2d770d58392d57fb7deb1704aa5cc2d84fd607a289dbd7781799a3e87426bb58fc82732678b2dd4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cb9a81108fcbaa21d3a634dd086cb320

SHA1
2ee050b2ca8d5ffe759524149240e760dd103da9

SHA256
6955aa1180d08246da6fbfa127f0508774f1eb163676985ed8975f4faf5e07c1

SHA512
d8ef54a826ef9085d70dff87460285e1b0796d4b7c47fbb2cd568b00b45f398273275777ab0bcaef5436ec44aa0f9e69c4abd067c5f20925381fbec24f96d9a6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ff41428aa8cb30c81bebfda9b50e4b1e

SHA1
4e69a8d45c660a276e7fa082865b67f2139bcba4

SHA256
30796d25cb3417c89de3bae9f0c8335c4620f66196c95b63b82c6e133e44d7b9

SHA512
e3ad789f65cb4a27cc35c481df60393ead31bd538c0c5a5f58e2eba7b8b573ee9b8ba3858ff397d6517c9be4e4bfe82418cf050701fbcbffe0d8fa9240bb8c9f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
aeb6bf94366fdc42cd2e4dd3d404649b

SHA1
6e3efcf2cf38920601ab5306608f64038c7cce45

SHA256
4abb7661f1a48cc0d4f26927a3524c44e8fc7949267e43953acc27439cd34ac8

SHA512
6d251e4b0ca50d95cdff883ab64d8b08522c6e2d313584fc2f57459d21619e84cd72776b4ea22505c5f5ff30a6b34c10f005223ce60a673529075abc1608cfaf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ecc3fe54b33f8873fa224d40efea722d

SHA1
b5c53132a3d3eb5fdb329bf4dcf5535186ed8f19

SHA256
3bc4a2694ad55b38ac968aa070286ead72bc9991770132e8c48fc4545e9c2ef3

SHA512
63366717eec6c4677ceee2543db335c4fef85e75bdb30dc509c9d0178c719d2fc313122011151efda45a45f4537ee6b9a7343c1b38133c5d8b5eaacfa7e40d69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
dc7b5ef45371d5decb09975d772eac19

SHA1
11ad841e414219b6e92ad8e6066957bb618c0568

SHA256
909df19f6e10e74f38d1c573e258350bbcf2416e3b5f925c1ab30faba2d1d328

SHA512
e5527e158b282e8f6052f42c452ef3279eda658ebc52e3f0d048113b55e48e8f530f162419eb2034cbd66c4d4131b4d976ba7e934d727b1d1833546199f07dbc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
530fc1f21e1f9131b1e2ab38e810fcef

SHA1
f464ccfbeec5bb5f273cd11a7fd7f3b5ab6da3f1

SHA256
f74487400283831556a914434d9aa03b0e29390ff7ef1d7383b7e79b836e3d47

SHA512
1f100785c048456f259fd73f17680add42511d158d50bfde693e352bb4b51a903142775de401c44c32e46d4089754407f9709e767f7936b3711f44ea07921784

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5b969f3ee75e770b006b6b3013144e50

SHA1
df9184e80a072de56747ec5a13976744bec2790e

SHA256
76222e31415fca0ea4b9b4c8940720dc1248efda1da50e2b2dc7f1ab4d606cfa

SHA512
38a00d0ba939f5a642e17b48ea0bba6f1598746e832505f91b474e3c2731a636641a821a8b29ca01dff8bebc0a7bfa3a8db84381637def85f93e2a7f7f073fce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a8f712bd64731d42c2cb55ed4c0fe64c

SHA1
b680425457449dd19025eb00acd75c017d27fa19

SHA256
c064abdc732e5e9156d4b248eaa7cfd8614ccda1f97357ef65b944345a7fb408

SHA512
962522b433e52f481d472c4a9d0212e426e281a35f721b34b834f21e8646c790c9c19e102f8900c1487e0208450e0d856a4701b7a66bf5fdafa7d127d0306a5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
da8e06d013d909e680d143c41c76614f

