9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
Size

1.2MB
MD5

7f8bd945274c52394c19fa07752fc3d9
SHA1

5c356fe05bfcd71a6eaf06ed94fbfd625ec72a2e
SHA256

9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b
SHA512

f379791962bed1847347479e52ec7dfcbbbc9ed7a5c1de18e2c3d432245f54092d14a4efa0534d4c80a97af71143a28fe7811b353dddb07612f2d6357e16359e
SSDEEP

12288:A2K3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:tK1N3RUDHNmdPCAaq8Nozgi/rE0TOj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4680	alg.exe
4732	DiagnosticsHub.StandardCollector.Service.exe
1644	fxssvc.exe
1640	elevation_service.exe
1484	elevation_service.exe
2016	maintenanceservice.exe
1716	msdtc.exe
2256	OSE.EXE
4924	PerceptionSimulationService.exe
1556	perfhost.exe
2844	locator.exe
3460	SensorDataService.exe
4536	snmptrap.exe
1788	spectrum.exe
5096	ssh-agent.exe
4648	TieringEngineService.exe
3032	AgentService.exe
2032	vds.exe
2180	vssvc.exe
2856	wbengine.exe
452	WmiApSrv.exe
4476	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\locator.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\804ac3d485dff9a7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001dd20447f3c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ebb4e47f3c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f263d48f3c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2fb7348f3c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088f38747f3c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f90a447f3c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8af4648f3c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a3ed447f3c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000315a4c47f3c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4732	DiagnosticsHub.StandardCollector.Service.exe
4732	DiagnosticsHub.StandardCollector.Service.exe
4732	DiagnosticsHub.StandardCollector.Service.exe
4732	DiagnosticsHub.StandardCollector.Service.exe
4732	DiagnosticsHub.StandardCollector.Service.exe
4732	DiagnosticsHub.StandardCollector.Service.exe
4732	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3768	9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
Token: SeAuditPrivilege	1644	fxssvc.exe
Token: SeRestorePrivilege	4648	TieringEngineService.exe
Token: SeManageVolumePrivilege	4648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3032	AgentService.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe
Token: SeBackupPrivilege	2856	wbengine.exe
Token: SeRestorePrivilege	2856	wbengine.exe
Token: SeSecurityPrivilege	2856	wbengine.exe
Token: 33	4476	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4476	SearchIndexer.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4732	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 6032	4476	SearchIndexer.exe	121
PID 4476 wrote to memory of 6032	4476	SearchIndexer.exe	121
PID 4476 wrote to memory of 6056	4476	SearchIndexer.exe	122
PID 4476 wrote to memory of 6056	4476	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe
"C:\Users\Admin\AppData\Local\Temp\9824bd3ae81d8fa9544446c9d540747d340572c065f84233f1c31713f7407d5b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3460

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:8
1⤵
PID:5360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
80370d3ebe2a0146b0d92f9964ae17ff

SHA1
93e60aef75c23a93b1b51f0b172375fa2b182922

SHA256
3bb029ad979e574d0a90fbd23d1f5db1e89ea915867f6daf325feea0c4f2e7ad

SHA512
45fa09578331361b76d2be57f8e16abe80b8c59b2def765e2b5cc7757e1459fe977e8b82b600b1e316f5496714efee4c0f10bef49b7a4b561b42507fedd58447

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0b2f2f9bf8e854f5ffc5165eaa9cc49e

SHA1
2b65a6ac05010f97fcc27197ead5da3539c6c971

SHA256
b9a5b99fa11bc4a222b16108a20817c25e7f9b31865f21b8108c76d8039c9199

SHA512
a290bbce85a87a8d47d6f315c6238214f3e8934161caa50bf531146428da76a4cbee6d0285aaacdc0abaf359bf458166633ac09c319cb974999d1b4693d49a65

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
018dbbca74de04a3dd29e11ec2bcf7b5

