d39a76c599d5927ae083bb2b792ca11f8c3dc9827412ba72a13a4a310de17d3f

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d39a76c599d5927ae083bb2b792ca11f8c3dc9827412ba72a13a4a310de17d3f.exe
Size

657KB
MD5

7cb923c97ffa0deca4c71684c9e690c0
SHA1

753f174e79e0ed10eba6cf011b4c0b44347bdce7
SHA256

d39a76c599d5927ae083bb2b792ca11f8c3dc9827412ba72a13a4a310de17d3f
SHA512

e7f2d2a9dc9c2300afb33bd65b6024306fd142b8d2e6b43ef78f5d31408186f60e4c8502cfd55b3ce35931918c50cf29fefaa8d9e4c6385454525dcc324f089c
SSDEEP

12288:CUtSxxKPo2f3p6UjKvDhFwOz0/QGoFiYldaFMi9nEE8h+9oRWk:ttS/woip66KfwOI4GofidEE8h+9o4

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4808	alg.exe
3900	elevation_service.exe
1968	elevation_service.exe
4468	maintenanceservice.exe
4612	OSE.EXE
4572	DiagnosticsHub.StandardCollector.Service.exe
3228	fxssvc.exe
3856	msdtc.exe
2372	PerceptionSimulationService.exe
1072	perfhost.exe
3056	locator.exe
4712	SensorDataService.exe
1376	snmptrap.exe
3792	spectrum.exe
1664	ssh-agent.exe
1832	TieringEngineService.exe
4596	AgentService.exe
4816	vds.exe
4724	vssvc.exe
2848	wbengine.exe
4376	WmiApSrv.exe
1464	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	d39a76c599d5927ae083bb2b792ca11f8c3dc9827412ba72a13a4a310de17d3f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e2f1d570ffa85a2e.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79609\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79609\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0FB57C99-87FD-409C-9C0C-AE5A1CAE1BFE}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d39a76c599d5927ae083bb2b792ca11f8c3dc9827412ba72a13a4a310de17d3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2efbeb3e1edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0de8cb3e1edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd3b0bb4e1edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025cc79b3e1edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007854a2b3e1edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007117c6b3e1edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a8cdbb3e1edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3900	elevation_service.exe
3900	elevation_service.exe
3900	elevation_service.exe
3900	elevation_service.exe
3900	elevation_service.exe
3900	elevation_service.exe
3900	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1768	d39a76c599d5927ae083bb2b792ca11f8c3dc9827412ba72a13a4a310de17d3f.exe
Token: SeDebugPrivilege	4808	alg.exe
Token: SeDebugPrivilege	4808	alg.exe
Token: SeDebugPrivilege	4808	alg.exe
Token: SeTakeOwnershipPrivilege	3900	elevation_service.exe
Token: SeAuditPrivilege	3228	fxssvc.exe
Token: SeRestorePrivilege	1832	TieringEngineService.exe
Token: SeManageVolumePrivilege	1832	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4596	AgentService.exe
Token: SeBackupPrivilege	4724	vssvc.exe
Token: SeRestorePrivilege	4724	vssvc.exe
Token: SeAuditPrivilege	4724	vssvc.exe
Token: SeBackupPrivilege	2848	wbengine.exe
Token: SeRestorePrivilege	2848	wbengine.exe
Token: SeSecurityPrivilege	2848	wbengine.exe
Token: 33	1464	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1464	SearchIndexer.exe
Token: SeDebugPrivilege	3900	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2128	1464	SearchIndexer.exe	126
PID 1464 wrote to memory of 2128	1464	SearchIndexer.exe	126
PID 1464 wrote to memory of 4412	1464	SearchIndexer.exe	127
PID 1464 wrote to memory of 4412	1464	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d39a76c599d5927ae083bb2b792ca11f8c3dc9827412ba72a13a4a310de17d3f.exe
"C:\Users\Admin\AppData\Local\Temp\d39a76c599d5927ae083bb2b792ca11f8c3dc9827412ba72a13a4a310de17d3f.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1968

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3856

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1072

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4712

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3552

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2128
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
631c3607ba7d009598624a0b060921d7

