b8a879e55684f100a1b8747450e83ef83abfd5fd7de7ce2513742f9cc8132812

Analysis

max time kernel
130s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 09:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3493e1aad0ede408ac5501450bf74290N.exe
Size

723KB
MD5

3493e1aad0ede408ac5501450bf74290
SHA1

0776f7860473c7294fcd8970f25ab62c9dd655c3
SHA256

b8a879e55684f100a1b8747450e83ef83abfd5fd7de7ce2513742f9cc8132812
SHA512

bf864ff6eb7a2ad62225101046bcdd6b4aa0349db1b18886e95e1486da05b3f46c1c2944cfd40658ed089a8a3aa030d63e589e6e334d55e35c90e25bea275419
SSDEEP

12288:xJFGzdZcEAMubvjkcH3467d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6Lg5:xfGxypdhCks7WE9F5pwg8zmdqQjC60jI

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
448	alg.exe
4864	DiagnosticsHub.StandardCollector.Service.exe
4616	fxssvc.exe
1668	elevation_service.exe
3240	elevation_service.exe
1820	maintenanceservice.exe
3264	msdtc.exe
464	OSE.EXE
1616	PerceptionSimulationService.exe
2880	perfhost.exe
3304	locator.exe
4004	SensorDataService.exe
4152	snmptrap.exe
4416	spectrum.exe
4400	ssh-agent.exe
1976	TieringEngineService.exe
3664	AgentService.exe
3992	vds.exe
4616	vssvc.exe
2480	wbengine.exe
4516	WmiApSrv.exe
4772	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\System32\vds.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\805322e416be280c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_94843\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	3493e1aad0ede408ac5501450bf74290N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3493e1aad0ede408ac5501450bf74290N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000df4b5e6e3d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8410ae6e3d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb58c0e5e3d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e8289e5e3d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c1be4e5e3d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eed03de7e3d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe
2056	3493e1aad0ede408ac5501450bf74290N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2056	3493e1aad0ede408ac5501450bf74290N.exe
Token: SeAuditPrivilege	4616	fxssvc.exe
Token: SeRestorePrivilege	1976	TieringEngineService.exe
Token: SeManageVolumePrivilege	1976	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3664	AgentService.exe
Token: SeBackupPrivilege	4616	vssvc.exe
Token: SeRestorePrivilege	4616	vssvc.exe
Token: SeAuditPrivilege	4616	vssvc.exe
Token: SeBackupPrivilege	2480	wbengine.exe
Token: SeRestorePrivilege	2480	wbengine.exe
Token: SeSecurityPrivilege	2480	wbengine.exe
Token: 33	4772	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeDebugPrivilege	2056	3493e1aad0ede408ac5501450bf74290N.exe
Token: SeDebugPrivilege	2056	3493e1aad0ede408ac5501450bf74290N.exe
Token: SeDebugPrivilege	2056	3493e1aad0ede408ac5501450bf74290N.exe
Token: SeDebugPrivilege	2056	3493e1aad0ede408ac5501450bf74290N.exe
Token: SeDebugPrivilege	2056	3493e1aad0ede408ac5501450bf74290N.exe
Token: SeDebugPrivilege	448	alg.exe
Token: SeDebugPrivilege	448	alg.exe
Token: SeDebugPrivilege	448	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 2216	4772	SearchIndexer.exe	112
PID 4772 wrote to memory of 2216	4772	SearchIndexer.exe	112
PID 4772 wrote to memory of 3840	4772	SearchIndexer.exe	113
PID 4772 wrote to memory of 3840	4772	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3493e1aad0ede408ac5501450bf74290N.exe
"C:\Users\Admin\AppData\Local\Temp\3493e1aad0ede408ac5501450bf74290N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3264

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4416

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2216
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0b59531171c295cd71b92b12f75bb51a

SHA1
4e675c95360178288ca594f80843ffb613a135c7

SHA256
62d3073bc3a1edb21b7e4fbcd4906c901c21b946012e53ed62ada5af0d341d98

SHA512
e466096142393295edf3a6e58e4efa2a6624767d49d664d0bbc80029341f8d33841c8885ece6280200ad5462174ec95ebf02d1acbf967b2054e93ae956048789