SHA1
68e7c08fe91d96977d52958d252c3534a8a711fd

SHA256
aa65fb1dba100d136ed6d8012bb5089957840f945837d5d7bcc8bdcbf32a09e6

SHA512
66a650f5973a8e8f7a66a8bbe61a1c14c945b53f289d93a8c49c3fc4d78abcac3f0a67dd670d82db1622246f60119bd90e22e0fab42d290caa50641a54d14c02

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2e86ee83ce1cf727e076bad5332d1e97

SHA1
05e22b82303a962e38c1579b2c62c98089ce4af1

SHA256
3c3a2f8d31c33d4cd8444d0fe2b1a0d268ab661afe09d43e3ddec146b7be39b8

SHA512
974e6f6dd1a217cf1813c3550360288c900df4bc69bbdc4325ac0a6759243d114ff9e2398853c45b4635aa15ac494ef293c6aa58547afb0602a7b2d99b1753d4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
63796b85395642cc539a201b404bd983

SHA1
b79592b697d24c9d93e09ec4b1dba19da4bae902

SHA256
4813b85939ba6608764be5e71fdae6fbe6ed6a3acf80e60d533b9f2061f4906f

SHA512
426d0139f7ed60f627ab596efe3267e76afe4617a3f6ff391240cce10a755206b77bfd01811a1596d8c119dc0718c2b3c194d0c01c20c098f79c11bf36e10b07

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
31d052cfaa0046c851aa82860cd38711

SHA1
ffe06023b9cab58e7e49789b249d239b0179400f

SHA256
730ef1a159045fbe750661f1c269ddf5bb6fcd95de7103aaad7584813e12e4f1

SHA512
0628b9dfb751e3cdf1a5450e736df8d068749136e6cfa0ab35ff7f90239320cac908335f529bb9bae6e9785bc237f7ce117d7a0d9035a665d28aba6fab291dd7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d3d6135730a05b081f91b16e2088f84e

SHA1
e5b1e3ed594ea5a84d356e32108eaaf9287334d5

SHA256
27e97670edcf6da2159163be88c9cf88fe8540e0a95a6c7a2cf9382e8c43116c

SHA512
e9f6c171b1ec04aa0050978e2183c2c76d66bf7a960f17a8507559181aaaee66aa43629252d45b022c462d0cce6fb0c8befab71e2663afe8a63dc02822309612

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d71dde8c4e561fd447d02535ea8d2801

SHA1
f39ac2704ec6d65143231e0be0bca9c66a17305d

SHA256
40a4f19335bfc3034406ce3a10496f68f8e6995377c80ccd0adf16cf61c2fe05

SHA512
6a7c338718d376e8e9569f2850b8748605ee4464bff899b38e0318e02398c3eba97f9b8db67b61a8efd5691c653f40aea492f326dd96edaf81da7656ed92c41a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
3d1ec480b7fc98dab4d7b1389d0b5942

SHA1
361044f5d220183f8178137db1c0f493a6cf6538

SHA256
9cbc502cb4dbf633caacfab78d01651c7e139329e08c69a4ce4b65a6a7b3a660

SHA512
26436ffafdafc54009e09e550b3e838f9d1c08d54283ea097335b43c74c240aa9c85f43e8380ff14ec5f816886b3c0f191c680e31692e5f64fcb3aa0065d1817

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
07ac3f23b9e531e71c98b54a5198e204

SHA1
ade6c42b81f4c7993f2cf203a175221924ce5b68

SHA256
5dc48a95ff0008445758da1412096a572177bf66bccc5dce1fc3714b5f717a28

SHA512
ab43a0ef145962fe37cd916d64137037c06cbe0c3dba59cc6b0eb5c99c57c539eb54c18f715815dcfe90cfa1ecd0247652548279e8158ccc56757de7c44addf2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
154223ddf5b415393b33581102833be3

SHA1
0e57b2ed0b4813f7b7a05b8d8f315ac74d303ae9

SHA256
15c693ff98f95d8a833bd06b273a9816b7b2f28f36b7aa3de8d82f4b9a14bfa0

SHA512
a7456c437487ab49542faa0cc44e348b6b4310582a6c8a1355b2c9299a20dd196e2c61d133c02fc51a6cbdb4ccfbd991aa469ae500a07f0786b51cd21fd33633

