a4390ea375af6ba1bd049cca169b5625ee6324f1f764f8cfe52b4d8e1d5ab2b5

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad186fbf3c31a13e121aff47e3407150N.exe
Size

1.3MB
MD5

ad186fbf3c31a13e121aff47e3407150
SHA1

779f0081b7f17be3371733d76942dc2afaf83f9c
SHA256

a4390ea375af6ba1bd049cca169b5625ee6324f1f764f8cfe52b4d8e1d5ab2b5
SHA512

943be3bc6c285b10fd2105215c82ada02896254cd64a01e8f8f40e784f36019c19a6b6bf29bf2602f7f3d3de37eca7d6be39faedfca5c71185106b25f33d3d9e
SSDEEP

24576:44oTPkCgwCbae/Fk6Ovgc9xVirnlBUKZ408vTZrX+lgdW:RoTcwSFkeYiLlBUKubZrX+ld

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1256	alg.exe
1860	DiagnosticsHub.StandardCollector.Service.exe
2056	fxssvc.exe
4244	elevation_service.exe
2496	elevation_service.exe
2120	maintenanceservice.exe
1508	msdtc.exe
1624	OSE.EXE
2828	PerceptionSimulationService.exe
3212	perfhost.exe
720	locator.exe
4228	SensorDataService.exe
2664	snmptrap.exe
3172	spectrum.exe
2364	ssh-agent.exe
2056	TieringEngineService.exe
4356	AgentService.exe
3024	vds.exe
4904	vssvc.exe
3760	wbengine.exe
1124	WmiApSrv.exe
4584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9842e04521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\locator.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\System32\vds.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad186fbf3c31a13e121aff47e3407150N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000178fe1d43ef0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfb5e8d43ef0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000087bedd43ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b82cdfd43ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001940f2d43ef0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009af3c4d43ef0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000178fe1d43ef0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2c8fbd43ef0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000508be4d63ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000755c7d43ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1860	DiagnosticsHub.StandardCollector.Service.exe
1860	DiagnosticsHub.StandardCollector.Service.exe
1860	DiagnosticsHub.StandardCollector.Service.exe
1860	DiagnosticsHub.StandardCollector.Service.exe
1860	DiagnosticsHub.StandardCollector.Service.exe
1860	DiagnosticsHub.StandardCollector.Service.exe
1860	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3328	ad186fbf3c31a13e121aff47e3407150N.exe
Token: SeAuditPrivilege	2056	fxssvc.exe
Token: SeRestorePrivilege	2056	TieringEngineService.exe
Token: SeManageVolumePrivilege	2056	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4356	AgentService.exe
Token: SeBackupPrivilege	4904	vssvc.exe
Token: SeRestorePrivilege	4904	vssvc.exe
Token: SeAuditPrivilege	4904	vssvc.exe
Token: SeBackupPrivilege	3760	wbengine.exe
Token: SeRestorePrivilege	3760	wbengine.exe
Token: SeSecurityPrivilege	3760	wbengine.exe
Token: 33	4584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	1860	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 4104	4584	SearchIndexer.exe	116
PID 4584 wrote to memory of 4104	4584	SearchIndexer.exe	116
PID 4584 wrote to memory of 4976	4584	SearchIndexer.exe	117
PID 4584 wrote to memory of 4976	4584	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ad186fbf3c31a13e121aff47e3407150N.exe
"C:\Users\Admin\AppData\Local\Temp\ad186fbf3c31a13e121aff47e3407150N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4228

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4104
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b9201779ae8ddaf86be44d262c688456

SHA1
83528969f3ee5c9da06b5f45ffbb87f5c64a4401

SHA256
8ed2b205651fe038cfe015d2afac15f3ef6d55b29985c0996ead121d49004efa

SHA512
62f7b3dc6f9e8d6512fdc3dc7409ef1efe4a2027e8d2bc3bd5fb05a14c32033698d8d269c8175f7a2113deb285f519c161d4cc785ce355796d4563528a12ab30

