c9bc87c4c3f16a9650e096997a5d3618d5a09126482400773e3e15bca85af43c

Analysis

max time kernel
118s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

589b7929eadfa0957a4e2e402f13db10N.exe
Size

1.3MB
MD5

589b7929eadfa0957a4e2e402f13db10
SHA1

62fc17587fc7b40c8bdeaef90891424560a25bd2
SHA256

c9bc87c4c3f16a9650e096997a5d3618d5a09126482400773e3e15bca85af43c
SHA512

1998bf55b59f3662c47871fab19f6faa12d86928d51f1c2cf05c22f37c659235e367449c1cbaca1961621158ab0f175a44bb2d4869c008a6a341d7ed1746eeef
SSDEEP

24576:T4oTPkCgwCbae/Fk6OvgcyTNjx+mZCkt76f/24pN+XNqNG6hditW:8oTcwSFkeXf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
764	alg.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
3908	fxssvc.exe
4348	elevation_service.exe
3044	elevation_service.exe
1188	maintenanceservice.exe
2400	msdtc.exe
2868	OSE.EXE
4000	PerceptionSimulationService.exe
1316	perfhost.exe
1752	locator.exe
3516	SensorDataService.exe
2660	snmptrap.exe
4232	spectrum.exe
1692	ssh-agent.exe
4932	TieringEngineService.exe
408	AgentService.exe
4772	vds.exe
2480	vssvc.exe
396	wbengine.exe
4688	WmiApSrv.exe
1012	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cd0e64496003136b.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\System32\vds.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	589b7929eadfa0957a4e2e402f13db10N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	589b7929eadfa0957a4e2e402f13db10N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7c21841aedcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c28dd40aedcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8845b41aedcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4777242aedcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009dace40aedcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091b00541aedcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011e75d41aedcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3793442aedcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fefc3241aedcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	940	589b7929eadfa0957a4e2e402f13db10N.exe
Token: SeAuditPrivilege	3908	fxssvc.exe
Token: SeRestorePrivilege	4932	TieringEngineService.exe
Token: SeManageVolumePrivilege	4932	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	408	AgentService.exe
Token: SeBackupPrivilege	2480	vssvc.exe
Token: SeRestorePrivilege	2480	vssvc.exe
Token: SeAuditPrivilege	2480	vssvc.exe
Token: SeBackupPrivilege	396	wbengine.exe
Token: SeRestorePrivilege	396	wbengine.exe
Token: SeSecurityPrivilege	396	wbengine.exe
Token: 33	1012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeDebugPrivilege	764	alg.exe
Token: SeDebugPrivilege	764	alg.exe
Token: SeDebugPrivilege	764	alg.exe
Token: SeDebugPrivilege	4840	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3536	1012	SearchIndexer.exe	117
PID 1012 wrote to memory of 3536	1012	SearchIndexer.exe	117
PID 1012 wrote to memory of 5124	1012	SearchIndexer.exe	118
PID 1012 wrote to memory of 5124	1012	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\589b7929eadfa0957a4e2e402f13db10N.exe
"C:\Users\Admin\AppData\Local\Temp\589b7929eadfa0957a4e2e402f13db10N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3044

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3516

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3768

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3536
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
35615eeb29cae6df75e23fc814c42836

SHA1
bddee6a4af848fe52c09861b34e776a1c2db801e

SHA256
952a19c94f7a7113a07fd3843c6d7e82ace1283ab7482af172c206a18d2060fe

SHA512
e59c8e36685dfaaf58d1385619545bba23675b91aaae3e44e5a22575060d288bee4f48fb6056bdd78f7caf1c3c69e378c0f24dc33a3111777035a906121a9fe9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
78e3502ac9e2d91a789d5415c31f570b

SHA1
73ffffb41b34d9458952d505e3b32287dadd206b

SHA256
ce56bbd138e0dc0d70cfd12a60aafb08c8ea777de7a012f56fcdf6488c876ec3

SHA512
6c0016c2b104caaa14ce7f9dd4c39f7c1996f4729a25754af2b38b70a4276c9c703c1c19b23f30590db112b2b8c3d4e78c096bdf6522c9a4b48dce154af03f24