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a698bc67e7636abede0e9fafa04789a1

SHA1
5dd741fdc8ac952e68655a0e788f4cac67157472

SHA256
a1b576912e045b419bd9e0656e931acd1fe853e8fef0bf613fa25e58a79fdedd

SHA512
1012de2ff66cc38a2b92ec9819f6dba6ae357d82b3caf8f5a95e9702f1b5368d97a104952edf6b77419ec39d9c81052dbba94b58b3535758095d0b73b8a276ca

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e9c84eb8b6428b5f65245d56600a97e8

SHA1
fdbb809b9bd83ea7883c1becdf68e2133eb3732d

SHA256
18510be312a152bb0ec04d36c18a69344b00e07712a4ad070e8fe5d4d22f749c

SHA512
4dbc730e6d4f3eb74eac205fa54ba1065ea5f8e0e8cd1a7ab042ba9632ac9dd71ef94580696e9ec88939515c608c930c94e5c49c50de0aa9838137ef59d91c52

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d70f70c30920764e535b1b1b40b567cf

SHA1
a910fedaee09dd4619a4c476a6fe7736403555e6

SHA256
b31b3b3cba08677611681648d006a0b9ba905b5fb4418d0c3b9e1e8c0ba4d92f

SHA512
f872af60069d8bd143c69f15e446eb5c153b68e6c5d5fc79345454b7f4012bd3470a10ccfeaeb6caf588d205dc6b9ca13e8c6efcbd5520934476dbaf5376a9c3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
16a06735aa06f9c47b94893a82de1a7e

SHA1
4d53d2d2e8c977054bd0edcc2a963ebc6caf38ad

SHA256
afc74314efdb76193a4d50e67c6971a5a360501fc3aa9ef04c469de49e0948f1

SHA512
ea5948d2305258b38eed35531fe3d823a8209d29b0074e562e5024b8473185f2b759fccf16992e576698ccbb98feaa05b9d682ebb8c639d330e3a0807c2d26fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0ad1af173d75d88d59bd1a55efa1f282

SHA1
3a96a748f58347379561a9ced40fe7f8e736e28d

SHA256
28b35372679b88f2db05e99347c71448bbf76443f04127bfb563495a5f42b6f3

SHA512
f50dde921b326cd9f208951d85de5a89968946ca2ec126b1d5b4820928d07964ff5ff5f189eb786c26f7c6f1de55251c6f0f67898cb4a7e2eee2f27b30674ae1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
43612eac1c58d5415f9cb450d41e2e1e

SHA1
9519d06bebd548a89c4dbd926151825196f9086a

SHA256
1f8e578bc3e342e1241106653d759eb5edd09faa1a598b33a41d99eb0325d335

SHA512
699aecfe6a0bf19cea8225589e8e671676f4b6ab46d64da23051957ccb6db5d46a0a11f2af96b72f7ca2f74b97ef5e99d368506b3b7434e524da3a0bd09e8b8d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
df060572081149afde7db55f9701d191

SHA1
85ead5957d255fe77bdbf6f85df0523b3fb1b7f9

SHA256
a97c0267feac7ff90bdf134faee86c9c71df454a816ef00d654c8833133ced46

SHA512
73a67b0aa5208f5820893e38575fa957d3b5fc74460f10f87d3a7a0fd26181803575048b42de86f41e691f9bcfb817c4a965acc9e55b176b57ad24e49ee3d386

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ce61e1f2f5a126b799514e8b33c622b2

SHA1
a0c15fca371678ae71f7bcfab44a731250aad2ff

SHA256
cb51a3c174815fb13b8f602e3e54387c388c10479ddad171589f1ce5cf107e5b

SHA512
5fb257d39af2ff93cd56088433428951678c651d560d5fa3f40820e2a8962e593f2e3c015bfb4c94eb3788e716a4dbaea8c95d8ad3e008f6f0eb3942c07efdf8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c230dc6494f89eb32105b174629e78b4