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
423df36f3413de3dfe6450603f80b2a3

SHA1
639002f9e995c8145fe8ceed6a9306d81b4f066b

SHA256
7ccafee62c37648b817e54ecdea8183045bb1bac22916deccfc96f0703b96891

SHA512
6f5fc7a8c3edf2476de158ecebbed05b5eef4e64696945e98b7115969a76f8ffce883ac6bdfe1745f2e52e06b64789ddb0478fdc8f2f89b092589f727fff217c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5713d383c7baced4d410eb1af7acd6a1

SHA1
79ef5446b5c9027839735143326c0e8e299ed04d

SHA256
e934c0275517f797090ec1fe9e569b3bccf4335ddc1af0abdf98a8b3c6e6e05e

SHA512
37cee915420c043888beb8b50a37ffb9a3fcabf4615f786fc6128750c6bda13f8bac23d8b96641039b71fd7c1227446259cef7573e634225d6c5e9880a057a6a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
61ec7d5bd9727dc364fcb5def7851284

SHA1
c2535e10cac5af737f4b06f73a5425f6355a116e

SHA256
18c13234b53352003e0d5ffe964db40b483052068b2d4f753245f48e3fb1ee02

SHA512
10b3e33bccf3af03574c920f1a48747094c2ba948f6df248bcf4b81524ef5dfc0560f975c36bcc8fa45f69899993e3e0cd2ae810b27c8696cd9ccbf5db855d4d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
27394f05c0bd9ac8f6e3e18eee71a84a

SHA1
f0198950ecbf510f6070b194347692f53791c620

SHA256
05726adbf26d64060e50c9b3a455b91e58ecf03724016bd7c21c5b2c2afcb3e1

SHA512
90f18d3a234f5aba09c1539de34abd2f66930648165627f8dfcae0fe162e9c98dc837cdcee85aaba6bc44a6b25895b2c778835cb64e651a480f802701ccddf2e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f3e5f89977f02e195d14392f3297c12c

SHA1
969b6fa5dfb7ec46a377784f5a92806f175bdf9e

SHA256
cd237c73dd2d7dbc56ccf41fe907ea3a3f0813e2598e59ad05bf5c688a7e2403

SHA512
7eb01638e90d456d7438c11dd06a1c302709f9a26b4f8e7f235a1bbfa8ff3bfa12e81013e9f544e468f18a031c4d176974a8e20bf1fb197c26f8d05cf087b4bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9841e4e191abf65db5611066f94db6b3

SHA1
845a2ee96ac5b98c990a9bc36653a7aa7079c764

SHA256
bf0e52e3390985cfebbd89597269a3afb81ede1d3dbd68297a4720a86e641407

SHA512
aa5af0021f9390131a9b53df297606476ddde1f59650a954fa88615e7b7bf504055efccfb0722e170bda98c6fbd2f71516fd1442718c3ae2e66236b04e842a96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1a5d414cba934a7d069b891cd84999b7

SHA1
bfce6723afb50ed3cf42dda9708e9f0c3c18c4e3

SHA256
447e960d11548c628913f64cb668d9d4461a35c41e483eda8f81a76ec3449652

SHA512
524aa56cddda3bcb822a8afba9082ee1435b23c72691a5289cbde640e77a8efb417c586ea3b0422815aef93e4525bc2aa972b761b8a882e6f5996536bb3d4dec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
febd4d4a41df44b6032331034a0e8405

SHA1
34cc14003bf4b60695f99a86e76735099b4ee24b

SHA256
fed76a27560ba4a33e3148180b0931c47fd7f9a1e0b027c840ce71d3b8d5396e

SHA512
1c53af4271f6b9c3662031863f16cb872bfa8ffa295bed71a11f5489f8b10141525985fc08c2b68521063d16f968c04375dbd507dcd5cd2f0574d5c99e7c3331

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e7945fff6397214ac6262fd38a7d43bb