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
aab37ad1102d0149fa9e190ab3dc58ce

SHA1
90ba47eb052d3633da20f6ed1e95149be1e3ea44

SHA256
32103d95f62ab787d26e6bbc5f0ae9bf9b2b8e0ac4621b93899bf64082588d8f

SHA512
8127e9a2f1dbdadc73a43c9d0da8dbb6d30c64269d194d8126ed55d7a2cdd6a0953d7e215ee34e80480a855efede85eec2d4ef5041601fc560989d17eb1f3f51

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3b7f594047418a162569e203403cbd73

SHA1
b97a6d5064f9e7c12865ca2dc18584a62678c952

SHA256
74408b8f856a456419ea16cafa2dd326cc0dd4c680643fb3778d0565f01f10f2

SHA512
9fb69c679232a84962e9afe327b3a294971eb8dcbcb9cf11546c4cfc0eed1984fcf75b044e40c25dfb92a5ba29f0fc3d6a5adb59b66f11105b8f26c57b411545

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3f4826d7e41c8ad3b803ed7045a94b64

SHA1
1d73461a3c14bf979e4faa12099b9bdf9bd89f72

SHA256
4e1e711895b9dce6548af11ddc616220e16f1f6543ffa7563a67a596cbbc3b2d

SHA512
cc5c237a1ef0657b80c00374a9a09898732fca4f78651c4d7894fff79882af447a9c30e910ac934e545bba02bbc1f53a44dd36bf87519c70fa04889ea3b7d4d2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a5f39038d3c56f61994cdcfd6faaf3d7

SHA1
4c03c8148af13fdc89371b555691aed79c08fb9a

SHA256
516de4893ea8b02dac663b1a7d89352a866fbd0b3f5c8cc195b43f09308bdfd2

SHA512
919080732adccf8c30ceff52f18c8e01e38b1bd295d4dbf00b14c00deb9dad82209c3766d5bb72fd663f031ce53afa1c11ebb22fe475799b692b1ef6f64839a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7d2603a3592900bcb2ed46484ec5f59f

SHA1
ea408d807b17c2fe3aa7afad71f58ce3d6773c83

SHA256
d7e87f6779e5a2858b8bb35eec614291c9a33c241a1b9e11ba2a5804eb752689

SHA512
65e76efeafb3d8b7123c0d2a9afdcb87733e383a3ddcdd3f98130e9edb3fcd445807d1fe5945b76c71127d977d85367dde24eda7396e37127d07c68edd2b5a8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a227f03bbb7c970cc09cd0a45465cf5e

SHA1
7f84af9d1cd5bde97d21ecbe50777e2a001130dd

SHA256
60297a7b6410641aa9d74a4eca7c7835a4d1782b9e68e89c7739e4853e504720

SHA512
4267a92550d994985b0c66acdbbb77e0ec3abdce81774ff2008add8e7534adff2b1bac420ece5a31cd8a89580f1fcf959687b33fad042640649cb18344f22757

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
de83485ffd4e78c76087a73d3964b4f9

SHA1
a14967f4dcc2f8a521569217ea8efbbd810d61ec

SHA256
f5129a795a7b3330072a48169c4cd761f0073e91a6b0168082eda0133adc85c7

SHA512
dba5b02a6f26e205e5146cb23a6ad04281f819f06ab570acf65eb43fa5b23125e5a3572d3296cf0c43421916b95e695a1f2e00f77182dfebe7c9086282fbc98b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0402f4d395617e9953401ea3064977e9

SHA1
459adc08396d86cdd8b737fc0567cc8d18b83a57

SHA256
38f0ea382d0fe61b730d9585111fcb0cf218dd13dd6d4c0da3387dac701d436d

SHA512
9b4f6fc4827a8347ba7275895f923cdbf9857661ee8cccff1877700b61261ddd3e332449247d42ca27ff2844815e252c0bb5af00e36e4ad8dbcb2b031ec67501

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
60d67f0ffce756987e7e54583609e0e4