SHA1
735229249e892ce905fbbff7f0dfd2d0611e22c0

SHA256
67bdcbd6f161f4bd190460b9d0dd7d580a78f91aa2b43a805ae734bc8cd7a0b6

SHA512
9fa31ca9d035aa3316b0fc2f911317bd5e96a910ba7a113ed71b8fb514684ed28ed607a410c0ddb8d54dacaf1770fb983a0dc86c02e102e2cf2d6ebd85218ebd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7266df5f45b67f01615d553cdc10c110

SHA1
fb9706849f10d3d5625a097eed2053a75bdb5fda

SHA256
6c84665444d6331cdb7a9185a8138495dde9853b63b37256df4aace50c9ca92f

SHA512
9525c365db497bb71813018fee2b20198c1b12ae7576e67837551f637721bcd366e5e776d03171188dd9a340029417a115df04cb2de296982ab69b3ed6d4196f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
abc25748c8fb04581b5937aa1e991944

SHA1
983b71d2864dd34631360d1969c42304b4f9eed4

SHA256
b3364a12faafcde2c5f41e116fec743b76295f6c78cab0c4cde9d347720d9b05

SHA512
a024cc91d964bb757a225d0a1393d939561120e810621ef9409148fecfd529ed228d6d41555b512630431212cf5e84a0be8fc78a6ca747b13a989036555f9ec7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
63a78f107618f4e267a944ac24b2c84e

SHA1
e23534a38e78ee4801c6d5bd0dc78bfa4a4917c8

SHA256
6d3df819b077e07f50a53f92505c0cb712ece1508130ce2a7c4ba02afd8d5bd1

SHA512
1353014a0edca15d23853985f7793347cbffb78847b7f56c45f6f234db5f88bf8a3937ed2bff01357c38a2b1e97ca7be6bded95d3c48299f5eb5ff0f82f70e4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
162db311d17da36efc00c5545663aaf2

SHA1
b9f5fc7739ead271e3ebf988dcbf5df3860bff38

SHA256
be47d2765067c83f7f84bb849891829420e7ac603f933261d1bc3a0c227d2556

SHA512
65cb6ee913567d5ee43496a006f4ecf6a6e18ff9dd8a5e48b3951ace13a764bf109d5e60556f8019db99f23ccdbce0ef19ea6205ae66e202705c9f36754e5035

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e4bdb42181be6b1adf499f29e1d18512

SHA1
db7003ccb2ead887cfd4a52dd6e78ed4f0cafbb8

SHA256
fef0ab06c33eb3934cd3d93a9027985419b57e5c508fef642f14a45c9e84a48d

SHA512
13ffe70711a259ceb8d958b57f514b762c50fbc50ac2e5650924fb4cad6bbf936f8f50a2d32a461211c61941edef19d33eac9e50cfe4b7436b4f8e9d8434ed46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
200ad6c50af93159e018539848c76e25

SHA1
3c74994f80c91701ba5341b6dabb481ba39bd447

SHA256
0fb81de6d453b06c8d450b1d8b311f33515c64cc893bb707ebddcbe1c4c41989

SHA512
f13c739b815197f0506263568fbeaef02d6f66c3855c14e18225f43db5912ab056aca00f370b4f00622647ee1aab91654d951e493e502404b249a257d0949cb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2d7fb0d8d48cdb9a91b4729a20dfb0e1

SHA1
51acdf582edb9a956c90e5b4a6005cab26efd902

SHA256
ae6df1eb312123a515fd961e7b89bcb9880b54f1f9ab0d6469fdf168fce97a00

SHA512
12a998186748857195cbf9f1490b2c0daa12f271eb69fbac321ac7cda70a6d971ab5c10ba8a06e0964ab28f79af57af4dec2d38eb3c53450b8206cf4e2d92fe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e77fa8e054d766e412030249a14ea9e8