SHA1
b57ea3687fc621f6fae32fd9f22f38bea88e26c3

SHA256
6a1e5bec2a7d4707e0e3c50829cd6c86d023322f9b2310cac66cc6e3fd20979f

SHA512
dbbf7c5c3c6671b0762eb597c037c1ba6279e2564ac5a6b29f1061f6311041d81f7f35fe7c5cc9d1b7b5212c5edcc293f2ca1d95eb675bfa3d06f8e5adfaa3f7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
9d4c81004e9e46f8cd831255767f18e7

SHA1
f6eaf887096881b1eef30ee92aa21c3456665605

SHA256
c2a0b258a342171e10864b1e18262f9d598e02910ce10eb66a90a64ba2892c47

SHA512
086e147dabb45ae6e2c08b955a2f02bdaeed0d21293062add9e22b34a9758492e59e513d6aca1a53c4fe406435e513cbf7f4b7cb8ef7a4637268e3d915365a3f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d6625a5e21e27c9435ea9ccc52d64146

SHA1
f0fb5583b44299f5d280e6b09b39b2f3e4b4ba62

SHA256
640df7d3e54d56b67c06b5674e4f208d05c0cc28ae31d16e344ff8003ebd8b6e

SHA512
2be6952b72450e650611dd1b623f9ec8432fad97f1cece304d35e765ed7d828537ccb25416b44ea2fbdfe6cada27522cdc76cee6cfc4a544dd89ff607f145fae

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ee30c183aff84cddb7284479bf4bf460

SHA1
0fc74df76ad452f01bac3e9874f63eb91dd605c5

SHA256
54b3921cb5798f0bfd3eea7ba96cc32b9b38470096033cad12fc386a7df9d9bf

SHA512
7e82d5fa74102d7f7f9da638d869c471e8c2bfa4eaa2d76f49fff76ce1e89dae494a6bca73bdc174ad0be5042bd378c535b8301b777b5de6ce2d5abe5da1b78c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f227e2eb612da57226e982e8d9ff495b

SHA1
39e18b6e3fbf414881a64e4374f6581e310a9c9f

SHA256
92e2e4dd93719a1cb1a310bc064a74fc9d3ede6995df4a35f7fff4ddce0ff92a

SHA512
2b8ade05b6400f7f4140aac0033f3e2fd0e4495ff9c0d5656b67d1adbbf440a57033baa2a93c179c4f7c2b27e77a0dbf1d02b42bbf0db3320921b2bd009a2011

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2b0c2ae533696b1851907eeba66a3b53

SHA1
0ed1600cc7ed0f8d31bc49576f42ff57b2f3f167

SHA256
723c00e360d473270e579f9bd2fee84c0428c7a06e2315d1d0f1e6d838d116bb

SHA512
db28a2fc7285a1959c9117357a9e949005eccefbc6c81ff5b277f8d9a7b65242f174bc637dd966a066075807d06e8e84afe482866a6bb7397fd7054076555ad4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6cc8e3c5bac4470c8593d3c6e190d366

SHA1
fb5c65f1928eb1cc225c4700c666e837cd118616

SHA256
ef76dd8722609d9224e42a1600fe6b66c762959885ba5b5b54bb135e10f97792

SHA512
54ad9c4b404a47c5a9a07d86966e323a1030a03055f5cd8ff98d24e9b224618ea3310014992252843e8480d5a2c4b0651d59629c46547e90c95916bd146018d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fc0c3856dd3b92873eb0f2cc406c66aa

SHA1
f667518fc032ea7ee0708c767d16092beea2a05c

SHA256
819d3d69b066f2916cd7b3faae970d2c050e88d54e84f56db17f3a90b7dbd236

SHA512
3dcfdf21070aa2d7afb1253720f8f7a87ce05d5f43cf7c2bb930aa09756005a2557f29b3cbc8d75a1790fb48a45857ce402be925589c34f520bec549ef5bbe9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
deafe8d073eecfcf4e2bb8e63753b9ea

SHA1
0953dc04115a2307f818ddfcba54779df310f869

SHA256
9faf81e4f53cadbc52f5a175b9f657a7d90ffb95d9d356c41bf9082692aaf614

SHA512
f3e842dfcfc4044967f39802338507902876844d98ff995aaba0effb8b84c4ef2f69d11fe546a4bfa688af824ea7c38bf899519489b92f7f5ad36aefd2425cae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
016515dd167b500eee2982840f4f56dd