SHA1
09bf027e5e7f596067f4b745b94d418f725d34a1

SHA256
5c7a5065d51ac5c1b3da9de0cd38716804e0b1098c50b8cbb4178102699bb0cb

SHA512
6af2b74d6508f65973c5550a626b61819b23d495b52a3212a7bdd4e2dad94f7464e1c084e352e6a347964750ef760a4344390ac4a11939d6732b0c91c8a4934c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4a332b4e01bec4a270c03a628ea6b357

SHA1
0f7daf7c911953d14624ea12e726e48eef9b04a0

SHA256
d067684d81423f81b2435848273416d69fd0983a2b7303ae25545904bccc5485

SHA512
c599b3fa6a7d5225323a14701a9f640280de4a232be2bcfaddbaf7ff3482af4ffde3778a5a059ba2921db82f856ec320841a2ee4e71bae3a0d8080c05edbcac4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
f6343d09f0d7ad640237c90ce968eab7

SHA1
2e71bad853e50b514d6e128f09f66b6c967ae030

SHA256
bb1332587fa1015db5470b784b406f2e254253356a93c2a77f30c4c4e6ae0f46

SHA512
b47e40f915e1c33db0e250d74860f492ee6ed47fccacbf6748c94a843984be2000fbdbd42676390dcdb3a329111c297eedab4a6715e45391819b4dabffe824e0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
97184e5af464e5d99336a7952fdc9e35

SHA1
60cdd0e4460e16845ddd6d3557bbed409a8e406d

SHA256
fe0e5d55de2e46a3690f55c438f9d2831433e7607fb298f67028e04e7f14616f

SHA512
26631e0008f41c66bb0ccfc5591bcca51e858605753a1802ef163eb7445a63fa318db5c3e90aa2a6830b41bcd5c1a60cde344b122276a2aca2745b267adc36af

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b2d3cb7e7cd563943f9c6df2438a09cf

SHA1
57f10ba26fded8afc85ab256a19e1f946b6ce299

SHA256
d5918c21ea97f0a774054cf903b18f469328489dfae9306a68915a17284b74e9

SHA512
22d9d2a687cc41ed3bc66dc85b0b97075d14165b37cece86f516b79ccf95e5801d09b7db17283a3b687e2c55697c9be27074831a43c3b78e06c9c4caf85f5a1c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
54ef897a128b052d3412d44ecd869be2

SHA1
fed6b0da37860d4525290e5834eb6c2ef64dc188

SHA256
7253aa88e31f3c1eadc9d4e1e6556190574b2286be19adfaa5cf3c256be41b0a

SHA512
abab6d040705bbcec0197d36037a7a51d9feba9e78cf22fc6beceece6268a9d5f0a6c94459460f8ea1659d582219a190d53d111c8f577f862b0d888ee0b7af5b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
64f76954079a5cfe3ec2e5f806ba2357

SHA1
f132952a8f226ab9f759f01756e1adefe1850736

SHA256
9f013525feb6d8a7cd2cadcfc0cea42a887510c648f560ef5ed2a708f62166f6

SHA512
67ba8aa7ec020da2419350217a0b87e5beb8e0040f3a20f265d8ccbceda956ce697ea5b238aa4cf5e7487f04a9ccffa804e13f9bf07688442acf59c51594c2d2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
52e201b3432e89c6be91b6b15f4d0687

SHA1
0f93f7c0fb8c36f0d27444ab916eba3f96b61f3b

SHA256
4fa6484ceea0f9d0ebb8a7e60367fcedcc1a37ddc70f9c1b5c42fa3f71ae43a6

SHA512
706d952c1f7b244390ab5d0bf4cfc5989a243a04b2e2226727be4b793296bb0239a9ce070bf771375c577059787a48c2b6ed152e89b187ec9a7b72f7eee992be

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
b58c2c7d9f70dedfc43024ca3233fed8

SHA1
6949b7cbb830e840f6f8bbfaec8da00769caf5c8

SHA256
9a8dc50be44f1b46bce340cd39ac214a86f30497031e943cccf362b840c03caf

SHA512
bd15e14334502b71cc0fdee07ccfe09075847e790b25c8941979f57c6dd4fda9b1c441c495dd75789a78af5b2ae3f62dc0ce79d8254fe2cb1a4f00bd08ebfabe

