dd02478bb1081d6bbeaae2cca4ae9556680e757bd554c256a0a9fab525e1da9c

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7ffdd252278b0c93234f0ad8238adb0N.exe
Size

1.5MB
MD5

a7ffdd252278b0c93234f0ad8238adb0
SHA1

7e42f15278a7c831d80f8f55944a2b873b7b27eb
SHA256

dd02478bb1081d6bbeaae2cca4ae9556680e757bd554c256a0a9fab525e1da9c
SHA512

a49a2248e89bb0f61b9dfe7e0d40b2fbaad5ac643aab2848293cb962445904cae766ad09d53ec57d5f1831b3985ced4bac3ed1249e327b928a22b034fa3d0d16
SSDEEP

12288:v0wVDgEZXIBaxqCKi60RoaItZICRtjch0Kp2H3HqFShkPUzlZjOJ:sw+EiAkbwRobfHRFcbK3eUKUzy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4880	alg.exe
1716	DiagnosticsHub.StandardCollector.Service.exe
5088	fxssvc.exe
2688	elevation_service.exe
3344	elevation_service.exe
1048	maintenanceservice.exe
2984	msdtc.exe
4636	OSE.EXE
1300	PerceptionSimulationService.exe
516	perfhost.exe
4840	locator.exe
1956	SensorDataService.exe
1692	snmptrap.exe
920	spectrum.exe
2428	ssh-agent.exe
2828	TieringEngineService.exe
4492	AgentService.exe
5076	vds.exe
1772	vssvc.exe
1500	wbengine.exe
3776	WmiApSrv.exe
540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\System32\vds.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fe4a49e15325400b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\System32\alg.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a7ffdd252278b0c93234f0ad8238adb0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062e0f18f6ad7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030c6d38e6ad7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6af1d8f6ad7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c126f58e6ad7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000644d1b8f6ad7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8cdde8f6ad7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b4fdd8e6ad7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1ffed8e6ad7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000526148f6ad7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1716	DiagnosticsHub.StandardCollector.Service.exe
1716	DiagnosticsHub.StandardCollector.Service.exe
1716	DiagnosticsHub.StandardCollector.Service.exe
1716	DiagnosticsHub.StandardCollector.Service.exe
1716	DiagnosticsHub.StandardCollector.Service.exe
1716	DiagnosticsHub.StandardCollector.Service.exe
1716	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4012	a7ffdd252278b0c93234f0ad8238adb0N.exe
Token: SeAuditPrivilege	5088	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	4492	AgentService.exe
Token: SeRestorePrivilege	2828	TieringEngineService.exe
Token: SeManageVolumePrivilege	2828	TieringEngineService.exe
Token: SeBackupPrivilege	1772	vssvc.exe
Token: SeRestorePrivilege	1772	vssvc.exe
Token: SeAuditPrivilege	1772	vssvc.exe
Token: SeBackupPrivilege	1500	wbengine.exe
Token: SeRestorePrivilege	1500	wbengine.exe
Token: SeSecurityPrivilege	1500	wbengine.exe
Token: 33	540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeDebugPrivilege	4880	alg.exe
Token: SeDebugPrivilege	4880	alg.exe
Token: SeDebugPrivilege	4880	alg.exe
Token: SeDebugPrivilege	1716	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 436	540	SearchIndexer.exe	112
PID 540 wrote to memory of 436	540	SearchIndexer.exe	112
PID 540 wrote to memory of 3760	540	SearchIndexer.exe	113
PID 540 wrote to memory of 3760	540	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a7ffdd252278b0c93234f0ad8238adb0N.exe
"C:\Users\Admin\AppData\Local\Temp\a7ffdd252278b0c93234f0ad8238adb0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3344

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1048

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2984

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1956

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:920

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:688

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:436
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c32177f6886b6bd9c02927b0d777ccb6

SHA1
e5a4343fcc61888e7465e6c097bd254ec0ecc14f

SHA256
36cbeb4e18e5dc705696cf9534af93464f0cafad032a79f2a594aa9f018c9991

SHA512
5b789015a1efc595c0211c816fd70146d7c174f885c1a55a9b29571e0f297d423b6a53543b87fe603dda2a3c6e1277e8445a3f4e9f2dfc01b567f25a8fdc8cae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8972f81a07faf1138c168cdeed081809