SHA1
cfba166404fd399c0821595da34cdd7c30cae5bc

SHA256
14c34975171dbf53d8f84257a4f89add81df77e52be7c508cbd7cb518270617d

SHA512
12884289c172a316f5e4a473717eb8a0530e232d1e5615f434bb2d6c0db5075ade49db399f6cdc83c2b5008331fc999ff9d4dfde4d6e48117429ecc76cc98fff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
959348b707a2db6b925c1511e04dbcf2

SHA1
7eaf1b70f4f70e720eee55cb43ebfa2d0b56294a

SHA256
046944952e35f15fff79bdf56711664dc15687adcb7516ce1918003ea3b11689

SHA512
3bbbcbf74075125dd239a3ce2838e34922035e4d6a250f97e11974927b56fe4ce550cf5436c5684932b03ac4dfb53b1b7216ab76252dc219250c1e941562bfa7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f8c94a6dea1ed4f72ba5ad9e2e6bc362

SHA1
98b496b6bede106359cec24e3bf499c0c9be06d1

SHA256
e73fd31e19a3659ef6ac35cf7a0c62ee7362beb8f86d4afebc2710e85e627daa

SHA512
f77d62da2932db37ec342321aebb3ee72a7978bcc5fcdd695665c67c31dda15d47c752ed8d53626fa1bb0744be4452b7bd1d5362f324cc0403e23b9bc5dc1a0b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
934541a543b1b5295898b0eec1dd50bf

SHA1
3be9219974f6400608b376b42b87e8195914c378

SHA256
e7b050ba76923a317885a695750d9115f96c56e35580c5f2a23ddf51099dd85a

SHA512
97e44fcbe6ec6088993c1d8efccabf15775d0e41c3fd97c8b4b12f77f715c2d3822727fb887cfcdf2f2ede571043b6f9c7897296006f117ea3fda8df8163490b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
864655282ba9db57f4825ae47aec0ed5

SHA1
a5df40dc57c6707ade63cf33ce927201433b853c

SHA256
90b074aa7c04f09034c526f713f1b03c1beff9a92bb861c9edc05f4a9f58dfe1

SHA512
17cca4bd90168ca8018e7c0056972d2fb046abe2ac7719297bc5f26d4e79bc63ce8fc7e86776f989738c22b0b11a8619df64c936c5301a18bd8e0966b7e2aa75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7e75d23cb556f4370faaa479e9617b19

SHA1
c2df5b426ba41f1569619bd760a05516ed8e2e07

SHA256
7041d0a287dc45783286b0603c18393a4f5b99e021214ca3eaea4582405cf970

SHA512
b3d20450e0049032cbe99ed35b32488e37f4c553412289736723a56292457659d23d6a1c8b9b981abc5a2361c7b4386ea6293f6303215c5e1ae102c7d1ed2cc0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
fbfc4b560fb11895966b2cf3c4737d02

SHA1
f5847ebf8e99dadf05a62705b67e0f28c56fa8ff

SHA256
a74ab869d1956175c62b4ed1b9ccfb7a94cee0c0efa01617b1a32b4dd4d2569d

SHA512
9aad468848729f52f063590ff1316481b2cbf848ee9fdde8956c9403001dd88cba0591b64e4a27aa4e67a96ccc6894a4bd791c4c4a6b0a484d718e2fafa46bd7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
10660344c734f1a111feb72a92704a7b

SHA1
f2ab556a46c88f4ffff9c9a1b84648c5b03efdd6

SHA256
4fa96c6d1bd20efc4e3ff69b99945c90187822c816dafa5133e4dd12341ff17f

SHA512
e8acf0fd4105eab3c0df5be51f409a5cbcc0fd65286dec10ea721fe5d40283c073ab2dcbd37781f5015bf740fc09679258a434b6710d918c270d1a21b1e6c448

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c49c28b2164e3a70a703b99e8687b626

SHA1
aab8a452470f42d2a508822c2961b41e18a4c7c0

SHA256
429308877cb1af5d69fa78220dd9e8d0ddd32fea1ad0e736592f79f4cbf91666

SHA512
67bb8b94a71dc4ca62b4588fd1a0ebdcb5a5c3d823d145d851e6d6377a046ee5f7de0b52265821b61f1182d2313248eae953be01190e55474392988b39960beb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bb7de4ed6cf9e690ac4c33c505acb810