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
040abb48123d630bd2e9f004601a8417

SHA1
9df5380aa9740656f5252a2bbde75872c39c1f3d

SHA256
4c59dc2906f2e67478efa64e7467a636b5edf64411bb344917b1adc790aa0fdd

SHA512
3cd45b5431cbb79b3283f16f93ba3a5a2f4840a2a93ea3a6f77242e284631b9474de08a608f1d90a00e71f6d77137b68f2bc03127ef4e028a521a6abd22ca0f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
bd9129125fe92e0ff36731ed73b62fac

SHA1
9f620d3daae9fa4c49b58804465e85f2c59cbc3f

SHA256
3557ef3205ef88ad57607de1f6f9daba24626f5ece52f1441c8761895403ae57

SHA512
776f959ccaf407959a7700569cc3ae96da8e216f5f75eb116d10539b3a5dd89b69dff0cd43ec0aa575e73662c98b4e3169bedd730990ee4b802a344cfcf2daef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
e6c253e679be401987b8f5a351b3dc4b

SHA1
7e74cf216374418b3cb6e2aa2512cb5e34e14c87

SHA256
839d7efb00d867023e8c743c9e305367b780c477db8d099d367efa9746df3465

SHA512
a0cd917dde22755f24145da16e6cd61728daa791c84b583c29dcce9c1f794ccaefe96a7005a58017bde29e307cc6a38df13928c78de6148c616b0bc2ab24b189

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
9aa6ad224e4554edfc0d195e872e8cb8

SHA1
67cc92e929c60aefa507a088db05795210d65e5c

SHA256
28d83bee0a66e4fc4858a6ad9a101637fd3eb2d95f8ad09484b5080e958f898e

SHA512
1ea30c07942e63a02d39f3c611e624ef781cd88f0344c2969a5f07676b700529169f34bec68d6a81c921aa47986604842a923bee257c472eeccd797bac0e77c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
c559e2cd6d96499c66c0b4584a4cd4dd

SHA1
2266d5f40120f16911dbcdee612d0d6e3d592843

SHA256
df93b2910a92b8879e0868196a9c6265762a07600e59d8bd3612c72e84abc509

SHA512
9f5851ebb36b06cb8571fab502786e68aa5bd1675b43f7ef48c2e920a1e86c58b1659ba5e9756ca6678dcd48309aa3678308d2778afbc483c10eff1b1abfc799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
506324f113855e2a93f31940f5bb85ec

SHA1
fe5804218dfbe1c44eb1d0429a104d17d80e26b3

SHA256
d714e27e2039abc05026a916b9e212d4b38869bc4737f42fb8ff3c081d539052

SHA512
eeb1a50e9ac666ad93039278b26348582a1e9c617adfe2af6dbd3f18123d3ee6638d8cf42a88c330bd87d2d4d488dfae166dd2d12562014fa81ff27cc2066bd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
2c2ff0052253cab4c7cb6b105b4dac14

SHA1
89d0ebce9825d77b003e72c7e39720b3a10cf4cb

SHA256
64314fed86289f793f8d1898b3109cff5c69a9213cab8e853e3b424d58e16b99

SHA512
bdec8a5c3751818805e940e79a63a51e6fe102941242580bfe5fe8f0d891ea6bd14b2dfb24e8f4b7bfe2730d0acab4d9a6b3a325bc9adc10e45f7d6be73dce3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
75be8ddd6c918ef0c164fb2c72ae1a88

SHA1
6b8a89d3c04e70e625b6f15bf59ee74999a174a7

SHA256
a9ee21f3af5efbe9cf35ea892198fb9f3a5ee4d29bea33a3dceda55b0cb1b1cc

SHA512
bf410e8a197157baf7a6d8a04be5be7ce29dcb80c31a6bcbd5531a5cde3b62a32fddf262d2e33a36c784e742f7764079c94cb3d7dbefb3351a24ba2893267d2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
78ba91afe508bd5cc5af8a7ff596852b