SHA1
f87d3ec853628be16f77ae32188ce6f2d99b6907

SHA256
bc8185dd9ebce172a2084e942696e5b34181365979ef146b9369cd896bd642d6

SHA512
99c277ae22a97ff3835c8c2f6918c80e3e2b318550cc7d42f7ed8562f5a2809470faab6fbe08f632bd92c2043297654cddd51c4fe95a38cc4232dc6d7073564b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
11774217972c8f00aa85dea54ced3d66

SHA1
44b311f43229925e93718eb24e72280ba1f971c1

SHA256
97512133a0d1678956cad6afdb1b34851b64beea840f7667757da1f535083bd0

SHA512
677f42222134ee6da231ad975c1781090546fb882d100f5995365f56741f13072e8e245ec94b1059b0f36df450973b725b32084531f8aa47d6df4363f3abfbef

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d5215698943a34982c07fcdde80690fe

SHA1
107ef1c7c49c8cffd92f2f338db5578d98b4b05b

SHA256
de4cf61fad51e9d2c43d3290f154f2337b14e8527bccf51d79141c0dad24f55e

SHA512
5513ec80447c1f6201bbb52ec2d6b0ed2bc447ebc139f2da0150131777f5bfc6b45c70732ac5b0b01bffb360098e9c5ab88cfbd195749630a0164fd3bcba490c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1a7d211598e2656238c7392544cf048d

SHA1
70225fb66f976b109a540973470c402bf614f5f4

SHA256
29fa2cda917fa9d5babee123d39c51eb5dd8bfda5444313d09b0b9f4d115d95e

SHA512
42fdde8463e8fe5e0b124f865ba342bdd68dea51c88d62ff22b5b6aa9bc177294cf374fb8fda0d00be30a07f75969a10fda8d43673e92234e7688140c020e4e9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cd98ade64220e84b606c922ee87f9639

SHA1
6168ee75adb3f523282a2fad42dfacb9eb8ebf38

SHA256
67f9a6d72cba14315912a20189786af86d35829fce9ddeb2d673468ff935e7a2

SHA512
fd69fa8e01b3e1c07c144b0d26f53f82614b5796327bf61a92fee1cf6e3ac5d4bdb6547a06d7dc8fd077b9a70e838b731264246035ea742d050c4a101b6b234e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
8641a4b35f1992572f61ab3400249756

SHA1
4a24be7cebfb42acc92ac7c72d3170950a49c6de

SHA256
c5d6d8733b536941e99e4cac1de678ca5b0b41291de58172f75344b8cb768685

SHA512
f22ea45e21f7b6739eba549648860c1412603a9dbafc9501a1d5636575a392a7b8fb78fb1f12cf8658e863f2c2350d46080ed45acbfe4e877c0b73def37582db

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
7789857d8409ab30af953ab63319b451

SHA1
3754912588d2917b93ee76779f234f4ffe1c3236

SHA256
36bce76c1c44e6d4b99c2159d60d13991d7a934819985b1e3d717aef64ccaea5

SHA512
46b10ea5bb7e70e31e7801b12247a6603aad87fb6284d544ac5c01175762b4cc25c3ce924705e026fe919e211e2ab29954477f846e6bff4bbe1ce1d4ad5856c1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a14a7e19333d6bcf781dc47a564d882d

SHA1
88caa150a3aa32f8fb7193a8a283e9ef3d5cdf4d

SHA256
e440f9230b8905f01f36d6dd1ecfc8dec3d7bb45092202099f4d9a595563f8ab

SHA512
b9a161acdba68082b6bcfa8eaeba482b29a393efd5b51c3f6ed63c38ad633f5603aff75da95f085be526a5e12ddb2829df2664aea18cb93634d0d712696a5925

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e68e7511a87705fe9be2c4573af4db96

SHA1
8bac8cfd8e68d2a7e2027d95f06d086f53bafe1a

SHA256
f5437efb887aa06860011c4d0210d0612792f8d1b3c76f485b1c410cd16f303f

SHA512
29863be579af98ef48947a39c76fa35ad848f730fce531d2c82ce8a25243f69d095bd657e95fd1dcf99c533e1bc445d2bef2969ace0057e9f64a1d49b979c370

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
bdf7265e7c5bc4fd4c2028757e5be368

SHA1
6468cc3fa2f66d68afffb3bc09882e1b252b9187

SHA256
6e7d3c1692cb8fab31478be675f93ce954331033e5a066040848991beb8c9235

SHA512
111a8178da1f443f70b9570da46df6478417d6e6cc2f97d030da0ad720d3a8c1716ecff591a29433f1c64a50078034539b0ae9168ae80c46b6a57e6bd0d48ab0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
766bb5318d4f5dab0e978478cf02d98b

