5da6a2754ccb381b27f065bf76e526cf66ccbb8258cccec8ae904f5e166781ec

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3da63f7991e7b13c913887576f9b31a0N.exe
Size

622KB
MD5

3da63f7991e7b13c913887576f9b31a0
SHA1

6388b01e717c7bdd91034766a2ba0557bc3e4f6c
SHA256

5da6a2754ccb381b27f065bf76e526cf66ccbb8258cccec8ae904f5e166781ec
SHA512

4493d0ae1c47cd3ab3c51da0dc04f956d93894de056701ee705dc0b8bafc46af204e7494ddd8507e8bf0d66c400057901c63a519915e59de22fddc6d5ac3d9b1
SSDEEP

12288:IudWCIkeRlk7ugd1EOFcNW2f+zRIxzA0RJ4P3Zu/t4ZJ0FSlg6BdLET7bI/IiN:IudWHRlMugdD+JsRgZRJ4fM430Eg6nE2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3820	alg.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
2712	fxssvc.exe
840	elevation_service.exe
2744	elevation_service.exe
3792	maintenanceservice.exe
3176	msdtc.exe
924	OSE.EXE
776	PerceptionSimulationService.exe
4644	perfhost.exe
2868	locator.exe
4036	SensorDataService.exe
2376	snmptrap.exe
324	spectrum.exe
3836	ssh-agent.exe
3540	TieringEngineService.exe
4840	AgentService.exe
3432	vds.exe
4604	vssvc.exe
1288	wbengine.exe
1304	WmiApSrv.exe
836	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\System32\alg.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1c1b88a6971c363d.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\System32\vds.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105906\java.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	3da63f7991e7b13c913887576f9b31a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3da63f7991e7b13c913887576f9b31a0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005449bec14edada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036a0b8c24edada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c840b3c04edada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e14cec24edada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b4818c04edada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fb0eac24edada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe
1412	3da63f7991e7b13c913887576f9b31a0N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1412	3da63f7991e7b13c913887576f9b31a0N.exe
Token: SeAuditPrivilege	2712	fxssvc.exe
Token: SeRestorePrivilege	3540	TieringEngineService.exe
Token: SeManageVolumePrivilege	3540	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4840	AgentService.exe
Token: SeBackupPrivilege	4604	vssvc.exe
Token: SeRestorePrivilege	4604	vssvc.exe
Token: SeAuditPrivilege	4604	vssvc.exe
Token: SeBackupPrivilege	1288	wbengine.exe
Token: SeRestorePrivilege	1288	wbengine.exe
Token: SeSecurityPrivilege	1288	wbengine.exe
Token: 33	836	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	836	SearchIndexer.exe
Token: SeDebugPrivilege	1412	3da63f7991e7b13c913887576f9b31a0N.exe
Token: SeDebugPrivilege	1412	3da63f7991e7b13c913887576f9b31a0N.exe
Token: SeDebugPrivilege	1412	3da63f7991e7b13c913887576f9b31a0N.exe
Token: SeDebugPrivilege	1412	3da63f7991e7b13c913887576f9b31a0N.exe
Token: SeDebugPrivilege	1412	3da63f7991e7b13c913887576f9b31a0N.exe
Token: SeDebugPrivilege	3820	alg.exe
Token: SeDebugPrivilege	3820	alg.exe
Token: SeDebugPrivilege	3820	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 452	836	SearchIndexer.exe	113
PID 836 wrote to memory of 452	836	SearchIndexer.exe	113
PID 836 wrote to memory of 3636	836	SearchIndexer.exe	114
PID 836 wrote to memory of 3636	836	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3da63f7991e7b13c913887576f9b31a0N.exe
"C:\Users\Admin\AppData\Local\Temp\3da63f7991e7b13c913887576f9b31a0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4572

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:924

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:776

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:324

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2616

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:452
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
773d1ef1527a76d543d4dc426349189e

SHA1
e94453b37dfa2deea6e3765f89a14ae4aa599e48

SHA256
58cd934dd537cabdc8de555f1f997346d178d749708386e5ba5ab6725cb64ded

SHA512
e6aea9c7310f7782fee71ece06bf3d0fb1bcf36ce0b2a9fefce8c15c241f6774f256a81d304561413c6d5830676a6b2a48fbd20307f98ba98069ea20c2db0946