SHA1
1b38cdff3b0237fcc6d84ab04e1bd2f28c710f9d

SHA256
8dab152f25a686d8c2a8b939e86fedab615612a9da09bc586aabae4ca6bcafcf

SHA512
04508bc16a8c94f47d959af1c8a7c7272ce8d0436979448dfa9d73bc4c9545a678e0aaf5c247dd6088822e76d443da8b606fc839a31bc95417f0b86e3b4b19f1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
d60ef4db0311c549bd70f9435bcecdd0

SHA1
6047f93300f37850338323954845f005244c9f97

SHA256
e6b69e9c523bd94ce2ed0e1523f08cd0d917a5db47b0a69b7ffc584486dafd5e

SHA512
f38ecc6f0d1199680cd0a1ca02d7f4d5e33a0f7164d9d02d2c94a3dca9df3f6e4344876666d24cdca05940e21b807d979317c8bf86f7702707fe0cbdb18eae9a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8f9fe6c6fb1b04776cc3135ac779852d

SHA1
216e2706796e60794a06c38b24227e2e3c98dd14

SHA256
ad5d19464aee6be8c5957e92156c4c2b646c7d17da0bfc83e6c0aa12d9358eb3

SHA512
4c985896a9c36638a12aefd7af08fdc56fc58c0830bba05046c121179f25d60e491eb68385bf49789ee3e04900b3a29fa5bf4cadc56537907b850c4fd2424536

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a96691b29d3e4dd71ef7ec72d457bf6a

SHA1
9adb18657a9432e2a4ce2fbf1fdb4ec9b755532b

SHA256
b37028a733c6d178d43c9a0bd2675d68a678e7167d51bcce2982b877d08656f9

SHA512
3677ec925e07a45e9293111fdb8edbd87e4fb51d3cdf32914ea70704aed9ebef6cff24ea2ceed7b019d12ab10c15f29da30c21f0162ed8f7cc097ab4662dfaa9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
90b06456045951448bfb2d111a44e2bf

SHA1
30b03be7bb20edf72fe26939532a5266ea725be0

SHA256
fea01b008e241ed506924f282a425a0740ea4742882ecbbf9ae1e83a848ea2fc

SHA512
292a06e0d87cb233948c33dc4baab446fa9c6aa8ea29b65c71b6e44b6a233cac0775ee69168f798a79d078dd16d20a8a23d73e4473d15127facf541483af2ece

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
cc6cce17971ab1e623da40e2afb01f03

SHA1
75a6ddf91901a3919d5395e42fc458a761dd96bf

SHA256
9fffcd8f565096a12e84d8df04a4321ea6092812f42a1df57228a990e31a1d2c

SHA512
e1f9d8c0110e2d57b5493eea29fd974061132a65a739ffba281a576030d124882e367915d2232a94f56c3eb2bb91cfc3084e9b6a71637f92c57331a27eb527e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8dbe3f5c3babc3c680cda4ce1514a31e

SHA1
22860b4897969301269a90c71c0a13012d86616a

SHA256
4428e6738514785640827e0b6cbf84619bb8a7deda8f1c271f09383bde995ad3

SHA512
ad5a12db106f8e415db55853efa2121e89090c4773f60fb6fca6ddaa35cb7e8997170c659d0d16a6478d40ed7d495d3c4350942073bd0fbc6e4e68f6f48ad4b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
a2bb54740f21489eb54830e283753761

SHA1
1591039b1b84a326562460cfdb00241a36e764d9

SHA256
3a34b30d5dda5f157de76908cea878485c15271e424cc4cec3834507ab7b80c0

SHA512
bcaf8ab6bdd450856af36ac515868d2b72a3745f14a688697c4995de4d0cfbea4a77fa56075fd2a413b9e96333a51ef55ab7d7b3274d63cfbc8687a8271dbf11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bec235137969410e26ab56ff5cafeaeb

SHA1
5749ac3ba624ad44a8a20d24c7cb8a0153f62197

SHA256
d79a9999cb9a7d25ba88267818a316ded811dd2d5d5cc9f461e1090e15fecb34

SHA512
bf440588ab54b93b618f5af46632bc300c61f5e7b5c852c5629b692dc356c88ea84e182b443765ba40c76b8fb509bd859f24da1cba3d53cd2e941a13043a6da2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b202146e04ceba462645d6c54cc20a5e