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2c95d985f83803ba5a4170dbe07b1716

SHA1
7e59e00e97ad4db3abe49b634bf1fc2199c00ac1

SHA256
f10563d5bb898c82b710068dc3129bc9c3fb22d1bb6eaf985aa149dab5459096

SHA512
420db18817fd289a6d51b2d4596ada7b4d5aa128e45995f2af414dab9788b6b7cc422b08496ce062cf04d30f701feda2b90f0513e3253ac92ef493d9aeec7d7c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c3f4186110cb2531008891f159e2b233

SHA1
bfef74770e60e933b50c158ca23624cea5420bee

SHA256
03b10479576b799cd844629bef7162ca34eea24d43bf10297d0a59c7ce011c7c

SHA512
25517ce09f5186afb4b9ff8b9a17354b92d56c0e97fd024c7d7efd291e7d041cf4cb4d98387eeeb1761584a680613c7c63443d07507d60c735ef587cf9d3b3b4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
29861cfbd70c8f9bfb19052afdaf3c59

SHA1
1f1bc92c7ef71a24e3cb6019f5f518b5060f0303

SHA256
e7de1dad4a66c161ac670432a84c953f8317ef1d1cb663789ffc721ac18b9ff9

SHA512
310138b5413563dc62ffb3b1ce8f683ae45c3111660f6cc9015dfc95915af954b4787695d1ed92134a1ddd6130ed8f3e12b48e8f7dbee1a14441589603a64c38

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
79c4723c518cafb1957d73ef8f9031c3

SHA1
ba2deb571cf56517a9319e55703fb3c40efbe726

SHA256
a26f4c55f2cb641d39bd5db94b686eb18ff20440f63ee84208b5feb511ebd47a

SHA512
825cd8662c6dd0106b834ef625df94302775fbdc32620a74da6ee92fc618d1e0801a5903b392592e7e4d9ac9ba46906f374dcbdb8c08b32ba8d3eb081bc38f41

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8407e2c32c271d1b89beae5ac63574bd

SHA1
6bd96654a176eefafbdc6f0ce10cbe1d0224b59d

SHA256
c0acb262b07ed714f740e70fd343d568d2ea829796333d951c240ef743ba9344

SHA512
e1e0824324221a267e9cdb793ec4308aa579acd5d419786a066bc3365c3971710e2e2e9511017bce5ba8ea93e6fae0560bb90bea3bdbda04bc8810eba36fe682

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3b982721c9487c8896baf16a81e20610

SHA1
b3a9514afb60d8f79907e7c808caecaa5f326f88

SHA256
e0e2f428b48e528f7dc96f3b669dd30803bb9b26f5c123dcc06228455720d683

SHA512
ce4d2856f4f1e9199608811e16057ec195ac6ebeca3cf2d7c09c281c7442c64d602ea2f87b726206ba079742121dfeb7861ea4b570c61c2416417a8d3ec93ad5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6adb7875575fd78812e4c9a45aafeb10

SHA1
cadcd19e2e9c7795d58258d4d38a574d2387d60c

SHA256
09c78e59a31f5e7c11ff5742e4c318a03c0b46f06cb18cf6b75e756f514acf34

SHA512
cafd32259ba379fc0a61aba1d4b1949a1d45c72193372de33868634bc432c9e9de50ae56d99e42a36cda1af07c88516522039f7fc2ba943a57d7c70964b2ce92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
bcf2fbf1d1ba601c57647d8627daa507

SHA1
4217795683113405daef7e8d9ce909a700ecde0a

SHA256
ba790a2d42a972b14c51db5e3c0b3f158943ca48e504cc0cad589b8030fd3d6b

SHA512
e536a281515d9368b44e442bf220f97ab2610c3e0e143c143a117da0f239ef4e6577835ef1d8b32f87ad5c367542db4760f7cb024b93cd84fe85ab890ce61ac6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
271173818b56557e3025d80880a4bd23