SHA1
78b04c9eb79413d28ca84b7778fa2ea668da6433

SHA256
142664fb0c7bcd9284a11dee1991f2fd86489a4ba835ed14729a2049068355ec

SHA512
baf6fbcc92447d729b15896607a4881f6d10fedc713af858b7ad9083ff83e19214664c006338dda64d60a539ab66294c5a536533e636dc3c8f9171f396a86668

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ff705bdf0ea13b520c3ffd7ddbe37e12

SHA1
c1fbf03a654165943fea6d8e661d12869902fa38

SHA256
8cde9aea3b19358a50c50cf0cc23dc790d32f14d0969b86b097c4d79e74a69d4

SHA512
75c0dcddf00259e6a7d4a007f5f683bf6cb3f1319037c57b43e657f2665d91f0164f88410240158bc88de013dc724a44ed0637aaec41cbc75b393123eea83fe6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cf3c918a3f05d1e24145799ff8e8f241

SHA1
af37a367b56c26a23d5036a6430476146de3de11

SHA256
025342488d9d814d97396a3865e4263a258987f159a36743f39fee36d0f82018

SHA512
3b2021ea436688f8d13ab39d974ba862bc07d31b75e679cdb25c28b120274680ef831f2b369f25360218193c23b97775b8f30804feec0071a00026ac301d6cb9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
dca1209f06e5629c75d568db5f6f4f34

SHA1
73d023175a9a57d864b38db92eaa61fc5aeeab8e

SHA256
73eaf2eb1ae2f4410cdb788f9d276bb18f8ecbcdb9e81013f63f6a98178dbf8e

SHA512
d38464f271da8341c041f2cde843f35d6ec110a628c6ef0095b7c0f7c59db1f12b20119df9b3201a9246a4190c0363717fe80bae2bc42f80db5fc42d163438b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0475968d1febb36f72dd93ddaa8f1b6c

SHA1
d929cc5079ff271a8ffd4b50986c798271bb8bd3

SHA256
b3412c82b207bd9b12c3ceab110f75fc6420f6a08cd93959952695d86503ea56

SHA512
6d493147b8863e38e943ad3e9f14d0fa36109794e9f509c1820e1779bd5fe6557c9d4261952c567445bc2c7c4f4a3bdb33c982d501c52a5d5360447f999f82fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
80d7601b54df5371ab0c1cf045800c12

SHA1
670cb5ae639ac0b34adecf604885f43a58201b2d

SHA256
362e7509ade8afcb98f030d73258c9112b35aecf738039e1ed7f3e138ad16663

SHA512
26feeb3614381ffff66013c53308a15f348e0be2638daf660e96f1218aedcc9761d497f269d95430c7bcba12f0449b1d9591b6afb2ae46c0ea050b48f7c428fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d4c3ed550c28d46fee3251d2577c5be9

SHA1
307027cbf1e8d6ddc710361c143aeb86919329bb

SHA256
d4702969875bea812ce6df7818b5eadec9f7ffdb21c61191907db3a6dd7884c7

SHA512
89da77d8519367cf182d1df8098562b38afe82cf3fd79b044bcf7414abf6942c8d55de52d39e62a1332d59c519f6dd0a9ee5a4d56c6b152dd4de4a6d24504c7b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
caecce0e74a6420a5d4d785d8e26d0dc

SHA1
66c26d7e5f7ba5357187fb950be1d420f8180d54

SHA256
898cadd6574758f19abab50db84539245b99e5b931a08e4bb7b5a285d79c23b2

SHA512
2bee5585c48c5c70bc510e03445100a452b32486f4c216662d26e650c0bb5cae0d7ea8793d57146550679247c399c03ac62197345557386e08fd1fcfcdbb3399

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ed8fdaaaaa07c83b976ff5d7d4204332

SHA1
750fd6d558ba767c6abd4ac195f75d2f81aa3de3

SHA256
743ba65f63e1e17283b9cc4f9f3c4ea7f424364188032e0124216524839f03dc

SHA512
145611e39466682d841c5d2dcaf2044c8f30ac9c279c25c8b1fce6cbbfac329b7401e50f3ee03973b259426e4b041968f4374b203bff0269b52eb738f220787a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b8e7c6d10f193a33bf8e528cf4591af0