SHA1
9a9d37caedf718ce4fb1cfd6ef7ad37874b422e8

SHA256
35941b936ee0006f4dc50689d6982fc6aa48b520ee0cf39573672833b2f519f7

SHA512
34a4067c6d6be7a9bae24211c9be6b023ad992fd271dac24d39128cc5623b685cb92545f9bb234a409defd60b9d244eb6e3f3027d995c43776dd24260e071391

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
42e14b5a9598b6f65f2ae5bb8b1a9eed

SHA1
07058b62a97eefed9fbaea4bac54eb8a8c609882

SHA256
b3b0dbe426555f3e9e83c3c8133f252cca28d19e7341660b957fc7d365a9e851

SHA512
cb62b38069830b602d33b187905ce92e8695d40891f3eeaf8c1547124262b8cf1fc7d84721f7ccf1179c4d0981f87aa068b7b603360c58ef8f842dfd615e614c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
d589fe8e2cfa6f257e430433c47f5f0d

SHA1
5e0491ea0e9f8963f598647e3fc1122b6eae2bb8

SHA256
fc789b9d4c672cd743af3c6e089daa15bb85a22b488084a11fb40a2b2eb3ee9b

SHA512
660086f5517c1fa06e4fe82685a2d98a6393e23d42014bca764da4d6cb28b63f95586f592dc1c832bf510f4c297102aafb44d5690876c857a812f16f70ccff26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
cb9acdf3c1b91cc7f78dda1191e22f51

SHA1
ef8e620b4e7c70451b4397c952192ab77179c4b1

SHA256
92b65d0e71ca2986953ab4963e2996ca5f15080e1ca7261a6a6dd9c7da72bce7

SHA512
c428c71a5b783b2d562ff21e48b7f9e98b252b8d290e3fe23d20d593dba4022d79b8248a765ecdaf7e1e30010c6af423c8e815588a2450b6f79baccfbddb3d9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
1d6af5de7b5bd51eb78994dda060a6c6

SHA1
fdf8c808bb92f63871e7c078b4567643af155c09

SHA256
2e39752fbf25f9cf8836fc36a4b9325b773f5c815b04ace1565527cccb519c5f

SHA512
393275a07e11baaf5a4c71105420b801cddad66f7813046aca4d15909287503a8762565dc90c846139372efba5a8186568dcb8094bd71da7dd62ccd88efbbadf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
20f8e4d692ef7c7e9309a9b0c031a07b

SHA1
190c38fbe20b14590fa060cfc910f32479e2ca88

SHA256
5db50d60bc64b0c8289cda3af968187330cd33d994fd2ed470d6e00b67e45f48

SHA512
b628b87331daf4d356b23e86b8ce9322ff4459824098ad2a6d5250cbd2abbe943f2682ee81154cc4f2b54ca19cb4dc9461eda020e1191562820c5401e9ada96e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
49583305a233f537612b9594d813fd9a

SHA1
9e327ef8be57089174c25bf6d35dc12095709376

SHA256
b5cc86a0e4a15200a05100fb3a69998d3afeacd5228d02f1b474afa2fc1da246

SHA512
003030fe1fe4eea4aad2f12588543b1d085c106ef5fa2e99cbb52195e87607ea439937754a162ca949bd96d30d6f1a688b173979719edd90f705f3ef8123f396

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
9280928f8e7414ec4670a63f6276df65

SHA1
74f0b6142f16ea5fafe6c9cded42a66f86e79829

SHA256
31f59cec6c739a1f580b1e76a99b1eb73366218a7d70c392cd0d4794fc6f3140

SHA512
7a0cdf461d1a23958849ab841142950426a241fb96c4b99bd351f4ad1bb6264f3f19c1cf8e740af9102e3cfa4d925644851163dfa58cb889b89579800cfb9637

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
3df897ffa417add1f309e8ec925abea2

SHA1
b00ceed34d301465d2eb62596be8ce735a9d0340

SHA256
44a115f4169d434304b0d5584e2ae752051a99a940ed1bff0f3919381ee0d22b

SHA512
9e7c4daaad25d27e192888bdfa906464794e1fa4e8b7d19c50a42d7466e10b91969920c7378a31f8cb7d0dc144350662e9c8abb84e1a65aac8b393ca20c0861e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
94113f31f6396462c892598ec1d1bbd1