SHA1
dbca13deb61126a88043644a68c0431eb4912308

SHA256
4a35ad6a3c71f2079eb7d956a6885a7649775205c546902626fffe544fc24d60

SHA512
b9072551b5b50527bd6fc059123983fb33cd779db0325f7d2fa899da8d4419476af9406f713071c12b18182af8c1efe71f7c423e3344e4cc5d0ec11e01f1f126

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b5b2b1642283f8dd82a2b85453d5ab21

SHA1
ae3e8805b15b274fba51813b7dbce2ef0f61a9b5

SHA256
8559ac87f24acb827e6a5c4425988f4961b1b86f9369851a07d5a59543df9edf

SHA512
47859d63cd09e7bfa70b56772f583bd4573bd4cf238b3018840ac85cb9abeabf2c9077533486903368d52364a4ae46a654d70a21f81c142c3f6d309ab98a059f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
48c04ac81ec939fe92c391038b832d1d

SHA1
52d8005562255d2d08df6a05c1bf0ae35996d2ee

SHA256
1f5237cbc28fe9c230bbd171390a3e4c8ab94c7f4a47e47eac197414b5fb7412

SHA512
9d103c46df96a1aba8e70912d64543b6b882b0cb330ac22d3d81b39f8818a1edcfe04e8649cd75eeecf117334303e2ccc451847f6ef3db7ba13a08843d668c1b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
3845c1ccddfee695185105fd0489ce2e

SHA1
a66790471d95c5c2b78aae352df01686bed01ac6

SHA256
9cb1821899bfde1b6d9315d4f3b90a094b1c39ac17ebdfb2cebbcf9ebe719d91

SHA512
0b8144e788a561950673eeed4dee5e8ae688e68de1748100c343678379912a2c27eb517abf12c7dcc1b1b25ed911944831cb7aca209cdb624cd2fa2c108eb584

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
587232efb8a661c72016461c725a751e

SHA1
4cfd2338607843c5b7e7eb9beeaf7ac48d438b46

SHA256
d948c5d42a35101a039542356cab3be1ea5dca6388516cc4ef56265c48301710

SHA512
0abe81ce66605e788c8c1f532272e8d4e59a1b2c36b32ef53e9747ca23cd318e553296bafe32d819423fa7bf8cbc2afc4f80f5c206bf64f6d02a61073bb022b8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
0e65f330717562a4d4cd9d9d3f30a95a

SHA1
0d8d99f87595dda30660e2ba56c31d5c50cf546f

SHA256
cfbcf9ae771167836b5ea25031d5ccf5d83493baed1db634847bd18d728f1606

SHA512
e326476f0fa7e81c4e0465e009ea0a03bf4d06f96eac9c4b92f26dec81be493b02f07567e737d357674ef864e5178a11aeab9d9a850b05acd5293f9fc3095d80

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
eecbd970caaf7e2950719852a940e6d8

SHA1
d9334a9613b4ed1c13874dfe73e3a743827ebb61

SHA256
f3b75f70db978c957992e9df7a4dbdbd7f8c7cd4e992eee4552b43218bdf8e23

SHA512
c296d18155083eb430fd41376a4363dacc686389802708263990fc55a70a2766da7cdb1242bd8191bd8fe40a67dbd7d04faa7665b60e78bf423fd3ff0a621fc4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
0c424b6fc9995601ed1115c9675169b3

SHA1
138e7ed889f5df05b335e36b71ff9a8b7fd51e18

SHA256
e2193265d9545a297713284528228d7d0913a54f2fcb07ef10bcdb45f843c8ce

SHA512
4ae8a83661ebdd1da2947740dfd4bad8ffe84e1e7c1dbaec82af2424e84c626ce74735effe488a4c503537e5f61be6e39e254a3702ba978a3b31c80e343a70a3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
c3fc18ec4e9fac252bf294711d6c5fd0