SHA1
b444df9a2536147fbd7fa381e7839189e0670813

SHA256
225a7b7fd65292ae461b0ef4e3e3f9cc4397b0bbd692a212ca1c89ac922d04ba

SHA512
14d1b448537f428b8db5728bddfd695c24781fb1b7179ff80397d19a28ca069d53b6eb8d14b7f34996ea1d7d1395f8240750aad6f1b3bd3398783489305ec387

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c22ab1513720e8e84ed7cea79a4d9258

SHA1
e05aff81157047d26e312e746b5201548be355c7

SHA256
a003c366567d06d9366cd5bb1f9c366eb0667a31e798a30430967f478befb0a2

SHA512
3768c1f64dc1e2bcac62a2c28fd33eb0b9673cb01675c39be39afb46b638debd8ff0a71065237cec29641c8aada256b64a496a06c223d76ec2fccc4deffbcca4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
272bfa81e118e5ede0c20f9d9f344b19

SHA1
4fc02635f5c8b6afef8103ed02206c81f2e6be73

SHA256
dcfb27fda1f18e85542499b28cee22e4f737d031d24591fd4ad7a85eaa2d5779

SHA512
ee08b1e790ec7931daf78fbd6c3d22d7097c783934ae7fd421a861ccb77996da9599d558761f51cae106adf946471cc8c34cbbbfefed31c58157ea5544377217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9ad88c442b6b356ba829beff9a7c3775

SHA1
f822b37e074dcf8e7b48082ffe14f71d2843a738

SHA256
4a1d1658896db7c365a072068f13cb4f183e08798d7ed3c5840e02184a6beb92

SHA512
2e17ff4b51497df0954193fd26752c3489eff3ad166438a9c7eaaaff5901d62e2db1d7ba3d09bd24602f5a9689a14f4ef8fca9724227c6cc0eb50f4dfbc5c650

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ebfd2269bb8ef1d5a20da7383386d3c5

SHA1
a326c99a12f1677a7713f02075c326a5ec1c627b

SHA256
7519fcf80925e95a1a27716a626f9c6ff9db417c7d2db014eec776f98cb5011f

SHA512
d804ec8a3e4f9e8e8810404a63bee2831e9af9497765982ac40c6d12f18b25281ea5d027a3df5c2c7e60d18b28e661e1c4c874083a5b770a9c5018e94a0777e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2d22cce20e4b4a8ca6361092e56333fb

SHA1
8b9510935992a87cc7accfc0280f85c18986c9f5

SHA256
bc0a93d45b22d82257cfe18e49ce2ceef46fee5779ca2c27b775a63ef6ed2143

SHA512
a0a4a37aa57130b565b066f392e306af6eaa1280035b682180828ae7872e6f92dd53c90b68de4f96a01e8a26295340b5e04378fd03f2d26f09fa3de25c54421c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4bac8315c347f04c47d6a9a85e839ed5

SHA1
790bbc3e2e26132d77d297b23ddf7f42fd1e36c3

SHA256
6476774158ce547e753ba099cef0312a6d9f9c0f9bc6d5519d21d3d927975ac6

SHA512
db625b23d9e7aba24f2a951af035f0987566bc3bd9d76f28996b321ad69875352765c5e115c420904dbcbfb98dfca83d2c52222b0fe281cc9c183b8baf47eb28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0efbf548d9fb4018242b61fb12a42322

SHA1
27d1829affb2d03a746ea810bf5369fe78bf6639

SHA256
6ef8a6ad06c60d441b3b86bd4f43e3228848b619808bf0ca44cd3f1fe65d7f9d

SHA512
be06638b7be42a1c33a4f2fc1dba41dd37c6f6de9bf6339f5bfe1400c9f9168cb2562f6d5b34f87a829798a1755f9687503e2f5838865bb014b12aece11f781d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5b51ddd6bddcdfdf2edbb416d0f75fc3

SHA1
5bc9b2ce9d52a458a32e2c7738939fb7681f16c0

SHA256
122e83bf0390fce7ef1a65e18b87d182829372df3f70f885f6905f9da05f4086

SHA512
66951bfdb51469659950eadd918d2440a2345b12e97a50f69585ef8c6e55b4f9eaa9eae90fd524c20d783f072b4c8474ee42c245c2af1354e66dcb2817ddf66c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
041d05d415153db6c61224607cb55fa7