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
4c47e17b1c16922fc7b39e16e5612ce7

SHA1
b27e0df43893bf821434a43936a00e4eeb9a5daa

SHA256
88fb525360244bed2a1896043cf1e17c103eab7e5b487b8275422abc4ff4b3c2

SHA512
2514728d0f9d20664dcf6eadf9e6502b8537de49557e0ed9d1e719fd7f944528b4d18d0d1b9cf8955f6be44a12d63f95d341998bed96f47a47043433ea283688

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
30a24d772a72147667cfb41bc30aca29

SHA1
3b5bf020b49cacc08f7d042eed9ef86cae88f701

SHA256
6731ac65b5c33c7c8739d63fbedf68e07eac85e1ad9fc1f9a7b6bc577c540fbb

SHA512
df2644ad72b54ef23286c2509d5a88b1edd6d3c7de5fd13dec055ae1c612ebde19c76c161af9619a5d415db3319a1faf1c2a17f5c3ce4cf653e0cda0eb6a3638

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7e155052d92d67283f9923dc353c776e

SHA1
963134e659cefe363e21a9044de7a007e94f43f1

SHA256
350a5b4a9a3c2e9dbc8f8fc2ead6b0c882f82fd7f2dd58c09b7b3506ceaa4f0f

SHA512
e47ffd22f8c21523678f0733c2e03789fbd711e6b18b58646ef1d8b253d0c8d12bcb9ac1161a3fd5f0ac06775e53aaabbe88daef7768a18205d30f5401f8360b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
513895ace0c9db281b0e32ee7337a120

SHA1
ad16036928587e7b5a932353e28f33e70ff91e14

SHA256
29279a97452d4b8c01df271a97ce3fa31820675a768852835cb6fd7a5d91cc96

SHA512
a6cf46dc9cf8236fd04728e5eaccaac7231bbcfb93610f754f9b956085e687b367666bc2a85591893df011d5b9236cd9d15ee45038ac5acda705f5602315e9cb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dedc26ba205855d38c093effc44efbf6

SHA1
7b032eaf10b4c6b48859669a76ccd44f8a3ef16b

SHA256
f3cb130a8d3348837853cccf03eca0eed8933eca79e436b945f196bd758c6475

SHA512
7b29be6fd93a496f652df730590c8fc5f43e1b2cdfc3069e09d359a0f1df79d6663bc248c5412ac84f870f4b11f144f82c82906bfb957c5edd5b552ab30205e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
94726edccc40476d9f54b66d2e8aa0eb

SHA1
1c5e2881a098f6953dc80da8c726527a3e2030a4

SHA256
b0c2c475581e94cf75e70b10bcf6053d0a688163ed688e5ee794fe29e6de0759

SHA512
59903d1e0faf6703875f9bfa73d4c7eb71f9121dcb5c4ce67014982d0fbe40b28608482a724d3d0f363d2b0541708e4db78402e1f12efdd69df410a27cf187cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
74fba7d4eb2abb7a7d7777db8c2db76f

SHA1
f42a77809eb8b0d08d9f86d8a268c3cef95fd1d1

SHA256
6106e48b6988daadb9bb0c34a0c05c0b8418d1bcd489a297c01b0c0e95e43574

SHA512
969bb89b716f41a24a391424e15ac76193b6eecd7fec86536d33f207c81aa168e9d3078e028b4541569ebfda18dd2b73299ffc6ded0232aca03682d87eb34a0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
572c42bfd3c8f6e7e0585055baf35ab0

SHA1
77f5f40c02ab4af317391456b04a02e8a57b6294

SHA256
fc01a55eb4b7c13abad80006fb1e87dcbac329263da493961b60b87a6ae00c7d

SHA512
a29eaf86704339727c1cd8d8806c53d8c938dee1ce6c6aaa26f0de3e8e2b436c32cb72db71dc46ed56303b6ef7523b735f94a74deec3172e19dde86e7c89b513

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e2626d630be49e483cd825005906b146