SHA1
086fcc7762fa5a892c4646ac14d1c6891548d495

SHA256
3920f2bd50d969244db773054af81184035d45fa8e6a6a997e4fd7299643e5b9

SHA512
74f308484914283f8cfac7378d82e07599a7d5b376c894a49b1c72724fa00c1415c0b9d156888bc643beacdc2a5950f7f81e141692100a9e305a5ba226c0359e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
344eb257be9a94d0d99a029adb749bd6

SHA1
9811d0220a02268b160a84cd62313cc18aed299b

SHA256
29fbf1289e515ca9c6a30ae5c08ae9944f0506c20569241d7804b8ec37f2532d

SHA512
a9cc71f06273b9d06b342047075236f87a53a329922f2dc875b31d64677fcf40a2eb66bf97416f50330995d930da6e03e16ad9b67caa997df715a4aaa06dc636

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f3d7488614af97c5e82f9890912f115f

SHA1
1d9f6dfdd7329d5d8756a1492eebd027e74e6433

SHA256
e1830bdda9874ef1812296268a46270b6f3adea1a43cd888cb2a2a29cbf11293

SHA512
6d0b39c2ac9fc3cef63967fd15ca1028f59f67aa29cfd012bdb66cb9d2fa782734f49d0665f9aacf1d444a26221830498d86fbb6a0e1114ed2a7abfab8883c44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
0fedd80d4b427a1674a002a90ecf1b81

SHA1
9d650b110702fa0d8079a28087d0c347f6a1c542

SHA256
c68a42bd48e139a8addfdc1859f7667891e1072bd47cd66c9e1a33349f18545a

SHA512
f2080e11561781f6e6a642ecd2df862685a819cc80f4573e4deecb799232133dea529e47e5498a298fb4bd6bdef353bf61fcc0a4db2e2cd17e7b75026d0ef94a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
2a79414b7e212042a639baad2ce012e7

SHA1
abc7ea64f1ab3580e93427cacbb9cda2eecfba06

SHA256
9d8a201d1913097f3e0d1cfef0a80b441fc2a9f1c6a37205c1fe2cb9edfa03cb

SHA512
4446887105c55a7a9b82a942d07c76228b3e769b60afabd2d91cf76ec7ca5f0edd26dc12e1569c56e144203e07c09298c325f78cc064ecb49df0a9a20e817924

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b1728086f8cad429a2a33ae0c78f8ca9

SHA1
18838f660b324d5b0c7a9643c16d127d8f2a4ca3

SHA256
18ccd22885c9913472c873b5ee71c87095fecafbe55ca8284fec563f3f0f1784

SHA512
cf0d12c37fd424f3f7d30f13dfc99b93f2009536de42792edf36a236541b7cf7d211b6586c898281acf188155f6d4e224d4ff7c5be395638d71f321a1556e3f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
021d3ae84385d1da0268731a2f469f4f

SHA1
b0739bc1f011114f635ffcb8b27615448f08f554

SHA256
a27c3a10edfecae065298a6fe327c0b40df847c53976fb06dd69913923eeb089

SHA512
7bba0a3fa28e2610e562671aa44c6619dd074d315070dd1eea5b9d8a064f6ff3646f0ff0cfbe1d8ad4b78af1aa4b88874f9c851438f7d612aaec384a0a711d04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5b94be0fb43ca262cf23e91b3d19d123

SHA1
4a15544ae514bab06213d4de913394bfcb16cdd2

SHA256
5efb346a980936f1cc5918e8c6f3e522faf6664eed6f99a9aa9a29939e5a887d

SHA512
3e6041dfd282f3d8440688e74d4614a999d15e10846a39fd88a919c34281e9090e27c4180a6ee549a1534c83ccb11e5a0e024e18ca6056dad7ac18a2ed4d0eb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
0a8a7cddeb5a0c10cda759c23642f94a

SHA1
2c1be8138d90b238e2d4a483252e981c49f2b56e

SHA256
6a083f4e7bf6f0f431e450bc68e2d4bf2b7ed9e2225ce06d4a0b26927dcd0d0b

SHA512
5dda26e1b15f61914bec616ca2bd736f8f2c02704e34a50df0bc69bbd19700fd6bedcfb443e7376b7ced5bbd1e9038d5a3c8514fb96990318848e4d0345a2baf