SHA1
d49951b30e5704404f3c0971a73aea7b72fc338a

SHA256
3fcfe2c5e8b3e9d9983976fbb910ae4b24d923fdad4bc500aec33a5f2e979859

SHA512
6dc83824644b22bcced23b6bd2b3dbd3fdd1adc2f61e9bd79bd79c74ae08205080954138e20ccd8c0ed0b4c5e65b37d4cfc0bc0641d4a447295eea3745895e87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7269abb89c8d8937522acdbc2a645886

SHA1
303464f191d221ace234880aca2b53cb59ecfff6

SHA256
7ad24ef3ba5e90fa792c7ce9b1f283af07236009474067a1d1c5ebba643522b1

SHA512
d3720343a922019d28eb4aed85ebb224be54dbaff85d287dd97dbde97f2fadc1184bae590907424cb1d232c52a5d580e61f361709527061428a7ffcff07fd042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e233a0c57dc3048239afcbcebe3cc978

SHA1
bd64b5034030025003bc3d9a925d923eb2182d57

SHA256
6378add55f0a7ec36e5c7f407dd7a8dfa49b3177352e4667a9d79fa553f09f68

SHA512
fc75d26e4dc1184f3988eef5974e867f75340dad0b431c36e0aaf9d82a4d20bc9c7dd549c75140e61f0677f7da76a849f26a7343b53a18e4ee961e31a572aea7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6ef5731d26a1c4d72d2c93f31efb2fad

SHA1
8675cd0396d387710e58a5a22d20083da3daea74

SHA256
3ba3cec5ddefe55b695d54988ee2bfda52945697973b6bec7bda34c581eac5f7

SHA512
368578025ab7020506e0dd577229ef762ecd765bb366305a667c3c5af55017593f1eb217097944b27c6f66fb7aca3944e16ecb403caed3bb2e46d47edb806520

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ee9ef4c8f6ec6e89b276dd0fa1727b33

SHA1
a7035a07e08c4b087d8923470ece7061c726c440

SHA256
be2f8fe7689d315879b175865179edeba269ce0eb1590aee8a2773428caa7cea

SHA512
eba20b5c7675475d1c9cf31fae8e9a81cd54de8ed1e5f6f223b45356d7adaa9e891363dc80135fc9e5e765a949455fb40bedd28dc3b281bb722e7df5a6f66718

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2b8ec80466ef12312ca8e8b952f242ee

SHA1
2c26dec187e5730e99e842233c30a97b79c859bb

SHA256
b0e067a21040fef729f802c622c4cb484638e9e892211acca59205b179a9d556

SHA512
bdbdbc9ab7dafa7c3978f2487efef239bc41eebf83053e483ac8f1169c4e333af043f58a188f12bbf755a666c8aecb677a40bf046dc5f0f10ba65b32e4a8d6f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4da1c2f0f155c286bb26fbac961d3105

SHA1
61fe46dd22019f8e45f95a6a5b7ab00aa36bbe26

SHA256
21adccf9736759b99bbd4b21a69827f94086d24434d5819773ee9df9f2aab6e1

SHA512
46776e20c89fe7241f47ee4c014425dec91c385074ad3ac7e65b369a0e6d374a935683a81831efa052d86cb94951580d525d440085569c4475f4178a4e280700

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
23fe3edea05bba90360ab235dce199fc

SHA1
ffe49ccabfadb19c36c00ede9a06fc15404b0c22

SHA256
50e3e2905c421388b25486447c3ff0abbbba061002a31abb8e7c40325d459ebc

SHA512
77509b91a07c0269b7c36be98c31c365842c8a2147a0858176b9bd11e1e8b4d67943e9cab45f1c0164ca7ec2cedd3b97401a5ba71d5413d658302ad497d54496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
3a8899ab2d2b92eac33da9ab8c8b9433

SHA1
f62774415a7884b02780af377d31189237ac2285

SHA256
258ea0ce211ce2899a367a4d0a1e24c6425006140d820d115cf4dff42a7f2429

SHA512
1aad602a22e055445a9f871bb917cba7053a3b1e6c4d1b3eb738d65347cd9af58b1ad5620b2151595ed371e2552d8c0266831716c1e25d93e633c19a1faa3e33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
34c001915c0e12a80988e5c4b9de6867