SHA1
b28c0b383b0f7cbde4c76ec8dc593d78cf472cca

SHA256
d62dc837683a836eb485d51e85b212eb67d3b5d6ae8ba95d2574d0f96bfb820a

SHA512
6327963e1d3481db9de5f871a56200c6bbc5a7fedd10a2f131f69ec5bf2e374c852d1933cab622c33bf330cc4e7ab0233304d4dbb6bfb3a0ed23bacfb83896e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c75b44c553b596af662d05e3e1cd1ff2

SHA1
52e0d07c6ef59b197f1b8b3cfc3d56360b240c9d

SHA256
6f3ab9b332e4f38f5dee91dae5b449b68d48a6734a40ea9ebf06f0c19227c18c

SHA512
b4a0fe75813409669bebb255af3b7ec5e640f816f3a2c3497363bc3bb1b1e4d5242327c962a2a3824b60dc6a65cb80d3d4abb2859ddc49d0533636922426c228

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
135dc79468db84b09250063484a6bb81

SHA1
0222053b3e32915397976428cb3d1bf7fed0484f

SHA256
a4f18f0f58b959f229576cb0cb08eb304413024c6c50958563475f910578b27f

SHA512
8f17203708bceca740614c9025dbf1c471db30ab8c49fdd223deb0e1a333904a8b619fe7ab2399ff51f3f4e4d6d33b244b037174c168075508d4ee3ba66ec5d9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9518be0bfc4aa9a14043ae37d6c3357b

SHA1
7b4a2a16b7d9e81478052ea08a46c91fdf10a9e6

SHA256
7bfa6415dff651c01873a47a4d98fa4a20e5e95f98622dda27a4afed86e23073

SHA512
df0b5989cab7934b235d5360304b5d6bc7fa4f3a140893afdea8dd216fd38277addd1c0a42aa2d4f398d583d48b874def00558e92f499d99ff98ca8896e0eaff

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a3c9b416457e2dc6063b1920747f8979

SHA1
a27ade226147997682da4f9e39cfb69b2810bb35

SHA256
84b436892e6709f821ec86d05c67b36e1904444d6cc7e4c67011ed86b0981562

SHA512
c3aa21fa063b262b450b660be1385a3f4a555ca276a7c6dd16d1b6258f9e6ac7614d447b2832e589610877fc7a41aec64871ea11ee12fedbe1200574a8f3f0f5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2838961747bed1037954b3fa6c69581e

SHA1
a8c5d463657dea977576f05907cb6521bcc8458f

SHA256
385b2843cbc934df587c3efb7d473ab1788a6e9549acdf112b0582b97c44284d

SHA512
e4f55e9a77e6a2916d9d782bb202ceb950ce824112f8f4252dd75defbcb51f0d2733842fe34d40a795e354c404f1437a4fea57914a7d73680c418a368539476f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
ac8d469a2bcb176fa0086cf398d7cae1

SHA1
3aeabf16f85c484e1e7bf6ea1aa19be4f8974393

SHA256
e415525e8f1ffebd751949b020144294982ee611988369dc4c5259ba0e7a8abb

SHA512
281722d74a4572f5afb434fd45bef718dfbea72e345d1bd60c43f80c4652bc377947eb157ee37ac1b29b770e1bb6ab12d360578a66be8a98c48859b51ccd43cc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
22fc6c0208b6c0e374ff82511fca15f9

SHA1
5e5b6e026944ffa04ee39965550295572b6477d4

SHA256
7208e1aa3920633fd8d45ff4e09bc7574a4c8901482de722001fdb3612c09bc6

SHA512
873db35dcfae0a9be6d1ef74becaabb6dc64ecab481a3905b5b870bd5c15868af635d48b39166ed0a15f53b4abea2afb6c07f09410d28b869f6098fe5878473f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d4ce4aa5d9343f81c96108106431f8de