SHA1
2cc033788d3183cb41d2de675691a828df580b44

SHA256
e6eb668c5396aa8b471f91203cea49efb56ac15d9b80b622df363aaa8d2cdadf

SHA512
47f44151f67e7510bad48556c2bf80e4fbc7084817e82af9943249e962d5ce7464396afed99b893ea219a1b0d845c3ce5914c618051746d8e14c72d847ac13d8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
382ce6124468fa3b6762590422fa2fdd

SHA1
d91aec4215f40f111d64f0ce64997667b9ff339d

SHA256
ebed0cc1f9a43e7976a0cdec7ceafdaac16e3c56423e0b8909faf9dd0bd01ea3

SHA512
cb014f4c06820d0f7c2de777a6236fd82e16d36e32f53dd07fdb306c7ddf2e6cc33f162a642c597c1055700c95185cec0a17409a69e0f9b22bff512077b291f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
c695d48733d6dc66567b7ffce2c53667

SHA1
c139d773684b3890b0b3d8faa6d86d3696348c7e

SHA256
8488b32ba238aa9c30785ad25c11b23de2bb8ce5621539acf1dd8d27310589e3

SHA512
666b29c978f628b71aeffe1850503792b78751db58a4594ef1675475f9e3c31b09cf34dfb2314d94b16678b45cd85512d9b580be0133f81e66b7e70d0e0d3c2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
e1e59422f7b55c9672f7ffef828a0f88

SHA1
8b87a4b76754742ab1a0740222025c231d7019dd

SHA256
6a702c3be1bbb06b928490931ae60be04e68d58c31c7c142e91dcd121e824bdc

SHA512
b590a58f390e1c2224144f1a850811acd3647511d06101836c4cf8832b872cbeffb6e0a2a64a92fad5366c61bd51f9a61d80922676e11e581f0b2579f1037785

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
893139178697a871987be711225838cf

SHA1
0b7748eb32d8515618fbd3c5d0e923f99b27867a

SHA256
e9a4eed6bb1cf23aedbad6c8e0ff7d96420bcd4188ab430f10cca33e458d1df4

SHA512
424ab5a369102da6a26361d741dde45f9ef5cedb125fbd4ee3774255ac9f3de8802a5343984da6a482d3090f4629f92bcd52ecd9476ef4ebec06945fa582fcf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
4abb8000d469dd47fc879d04a95d60d2

SHA1
a43d659a461e5317d0e97a38f92bdf7cf48a1ff5

SHA256
b72f60ce2fa972641bf5490c50ade6bc15fd42b6909c2a77476ceeb3082db670

SHA512
07ae1624872bbd8c56f8382c9ac991bebcef5609de910ff268fd1aaeea5364c6f294229c69917e8267273b0b59424bb06e48604b58b1d6bab9fc97b451031424

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2caf55db164c34309276be398eb7d359

SHA1
474a9fb8cf42eb1a0dd90a6b67773927c8ac20d0

SHA256
1bdc914f3e71e8aaf7baa5528f9bd815a1a64b1d85ea8c9da6e82a390e12b632

SHA512
4d98aeb61109e88951762b80ece67c83b9662acba601928966743bd70ca835001cc184285244c5e7bf4e94f4a0cbdbc13ae79ec2ce89031eaf9da26aefd37444

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
85b771a6b6439ce0f9831ca4aa6be164

SHA1
f80d02c343b4c9996294f404edc20aa48b23d7b9

SHA256
26f29fa5791c092732ef9e4efe75f97043640338642339b177a77f758f471fb2

SHA512
58fc31f3419185d83f5734300d195af6e3c85e8b0a0d7c430dc1562283c1fecd2df7ba3513b9535dc9455c227335f2e5efadbe5be67049aa44906c40e2c3899c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
6729ac62b27f5a4e77d5681c26c2ba5c

SHA1
c5918807b9caa5b1f9fd5bdbaca678e69e4f295b

SHA256
295cb330b7fb6f5d9a5444b1bf06b95d27c293e152bcdf78cb42f0711ebbb4fb

SHA512
7d60837077b2b185d21f0b211b28ae9ef8be9436cb53af84ab1b7d9f7dfd747e97668e23eed5871c6f9886ca59be78424952d5a9da324ba142467ad2556ef466

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
9b688bec8958206d1c071275fc0de399