SHA1
1e6a24c3c7ca44f4ecb26f22b4ae18dd9c9998b9

SHA256
f9a36398a42577233a4d24d6317bb4c483f363feb9d9f75126ad9e51beedf2f6

SHA512
8b2a66b42f63686bbf2bf9ec896fdf6a19446ba91811e1c020ac55b63a5d04822888df9e1156b9ef3668db0e89c9f6937d1265755adcb2faa8d273f2ebd6b7b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
c5c3436c8d3b5de0c2bcd8a8dba3b67a

SHA1
c904f0f1bbb5788e5c191d524a00501c37e41d69

SHA256
a605946de6d943dc05e12957859bcee107eb051310139a1638b2c43dbc987a1b

SHA512
3520666e619168360f43dc1fabdb1eed712ae35a1c6f61f7585e56da505740fdd576ac870beb52c360ea32c77066afe6b28f5bc3a8772e9f1911dd8a47627881

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
9350774ad464eb19ad9a8a8ef9049e6b

SHA1
e41ce861401fe0241b87f12d3db867c3d109a666

SHA256
9546ec4ab9fd45d482173e8767b0323d5e7090c6461bfc125b2d3f5239662be9

SHA512
a06c0fbfb248743207864badbd0efeffd330dd98b7465dadafd686454c4d79953b0626c35d8113ee799a878252636f5d554da269fed03ce1f1134182dce881ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
ae353681a8ac395ea983f65d478d75ad

SHA1
dc310d8f05e8f6cb8c2c2fcb247481532feaf705

SHA256
920540f6fc3239e828a13c984599f026cff4ef166ef403de21b28ca0cc28ddb8

SHA512
6da10eb84f033cf770497a741e157e27360e8ec9b4a2709835b6f047c2eecac199497da554e48cb78698619709adb315cf29960ff1de0e8ed64d11dcc8e95837

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
df1f2c19c60fd71d4881f427dbea62b0

SHA1
83680ace5dcad5c7174561e7d12e5c4414eff5b8

SHA256
c22a26be12fe8a5c0e646e40d944acef8fb8c4b3c24e4c582e04ce708bf3ccc5

SHA512
ebec5dcb8785ef1d08a0aacf5fbd674ad8473e682e02764d4077f211396141f6126553136ccef07ee63ed491b5168b04ee37860c7fb6da2a16c478204ed3cc43

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
31cabf5891a4a080f8a099d1efa46fd2

SHA1
7355672342ab6f91a4b1ade7c325d4cdc938e9a9

SHA256
c9b21748880dcb2fa7559affd335e1380a32f18504d8249c9c5c29cf9585df3c

SHA512
7459d9f1f1876bdbf87fedb47c91b8fb20c4abdc81d446dcdab0a897a0cc9929d0886a510cf6f15e051303aa7b7ab9e14591483fe1489af06d8a62916359f3b5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
25a003aeb9f726da2ef72b74d9b82944

SHA1
dbd78e29a6bb3fc345671e252acfc7a3ee645cb6

SHA256
f584302f54ac6003bab332d52a1a2769cd0ef12947f066372c47cc4dd0f41594

SHA512
0ea6c1ae5fbb168d3f5dcd35c64687b4d9c2cde558bf5cfba5dcb90d3c84555c02a2f30b7c2c46f5b5d8afd2946ca485911b6e42f1a041e250958797ac41f528

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8e7aa77c7d86f1aad7dc0bf22901f021

SHA1
9aad99c0861bd1bba6b043ee8e95f6d5ac6a1dc4

SHA256
be9b8d65e46c7ddc1dbced4b203fcfd09cb81017015c1466e52a9ef03c02fe14

SHA512
c3b74f2a5782021a8595fac35be4c984270331ce65c37f1d7d48233b1d1a00a4068b84aa51d534c1673890574b7bf98dd4f68bb1cb6000fe6d39a9e48d76eaf6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ed15bf59b93ac524fe948453514a217a