SHA1
386bf18da045ed5d94e8867b0c86ed3e4f9aa449

SHA256
e9f258fc4d86a5885644b0d053fadddfb5ba1615c1f06d5f47ef353cff09ccfb

SHA512
6087598edd6096f99a397aea1b23419c770ec0ccfefe258c090677bb0f81f03b7a327ed245b4bc39487fc0ef08e9f40433d2deaf9b9786c0391382c7ff8c8682

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7e50ebfecd67d17e9d3b3646d77a6e97

SHA1
f1bba0d72fda42f2d7b198bb9c1153bb8bbdab08

SHA256
7f6e68b7ffa56f2cb2324b5e09d42e4e525d4fcb653337bbf089a5a639303afa

SHA512
e5c31bc1d68ac56ea41faaaa66b0f81df81f5e7cf5df58dfd0a05635fc6bb785bb8b6f7f8ef3c134f0d98a6a801000d75d0d600ac0a8b1662d0569c6742649f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b35dcdb2fdb0db90974fd7645f105ecd

SHA1
1b43ae19e1d8ab6541f81412891a50cbcc72dfeb

SHA256
901dc66bf9374f1de81931ccb75b82eb9cf0bfd48428d6cce9549d37207c60b2

SHA512
ba830e0246d6d5e055edb3ed1dc0d2b601be55859b3757249d38e421cfccfaa73c80d3ef84419123024c8465bf8ccf07e844a86fc71ea53c68c2c74580ddadb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
36dfdc82f867d830d2adf1dcc9507553

SHA1
1e6255f026efb923111ecef592d02eea82f396e5

SHA256
834a448057c661e71006e1a046ad4775e89bc2197f7d06a47714e02ccda3db51

SHA512
835588c2c752838372734269380acbed165cdd505dba0082478ef03b90abf9fb1afb0efb47a8e86cb1c8bf6e85e8c50bdba700d1e66500080aed949df34723d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
eab033a3a70b5dc730c65ade38cac134

SHA1
144fc2862f7677bf388886f01a3fd56d89c60d1c

SHA256
18fe1d2162f4fec5e0853c0cfc874f97d8517a19667941aa3990b7d9ae4e0181

SHA512
7dd48c8280e07922fa98dea5a955f456142ebb5f16bb5bb0fe6c6f824de8d330aa1398a64175236a5deb3effe5e9cd93c99e46f80c047a7cedbbdddf620ef0e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a7d92c7046af217f4bd2a42ef075261b

SHA1
7b1692cf16c5e13b937dcfd8c4eff7fc5ce8979c

SHA256
a7b454a7ab436b87370abdc3f091c1f458107432b3f8ce46a539832aaf86f227

SHA512
3937e3470d4505854bd9574ce068bb4b5584303f6f92fdbe9617c5b931f27e5ff9a4bda4dfd1866128b1c546b41466ad022db19a2c4a5ee3e86dc979f3aca5f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
786deef373d8463e833f7170f2c75061

SHA1
da81ff9d8064b564c4da84629dad0b0567a8ef7a

SHA256
52dc4ce00a9c204e4db6c419390b6de333c3f1fecbfcdd882ad08712fb5bb8c3

SHA512
33c060ad317c10c4c8e97226cb3dec069b7e9249ed45d612a7e4489d86e00011ef8bd8f79022d3d1fffc3a7234d17db4c94a79de075df3d483637095ebf4fff1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
145b3ac8bc3801bf59c5c9cfc9485683

SHA1
6f7155066264ad4653c100ec9925203f66fb58e6

SHA256
8b069df676df443933ad180ba4a56d8dc33804dd3c3f89f9a64b52a809d664f4

SHA512
522ab29f5173b21969e67ae6612e83f7c894b7975d5f6bb8cc9431a1290dc966fdcee5b3e3617018ef500e3bee6931bc4c4b5fba33e33bc72cba6c12c86f10b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7840458cfe3c00d56167200dd0a8f6f3