SHA1
4ec17951792773e29ad96333570c4f1d440a3c17

SHA256
1096879db656667b5f79a7a966eb0811fca736db03d17a3ce70b5c495c92d82e

SHA512
ab1c37e96f96b39a03f2678344d4289eb38e6c0b77b3caef091bcf86169bb431ff051d61eca0fc7dbfa71f394d618fbcf988e0c2f68ca7d169d508d85898715c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
60f0760b3415b49b2fb5cdbc9c85a96d

SHA1
5a69690b2fd1c2d80a0bb35639580b023227bd66

SHA256
638a203cce0e2286d16129cca2ab18ff962b0f4833adfafe3317c638ff16b4de

SHA512
d0c7f1019f22de6c7baa39524b8ef6c012ab618731bcebec67de56a1683c209985ea7f9b5b9b67e3fbef7913b80bdae766e30b2c6992086c9a74523a1f6cb9e8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7458cab4aff0fbdc9057364407827f1c

SHA1
24352920cdd9371b4a2d627e4e967948122abd04

SHA256
7f67266b0638c208e69b9c823fe453af12cf3765f576baf9cf358361b196ebdd

SHA512
6fea06054a99069a3391db9cd006980f91f33e2b9ffde17b854cb129e63c9674d823c11bf3420a027abe2ac9f7530e3cc2a0e5568dae7a11f51280895f4005d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7a4d48ec4874b75e843df1354602bf4a

SHA1
54a51f63d4647a8907120f0fe3eeaa01da4a2908

SHA256
c3d0224cd7c92456567b6a8f452f8870e17df3558919b55ba607eaa380b22d14

SHA512
8400ed324bc3643c815da225a1589b33925c876e8c3fc858eed539cfa7a3e2f3c5a992444771870f6bc46e8f75ead1884a9b2535fae1add23a708f1f305ea7f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d015dc03fc0da89c6ee52afd204e40fa

SHA1
74667773722044ea8b44c6a7603cae13be67aaa1

SHA256
94a5e0d3275c6fcbc88d43f82627f601ce667735ba7994825cbfb42fbec508cd

SHA512
58f742e4ed8a1839f3e7ef50a6cd045ab72d7be516e4654a2ab4f6dd25cdca5dd398f36d1141a33099a2ebdaa4bb6e026eb887b735c65bc2d3fe502b5f06fde3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e886e767bccb3fbba16369d6252ba809

SHA1
ffd785facc521c4f70fec32093c8ed6ac10d14f2

SHA256
7ab73532453c6e7a7dca13361566b75946ab765e2db3793995ba2c238403e8e9

SHA512
6d15b50e81b864d1ef4edd46e9702f99c4aa560ef78d3d33531f09d0bc4ed11d4e3051ff512fb9fe2ed123e334c80363b28a911bf89e054043dc6eeadcfba230

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f717d5467921fe0049776558b9729290

SHA1
b04b18a7e3c9fe69d2851ca08902133cda1e54d4

SHA256
f17d37fc2209a30827bca1e39299030c4a0894730c0fc78a67bf6e7c72940a96

SHA512
ad8c6b8f5f5ded2c45c876eec97b1f31f22a5499878112a3f00a95e7166cd6ce0e71a302f745486580828210140c45e91e15036d114d7fe051be54488e4af330

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3396f8e2cce7af02a9ca6ce121b05668

SHA1
44645012adce9924f47f9f1c5ce1dd697a32bc0c

SHA256
07601f7d834739605e6ae980b871351c8db3cf514f24edffde23b48d9b5c6d26

SHA512
1fe52eeb0846d39c8825de7acb3953315beff36e493f8f26f86913905308a39fb081223c36ca043401681bd4bf1a43e3cf7e17b38e70bc8120d07efff210cb46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1ab8d7a94025328a372ddafe6e058deb

SHA1
dfe58a8ff4e178f337e77c3d974b6812992c5f41

SHA256
fe25def70212bf6f190e1a83bcd59c8cb45414c53a7531983eb6bd489bfd6b44

SHA512
6b4624e61a03175edeb19f2e3bdca657efd51c931eca9f73df3843f79282ddeec435010463eaa8dc843d1613726fbdee14da42c14221ab54ef36221ffae98c89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3f0575130c18246c7ca53a5567526f0e