SHA1
1854788082c6a8d5dd69f0d17d524fafd77a5261

SHA256
6cf27d931adfe02bb4cf29bc806c82d08dcd3dc4f24afc774c93cc99bdde1658

SHA512
41143339b893072169e5c32f3a54bf7fa7cccab5432ef9451099f1f2c5c3c41b4d269b2bc83560cc7d7bd90f6c0a3e3ec9ca19d6f7b904d4e9a3b821a6056563

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
65c4419c7aa052dafe32bc6a9d4c8f27

SHA1
75b4ab3abe301592cc376f85bc06ca8af7fa4371

SHA256
23cbf6908ba1ad8ccd3992bb6aec4cfed06802cc05566e12ce33272a0e9dde06

SHA512
7dddecf3033ab129fa0b3032edffd22383e6a62a354336e23db7b99013f11010ae8a54d60b62b6883bc8ec3d5b86f32482f6be0dcc9ea68d37660890e3750071

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f82a588be78197bbba67e57a0ddc2ea4

SHA1
f510e6014c8dd8cbd4790c972966ebc17f78c15b

SHA256
bf7e9e569e3ced8ce95e51cfefb07eed54a7adf56fd33f17ee7ccdd59535e47d

SHA512
abcd6a0b1c4b613ae8bc4046458f8072ea43247b7056eb7ce68f63a7f11c9e181a70a7992ced51cb88a3345fd58aa690a42bb80150f0d819cb9142816488a51a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6d539287957d7457861c60498d88299b

SHA1
95e1e9914107ab51d786d2783cfce44fac758d18

SHA256
420f34572897d3b7b77a3efd4432beb223ea5873286fb15339f1986c815a8616

SHA512
46987f39de6e249de997a67963c4dfe48a929b628da6f3c84009bb5262dd34a4413f9c026cad56acee9f6c6bb64fd717d29f824d4b5e89bcb23ec9de11c23f5f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b06444b092c156597a4d69cef40a2b2c

SHA1
1026970d1db8b46e3b7f2699e90b2a3e6b93fc6b

SHA256
4355b06891a0a3fa0e06e61b7903255831c5707c395029684071b619275ff310

SHA512
98dd31b4c5e3bbd01e529dbda785948eb7b995b428abb9685b0ed28adb446b6d6860912ee8337234db992d94ed4b2b4ab3568445daa587b8dd9c0b618ca088aa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cb66603a798d4577db2c9abac7bedc14

SHA1
fdf999415b1dbda80d52df378c0125dcaea20df3

SHA256
74dea779c9eec01d625a0bc876388799ea9f2a839d9aebab9534cd16edfb7e5d

SHA512
09179cb071c786cdde863504eedeade0cc32d4e8805d26b38413229cdd53bc145d122b64122ee0aa69e6583f78b2b7f2a205746f0e4db6d4d8f8ec0582b93ad3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
517fe74816107be882f25fb564e5a63e

SHA1
1b6d2107d82c896009d6e85d0df9d89e0af88f8c

SHA256
01f1bb4e388057b11e4169cad107e0150c17bde6a353410ad8b05bc45d5a02d1

SHA512
6974b11d5622fc4e538ce18e0f0d2e8a2b817f79493b51ebc9618c60a945a693db27c7d71f21669f1b15c4c23d77b677d7e60c0da5d32420002c1ee724230729

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
91a38884f7afc42b6e93ba24f8292e48

SHA1
2cde3af2cbf9dc62af6d9d8de6961ed765e85598

SHA256
67ea29e9cf4497336e489eac9b6fe413738e4ebeb604695719f36bdb4e52bea6

SHA512
7fb92e339335853cceb4f657a7c9dc6ebde56a07921e759265e1cfef3544c26e9cd09c2d016c1b779390149286cce559fbad203e91f3fdf81918b83b48562dc6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fbbe957c5576c930eaedaf9b862644e5

SHA1
e569c3c135dbaa5993b7014e0b408df8f1dbb119

SHA256
f7262dce40b5f7afdebcb5c63118f4996bb7b3498905af7a5df9f9a8b292a564

SHA512
489a8750e024a6912619f642cdaa691b0dc2e4044fb259a21352c424744b965bb4b66524c8581214abeaaec6cd1e6627cf1ecd2402845748697db45bdaac39c9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e5ff9c40d87eacf237b2ff522a28eb1d