SHA1
b35d8e2c3768eb6b3614772655ceb6981c8f99fc

SHA256
e0b49e769c54d34d18afb3cf2093f67a3f6bab4c58d0d00201c0931cd74ec39a

SHA512
ab32ad4d7c545808c172deec2c2acfea7f255807d1586fc721280dd2f6079333612bdba4849586e7dd198fcd13786fbe1901a4e0f39c5ef922bedcae0850b49d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9e93188c4cf5bda65ff15234e1b9c2fb

SHA1
c9f11ae5fec4787fe4354aa8e55c374325f07c14

SHA256
925314455c394b8f04e5d10db8944bea4f02e8337259b5b40a77de6214d21c2b

SHA512
5731558f5271a4c49c07f40d65406aaee13a0ec5c396ff7dff50085f480121b4b017704986fadb8c4675db23f6d657e52ac377ef33f70820af155a6cdf56041c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
57765644ad0c8515c28666ba03ba6151

SHA1
86dc38ad5ef66b04d954306db192ac27a71c1113

SHA256
48c80224bad973fa61c1d0a419cd1d5f6a3804700c8005f7b2b6f6ebc68a02e7

SHA512
3993bb5b1e979b99a02704c17bf9b7b42629075840bdafa782dd05f7ab9e4de93e176fb5bf8e67955895e2e4245c8e5e9bed5779933912491dce77930d3c129d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1c4ecc927a78e7aa3c18bd65711ea6b7

SHA1
ee931d3dc949d0fd1d1276f69aa96a08fe6e7629

SHA256
24f0ff85529a6031bd35902fba1120417c21881710f88e18f546c0cf46e785ef

SHA512
6e5f704bd91406032a390911c285ca53881cbd7a0895226ef2e3dd09214be406213537072417d7762e4cc3e20f882c45782a64970dfbb53bfdf93624ba9e664f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9d50c411a12e212e7df57bcf3e95e460

SHA1
7533687ba3e1e5923bfbdea5551e42e711d0d161

SHA256
1cfa0bbfaf70640f9dff34e8a2821c9802e73b90a1f7711d9df94d74cf8fa829

SHA512
2ee83911f3777967d901365bc90023d2205711707d8e3c4f32c4f3520346347ebd371d6fa62b540c8c3e9e9dfe0365740f8ca692f3975b89fe86b742fadda47f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
07fd5eb8467d1581914708c561830030

SHA1
6172486790eedc8b89e895590b3f0337d11580ee

SHA256
8bb6908a2cb252891be89488ff18f716c6a275a266a67c07311e9c05e2a9e03c

SHA512
41b4a70c16a21f89623709a80c02031abfc72879fa8b0d984478968940ee3f27a353b5ce5652c467a08704804d2fa8696ed64d96d1cfeef69255a74be9fd0412

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
14fb5d4985220f21b915b952b1c6efe8

SHA1
9c71b1461df6384432d36a0048c311fda69fb127

SHA256
1e34ffe6002886c226b0aa0d60d9366eca1436ff514675471088a7bab468db5c

SHA512
66eb1550e3523caa3b57f049b83b79e92d2dd25aab4589dc44d4f5e28c54789001c6313dab9ef0112ea7f8a24fef7942d7bc5b4b8ded10d224d37d33091762b0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
e293e9f729db385ae5bf40191089c532

SHA1
afe17cce230ba6b71c60d211e2f66a4e18e5aaa1

SHA256
9546b415f54698ac35e9f98d0461c422238962b845ffdbc3b095dd2dac33cf43

SHA512
ed5860036bbd19e0f1b475b172aa79aed15dc805c295f341afb06f437fdbc32a5399d3e4ce982e83b34c77081b938d52e319cb6f009a58c2bcae24c767e7f995

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
ebe9f02a84072bead78cc382efee9ef7

SHA1
e8a50e09971517aa69eec53d6f540fe4b34d9cd1

SHA256
dc5b1020baed26be2220b3fc0750383c25eebabf660f4df0befddd2e3a4e5a78

SHA512
a6b18600b08d1fe63c080f2b7b7de2653dcd97f600ea902738d785d404a341df6c47f4cc5eecb3fa09cdc61ba642df84134f5e7be2e0f40fd7fa8f6285eddd89