SHA1
226c228751c143910506ce4c0a1a3b1fd92a9604

SHA256
faa637af1f2047502c20b91d5ce17736ee6b8cae3dafb44fc9f531850963aa11

SHA512
77658f9e9279c110881c40faeca1d154c8aa246561b2a20f932bbc43b449c9a4919da84dcde40a4ee4d96e07d55966810f6409b05fb56441cdfc74712b455a7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
7af604389c8e88a7e6247828afd28719

SHA1
064abd76569e063ab6def517b287be841e2404aa

SHA256
f5edb401461e0f6c1da15d0f66de4abe169ef5e865c991044894c370ee8f2392

SHA512
dc8aeefb3708870a37bc326ceb802dd70478c60c4d771a0978e09fb7d59218fd5f6eb8c43d1b232179b98602d5b2587c88f6f7860a42f93ca22b8e04ef864b27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
a59a8f194e5c6725dbc6a083caae70d1

SHA1
c1bab274968bf2b33ab62ffb5fba04674489950c

SHA256
dda584178091d6bb329bfd605052cfac0ffb23065dc25dbe13a4707b03a165ad

SHA512
dcb2ba696e23c42a75290133a2322a4c63201e081a8a1bc9eae0cba6a8b322fe950d99a972a01b85f6f310999b998e3871ac817f3d193776b43ed4cfaf5a3f15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
09fc2a2e70004b4af561adca3b07ac6f

SHA1
38dd13a5d69000650ecd7f7cb131a57c4e926b16

SHA256
6365934b4d3ce34aae5ac50fcde22d4c24f0cca60f0b6de6bb38cde74a7cf35f

SHA512
9edf2f4d36f49cf38992d91edad97a8c85acbdeca4f893b2540326d4a5c8a44396e159d6f6d2da70962d4295d8a27ee1dde165d059592256a9a37d5c090c2727

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
ef6a1ec2525896d99f30ac13bd69397f

SHA1
d31e2024dabf3e66456d386417acf6a85cf02583

SHA256
e83bcffb8db8e47d8340092162ce86d96e4b829735b2d030aa10056730295053

SHA512
5264de2849eaff78e4c8bb966a567f0f0314ddafd8b5c65a074372eb6f85396172bf1839d1906a46a965256bf85c3792be4e208d97a1d7ddf26f9189d71dea49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
dac979585ff335d9a3e8ff7cdeb5c470

SHA1
9fe9c4f7801a4f7edddaf938f4e083a58f345407

SHA256
b3a4f881ebdb3248017060ec99ffeea2598ed72ab7ddb7ea9074bf79e6d7025d

SHA512
5930cdd69759647ae724d26ad0b10c2ae05cd3cea56cda7858202c03e2c127bdb6106394515bdaf1f586d9cd1b70324b60f3d97c92900d18ff3ed440d54bcf9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
9acd2334f2ae4f73337f3668ffb88a74

SHA1
e94a24487cfff87808228695f097eb8c3e5c29f5

SHA256
f5ba413eda0d6781c46b8db7d210f4b80751bca9a850ca43f4da8ae592fbffc2

SHA512
720e90b352a1c4c1130fb29f52250d2ae9ee115b165a3b2736f6079a123510d7b7c5632e835ddb18bb03fcc26ae35aaadda6d06d783c6930a7ca0a06490abadb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
ce76457d894c93b4362f12ddef8d44f2

SHA1
1f8e65b5ea53bc662cfa7002b6c3c4beac974f76

SHA256
f4fe8c2b18919165bc1beb79c4219d941a4dcd7eae8d322a476c7d24e7dab7c1

SHA512
63a8b5e07907501ec92ed8f72eec6f6343f091f17598547a69e8db1cd6d6eaa9c654efe93b538633b108eacec2741183a5dd650d6b0cabce6e4b1ec9bf7b9eda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
e47fdb0cf63948753299b4676afc26a6

SHA1
050756bc322821eb1ff3a2be9691dea3561dd0fa

SHA256
62a58ced304dccc1f07e3dbf068d5107ae7b27e49d44471a329c6950e31f1023

SHA512
66b31625fdfe5ffa7d37ef0c9db65b635294ad640b5782f840929424eaaa1dc3583e5fd67fc9c53c555758b91c5d36bf0778334142f57451485ad5d08c7d3a13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
7338aa65d9aaf93a63d76ccf50e11173