SHA1
f8e64d68f5e21702cc3a33e43a1f73dd1a44542b

SHA256
4a86cc9c1c20170f5b5be5f99acd08541fe386f73e6a4c5fef4a3c0451b3a9fd

SHA512
5a6d60c448a68f8782b60a9855fa1b0a9fc441111768081abbe9a09d4b38f38ff48b9a954bddaef34b484ec7fb6cbe6851295ed5c801e7f3871a1f923cb87a0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
718694040a3e73eeecd712a4555c996b

SHA1
d00397028d525b9b311f657b10806e6f75144ab4

SHA256
b3cd1398d7a0d9d9b9ee20af2e9cd817c75b2f117885383e11a05fd8e3cf3434

SHA512
2b6967e29c90910352b6427ecc22153c275d22fe670a27dc9bfbf6b22f9cad4640b0f695d9384bc51e7a70e992e27fffc48c5fcaba02dd17e1a5661278197653

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
59fd3d749021b16705279ff6c226a4eb

SHA1
66ad9fb30b942599c1692bc200833dce243fd81b

SHA256
44e2515b149486ef0ac3eb7d8863b86136b687484154db1ccb4f66c5be5d22be

SHA512
e9d0cca3479802e8001c9a2c164575e522f9232e178a5b1076906f9f574694d4e25e3f1d4bd687f8e5dfdc40b492df41e65c02188909c8c79df9e9bdb68375e2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
90481eb182440940a7847382aff7a08a

SHA1
851da3e1cea1df40c9ceb8d06ca09f222803671b

SHA256
2362375564008a324f8e49782969e7870bba8ba0be98b818e3b5535e239bf88f

SHA512
e674177e7d147db15cd75d4d9bed0e8b1d4c8e7ac6be8c3c24cf25a52de9619fff07b0f1529cb1f6d5f4f1266100cd1afc9b8969ccfc683bfa637590ae68af37

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7aa530f0cc3358cf9e10b7aa3a86a70e

SHA1
00270f57c756dfe63504d86af52d1456191435ec

SHA256
f2f8f7eb99400db0c1c0b458aa36e26eb1946aee7b91a7d6acf2bf44ffff22fb

SHA512
51a17f3d77532b81fe628c1ebe5c6eac8be7d340c8da95635699a92c82f04589f0f1963af3a02a66aad8eb792d77e352658f3206f888c85a6fbc6c489d3e7597

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a03d58c81fa700bd7b5937df5c54abf9

SHA1
969a1986f51ea7e8cb6ec93de4fb72a3a156e478

SHA256
78efb53694ac0055107d3169185d1f838d8ca6b355d9aa5ffe93102fcc89418e

SHA512
34dcb5aed5a6289d72d2320b4a4a53e2be1e191eff96e61e8bf8ea47925362758afe0e016ba44dfaf0daa4ac37d238ff647be66a6bc78cf1b11d6c53ca181330

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
31d8d9274c3069883f9cae786c1e227e

SHA1
1bb3a5c001257f77a80dbe705ba2113e717c62cb

SHA256
863ced83bd4a1429f2651484ed69e6eb585e193b1ce2f6065b0079ed1e94a196

SHA512
2010bd365172b074da957464c8699b30c37d30b0fb871c7a1d32e12c031874e10de7c59a4daa8b6e2f366495e34ff3660ff65c6251145b8590703623b1f20ca4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c6b11e6edd6f90e182b000699c3f21ae

SHA1
e370db98c3a7a3ae8483dbe8e34c414e427fcbfd

SHA256
f84693f1064d7c28e6ef96d17c332cc66015f4022b09cef80d75d3e3b5b3d5a0

SHA512
232177a715cb6450298e45dfab94e334d5686a181365c17d106844e36ad356f5b87ea94c5beb9a89bce5a2138a482790aee6152c6e040cf6285646293afa7ef8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ca2a219fa25c1caef353ac8d59ce2c3d

SHA1
627c3b3dc653a53b104b846f70aa2604cd113f9b

SHA256
2e815db2e35884dacbb9a8f78e773955b9b850ceb77f49373a32621e67180a82

SHA512
fd3fb818dda34b74745c93fb10b62662973ffdf15022d5d1918891ce68edda1d45e727ac2deff1171e92ed2782e5972cb476acc04d1569a1aa7e75aeac4d7e3a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
27194dcaf9ced2a849c8b074099c4917