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
606c861a15aa861b952e90a283a14a90

SHA1
6b9ebffd3f3271902943ece22bc235c3cb879bb5

SHA256
9d3ea836984fde2e84bee662a6d88fc6e763bcb0393cc1b02bae7d6dec99bf03

SHA512
7a448fc6df6f48a4a8023c3811200a74860d514b7d25ae7cb3cc7d86ab270a8cb9e542a93a64325c69104388b8901ac1c0fab3d666d40894b38408f72e14530d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
06cccbc9f104ed15accc087149bcf709

SHA1
d29f1fda80ae48d16d1e05f6ab1f9196e85adb20

SHA256
97f4710afdc739c563fafbe11c8f94104273b3ec9163f4b99820764c35e3fd5b

SHA512
ec585d4abf4117a6061b92df110a58c333310302dcae75f9394e3bdac1cc1114a11f627c8a9f9525fdb9226c1a62bd7e0b0f4b04a8b411cbf806aeef1e31168d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
07eaa9cd7bc8da569b90b1c1e3550328

SHA1
f9382f7cf8d8cfaaadd54d5105d85e209013763f

SHA256
3247abce7d86c9b8552e9917b3995923cff5a8770c40ea86586259def7a51ba2

SHA512
2cde9e899203e99618eedd074b2236435aab3e3ab04c268b09abc275cd661811bf18e8b154a9b91010c383fb34c4c9cf6498e1ed4c997f8fcbde90e4d9096d90

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6fe90406ef677651a69cb8bd998283d9

SHA1
8b44f78170f19534a9644837fc0a6d699b47c155

SHA256
735162b15ab023093fb54284186fcb62c044bf5f9fc5c201e1f24df888d0129b

SHA512
52384826e1ecbb49874c644e87ff5ddb26377a4e0d206e4e5bb279d8eba9822eeb7661ceb8de1ff1d3f1262fe15265a0f98cde08929ad2eb3608d4734dcea5b2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
75c374222ae3f667634029600a338d41

SHA1
017e01c2d86759cd77af5aa7b66838a5f28167dc

SHA256
cb2a28c4caf2828b9071e932d9edf7dc227bff5f804e64df3dcb9a8295d7324c

SHA512
1853ec0b48604800b1888c3e90bf9b6975c672740e6bba8f37cf7b44b9280d062a7795a9f915fbd127a04c967710b4e513667021ef30fdd78fda97962c3e37e4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5d47ea2974fed7cf4d312ae7e4b5311c

SHA1
003cbef943e08c61850f186552c9c0522e578b2f

SHA256
7fa2f21f772402830c97c3ae112299dc54390f4234f11dd7f2d0d892d4db27f4

SHA512
e18f32d70925343747a4f268c7d803a962f431f4dfa9206a3d446664dc7fae06d8dd3c281c6e909ea84e1a36714582798b73b0f992c2dc48509e0cb93af30eba

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
15385bf474315473bd898e9a75725651

SHA1
dfb3e710cb5757e57602ff76c4720596998bba1f

SHA256
36e1ec3ea75b64e34a99ac7b9758024722723367af5cf2c8752822b839387c2e

SHA512
78360fe2cc79d20334809191bbd64cd0fb09d25259bee81bd9add0a93be1107320e166c3240fcbbb9c5fbb071998dee600f866767ebff980e9ff087d55210e03

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cc32bdd8b6d493e0025b426b36e8d078

SHA1
9718e491d52a0c138f1a33413d1fb405e992c840

SHA256
f7d909deb38a6a1015040b7cb99c3728275ed4fa6744cf426f53aae6d7c80bcd

SHA512
8f77da23968d4471e68315c3574c5784aa2ab9c44d9c2f0295e4ec1c43e7b808c8cebe54adcbaffcf04f59914bc5c63d1c0f4bc1a7979f03cd73f9f16a66fdd7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
15f8f81476d978743a986bb0975b8968