SHA1
622d485bcf9e736db87adcf2f33ce6e20da7481f

SHA256
69d7e2eadcb5cc64e296a4d2bf4f758551785e813e6a325ce41231a58f36d5eb

SHA512
3152902d916be6f5d84c94372b4bfadd13e4f469ae10ee5bb0f2169079c6cd69dfc131ee9119e30e1d1d9db52a57bb7e9366a378e15d6a2fe1bf4da8e165179d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6c41fb7f083a1d9b5aafdd8850575576

SHA1
7ef27f695a453276c800919d1c2936e14515f70b

SHA256
22791b39cef76b9adcbe97cb027ce3137ac2dcc165808a49e07afb08af5dcd03

SHA512
808c2d535faea92ae4fb326e2f66e3286734a52d8dd961dfe6b0e35f65e0b56224d25f9bf9ed555fe6570aa500402d6435d8236332cebdbbd271d7b3358e7546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9fda34263a6dcf70f9a4bf5e8244e8f7

SHA1
68691c55029d1fb22703bd45ed6301d9557b2517

SHA256
271f170541c5cc6934a9f7381d7a7534aa28eaace3c7ab654b1e122d2bfbf18a

SHA512
eb0b00a8b981f10598c9dc3476e06b4a6c32241bd2bebe586643a58f5f566121dd06c5b0549b81962b4634123faf6ed22368fa8b85337b2c8298626561477952

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0dad37e22af337f0bde90bd493b2b889

SHA1
03e80ea851482192676150ddb353fa2b0958f5ab

SHA256
c4278333e08e21f36e28f66e81f0ed2964533ac75df33b06104548ff492e4e14

SHA512
fbb1d7b9ca86b49b0fe4dfe23959a435f9210bf07f5c58e55a49b31d5c08c78dde565f1c7c97fb9d644f6f679fb2799884f78d3460c91ab175ad88c53ddbc90d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
fe91669c649caea0214b5f717fd41cf1

SHA1
293f820e1e617393df8ae256d255fe3cc4bb8553

SHA256
244874ab7a87fa5db22da204509c647b08b1696574b86886701bd9418a102927

SHA512
43abb0bce9f55673f028c7d1388f2c3e28042695cd8d22740c2199f1d81586afdb4a081170e27d46cce987a22c12984fb7828ad4f9a5261d22f2a76847697fd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d9533a268bec60c415f599aea1339cae

SHA1
cca09b0a44f12dc07b071989acdf69c3a5b37489

SHA256
a84dfd8b1a9ff2959f31278e938475853414e6d7e9dbcd52566c06d2ef24376e

SHA512
2f2828cdf16397dea679567e2d9abc8111729e3abd408f55c73f6c7e17d046dd108d2c9665b8ce73acec4f736598c70bed9f691f8488333d47120539bd976d11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fd17d19c2cf2bcc9e69a2b02b05baa41

SHA1
0081c92a7dd70b3e345aeb840411d4a69867ef59

SHA256
07e7f2fb79c6f2ba89275f286726958283f789442dc6f3e2e6466157ab3a25b5

SHA512
4e2b30e8d5498d8ecc25f7425909ffd0c3708ee15ec51a8e74d6ab6f9576e243b97ebd5fbf5fcdd79f3b6f8367c833b7f6af34aee0d5e42e0e651249e90e2864

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c357d0243ef51538d6db4afb72cea26d

SHA1
dcea1ba33ab11fe9f7e9c1a0237dcbac510e88d1

SHA256
281ebd597c368cd8a3557a1cc98c3aae3050051e473eb39eec46b2ed2b035702

SHA512
820a60bd13891a16c291b550c9bfa787883f637fbfe0275e5e8c526f8cd13a4fc733e3d00942a856c9005b8c90f66e1d7584a25235cb870e4994b1d55738625e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
28677da6ba53149d5a80a3d4e1aea52c

SHA1
4236a78c907e0518e53dfd49c862ff8d774041c1

SHA256
73a9cde65caa3e6534ccb430cd249a4eb859b1c3299c458383e2716b5b4106b5

SHA512
e2d83d034d1de92b0571d604b79937546a26959213a0de7333bf7d7083fa9deeb174e3ee26c0fdcd4560c4a0c3aa888821f7a87f226f4ebaa7b881a4f19565cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a68b1a277afac0d060757b48303eeedd