SHA1
5ea40efba4cfed66c4d67dca66fd082fcef205f4

SHA256
5713893f2c1c817fccea77a6995ae03d6e771cf32d03baf50a07e11e756db383

SHA512
a9b5dcf512ec5fd9914d31b300150623f1bf0f19df72d4a2ceb3dfa9a029eaa99caf7ffd0c6667af58218f3b30b23a304a051c86971ff966954d0d7a1375b87d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fdfd1bc858fe8bc794d561bf53240202

SHA1
8d50a48b47bce00e04c532b5094c2524c05f2e04

SHA256
1b7a71008b26bb0fd29865be53e07afea9bf9baf899eb2a54aa648c3d9e9ddfe

SHA512
cbb9051a767a078338925fc767a17af5fa6ada9a17869c9c0c8df22ce76cd6923cf8cdfacda21459bf1795db210572d0283f9ddfb0befab1a2cfff2aea2a5bf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
33a4fdbde1aa540b8fd70483105882df

SHA1
d9c226b6fea511a6fd2db888a309400cfac9dc2b

SHA256
2438d4ab32ce8070376d1fce7b7cc6950ad7397bf3f89ec17b87f43b1c513113

SHA512
a977b9692a7ee7ff9efd5f2cf28721d6736c682524c8bdf2ec215cd970e2b4d44b3cc95fc3d2f1b438f2aa0de54d092ea06e7055767639ef0cc59782e2fafe42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
24a64aef600b0388ed53d42d5a215791

SHA1
235614b180e6cfc57d18dd0e64dc9ca794bde890

SHA256
706e7e00ecbfdd8a47fb5552257caf01fc5de544a6e2b20167bf7cbeb314bf2c

SHA512
31b8337a378ce029dc7f4c00d8332be5938ad90d5a7cde172e51698514614a2270040d2b860eadf523a657bd03bb422619e8b700cb06d6b1f2e36c155b3aae8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
8e40ac3650bca405fc86f6af36f5f246

SHA1
7f86f75dc7cc322c4fd50a5670d8a2c7ea5841b7

SHA256
50139e3be004ca81f68e173dc6e3477aad632463c52eb513e4a836e527e686c1

SHA512
c70ce57180c733323b9aaa447dbc1a73cc8e5884c5502937bd0ddd600bbec040a87a81157afd44cd5c79015cce28edbc799d0dbc3e9a13c7753c475d1889a2f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7494c3685327df45fc6717194c1cd1e4

SHA1
901d6fc8a54e8c4fba8f9ba7f359a31429e3ae6d

SHA256
8f3c9f70b27811221be4675b76ade80b9b13e66f79b51aaa63066deaa25d2a4d

SHA512
4ec7bec4d37b2beae6399555fcaa2546f25d5d125f4bed68aa0bbb321aa3fca5ff6ed0963cb86153b204a5749ea4de65a92f327840467d5bfad947e82d41754b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ec84d221b9e490bcb939fee4a8b57c56

SHA1
036d64a6c8235f47a233f325641e26db78a33a8e

SHA256
fc5bfe9814746b544ca77ab61a7e393aba12dd01424076883145df4758169ce8

SHA512
cf8171de1f245ca5929cd8f700d6506cafe785891d59768a74a78052b7820b1d1060a053f9fdfb20374875d300d16ee133565ea34edeb3e493302b4b1ac80138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
07c24534565162d286fc1ed360121461

SHA1
92323bd07d4d2780dd44141fceccffd0670a6d75

SHA256
b3571d2bf77e65daa6786785cbb07346b3c5b5a32f38fd8b130ef49f5ed355e7

SHA512
50d29a4907c1158d91e60b4206f29255b5015f8aa9745fd1c00ced165e283308d2e3e4f5f718d848ef488f01a58fa1f7770e4b54828800cbd670848ecfc8ed4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
037291502a9fc2a4c24b6130ffb79387