SHA1
43e21e0e567351534d67603b16f5f82bec88d497

SHA256
845b330ec0408b1759ab45fc8c787a69e1776304b1be8bb429fd90d45417f427

SHA512
dc448c89021abfd2e7993cadffe0e897eadcdcf6664cb6d10435f038c0a7c64d4733d2947f4a581acbd26cdda0795b3a7063965441bf5e39b71174914f90f94f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2fe2e5afaeb084ba45afc18c17886d1e

SHA1
64f7021d7f88ab5fe96b32a70a462b30ab99806d

SHA256
e4de02ec6d06223f3b9a2116693bb00e1a52daa067f2845ac9697d71197e088d

SHA512
d5298bb86a5fca4d5ec21e440035e7d8e8f34ebed57b2c2fb3417930666cfcf0fe11ed02023860f5959e947bf699deb33471574833e629dfafb4519631c16100

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
63ba85e07fb72097fbf2c887617e6669

SHA1
3444198bf63fd4bc3008ce56417106cfbbb31266

SHA256
753c36adb6261240ec4718b4d23230064c3caf602fd80cea34e9cf488bcb4aac

SHA512
b91a3177b679844843cbc070413ad7feba8ed2ee76eb9310192e9cd442b4804c1aa7c262077df9cfdb4bcf543d2a6350e906bd46be547f4d7f45a0776d50a271

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b32bae34e675d8c4e8503b8654f2c069

SHA1
5a05b3830339dcdb3652342c489e341aae55cbff

SHA256
a3e5a12e76520f61b4ca8b88a1b30859485145fa40f22beb5001248cfc678cf2

SHA512
bbca67651e2750102718f3306785e5ce6ad4a4a44b0800de90a05d68e5338e9cb739f763d03aafcf473bf672bc8cfd940070488eb658cb3fe341082df83be5cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
62bc50c7096016342042a64abed25738

SHA1
f9e217b72a41b51f98d60df813d36ff2458bf839

SHA256
ac2e7de2630430860fa2fbd0eda5ccc3657e9ad277b3902fe506fc35a9464562

SHA512
7929d936047d36b5c5b78195c41f78d4ab6b4f3e3e111f452ef93e0d79249ff16832b9a620f619657e407bbffcfac1fe760691170f4661f2b3c1b6fb64bcba0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
75e74ff21aa27adb4864fb9af01c436a

SHA1
ef46e6008c0ea8d1f5e6a3db35d450bbc0118c08

SHA256
3296c2d4674bd6ef059ffc102975a8d544b1d3e8d1e401842516214c67ca64ec

SHA512
0d1fc5bb45ba5389be22d135bf1034f8e95421a6b94606eb4446cd782541c50b1ca88a5721b28f53120c71e5fd7f80f988adb051ddeb8639f7a8fe13619d041f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
34a6e732f9a268241afe07d70d97e9b6

SHA1
b802d2634654bcb5d3b0e2b451c7cac712efd057

SHA256
97f7297c5fddae122ce6dfbedc1ae8c05c8a42c60f3ceb2f89dee0e93b55d36b

SHA512
f1d54996a4aab0a910f9c60f03d3dba3ed550150e16091da01627ec86fea77fd3a2d9472bb5c95eeda25b1afde95f7a9601c0a2972d2c3b7608b47fe208fc637

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9a5a221da94243fc618d9b1b591e7453

SHA1
e9257d9554c52db3fd022d597e4e7a3fcd402754

SHA256
0213144b59300a533b6fc9d834c251ec502bffb5a5f9c2b02375062e42f8767e

SHA512
e6de0b39e4b110c85584039816cc27d01fdce2623ca32b410da19c397bad59609f00badccbd91f06a27a4d7a7e9e6c9aadbf344e7c98852c30102b3aa6610f52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
cd96378b128b923f0b0f258c33401070

SHA1
97942cf87deec74a4be40af1f59b129e7bb1a1d2

SHA256
fa014c689f62e4b92c9fcb26d7010a17a437ec614055ce2557f503736cea67f6

SHA512
4c5e05b5a813c8ff9f05eb5eed76e0dc972c5b508f09f1ce81e6ce60e0c5fbfd693040074671e5ae2868a1292555ea1751c9cc1c169e38730b6ea91530523469