SHA1
e55865ec4fa67feb037bb98d310950eb0050060b

SHA256
9c5ffa267af2d92e443f3954d0ce3a4500911dd957c2c620bfe109e0b17f5167

SHA512
e1b279f0eed8c5e880da1a06db224f52fd1df0028561927d660d1cfc53493b7e96f8525813aaa75423ec6da2b7cf1bb3a7fa5c6a7de8f2871e4ff298785db90c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7c013008d81a7525470562859b7fbeb5

SHA1
3e06676effa29a0666ca958b6b51a7f4e8c8fddb

SHA256
83d7ecc03d8e2d3596553b0d223d262a24bca2ad7394162927171ea1943642d2

SHA512
71cd849fe298f41983af37e0472e0a172f7fa0b2c342dd8e37e88a69abf64d4d706bbc95d4f76032dc90ee0a39052ff623718d592e878b6d3562b8dd0f9b7663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2f01522f749aa6b3aa501cd518acd446

SHA1
7dc3bb5f6d02d5547159528858a960dfa982b76f

SHA256
c1e391e77acb1eb0407a99915a96c9b56bb04761c756af661338573e947d3fe7

SHA512
9077d3374522f374baa340bde37c3a583c8dce9edb9e76eafaafb99c3a1c64161c16265794f063721bddcb5e7cf5d738863e40210f0bc152da0fa1e8e35fa0b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
909f38f2bf22a8a0852ba32b7a802045

SHA1
1a7c31afe02533b1416bc04a40eb9aed747402c0

SHA256
1c6bd7b598cc661860199eafc4dfd27dd4501abc1ad9097bd3bd5fa7502c7f2d

SHA512
289d27911e65761a1fefdf03d630ca3e28125a4a78463b2455070a26e41575f6eabccea7a00dff6dfed1078c365b07e240d442c0ba65db036d1928fb254bd61d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e896295ae6c498d7300bfbf08a03899e

SHA1
af35e82f6a6a0412c24978dae3ea50528e0bf46d

SHA256
9ad41f69b5c4b32a22e7129225740100497e5212157717f519310f3ba31df998

SHA512
46bb04093929a12fe5271c8db7a91249766274d9d914a51e75a87c41f23c2df5bcff7f89e908f3f0bb7590e1ae62278f27bdeada2a2dbfc1d292c3dcb67cbf60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
30019c8fa56702b7c0c71ff54ae39dde

SHA1
d109baffb7f456a2fef4ba73312970fb9a16990f

SHA256
5799f85a84caa87ebbe1d39f2ce2f1c0fd4229704553c57c4e3507b2ba9a42e6

SHA512
2ea99df727d7f00eed6215492cd2b666ce2901611eaac7b50d90f0378d7f7b6cc352a009cf578ad56b13a6b2434d89fcd317ba78f84af37ac1cc163571c7a862

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
33664a067544cb1fa3688b510aa87f61

SHA1
2c53176e5aaf371e97a35c3ce23c222e5ff43ab1

SHA256
4b134067d85933959a43ed064a04e68f2afe23b80fcd584afdf2d45dc33b255c

SHA512
bf90fe97179934efa8899ac9f389eddc5fc7c1055cd0654ecc2c2f3428e7442f6e535bff78cd44c085fdd9c12189f8e86c1b770727bc32801f7425cce13c6feb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
61191fdbb9e562086ddfce42652ee860

SHA1
d46c3d7b0aadb12b5ce52bc31c1775952cd43167

SHA256
b4b75fb661592abdf061a67108110612bc161d4e4b9f34c6f5ce21bb8cd8635f

SHA512
62752691c468a6e255734922e04da7c8c233399f984acbb4a047add3ce22f196f2ec3a9922af8f816202ea562223dea9f6ca8d93a19b9cdbab01ee26053b6ced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4a5dede553dd22b924a9b80f4c1c8c64

SHA1
55f4522b458713ea3975aa6f6da007755b2603e5

SHA256
6c9499e6ed38ebb4e6122fb0f572a6c6dcc4b702bbcb3e724533feb4cdbf464e

SHA512
681d912750ae7cf5e9976b19ad8698765861796a2815df27e7b966b35df414e18bd852ce0ab12fa62946ef1a33aa5fdf86194469e1b6a64c8cb7f3b8390d376b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
9a5f46152a58c6c2fe7732e33148a9b6