SHA1
52a11cf4128ccbae153b2045da1a2ba0f4c282ce

SHA256
da14d8940f635974f1ed20c38d3c280dee602ddccab6df7fd72c6a8fd3f3cca0

SHA512
20bd48516d29d8198abde6acd81c6bff83d0752f98ea1020f01d75ad5785ef17ecf1b504fe8f28fed6f6f3dcc0f03080e547adafacec85b7d79d3d83693b61f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
edfbfac72bb7ad1169e34d3f29d01f6d

SHA1
9571d9703c063aefe849d8d8911c1d1ba16d4e46

SHA256
d1bf0144492a9d24bc17da90c64d44ba3a04b3de2cde7d4c94b347017f82c6c1

SHA512
08ab47627b15ad85a910bcb0fc9492402fa7cf9592bda2ba5510bc7843945c27aae100fe7f3f21788c73b2b0fc44caa5b1b4eef22724f903cc3aa57702ae3dd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8984ef01388d77ff90a7573faa1988cb

SHA1
4c1ae26946cea9da9cd988be09ac2c0b9584008d

SHA256
b8cc73179e8b9a77b27a95ecd91c2fc50d70a0ac9eff684f5f3ce2f390e043bc

SHA512
bbc7a1c93bf8c745ac7f57017bb5243116152ee9319f1f700aa477acdedf542b7c4d3c3a10bdf57541ce7bb879593922bd6f4d62d3bb0ec96752afce13dff29a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
dd6991188086ac823e9a12ee44735bcb

SHA1
c9658f54627cf5327cca5480a192ffa785d12487

SHA256
ac6f8e5ae0e1ef75f52587c2b29266df1b0bf831ff0f73783883e0eb26a8e728

SHA512
35b715b0ec2f102ed97017ebd41cd3a4f57d1a296d4ab81be72130603b8dd99645e48b94b3954a946fd2e8d25395ffb3f8d34a1adb241bd51950440508b58d9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ca330623e922b5a89d9dd224a6bab057

SHA1
56eee91247d40dccf42dd5d96739d149c5fe7cb9

SHA256
be9430f0abbe39b29fed609d94de6a2e634499456764b6bb2ef635253e7375d3

SHA512
4dad9b5fc8b4a4f441bacbd817f9e4fd33ba677574c0c41e198b0fed9dd1a8542d5c4e01810cd8fdbf243cb936a6ed1831afc4b20b84cecb0696ebb24f713eb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2b5777de5b8d2ce59820d653349f78f8

SHA1
b18eb036e0c46ae010011a29fe6fb2c1a6c7926e

SHA256
cc12fd244a0e2aae3b3b93248574bf66bbb7fe7fd09910ee90f23cd56da0f9bd

SHA512
aac7a935c88b3602569925989998aecc8a33a5740f8516ab404615075c0064dbacee21154a3ba22cc231f8fd48c44b0fa7afd570992a954b1df9993c6a63c1a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ba7e75e67df5b087a8150be4230b634e

SHA1
1ba990121f5dd66fb9acb2e2f254deb10fa8e160

SHA256
7d6fa42b2c205d23a6e48f93ea148d0df7bbe4c57ce05a68d51a34dd37b63695

SHA512
be492488bc687b16b58e765a5f8038ed7f9db3379d4daaf016eea926994a9f5bc25d28f1239a55c0c6bcac5db752e66c88f0e3c449bbdd9674d4b0a1ff0bf0ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ca60b77ea44e319fb08c1178d8288c69

SHA1
9628756d28e916b60de5c6f391141c2cd94f56ac

SHA256
fe5979ddc83f97cade7eeef507a4fded3c4d9e7b04c9ec387360f090092e21a8

SHA512
056f64689b8cca655a92f371056aeeceb0151e9b41c4adccac838afe29a98358334cc5c641dfe2a4f237c1e919f5f35de03719cdd607e39f584b63c5ef5592cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
031f6a1634169872b662d4f1580a63d4

SHA1
24ea1f5ef4af72177f37da5cb50fc0fae84bd8c8

SHA256
809395577d1a9f7ffd7e163285aa9eb25273d09f6da0642072c840b701227adc

SHA512
df0567323b4a8b18ad6666fdd3e074b9d16e81f0150be8e949945ae30b4ad663669c6c7263d7818057390b2964c4569199fd9eaa0df91f957711f49b10340d92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c09b334e768889a8d439d3647ca718c6