SHA1
35895b426f14f737ed186e4f177c210355189cc7

SHA256
3237a30bcc25014c6559ad3f57b7249a4a214ee4a8b59de50082dda3f9553d30

SHA512
b034d44598674ca64cf759bc11ca75f6b0cba7a3d41fdc7e5a6e5410b71be3242fab3af9d953ed4ccb2cde27f321297fb2dc106aed8e711e1f14ad5e015f55b8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
622d01d7957cef9766b2613ed9671213

SHA1
b5bc43b69499b9fdb1573b428eb9d001bc60d548

SHA256
706aeff3a59a0b2068d2baadda4db9c072db1c9ec9b2d3980ab348643b9cf3d7

SHA512
f58931f6b435b6df3d62f40b0ac2cba1b9cdea683b6fc3553e2042dafc5a2a987f1c7f2a6c1ca5bc48fbe643f6696d4e52a6138dfe00e37401ae4bf20b26807e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
e20144f56c64c2b9f2e47199e5ad3783

SHA1
de7c5e2c890338ecd06939d494216c8e368c5573

SHA256
6960496cb5d388785ce75bad92e3f0b9776a98e1b2908dcedfe3d6c1180ffec1

SHA512
56258968a80b31bc0dc3d491238219eeb5e8b6b946ef29fd8169a49685555a0f577e2090525945aa3bc895738e8a70d90774f2293c27fa31f06e4acb237c5441

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
f9694967ff2651a7865ef07980e501d5

SHA1
efc5bdc11c7a1212bc8ccbf3f4e61480e4bb01cd

SHA256
2d24f770f99f3eea746102efee0bbffaa4d44ae888433b28b79a43eddf149574

SHA512
a529e4c4291f6ad4628cc5324f58c187131e1ea1bf342d8c1bbe389acfc5f73ae7a545c868cf2212487fa780aff1ca605d3f3ba3b1ebba75f975c2fc23a2e342

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
821a743345d3c7f8dde6c0b16a0a9067

SHA1
a6c14f3399929af2b1f4d03a3a798d11ea6d4102

SHA256
312dca5e45c6f03dd6eb7663f029707f2c13b60f81e242f6d198c24f3aa76eeb

SHA512
c1fccd746e7defb8fd551012234e1c9be06ecc413661c784a674d1587184f78317ae2c4c2d8adfbc0b7b7211bdb4e8642344f4501e3dc4dc966bd6f3b2220b4f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f2a50229372348b1134daa1745a40723

SHA1
5067921e15c496ef0ad656a6b1cc002d307081a8

SHA256
96b6dbbc68ddaa549473eaf874c75752f3ba7e4b21204dfd5de72fe34fe0a698

SHA512
62f80b27c4b5fda7ad1a84ed9ca6bf8448ffc73fd849046ed274ba91fbd3581a4d43a929e0492ae170b56479cfc7815b76152b5a902538ca1cc5e77d38330643

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b2c96c9aa916310da02a451d5ef31bad

SHA1
c927014597016a9281f5e57e72ff6310ec6877cf

SHA256
87ae0338c6edcb833eee3523abeec94ca4fbce38e41cabcaed86d08e61698037

SHA512
ede351468a6b222e6fac49c6b520c4c34b6042fbeaacd29c1af1c4b694bd1d6d760f9b53f95206a6bcda96340b94af9c041b57bd00beff692beeb9065737be4c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
46b958fbd937d0da184e9b07cbfbace4

SHA1
8c4e6fecb957ae111e1cac588fde587da04f8f59

SHA256
9746355aea858aaef368cd6764b9de807323a955f38101a8cb3ea4074b808b22

SHA512
16691a2bd0392468d93f79af2f6ff2cfe5502eddfd7fc817435c1f1f96073124217f5aaf05ed26083bc2f8ae67a12193983ecaec7ee1334569ea87dd43c1d2a2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e355cc42ec0e240bc5db7de2dec26459