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
61943e85c9099b9e272bbd49eaa5f591

SHA1
2fd178afe9156ba17d6bf6b04a2a8a8b8d2e26a3

SHA256
9fabc01e4aa8f7a80aab998612c5a93b492119cd7c04f8a0c35d05cdfda39df6

SHA512
74967a1dee59f3a0530f30c7ea20563ad0a00fb3d587f08e436942d2229a80d5e7523e90b5bef3b50492c77c9e7a933f1a6da9985f429b10c855ce98324c5e85

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e5dfa1e676b4c65ba6dbef7ad44e5787

SHA1
38334df0e7d903f3f31523082e6183bf98af204f

SHA256
312f3b39d6c019b830111be5d46306ec9ad1c5e355b059a7960569530f0b7b29

SHA512
58a5fa247e8597a0381df73f9b9a670703dee19db190299cad38bc21ac3fe282e529b267e61d9a605d615cca4f28a1eab2ccc785cba49630e87409e1b7312b29

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
bd00ffe9ebf2ea9d8340ddf16b1f9292

SHA1
60bad0bbe64a9c1dc81f35586a1e83ba9b853063

SHA256
0e9b8b419a9635ff47dcfa92c0c06474e5856740d3ba62c4118a314d19aee45a

SHA512
ee46169ba56ffa293b2c6cdbb8e3b6e1117c3524606d7f89031c8593c01af2f9ac89ffb63ff3f1fe21310584208017789bb8d5bad3707c66c7944ace71410125

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
877e9b9d7ac5fb88de334997140f9a88

SHA1
ac633c178c0a000ef1bf9fa2af3281865d87f87d

SHA256
5d389fc754ceed7f281db2f5fca2bbf253414749f9d1b18c5eecdd3b334f4d0e

SHA512
71fc29cda376031fa14ac33a2e579a21810bb0ecf73e0538626ae7ba52a91b44cc77d51f01527f9e93df669c50ed70ca5032590e561d15ef7011c46e63289de8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
139587e21bba7b299e0cd099fd47984c

SHA1
5c313ec37988fdd416019c9514636df26f012577

SHA256
ec327c853958a96d62d3cb5a9491605b78c764d804a51ad508c35ffd6c23b753

SHA512
1aad9710ef22abf80d6419cfe07e513408ad5a5e461103259464c83f721d21476eae858936ba996d35239909243ca5cbeed3094200eef28b572fa18c9170a7b7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
943dcde1d5eda34d7048cdf0cca0b9fb

SHA1
c9f7e2f670a35b2edbc160f91cfffc6ec834a039

SHA256
0fa3a204ad5277f2b2e877ad092beb643791b33523bf1953e16b8554f7ab1323

SHA512
e691e4f520802573f5643b96db94cf8d0940fee214d595dd91fc1f700300d43b7ecac65b00bc842cf9ee543885a31690e989e4089b1e008aea028152d6a0ed97

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
60ec234ed42f9e86dfbb259424d880e3

SHA1
190de7dbce3745b5affa2ccceb57cfeeb836c099

SHA256
280bcdd4408ce02649989cd373ea132914f4dc7f0fc64555a402c3843cb7d74f

SHA512
b2527ddb4b4cc37142472d92d74e16551e7454fba58bcf2480632671a96ff6975f29fc7bef3e82ef541327f312d97fbca63e694e86438635464c71af950e3580

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b61ffad840346d3c90f60ab50b49a774

SHA1
efbad793965da5998203e6727a7defc884b27104

SHA256
86f6881224b9b77012f503da360ca33690c505f49f76790a59e1e676259e95fe

SHA512
662fa0262f6ae65eeb0a0ae61653c1c6ce65cf86d670958141a9f4a95ad2d93b3220701d3c57f167e7f243c8221dc15c3086b3087e0b983f6103b3537617f22b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9908f1c39d53103290b3dc0c30d1a80a

SHA1
69c69d81e96010d9ba2a08ac966a78b4cc4ed989

SHA256
4e9a3d7be3c40fa049758843f8d8b887f8def5daeb4fdabb67fa7035e9ccdb05

SHA512
c5cc649dce1f7685c6b83b2e7c7dffd5f84e81762c2d6738729f8459ef85c8391ac6b83c72be90892cc46b3d677d39a8d0e11ff14464b96f720ee7ed6bd9e1fe