SHA1
9d1e2e4d1f1542f01fb86035e69a072f012a508f

SHA256
593b56a9a34355ea835f770b6d5d1d80a2026d32d183e9b056c5f718def044a0

SHA512
33ed2a036572718fd534a6f539d23fd873c45b63d2eceeadbac762735ab8d1cb9472608372252c62e45ebf953dd7d40339918a30c2900f0617abbee5ea7ef17f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d3e57218aa7f4179793ac134a12c1c25

SHA1
d2ca580343ca1082deb0dd0066d7310eea655a55

SHA256
fe2e16f12863b4d9686cbfa70a31c9e4b3b3ade4a5e3b4539c7c70de14ca36d4

SHA512
95b5f524eeedde341f391c0b7c921e4f98f8b547b9f77186a3a41c07371d2cb9b5a4621d22611f1a4ec6c4f1b37672881c20954e17dee10ce878be96b92c99c1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7b5f6dce83e1a0164a2dfcca495d55c0

SHA1
a25a4f70197fbc315da3e305c3cb2952de540e3b

SHA256
932edd31a6b7ecdcaf8d033a3963cb738344cf8a3c00c429e5ba12561c1b3009

SHA512
da9e5cecfa5c9214f56f5b90a223a1ce3d6f1116f4f7f3c9dcc7e7ea61c805c637c82e3c5b5b8f20f5894374c42ed8a10032a15408cf9c9e90492116dbd1c01a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2f622becf1d94ae5d57e2038b8e64dc3

SHA1
151c03bfa11185ca3e1a1cc4387fe1b797fac0ef

SHA256
5ff87d4cb118a164fce26a9d75021f7a5f5c6e1ca9cce259ae974611d96514d1

SHA512
8c2f6a02b1d92de0920e1f432e1d9b63500fcb104a55503f43fe33ff688ad09e597ce4e4ee677d17a42feb22b5c3abdb9ee6d784c1357f89a4a138d54bdd7eba

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d4c447579d7d4b7d0c7225e10bb6ae50

SHA1
e6e1b4f52e38f6d21f803a80215a4988f043455e

SHA256
4f8ce5ddaa6e9b8d3fdf7258c7fc3fcfec3795469165262fa229dafe5d86f5f9

SHA512
f5f064a85a75b7dec89e15097feef700adbe43ef5d860f821e5d418b88caeee5c2e0a39c93911e52e66c29caaa40a8f1700a0ea03d30f3dd215c3c307090a096

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4045f64f09f1076463729e242752c299

SHA1
1b4b8447a6b4981ebc531c89d0ee4a7b5a266d00

SHA256
78186906ea009a863c400783dad3d78b36801c0f39173217f3c40a349a6ce05b

SHA512
ef4f57d66150031b8bebc4970607362b6d3504dedacc91a4c97e7d22c3185a7f37884f8b5e1e71513f52716a034c9accb6129c9b99e5c456f184715950a5b482

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c45103ded209ab562275032cccfa7695

SHA1
d9f67fb98d10517462af38635523e961b634bdfc

SHA256
8fdc4eececc79bbd3c6eacb337188b4683e4889b6facfc8bfb4acaf002fffb09

SHA512
db7433b8d82b69c1a61c1895012d3a78b2456fea5adae256e839dde8ec6cc56f6e75c7bf957dd0fcda790b049a0576fa0cac9cb97f696e54b564d42ff5217fa4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7b0624a91159cec5ca830abe34b3ae82

SHA1
a487f4f57367eefab209c86580e10d5b1949db9f

SHA256
37dcd814352363eac866cba42a4b6bf6dbb193b2fa0cd82ec38ae6c3501c5dd0

SHA512
776d512139700e451350642ac02b8e77a5a850f44c9013139dc6943df4e80b386073428e6525aeb010176b44321094c6bc4d917dc8cc8b4ee1e229f9e8004451

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
616c26ec4430b97005d776d93fe0931e