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
c4ce441d2d9c7e0e918abc6615634507

SHA1
05c66bc522f81dac23e0624978dc4779c0da8987

SHA256
e03d90155b8519a598f52f390b247fefac0c5c752372ad3c2fc734242f4219e7

SHA512
a1b6600736ad0c5b723ff51fd702eafffbd6be1a3a43e82ef9a5a1d796af3f4384aaa8ec6a6e5f3737100a45df9372cebd3aeaabaa002b8a663e8f67f028dc64

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
72e04793188c79a2ef5af162706cfdce

SHA1
869370e236d045e38cfdcd04aaf48581a21cc881

SHA256
75709739ace45769be04eb4879be475bccc7b9f06af5fb07ee0228d0a4eb01ff

SHA512
4ae81c03bb4daf556c16fca09484943a6a83af0b8b1540a9d38000c91aafba5e4e0240d1b101ba608b6c5152262ed7d3613094d232df6edee7b961b8ae128a33

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f0c6642318bdd37dd993e44e03f3fc9a

SHA1
5248c7955d0e0f729ce1052e7897beedd41ec980

SHA256
eecbbe951debb59544672ef4d7f7152ce1431f7565d179cebdcf6b1a183c7e57

SHA512
cca280e856380c8c7a4dbdf8bb2dcb374001c4b883d5f73bbd6462780b737eb44396007f0ead99708833c876e9806e903105ae53b74bafc49434ca9743e6a0f9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
69f9b2d2808e9fda5eca416a3090b516

SHA1
6f796c521d94bac21ccd675033a9861049a1bc05

SHA256
a769c44ae0d4664c708532ea32bb5a8a00b3469c809770dff2cfa018715a2b4c

SHA512
b949eaaea6fef90c97a2c9829dc8ec59b2ed1369d002b91f5fbaf936fa3aaf62b4bc0cb2a22d472759a1d8b38fdb65413c1801606b95b823b3d1a5a2c306395a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
40bf9b13e20cf0d17a2594285907f3d0

SHA1
528fd63b92b82bb278fadd752c10a0360277d321

SHA256
3a98ac1c9c9c7a1c77b01c1808907a0b57b9155f1c64568d7aeba7faae5c5697

SHA512
373b8335568895db004efe9ef0e21f31040f9582510ae55a3f8ed25e1f5e213e82a4e13f1e528f0f7a6d71cb92c411b2d32f6531298cc81340cc670f78663233

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f0c2676178134552327adda5b9127a28

SHA1
d2d9892f737a491598ea1c0bb46f15c7fb865208

SHA256
d0eedd81f59ce668c177ebc3f9a83eed9ab5a76c1f47d05397e6f9f8276add11

SHA512
a93a185574975ea1e44dde29bc1a69ef1174bf4be5e9b9e6a2e751a2e77b45fc996cce4c2bc8539a91496569e5a61745e0fd0560a79bd21da4bd92d37508020c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9d7fc3285ca31b584ef1c7fde0404532

SHA1
c5619535c5de27077c82443c4e8603bef257cbc8

SHA256
b03602b1d241b5908c6a3cf879a271b5ef93ff31d26bafae0b9760d77ebb5cdb

SHA512
ef154d2db2565b51f023fc08187a2c0dd6ee42eec87515aa8c03ffcbd9afae5f1f94aee328ca3b2a24fa7e0a8f254dbf92ea431a4e444f0c22d6671a2506d34a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
526a374e35d884f9ccee20138ec3de92

SHA1
0257f9f538925b79bec00cfead85eed9be7a0066

SHA256
405e0d5a366632a72a562da3dd24a514b136997c574eaf678b4faba6b51ef785

SHA512
2d5d2d8a98b8302ba3b1428f978294679f409869af85209140a18df6c0a247d84f7a3c033f55b17f3ec695a4e4de69f4357e59251f965955bf00bfa24aaab0ef

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
9b973e40597b03ab0aa04b0835725d08