SHA1
8d436b9f5e1db9d9d140cc5591cbf4c392a9ca14

SHA256
298575122e647279646356f3c6c00c7638a70c4054d9fc41eefd476fd649dfc7

SHA512
54e2748e4753938acf5795e335b0b0d3252464e34a0f4d2db689984af2eb3320b9c7ae34bbcdbe8ae5eb3e502d2e4164cb9282edeaa843fd9beeac0b72c39249

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
95a58db36256324608a7793fd194bf72

SHA1
f64221195d12a0f49ff76bf11534909fc813509c

SHA256
10b4d66faad25b556eb18af30c40874f36f0495401ae87b0835718b8c7f6f482

SHA512
17d1b84521968298c455b23291253ee6f729ad30aab7988448421cfddca714ded97ecb6360aff868c485017ebe310ed6557982c01ecafa098f8ddf0610fe10ee

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7f412429c7d7fb5786be2c5c36b59fb2

SHA1
d8c7124a6b20c89a7dc29c6d5d29d836fcf9c694

SHA256
e0a83b70b5a2b23f1e540433aafcb629a70849a3deb935fbd18460b159104e15

SHA512
dab826fa6726fc5f70ae8f3555a55e822a7c4ec34b1ed44fd1610e1c5d729605237f7f71ac480bbe82c43982f258c1f2a26417d63f977acb7d17e6eb5a1767db

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
31e8008df12cab2a39b194cfd73505de

SHA1
47b1019b9fbc7cec865d3a175a05969357636361

SHA256
9c1ff323d3765b1ac82b081a7b5e204d09e2365b4d6a3c345228d7968aca49b5

SHA512
b6992517691f2d46178b8c8446a59924a5612e0068e5e8a51b7043bc830cf09377288408af58bfe2695d625c2ed06e9b0c0ba954241825aaac9da00a4330c98c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dc6e5a7251d6bb33a0f24d79e1acb818

SHA1
6c53943ecab716a9700edba819a55920804cafa3

SHA256
b5160c471e1df72590a88ceb0fadcf4367942cbcb486d3f84da77538f07840f0

SHA512
75ebfde949657e6f6727d333cc8db839adab1f275a8b582bd1f6818b948c9c503e2c2a8f4538f6d6467b01a9014904a5b6a3c0617d297b59fc761e93aa64ee26

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
850cf6e019fc35d7344aea93bf47be98

SHA1
a65a336180837a4e93dd74a5ec5219f29ca143b3

SHA256
c60c1d896128a61ed83203291f7d6c5bd53e38d5c159e266cc144959d6b77177

SHA512
17b971659f5112f7172e6a3d18cc759bae940b2bacbcc15eb3a5b4d30695511500f6bf31a842304e391e7ae34ba6c43e84377911a7d96d4b4ed79f2d49619c81

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1c6e1541674d9979ed8c4ef55185d59f

SHA1
9bda53a2b623ebe65c04c61df1611dcd982dec78

SHA256
8f67cc807c9d4d9f51c13d2b393394397307c6c99086c3624dd9f36cbc490cdc

SHA512
f9eb475535e80b6734b3085921e61c3e05162624d9d8ee6ba85a9ca32157f27ad0d34fc9eaafe0f7d3dedbe2b880d3319360333ae0ba6384c7717a69aaaa7256

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
21e4c5ce7e0b309679255ba74c5691c6

SHA1
6f573274403760cc3deeb252407efa1bc528a6e4

SHA256
4c208f2a8b611e0872bfd21cce366c984cef34e13b64b27938229d19e92e33b6

SHA512
fc6d26649226b05a51431cbf1c512fc64868f8420a9a7378f8be43e47ad94865a9128ce7f474794352b7b7b6d90aef9a4ae680803e593d042130221c57b9ccff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
89915c046adbaf8c7939adb52f656a04

SHA1
07e597c682e87eb8b5853709b151894dc4835688

SHA256
438ec298f4238fd80ddf7248728650b6d0f69587068f6e2103f747981f2046c8

SHA512
17b1f80477d0d7260c0153f4e4420c5834adf6b0479a9e5465090e3e2befa0f52a596fd30ef175fd3c0bd2bc1d6d38aef38ddbd05f8c2d6de16206a8b442989b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
daaf1e8b68756166f12a5fb32acc17a7