SHA1
f83a183dddbb21e26f9fdc173a11fa579117ebd4

SHA256
f8b4ce452a390b7ee05f7d789688e6c0e8cf8004ad52743e82df4697cf929c24

SHA512
daec9578ae0bf48a4f7afb7ad1815cde0066f0e3c4fa8f44b3fe6be87f06e7a29f61a4c54d915044f1d897b24d21c2640638b2ce392a68f533eeea4b6e490f54

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2f59f54c2d9d07dfc8589b1913edf482

SHA1
5e2903cb5ddefbac706634b4da7817e8f4b36903

SHA256
6644776374d7bd5a4a214621a10116904178a7c6c863ae3cd287b388361c13ed

SHA512
534bca72a5a65d1cba07abe23636f45e1da5be975dbab25ad5ea622bcac5715e3d7329bc1e113ef7bf57ba148dfef3b96246971afb34408a045b5e6e1c59d978

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4f9cb4e4d5883bf97b6b5910541b4ea1

SHA1
0c2a002baaddf6443338cfc156ef389c5899d8c4

SHA256
2934a7de4d2dab12fb6af802fbf650cefd61c3f060289075d8cc765c0507ce2f

SHA512
5fe855a083b34f4527d9ecd82bb8fff265b0b982657f5ad780ad5c205d0c3cd69270d5ac302e353ff72f914fcc33d32b794991887ab11da51ef1d676dd310b4c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fe407fdc71f9e88aae8f57316b1a04dd

SHA1
43d85e8e63daf6b32d86db2e211d24ea63b0b4bc

SHA256
96bb7198d7d01ec7ef8bb530cc232eaa2425edaf0108466c168fd970cd307e3b

SHA512
e6f748e4d0aee393374744eff02243674389da603d0836a0e88d31a5999091b0c781adad15367c13c622d06ba939b27b4efffcd79c86c6408ac4d8030d10f2fe

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6892a16ca518084e0b8cfeecd6e6c8f3

SHA1
bd921e400d1cae46ad6f2b5397049938414b5fed

SHA256
e98a97c8729b039cbd526dee9888f299ef8e04b48419703123893a750f2e705a

SHA512
479dafbd8707b7d9cae3ee6ac1189c46f885e47b479352baef0cfb3997c4f4242bf3ed65112ad50b7cd1506b32500e29ef5a5ecdba8b53d7db9afd78f75306e1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
56ccf5e64a88b462dd72d30087f8d823

SHA1
310c7f1e877bb516e9c54b99639bc6b98545b9ce

SHA256
5ff7e41320dcac73cadb95f0e22fec43c6cf83eb54ba7a6e715ca3feb58079c2

SHA512
3e910c080afa129cd29170eadad132603fae3aad367a91b9d5eaace80035329a8cb5a86c3b860b85b00b780e710a27130fe321f3d21446a522ad0487d94dcde9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9f15883d3cc9639fc296216544e25231

SHA1
f223959fc1af124606dcb672d23a0cf68ec0a200

SHA256
82303defebf9c52496189e671e042ba5ff014168bb3804b2e17f20a8915a2358

SHA512
563fbf916c0cf75b3c39f7ea364c82c0dd245bbd496f30f313b0a021e38cd71977197b6a91cee982d13b8da5b1da413e879fe20f9049d3e5b91823292e41abe3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b7881fd53eef9a1e4e85e51420d3131f

SHA1
4e48ffe768993f02294d42b06b5ba6be6a2bdb4b

SHA256
29ebb3655a3729fe0c40675af3f2b5e87bc13c2203f9bfe9ea0ff81d072736d7

SHA512
fe15c48a052cda53ab23991928b74906ba660dab1069acd4617cd4df1c63394de8e39d47b5c405711e18cb41f8cfdd16fefd978bd78a1f10f0464da813b5dea8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3ed552a3ab0848d4ab22b93e861fffaf

SHA1
5f5a55fe68af40168abd6eb076e9bf059adc7ac2

SHA256
090430d741e42b682da2c9b2e7891129f7e9726263b421f1baf7416011f7ba91

SHA512
258792f928f32b9e44031c74ec000afdd791a2ce1327f2a8fe832117b3d3113b832f39c690091e2b6dc7862f4892c98562a9987bf4266dccd06d4df5caa10a77