SHA1
f3f96415795a776e8a6c63d9d47c8f3da23cc05c

SHA256
b9ba084cb80bdb93d60448f715af9f289785dec2155dd2bc5b6c1ba6d7ba0915

SHA512
0e00823d9eaa0b779b774370469570292bdcc4049d59215ebf92279c0f7e43b41a509479aba0754ec79d448b6bb7e21cd459143cb5e32c512f9f1b9c0b091a08

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
df27924f77a5a4a6d44551190ed1b415

SHA1
785972ef193e74502e3b449ccb7c9475ecc9a0bc

SHA256
11aa1b4a4af365bc739f26f0cd87ccdaffca5f2c2d05cdd53f1bb00fdfd6d753

SHA512
5b21a9b036a80dc0647fb7cd10eac0d87419ad067c56aa98307b2340e58f553a584f3a1aa1c234e89b8f38646aa6f6ca2e9268e119b3badff55a6587a3bffaa5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a92276f23f390438b9540d7f917a2afb

SHA1
a78864c8376745ab2f6c792899c538830565aa37

SHA256
8b6c94e0d34411d5ac218f272060a7f7648f3d1e501dbab380bf705e2cdedf7d

SHA512
3efcc8cc13e9aa7c18ebf5ba591462f61d8193349e971e8a126018bf3a7097912d04ab563518161b5fc2a436a928896bbb4a629021b978c4f9e071fde816698c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
17ed74d5ff44aa15f29f6bbee63c7a4e

SHA1
5c3260af278f14a6a6b22e15d7f9d42428f54dc8

SHA256
8404288d732b51ccd4d1da0d6d2a36eb74a08dd6c88bb89f70b1775acf596d03

SHA512
aea4caa62b91b9b42ad7fd45f57f8661a6a386bc63b4e5020599da4ac01c689323eead1a7e41f83d072aef400a86819828b04879beb24454d390e29126caf39a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8bfaa75122d64cb39585bbea661de98e

SHA1
a0e4872398a7c2062dafb1c1d24dcd0d2354436d

SHA256
8059fb0b3c5d88f126f4381e0313c08de3674d0379d6b3ba9fb59c16c9d04a7f

SHA512
516eae78318144ee742bcdf9a8593a22efddfc462f45cf8a880a259f600e22a91b0e4b824736e822c653ffd6ac0cf8b5fc8bf7665858c5c4763b4a7afaf907fc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bb1c0a0c5b8f12be88862ad22c4f6e17

SHA1
168664139afc059b7dcf2deb2acda8198ce56938

SHA256
50fb07a8545b8bea9aae8e146356176b8328ca861b184a7eaf13044c25cc5b1e

SHA512
a453e70e7f19d179a348e00e6242f4e86d2a56f060c4eed18180a4293f478e605bc447f6dec255bab21338a5b322fbc35fbd0d37805c1f6de4274799c4b9836d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
18a58fd205adbffb40eb25fb05b10278

SHA1
6ad1c6548fe46b10488a4133ff5e39e317a1efe9

SHA256
57df8e9b9d744f8658aab775fd2a4396322c80bbc488538f75cc103a82dc09ef

SHA512
b2533c08fb0c03ae006600b651b82af23b0fa0d9d6ba681c741de6518ecbdc862b1aca6cff5818c7a0d7620155042bce356394810c176e93c544a23cb44c1461

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5ff246160247ac337a38f9aba8fd7d5e

SHA1
7f35c80d6eb498da39f5517ae1ae45bccfbcea48

SHA256
758b232c8866df65bc781d7d9e509f24e6cf5cb55e2b134f6fd3beefcb1ec7a2

SHA512
76d6e363bf1f17d732d27397e7dae89abdb19818751995d33037915c6e9272b5d6da7b566a341e96690247800ccde06a06da2590201ac628ebcbf1958ecb1c1d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
64e3252d680cc1ed35563fc5a43a2d84