SHA1
9b7239689659740750844f9fb8bac201c163dd6c

SHA256
59a71d775ed56d454b910cba023c0c787220edc5ba02fb5f0fdcb8a37072f31c

SHA512
0aeef585536cb1f1a17690f30f06dc4a032bbd9cbe56eaa43bd5b8fea7c2a5da40c4cd048da3d245cf3456a42b114ff03eca28dc1d70ddd511d7faedb075ba87

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
25b7e92274df631cc4a6fb3b697c5cf9

SHA1
4d30cba34b1e4e44079c86ac3d8b8bffe5b0b169

SHA256
015fc54401c5b964907da9eca0faf51db830a7a400951f0c31aa190f9bd90bc1

SHA512
90e0f084fea78a1caa225156776c93444ef9d4b7923c365d3a84c29fa5c0a23d1a850f7915c86ed27b86ce260b452d4b0a956ac677f7c318e19d7f4e25e5e263

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d20f9bfbfdd369d93225d3f111ac7019

SHA1
3dc685542e43afac15afeb68d5c7338a3f9da137

SHA256
cd496a5cfd9b1eea116be5d9a5d3ad620bbef977df72be1b4038956a014f1152

SHA512
0e7250194557ea5a662e0b38f2240d3fd1e0a0cdf87e5edfc5c6372a4cdb323b7115b5a59e3163bbb1855522b7c9605463ef03fe0a1ad15197e6d4782aba2658

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f808317f1839c79bd1900d19269b94f2

SHA1
0371dc6aeafa3497c8e2623b83a5fa86ef78c088

SHA256
7fdcf97e84ec55ad2249e87617eb04304ac3e3afafab294e3ce88c2fc0b7f271

SHA512
00a1f51e3e5c33af9aabaad1de8b8ed58be3ea65a045b40d521d49fc546d17f007eddaedc883d5008cc9e81bee9497801eb4bece8456b20bfec9a61e73af182b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3c6179a42df460b0f6b4ea34388a3762

SHA1
a87ae318301bb07112a3c7b5968e322f96da8165

SHA256
539feee2f453a552dd0fa3a72af1d74b6add76fe4308aef2c62dc2ab0c293272

SHA512
af4df8be4c78469b99a2e2bfd164af9af6677a513264cc8cd803ac4e640f1f866fcb6b39df755a7ad722b1f674dc1366d21e34d81d5a1b417d13255d61f94c7b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
3291dacea21aa311968e9b0b199f237f

SHA1
85e17485be3418a0ac64179c45bc13c7c6664ad6

SHA256
07a4c5fb65dbc146fd5d433aca8457b4e9f86c8a7413eda1a9d5a6f49da63bc9

SHA512
93513b5a5f1cf09d5352db69928d6a623b71e5e158785a5ea16e11f2638a4024681f72cbbf8bc0198d0adfc7a14369518dab26166a41335cb1db73108c5edf3f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
d1e558384f8148ce51e8d86e9b75909c

SHA1
0c3ac64e3f5bccd2c30023afd036225fd76b0c1a

SHA256
e0be4bd52125b28d491e303f8ad830e74ae21762beac5836100bd289ede994ac

SHA512
1ac9e6f616c46bd3a2faf4678da866b07412e915753a5f2fa73d7c2fee68c0704bcac89190e7408d74ee97773113ff1b595b374045605f71aa7d067b9895eb19

Download Submit
memory/396-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/396-621-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/408-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/408-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/764-90-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/764-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/764-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/940-1-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/940-8-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/940-0-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/940-354-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/940-74-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/1012-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1012-623-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1188-75-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1188-81-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1188-85-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1188-83-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1188-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1316-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1316-241-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1692-517-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1692-180-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1752-132-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1752-253-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2400-92-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2400-91-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2400-202-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2480-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2480-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2660-445-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2660-163-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2868-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2868-217-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3044-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3044-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3044-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3044-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3516-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3516-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3516-494-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3908-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3908-48-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3908-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3908-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3908-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4000-126-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4000-229-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4232-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4232-497-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4348-53-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4348-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4348-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4348-52-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4688-622-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4688-259-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4772-589-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4772-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4840-125-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4840-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4840-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4840-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4840-31-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4932-518-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4932-199-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download