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c8928ae65d00f1fd4be02618a4984180

SHA1
04b05b60a69f0c49d40d2ade0a6ea71a15b4408f

SHA256
0c0995253e7429646671b1e46c15034c0378e4b244dc56ada576ab4822b3c188

SHA512
74eb733779bced822e040f35db0474c430eb661c84db3b30488a56b5a6ff635047b0733c33b42179c8c7fbc4f9f2c7e62f9ac6988259d84f1074caabf339dfe9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f5279f6cd82e088895d6db8d13baea52

SHA1
052e17a9b2e9ab64472ba837d1227cb0eaeafa26

SHA256
0fd4540f98964538c2c60828c79c21f33010c94bc5a8e2cd5bd2e4d662cc9c04

SHA512
9bd8c6572a3b78df72f86810a1b5e58f50a278299f9353e675aa5cdebd40aa0f46ed462c157d008703fd5a1e3a4e2de6be566e52b6000a979f509576c75acd7f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cfae474593aa0c034ad929c36c036203

SHA1
c583730363c22a4322fa168d8d4a1882d4dc78bf

SHA256
c4213fc329f63dddeaa9f72e882ce29837a7e7e14578fc21a6561740f1a47c38

SHA512
0118a40f009b820c9945bd8a92ed03188f21f9cf0bc324ed1ac07334be21774b21e3ba8f4c305ad52f8d1740fcb45bb686439c8eb6327ae79a0bb6b47a63d4b4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
de23639a56a34c97c5d38d280af88ea0

SHA1
ef16beaeef312278934d4182a48a1ced616cd4d8

SHA256
9b74d0b527deddab6fc0ba080386a594d43929c5a433e04525e27cb192e376b1

SHA512
c01d20f679556629e3fce14dc5466455f5c12fa66731fa46247469755b0cb4c3cdaf305bd4f3be0a455080cc7d0f02a7dbf7d303293d7ad27379f0f7805ac3a9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e6c4ac9fb634d5e16d7a8f5ebdb57367

SHA1
bcf719f31c5738b649137b22a16872b533a0f373

SHA256
34d3b08416dc76d2f7788913a7db317fb049916becd6fb85655e70b5eab0a1db

SHA512
41f9a33bbe63e2f3d9c82e4133b1af335d7434c726ee86a7144883d7236229f77f43eb9a9d632703bf6390678169832a4e69721247bcdc1d6acb117c349d5456

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
007ec7077e0e321e412aa3c018d8cadd

SHA1
29e8ffdfe3c5a3d43de354fc2aeb3254639441a6

SHA256
841196a5eda77b7a8a32c7bd9feaa92b26c2f601685cc6381c924a696ecc8a05

SHA512
61f6a09ba4ce475a461222aa9ae4bcd74bd830c96a7a8757de06f4bec3af36a8306b11947f9eeddb1bb73543c3fe172480cf5fe7b1b7acd7a97dcf96bc391250

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2f7a25e683571016e9412fc8db51a06c

SHA1
0ed31ea8a42f7acc6dd2baa59b76f794a27ae842

SHA256
fca1564d4fa47d6c77db72bdfc0e13dd97dd02a4ebb44ac3e0aadc27d25cbe16

SHA512
6b7d9aa53925cc7b5f17a3eb5576d3adececaa644d49b31bf28c38d341f908c6b116f37a659175ec2077fb03a2232807d4ca30610ad39471bf75f71dedb61dba

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7e30c113fad943816924e418d6882351

SHA1
34561a52e661b6b0710e7e190c22c02126095233

SHA256
4b47d13f11ab26e5f5cc4ac937755c487e5384e036f7996c3539413e51ee01a5

SHA512
3e8c5dbca66dd8034413945acd67cb4539d373604e35ddb66fb636f53f1ac57611361ef86dd3f6cbd311daaf0d241f35c01d5e87edc41f0f325905ab1cbec68d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a0537ba0de196127cd1aee3adabc178a