SHA1
14d526386e07f8976b21f932c779e85ea28d14bd

SHA256
d1b34617bc0d46d9490708bdcb5a30272cce827fdcd54374dcc995a4ce70def6

SHA512
feebe22a0d4826d9f7deb79a2e5c36f141fa8aa8adaadfb28d5136ffe31ad2327184b76dd99657d4afbe602b36213fd8903464e235867f25a2f2accdda70b673

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
9bf97b359399d5adeafa1484a13995e9

SHA1
89bbf3317ee5ec89ebe22ae7a4980cdda3201ed4

SHA256
afd5419358b621a2ddadad0b3d411e390da869107b8cfd3747b1385694e7fa33

SHA512
650f88ac4715e384dc26eb41a11f01a88ec975a4f425d652ba18ece24f6b465d44c4f7de979f22121484262e27cbcbf26fa6d787526543306fa201578f71a33e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
9e14c684cf8bcdeea00a547f66fa7b4f

SHA1
a76db50114f4d1675e36f271485fc434911e32b5

SHA256
00e9d2a3f95646862d8ecf7e5ce4cf87bb7315c333cdf7a82394cd7b2e130d4b

SHA512
20ec344502a5ddb71834471d294a28b6ea1af402ccf1d9405838c8181b372b0d156c78a76a68222b2eebaf2927a03e1be442da884004e41ef4f1212ef3675890

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
b739deda4fb97cfbbde6e3144fb97268

SHA1
61c509a4ff778a13b84efbd6a91b05d9b259f6a5

SHA256
0cf8f5a9e6ee248b7c49b1ef02f32b6f9eab70fd64159e4df8720f4c173227db

SHA512
7ef193723ac8c20dd31c19de0de3fcd8126711d9ae90531f787fda4bd85370fad0f79cfaeff0aadcf17a43e63640fab74c8680163b7b4f805fcdeef7b3fba20e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
17eb7743bc89aa1fda1a2f5e1eb5120c

SHA1
896293d08c77ec93165ad9330b8a8dbe02c75482

SHA256
9cb6a7b739070d4a65f214f7196f98c746661c92e072144fe243c8c83647464c

SHA512
6f677df969f968b219d4bc50bb23e1dd301b3cdc3661dac7e5558753c3e5a9cdaa02b5230c33bf9fb61553bd12917ec02c0b3fd3862c54bc0e4975515985d8ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
c1ad3ca9822bae46463bab6c1028b8e7

SHA1
8c9ae5763d30531e27ede09a071efe2c788cadc3

SHA256
e4553ff6267a2da7c1efc1f206fd4914eebdae762e43f911c4cabd6f933ccf0c

SHA512
587f7c0256fe677745ff39fddf444dd21b29711e7c1e4e78d819a13d01efd8e7bc566608f98759abf4421d5d6145a5b320e5e17b61db5881f776a3a8e3582367

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
114614dc7979190267c1ab74adfa7010

SHA1
15660bd344b1493c359137f172cce26df93c4b1d

SHA256
d6c19c0add11e62d31ed3e618591f93632b1a1fa170b503d7a0a3f8ebbd310e7

SHA512
1343795974c12585cdff5203a46f69072a56432e505a3c318c917aad02ac43385998d453ebea9019f673a3c25212f0d253c6d432589933b1578357d37a1181e4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
56f6315ef2862ada18f279fdd8465b28

SHA1
534d47b5f0dca1175c67fe377b370627b3da801a

SHA256
9cd3bf315b063a012eb8b27e7aab1b747571b26f63886ba52cb13af4b53dadf0

SHA512
6f4680b6c456ffeb620b9a7140d596ea99c79b47dd036dc62b1d23781c1cbf545345b55ed997ab8a8f17e45b8394b59c6004541d55c6031eae8bccff9beb4be6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e3b03a5a94a0efefc6a43b5b6b00eff6

SHA1
3cad7f41770d2f922dc98dc38287f1ab0b3ad59d

SHA256
52f3a2af8df405aebebaa5014b739c298446ab6d5798c58814bb262d438f3b61

SHA512
3af99839850d0099f48d36cc4c729ee3e5fcf1954a97ef1ed3f6a4a2df6fc503b258d73a6f9a5728d55bc469fb73c29131d7e0f8b584004720945cb68c17d6de