SHA1
332760cbe78cdceb1e9c6fb15c9acd30fc59c788

SHA256
8efb6615af6324e39a6841d9f3efaa43d0b10e6c2ce45559fa2de71db0ff5cc5

SHA512
e36a0ee521538b8171b0097faef9e24e71764d00f0eb51ef882848ec552d68806f1c6d6876206fb3a0f1ffac4de2ebde256b0d309ec73bcdfdfe4de961e13c13

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8714320e215e1cdafc9ae772100483e4

SHA1
3482a839acc2103db42d04fe41038792c7045b7f

SHA256
7db8baa9b2dbffe59a6178f58c00230bd4efff2482435dd37e38ebc1a1e97365

SHA512
70c0a733abf37f26a07c785c0110214fb32d814d72a81ebb32a65434fd5946021e4ee19a24a09ccf10d837249eb5ed95b7b5751ccfbc6e07dd49b6ef88c010ed

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
009df57bc15d232c3d0d185f95fe74c7

SHA1
79e70252a5d4fd6d98a98dba5ce05a621494c221

SHA256
57bcb7f655fe5e2e2b5f74354f890858a36c175c9c88d2c18653ad542f53cc1b

SHA512
4ee1db1bab482c6c2734639757810207d114b858184b181e7c4f1bfdec4a647c3fb69c1ecf2f82911aab536ff954d0a3a5ab4c6ca2c87b2f23fc48767f8613e5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
54814e485acac7f0ec48b3a7aaaf08c5

SHA1
3e8b884fbf7d84e3d3a583754290a93a74703594

SHA256
9066beeca6b9ab606511b433300931dd5c7bb6a343517843c39d2a7e583675c7

SHA512
f01ff602ab42671835f7a020af6fef9efd51514894432696b9cea41325dfc6a5d6b0c4ecd289546c4099c7c5fe6e1591acb5358773388bd212ad7f3b29390fd4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
35be7f15bb95a5de24008a173821d7b4

SHA1
5bb8bc80cbdab01953308ec0bc4967fdc06c787d

SHA256
473e37740fd6ad193fe983cdcdb4e54dfe2d2d3e3845ffc711632e583ad4343a

SHA512
824332fbf7df1c6a2055b284623762c7a58635cde826cf755c43cc0ef6ce46eb2428b1a7ef3173c788f66c8c881e468267c37e9d5ac314a28d9c9ac077a46c45

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4ce2b12b468d7b3638a0e9755aa2ebd2

SHA1
f191ae82df44f6b163a9311b65e8cba20b07c366

SHA256
df39b4c5383c5b51e6b45231a6447473aca79db432aeba85b3f9d6a375f647b1

SHA512
49c507bd04ff8e72d97c7353a2cc69216950507a1c71c17a4bd44c7aadc037fcb8d2202504defe9a24cd19bead35b764a97a0668653b40ea17ec4a3d2297847b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5ad5d988e266cbba588c7b543ab3aa3d

SHA1
56b426f977b9f714d780e9a29d669ba42a9631e0

SHA256
10c50559d716d95069eee3c8a841cda1a8c4bb99faef1d8e8a393ae96ca34525

SHA512
d85351dff3605120fa50810e4638a21ceaa36d0769a1999d8d9a7d3dab76ae5e241ac65ed64d4fc7470d9fe93e0b6e69cb3e8f6db8334e7e6bd3c662d0b82dac

Download Submit
memory/728-605-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/728-427-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1012-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1012-593-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1060-598-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1060-353-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1396-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1396-426-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1480-603-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1480-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1508-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1508-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1508-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1508-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1528-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-560-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1696-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/1696-27-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/1696-0-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/1696-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/1912-607-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1912-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2104-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2104-402-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2212-67-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2212-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2212-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2212-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2328-390-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2328-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2728-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2728-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2728-257-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2900-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2900-247-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2900-252-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2900-364-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3108-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3108-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3108-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3108-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3368-525-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3368-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3588-604-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3588-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3900-373-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3900-599-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3976-602-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3976-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4508-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4508-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4508-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4508-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4508-91-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4548-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4548-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4740-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4740-414-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4968-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4968-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4968-26-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4968-17-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download