SHA1
878babd6391f5ed732f7d8efdb6fd5d705b0515c

SHA256
badaca7c156e11ed12b4b324e9f95748ecb04ae23c3f7279a3d35dc561411d65

SHA512
7ada9ca465486a02866cb0fff4f3d8cb8f37bedda6b564458173ff960392a7f21f8382633288fefaa826129d5f7eb9841e5525fea0b2ce6212f9766fa04e2278

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b1a9947ce69f55692b955542f8e62dd4

SHA1
d538e6a2d2034cc97ff2de64f9a6288cb9fab49a

SHA256
0d1977de1318c5e8d596d78e660f8023d8ae96eb7d771856fd6b158353f834e2

SHA512
fc0ddc89bf888a4d593b366fd3b20230d89b592008903b7c66eb78ba4612464c840771a2c73a2c72c17ae5ad9da912fd00576a9e3d6222c1c9a3df3b03fac41f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7608fb0aa6d7174fced2ef0a07034735

SHA1
a6a2e875d4722ac9ec0b617abc97b9805b4647d7

SHA256
4a4b2f301314c6cea70e11929ebdf9b9a2de3c7319ea1166d294a3db5f83717f

SHA512
02c54c6360b45ad91db23303e1a9c50d9e13812484bed658b02ec9fd660ee96fa6e0599e23b643233c43be105a6a553f2828657cf0177314ca3551abb4ede6b2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e38e385d596263b3205afbab3554ee3f

SHA1
9e10677cf724a8baaa1c6dffce38b5f763cd3c8c

SHA256
2a2200ab1837ee8588286447c2612c23db40c0bd91c6200be0a5a9dbf0fa7c88

SHA512
7f839dd7f32c6a1fe292daa77e8b5a8b6e9a9de97dcfc09b3983952ea753fa77bb3efea3112cc8928e2664d8c5acf77e7a09fc928e79506fddd1cdefd3ef8ccc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
662ab730098b718422ed087bae2baddb

SHA1
e9118b3ceb0ef0bb93bf49b68f861a555cf2dfab

SHA256
1dd076987fd241833067457b6dab1c77ed23195fbd4c427549dc241ba521a38c

SHA512
0d136afbe233feaa60a7cd1557db8f2c9af18bbcfe351054b3de438e7a516263854416c66d72466f8291a76bd5c34500415fdf3961f2a8a854d194ef402e8eac

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
464599bad9bc2c161275856b0785b967

SHA1
e22bbd7f9064824c5afd8012d8aff555c23e03be

SHA256
9feb354aeee4a845146a9e61382435c2f57a59826d3ea839a00d18d486054286

SHA512
4fecdb825cd5622e92a6cb8614d4f14303ae5ee58cfc55a3e1297198920a9554be81ef502cd8a4db540311fe37c3adc25c1a41f289e90e2932a3aee8d319dac4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
794b089dba7477e782d29baf7f5961b3

SHA1
d8d28fc8aa1b47c28bad64d5a19356ab4d3cae31

SHA256
9d1004b20c25dbbaaf84495afaa95baf58af496c5bd11b05bba41ff04d580c6d

SHA512
7cd98514785cae0aae45703340f876182599dbba1f545056d1a0b823a439408f5b4af20591e35b221db08924cd5dc9d67c5dead56bb487f8c606b1b1fcccdc76

Download Submit
memory/448-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/448-12-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/448-19-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/448-127-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/464-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/464-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1616-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1616-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1668-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1668-54-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1668-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1668-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1820-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1820-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1820-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1820-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1820-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1976-471-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1976-191-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2056-6-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/2056-0-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2056-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2056-7-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/2056-2-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/2480-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2480-557-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2880-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2880-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3240-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3240-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3240-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3240-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3264-90-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3264-202-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3264-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3304-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3304-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3664-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3664-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3992-507-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3992-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4004-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4152-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4152-394-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4400-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4400-467-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4416-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4416-449-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4516-560-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4516-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4616-37-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4616-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4616-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4616-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4616-43-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4616-556-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4616-71-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4772-561-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4772-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4864-142-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4864-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4864-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4864-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download