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1673dffa19bc8e3f321ef2789bf23f6e

SHA1
1bbe33cbeccd36a19a8bb3bbfa2466d53a9676bf

SHA256
5f3104b416d4b8b37281bb528ed54748808199debf4927bdc89f3ed6ffe1527b

SHA512
471d3f830e13a2786e1cb89311d618a6477648011cbb29f0a5f45546f1ac237d3cbecd2efb7c33dddce187b1f3b359c688bd86f9930be9e9ae9e2bf10552b211

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b7d38130dfb45c5d5c50ff5d24915046

SHA1
d28c14461534fa65184a725b15cda3eb19c31bd3

SHA256
0d940511cdd58e8caf69ae71c217c692732300b66b69077af2ae53ef5c038321

SHA512
7d0571ffa575db8b075ef3c0b58384dc558d64e7952e3dbf2f2f0602997fac8f903604ebd8d68599c8088b528c5c8086c06f98dab7028a27e90e03f86c4cb102

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
157e2f612405d0e571c9386972d3b9c5

SHA1
589a25d35cb80008155189460778e5d93b8d7bec

SHA256
fb832c075aad09ca67c6561ff23b7f325b6b25c596c1c3dbf5ebd8810588c511

SHA512
c77b06f4a5f0aff2f628e3ff743329f99c42beb3c7c4028aa316cc936a17b2379f0aa0136e1be9701f2aa36e9e61083b4709cfa3ac944ef3637a83dfa6bccaab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e8d4074f7247333d8a06537af6a84a84

SHA1
0f484721d6587cd01fdedc7af835aa4bba2267b0

SHA256
b5dd3102c84097c0f82f28f550a8b572f280add0d239d51e98a8e2a61a663120

SHA512
22fb6df97f66c097f8e2b9a9d7ebea4628f50aa020a69b7d09a686028d5f583fd622b661b1a7f5b6e4ed0c2e946391535e51b4de130423ae0c8594301b1bbb67

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9c519024e4208f2de9809565846cbbb7

SHA1
6505af486c9d1dd5101706c6a0fc750f9fd16b88

SHA256
9a3b3b0ce6e8ba9dafbe14a0aa4cac17a666b51cf94559d06dde0102bc5eeb16

SHA512
a7335169fd98601679f256e5c03b117911eb0c0e92afcee40685075ed3c3d93f6c72bba1c12f7d525b6a57b4819b54846c98a9c53be686bcff4e872556ce0baa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d52d5b4770595f0154ad5073f9cf58d7

SHA1
c0514d744a0fd65df97cb024719a5f8638d1051a

SHA256
7219950ab586602e26d7285f18639eb4491675da8777f1a31a5d11775a0ad952

SHA512
14ae452fa1dd7365129f916079363ddcd64b9c4f92c34a203b27be502e59a0503ca0b9d97d8a6dae9b13c6dcf7281fc3b684cdb5e0b8c8dfceb2bebbe56f6819

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d49a158f38d9ad73a95fed3981c5c390

SHA1
8a33dcd16f5c4baa9c9135f2a6fce33510d43fba

SHA256
1e75412dffc4a7dc79d228f18bca0802b30b3b4c1893954116ea6e0286fa2ff7

SHA512
a64b56568cf2ce5760422f0964397badb1acfa90320278e8f979e294a4935d5ec8eacd63b5440a096bee5d1e8004837ab346ac2f54e6c7f675db2f1e29b5d7c4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
10211a9e993ac59a92cdde2832a2b7c2

SHA1
7e7421ac56fa27030af38ff8e9661a6e714758e6

SHA256
e6bc089bc2b33c2e90e9fa15eada07d1591aa80fc1316f59b3174caeee058a31

SHA512
f9c28470c5fc706f1161cb4dbccde4bdf75613a894b9597fbb9361e2ebd70bf8077c4853a58a76dceba50b4c94f078f2a40c922176e3c64d2a390a1862e6fe71

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6b570967be3425a874adf0ee372adc5d

SHA1
b0d369da0cd974a66a998cb4692ccd4e8b4119f4

SHA256
fe1f1c803a467509f731d4cb67637c6248a3dbb374d7e94a612f492450d7404c

SHA512
84d706cb1eb3c78929c13130542f8ed8ae773e4597a9fb8f50331d0e6bac28759a6e96018a2a9afe267679a64e367bc0ea3cede5d56e31d9dbf0fe1e5a400bd5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
761abd2e38e2b608e0e873b0f8ee90cf