SHA1
a4d8f33b9e8c1ca34397de0b4d36453ba0bd0b97

SHA256
3d1ea18902bdb85107bfd878dc478df133af6058a6216b6a153e0cce22a629d6

SHA512
320ce3bfe05f1413e61eeef2f0daf14b70b6972aca5ac4237721c592907887e6116755d7683f877dab4de578407617906610ea8dec677d25662d72b9ad13c8e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
38d4b380d35268fd28ea580a7677502a

SHA1
3972a97eef20308cd7f7038151ffd04ced147100

SHA256
27d183c0247346dd5ccd1c991838d6adfb5392f5baa9ebdcd16a9767b213589f

SHA512
0e7d02547cbb4c7d3098375b6cd06061f3ca77c9554a4a2d36af3e8ff215dd2bf9da3eabb83bd5839e68d919d343ae1c83a6b1bcec4eb84ed6efb454ee7a7df8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d7929ab929e4fe10121b0aad27722c3d

SHA1
93192404b366a2cfe00ce54b1d31c9bccb87e41e

SHA256
7b9e109c2e97b9af0f99e950d1c373ab1974ddb024052c6b897f8af8b4ee09fc

SHA512
6c006dd38d263e863ac6e93689347067ad7160b74db2d4ca46d308465c571a81f9178851a312911131834706fac9f56c51f04aad6a739f42e24f502e3ea9f9bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f6facb659f1b9b32c16aec44208a653b

SHA1
9aaaf6d9ad76fd4e654ad9019ccd0a0e6373c902

SHA256
5a14596dcba09698bfcfcdf62d32c63ac3ffffb9b159a29547e70e1bfaa47d7c

SHA512
d57ab662f427c8df5fa58c62aea70c70077168e6a09a6966a13fd81449bcf73deee0e2fb9495c71b4e4b6476d44d30db46b2cf47618853e2469db487b26a292d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5ffa197ee3fd99e84ddb09a8fcbad2ba

SHA1
ef2633fd4ac44cbe494e35f395622f005859f55f

SHA256
956199591d915af42e654f5e08c16980f3320026397a02c108edb8a4ea87bd8c

SHA512
b98a36065777004c0ae0eab32e2949ecbaf941857911099a0f1ccf8399d15c9bb9eb0d5625825d2a458e9984756ba1a5b0f421f3fc62c7b17e085fd1f6dadc6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
045c4bb83355cb9756dfa768c71315dd

SHA1
96674fee5b7f9b0831dae0cef9285a81f8021b85

SHA256
2d3fdaf08244a83a82e5384783674dd8feee733f9fc6a779b82b39719bff6e39

SHA512
38ce0b89d71651e15959d3985e314ec977d8c2192b1778b2f98733b0df09b705f04782fde30ada295e140c29027047eaf1b584acc149a88e8bf304973cdc2419

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0d66b91daeb3800513db194698891e17

SHA1
f22989c91ef8b4c01cffe84e853b8c04876bda12

SHA256
91f5135a3ea6881b739b5b170805c6e58cc35fcfa93aac542c0890fad3426620

SHA512
3526bb8f8e5ebba4bf6595a6b5138ef7978b973897cbcb5aa0f25833eaf80ad19102ce27a6a74fc25996a42cf7dbd108f0756df06b8760791caf77f4c7222741

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2a50799302d4e79f216f1e9681abeecc

SHA1
4f5b385a6ea98eec6a8fe17034273a455ce88d07

SHA256
ff16b58b92131ea22c7c0ec7679eebaed38e91b2f0b6bf52fac4bcdc29624025

SHA512
2cd73698e19b31d20c0344186f0ed8468d1a0cf172f3d0d1825590fa8bcb2886f57e52f831ccac9b2450849dcf8fcfa7a21caa56ca7406990b27f115124b7c22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b88eb2e0ba0dc9d04264067513690da6