SHA1
4e8b2cd035f242488b26392121847fbfa21a9c84

SHA256
c4d22584f7c77f3ced93156729a1fe623d7feb30f61fd735254de53904bcb565

SHA512
22572daeedb2b083610f5a7c0414abf2fa02e3584e2a2fca196741e0a2106c89c6a7658ccf6a6edc4ca71947a2a278c3975ec2211231e04885674ce64b09f88b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
305ece8b4b213c2b1d50e5a30e6d651d

SHA1
bc2d9c317dab6efd93a0d95b2bc05303003401d7

SHA256
df57f1833d3d25bd9bd81ed20fc25ae384bbdd5b1513ae6b06baa0f7183ff5d5

SHA512
c8a698e25df1a1ca19b5348174e59a5e0c0f90287a75a4844c114bf416492d11dd8ffb6e94a7dd984a7412ef4f033c5ca63b9739b03d7e4fb4182b438bce3e80

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d5528c1e78ecfa2dce36e01b4648a421

SHA1
c9cb33cd608205b85ceb4ce9a2b9a7436f9fcf13

SHA256
7df7a44cad14ad847da68b5408d0a3bfe86649160cd13077c2b53aaf76d9d0a0

SHA512
74980a976f831b7caca6776855007e72515374f57a8473d342c07649aa08363d1f6b64b1c8d45ceca31467ae3c29ab2959f79921b00147636da18d05d6c065eb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
62c9a84c349e370a091134fde6a63bb2

SHA1
283655d1eb6e0cca8d2e14c9362c8e7b5c43cff8

SHA256
5bbd3735c9c7e8aa30ce71653b3bc08c12e6a7f028e7d9a58c4daf9630a99a73

SHA512
559505e2ecc77646597eba65841a30c98a03cd2648de8bac56f7488f975d00df1f6c7d34acee057daf58753e6794c953f1603b89e175eebf69642d27e9f5e9f3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
999a525804540be050617f03a23d1fd1

SHA1
32a345c274ce97e1b653de21529e9b7e9e330f8b

SHA256
daa81e3aeb63c7b9b0dc95f8a65d30e90295ee512854a977a56b7c35aec2e12c

SHA512
79a704f221304cc5001a1a9b5ad76510c62df27f4c8d8ccf623b4c282d148c63be5af503dae947149622981b8941a60553a09012dbfb756839ae858a97a82a76

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
03f4a073aa0e18cf0d21bfa2ac14cd13

SHA1
6c2543f1dfad0617d0905330fba02a4d687603fa

SHA256
70030ca2218508b3f85adbf7c802616ce42aefcc8c78d842697068d9e8e2af32

SHA512
cc08161c06aac00f284cc4d467cf489edd347c890557b5768a9d7a5a77a19127a738ffe0713801a6735cc7e94959c07d0ca328e7f0964dda73709faede97927e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
82cd5ec03f5f881d5d0445b56c8e95a5

SHA1
73eec2073f6202471b5c2ebc3783699953638e3e

SHA256
c6c98a5082f9cd07ba6e2b3c31351210568610db4f7021cf6084028f086dfd91

SHA512
4b36cb1c4377f3d49a55c572a3022918bdf53ead8cf8582f2b7f3de5a796ea0707c9fdba5a19c9367b19607b1582a0a6f2df49d2efef632bd6fe7d84d528c85c

Download Submit
memory/452-267-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/452-640-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1484-65-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1484-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1484-185-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1484-63-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1556-136-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1556-255-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1640-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1640-48-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1640-54-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1640-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1644-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1644-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1644-61-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1644-38-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1644-44-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1716-88-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1716-99-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1788-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1788-496-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2016-74-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2016-81-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2016-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2016-97-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2016-85-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2032-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2032-635-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2180-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2180-638-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2256-231-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2256-114-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2844-138-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2844-266-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2856-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2856-639-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3032-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3032-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3460-502-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3460-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3460-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3768-336-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3768-8-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/3768-1-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/3768-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3768-98-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/4476-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4476-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4536-495-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4536-161-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4648-506-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4648-197-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4680-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4680-113-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4680-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4680-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4732-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4732-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4732-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4924-234-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4924-120-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5096-194-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5096-505-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download