SHA1
db921f387d03e336b17eef7afdb363e90b65fe14

SHA256
f0031766c5e77caaf82d303589a53eb0ceefce38814b21e461144533f40d3005

SHA512
85d3e87fc59ee0f3f463f76f2525f0dfae054e073a60db5078602e3e34077bcfb142584d4efce466fa488053d4f591315f0a3b21253931e16f3573454a45e121

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f3b56b61c74cd4551f22a6496da6ad40

SHA1
316bf6027a8cfdfe32b78cf7082d1c3656d48fad

SHA256
1826f121b03eef547b1e673fd71b00649e9f38bda12142d213e073533b29de49

SHA512
2e28dc188418f3cf333ce6b46c153c07e4e9623e56aef0b9e618a2f41ec1a0f3d69ada08eb7c6150637b501473a72222de609e7158541cacb975457d5b49fcc5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
28e40cea51d33f33ad3276014484311d

SHA1
f84d9ffd30153cbbee6467f1ebb7d3817e0131ab

SHA256
9071203eddcd6e621f4742de28d5e6bee86e12096c87fe6e9b265b842ff6956b

SHA512
47719bcb7e6e550dea4c404099695a2122aa1522e7fa3fa6cfa7d35da20e47b15e053e01f18b1a1252814b7e7c2ec1c2af9b965178c490516ee19d1dfd969d83

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
eaf32ada35fbf01869d3d7c2e7b5c307

SHA1
a4303ddc454b3bbc120405fab279f62370dda46b

SHA256
26948b86bf55a4a4a7497e9e30c8688768c90b57f27d7a7e6510af9a56471b8c

SHA512
2e155acb3ed2633db44734efa81c6ea74f0c0fb1e391f1d79ce0ce2b3430c287da2ad1bb1033a970447bfdba90ef8433c47946a5cd2e7c5c53da607dcc8f4524

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a703cab6ac569497eb72e0cfa618e6d0

SHA1
a90a9c4c79e24b4912dde6279f9e93dd7fcd3c48

SHA256
e9901cfba6f0fc138beb47bcead7439fb31af37180097027f17819e9ee72d9ce

SHA512
dc34de7eb8ec61b1641b20970d4329b18467139cfdfc790758967b4c718c12737d23baf6ac39b94fcfece0a7a43250293ae914919906829d103415897454999f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
80a26689551396146e8d10fa6de37594

SHA1
a08cf49880a7f76aa898f96f1e33b8fd52779c72

SHA256
1fad3f811a85a25d2966f01889355cb475ce6327b7b00106668c9851af917ba1

SHA512
03340f760aeff1db7efd71bd122078a24556eed83fcf0748935c39d35cdcd485b4b201b1700acdc02ef0ab33d6fe1c6e5ba65e3ee4d1fc436f7b9e335c370088

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
43c2c2ed977a9ca2592014c2aa3103f8

SHA1
b1a41c49fe002bf7f270e9a10451c162024558a1

SHA256
cbdd6a582c0c94e78303e02b798eca8cdf58c8d984671fcece372a953b2c9558

SHA512
e726d5a135276b6cd22764fb26f6e99f21a94f1a34af592298e331d451124013fb269345947a8b779c185e8ef3a42b0031ef4621aeaf37154b5a2fd175543fef

Download Submit
memory/1072-409-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1072-292-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1376-334-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1376-544-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1464-443-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1464-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1664-623-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1664-348-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1768-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1768-13-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1768-8-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/1768-1-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/1832-368-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1832-626-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1968-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1968-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1968-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1968-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2372-397-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2372-278-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2848-410-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2848-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3056-302-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3056-421-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3228-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3228-252-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/3228-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3792-619-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3792-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3856-385-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3856-266-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3900-28-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3900-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3900-37-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3900-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4376-632-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4376-422-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4468-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4468-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4468-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4468-59-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4468-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4572-240-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4572-241-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4572-367-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4572-247-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4596-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4596-371-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4612-67-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4612-73-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4612-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4712-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4712-442-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4712-622-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4724-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4724-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4808-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4808-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4808-24-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4808-15-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4816-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4816-386-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download