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
85e34e81152fdad57e4fa569b1cfaac9

SHA1
4e96334e973491f814ef6b87a98a9f62b5b214fe

SHA256
ba024e6f3d080ae81c08f21751f0249481b54d3e73c49a030aaf45ff47229d12

SHA512
545dc229c24edd4bc4ab7aa98b50e54ae4deddf5ae3dd78bb294650b942b76ac39b39425fd9156120b7762941c13aeba0abdf889f0e6e1f10789a692bd50f054

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
760e7eec27f9b0a72afae89a8af108de

SHA1
3acd7d35c01168addcc37238fd84e3921ccba14b

SHA256
c0ce55264cff95c873ce4627f277e6f4f015cb801c371c1432cbf2117ee1723f

SHA512
e5f95e37876fcf45756c61cdd75a04cad4dac56351aeb3fd4c07e80c41ed3e35cb602de63db803d5e8ba1269876a578a4517f816f45b1e6bf64eb383029bfddd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
db8ac8b1f9e79b35444358b75b337d67

SHA1
f52770ac89c9fa924ce818e4e66fb6ded9c3fd66

SHA256
df965a306ef792f0646393e1b3200b36095577a09fcc8e8e0278c7953ae86764

SHA512
ac30ab819d3ad77900ea677b0b6537831905d34349bb0811c7158ab647c17121be08514f7357357b41afa061aedbba6b6a81ff52348fc945dedb6633691b55b7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7c3d692113cf8172e1a9d2477b8ccefe

SHA1
700fe044568fcf97d25c90934b3e1b11c5c9cb6a

SHA256
d272a3ee64f06f61cff79efdb8eeac43f5e37536c9180a1556427f93c5952d8b

SHA512
5f60a4257fd99faa3795de0c6021fb812828cfe9411740eb4c470287e77d7ca28e15458a4833ac1a758288d9f733105813f796a0875689de7aafdc1486a969d5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d3a5e298ac8a05d111c21c7cba8c3da9

SHA1
446a686d9d201d09c033a35e54b657a49b935eea

SHA256
2382fa03658a489b6a5469cd10b588841168ac47488dd7b2e3c9910a83a4e3e2

SHA512
78b1ed5ffd43b9e07e6224d97fe1c4d7ce2217c113b0aa920ac62ed0fc50258a298bcd9312563ba318a852b329dcb96df92a367178eaba278cbc21afb93076ff

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b389af5fdec42a7f8f5b7bed94e48cba

SHA1
a69c60de3a67e00fd86b32e4d0b6983a7cd4f450

SHA256
8209658d859044e8c779b114167e50b47bf4244646a74b17dc1f16ff22f3fe2e

SHA512
f61398c9d539e64433fccb36352c2514c8dadee89fa7929512c74bf71ff537f39fd44a3a2bcff8f65fbdbbadea52e013c2c7d7d4d98038ba34c79d835599ffb4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5e00130e605f723b2d57eedf8b577ee3

SHA1
1f6bde65473fbcd1032a2f1ea31410308e791a29

SHA256
aab49ba9be601a537e614caf9e0aeb8b366e2531878a05171f68230186190d3b

SHA512
0483f9cbcaffff07fcc6ccdba9778dc86446003695f955f1214b1e5dd8b2c97fd74d8346ecf8a82a5710a64ad4a6198cdc9f8f4cba4c6114e4a98e195010f8b6

Download Submit
memory/324-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/324-597-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/776-126-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/836-303-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/836-602-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/840-436-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/840-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/840-52-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/840-58-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/924-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/924-596-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1288-301-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1304-302-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1304-601-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1412-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1412-1-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/1412-8-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/1412-99-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1412-6-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/1988-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1988-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1988-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2376-185-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2712-49-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2712-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2712-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2712-44-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2712-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2744-462-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2744-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2744-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2744-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2868-150-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3176-89-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3176-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3432-263-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3540-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3792-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3792-80-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3792-85-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3792-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3792-74-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3820-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3820-125-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3820-13-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3820-19-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3836-184-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4036-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-563-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4604-264-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4604-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4644-149-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4840-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4840-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download