SHA1
c90a140673ef24c4acd3b4718d6fc512cfe4a25b

SHA256
15e0e66b8386ff5fc3b10ac5d16433489c0a64ff98dec3aa442cf0d556a253c0

SHA512
d1e5b08c891a65e4c4b0c3c289b3ebe8bafcaf61f68f9487cc140c31c2595bee056baaafbbd44ba7aea06ef49140ccfc6c112e894f2ed599fe37a21fe251a694

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d7becbf721d4b32110124076a50419be

SHA1
0bebaa5de15ff2cc236dc2bb0cbaa7f6cb2af136

SHA256
6179cbdfa2e64b9b62ecf103f8adf79db3f72c4ae5154b45507f32a64b438f7a

SHA512
3b0dadd6b97e73ea86d1e4a7dad66f7a26b7911b9cc976f39087f72d029ab7566f6d6fbd390832ea2aa45b276cc852622c7cc12406859ae2fe72ddb5e5e5c513

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
3a3d1b1a4b466ef7f7f9bf48236fd6d2

SHA1
21e1e41304fc95c898d542b1a2a92c28a327f1fa

SHA256
7c7ba62da74dfc030d275a7d8fa682b7a357c40797017a515856f7a3489fd92c

SHA512
6c0f42df26d1af9b92cc7626d88b0cae305d6621e18b1a069a954e4c0601126fda8a4b53bc1aaf71b11396a5c3b85eb369a5d73290fcbce43731a66d756d3b21

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6bdf95d479c0d13e4a5252afb1eac1a3

SHA1
c05bf513e4fe41b4f7050d590a38a4697f07dc80

SHA256
6353e97ea2859f00d90dc0418476ee98f383ebf21bbab63d8d2858dee120b167

SHA512
054f8d600545c6bd74b90eb9c84b47f4a60d44516cb1c15e81087a0c4514fd10d8e1ee2d6496b1ffdb0d50ba8713b08206677a13444403693b77d44734d27141

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
807530cb37dc2127d0caa89a988b2f85

SHA1
748e1ccfef12e05f02534535533dd1f99be8e0ca

SHA256
2824497e1bc4211cac8f7b5a0eb60969de89b8bf63116186de915bb0ab9bbe16

SHA512
d4796332e5c42508c80b99e757b70b93f1d10508e695287ffee3934354190e9dfa9aabb64a86094c2b25e7f7fc9769d62393580f147e5692692789e68febc4e5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
21b4840b6b2442f0aa85942bbaae9fc1

SHA1
6928915609e021824f569c85d92545130f2f4b91

SHA256
0cf1ec98b50d3e5609a61c5d17d4788856277b1c8b36ed77fc7e072dd0e3ee00

SHA512
2dbea223555829615886d63386a46e73a45aa23b34579a51c0c7e3e2b2a991f68e02c96f11b0f6188bde7fcc33fc32710b0f2556a0a4f93dfe4e7a03136f7fcd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
cbd67598a9840c7d009432f16aa94291

SHA1
f971251c0bbac2ed7354fb16b9819633247a5f05

SHA256
a3e2d03bfbfcb5d6115bb8c9eb3fbea323f7e3a95d4ca949b138f76bfefb4ce8

SHA512
8d4edf36ca68517e6538552b3c1dac3cc7b1490837acce7578cebb2b1a933495da0fb086bca153d89dee38d4ef8cf08f4aa2d5e165a03a545f5f569b04449167

Download Submit
memory/516-134-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/516-251-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/540-691-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/540-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/920-677-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/920-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1048-83-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1048-79-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1048-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1048-73-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1300-122-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1300-233-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1500-689-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1500-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1692-495-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1692-160-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1716-34-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1716-25-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1716-31-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1716-126-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1772-686-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1772-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1956-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1956-682-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1956-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2428-192-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2428-683-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2688-183-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2688-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2688-57-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2688-51-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2828-205-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2828-684-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2984-96-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2984-87-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3344-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3344-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3344-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3344-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3776-258-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3776-690-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4012-6-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/4012-530-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4012-99-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4012-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4012-1-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/4492-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4492-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4636-100-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4636-221-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4840-137-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4840-257-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4880-19-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4880-11-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4880-17-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4880-18-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4880-125-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5076-685-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5076-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5088-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5088-44-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/5088-38-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/5088-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5088-46-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download