SHA1
634d9f13bc36f3509dea394f2b007881e1ca5a05

SHA256
e72e6e3912f1cbff0203e0eec67242be7d959f0db39e105b4cf2799fbb787111

SHA512
2725acf75ebf90863fb859c2424a710be407ec4f86116bf1d33ddfebbcb66631a3d694629c84e60a1d5b2251f88fda3c2c13e6a5a6d1353f222ba1f82e18d8b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
bb7d84fa55ef7870343e5a690de54cba

SHA1
f308f1e75f141002bc3533675b820ab1ba701c7a

SHA256
67470923b08002067e3ca35da23e102f11e1671f67d84fd13715411eed749aca

SHA512
5ab587879e461ce0c9b520d1d360f947519cbaf874a3b62a6769462f7ac58be3bc4adbade62f04a938a898f8626f97e9bae61de98445966d7de7ecf259d0466c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
61e7390955c91fa7bbc7b3e55cdd04b4

SHA1
2e26fc77a86171a0d2912fbae30f1860d702205a

SHA256
2777cd7246203fa931069f677b2b07c6eb3ae1780731553bdf7fc75068972e28

SHA512
2969d33d9c19d270fc9119b546967f1c6fe435b08509aaf6de6753cc87e11b2e990884e091c42da35fa5370ee824d192dbf52581756c0f5154f7b754abb204ce

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
25c3f3f899ec233cb1595036f19174ae

SHA1
81df01a2b9b8dc75a53e567ee5fdb6307ecb8a1b

SHA256
ab081dd3dac4647f136d0b7dc623322cd5526abf6b8a5b9a5f460d81c8855bff

SHA512
290a105ef35cb0527669d36d1e1c88fec3580342f02237f00be3fd04283cbbb237549c67e3b2087e2c9fd222d5f8bf2964e6ed60f7b83cb4d2b1256e902aa06e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c0910d551decaea8b335507cd914e90d

SHA1
d177dd4a6ab6e0a7666cfbcfe82418ff69125591

SHA256
45213edd83235b8e57f38c4c7598abb4517b89ce0b856e0ae6be1196eae950bc

SHA512
e7a082f328ff2d0ca0f538bc45648eca8e5d44b8971e29203fe8b1cfa3d116afbc8eb5211f9848949a387ab1b5c68ac58106753123ec6bf69ffc0a218b1d4641

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
67659c8159e14e025f3ad7e5da80e547

SHA1
edffd508bf52107f3d56ce5fa7fa75c77f8cf39d

SHA256
9ff53850d679409039572dc7b3470a79dabf1ecf84d560d10177aaf8e783bf40

SHA512
ee5a93674f3ca0d6395d7efa6087e7e625a1d40dff6a56e3b6cbed2b5fed45a7c2764c6353a5fd6d112f5da526be41d01f57f32bd48623c089b58ee50b850a0c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9d58e2314209a7871d9c1c8b82c5d809

SHA1
1b2918ab8e330cc99f0b54b33b18ea923540b709

SHA256
fda34d0bf7d5f6e010b624783bbadae687ce19d717f9ccbf44a364232190d7d6

SHA512
49c75a636f28b78fd151b404dcfa2a349f4b8435f61e9a18316b68ff3a46b1de6aceff5ed5418fa441e55d2305763962b80d3d0e18a7b5377063400f75d8ed84

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
07437d95bf7fbe7557d36c0b82edf97b

SHA1
80efa8c1f7359865857dd045f6e95ddfd41aa7c4

SHA256
0256c6435f284b8128c918606ad498b9112861fe3409e183d4171ac9a615eea8

SHA512
fb0e4e48582f7698af4e145c252a947a0cb283f6a425dbb4189124cf230e8725cd30af2df05defdb265af6ea9b9521bff89ad387f48fa0f9930b6439f60b5894

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a217f60d48be1cdd387cc68976527dd5

SHA1
c89a8f0ada074b83e768689a9deaaef776613390

SHA256
17f84d3cca6e1fdffd8913c9fb8796197613e2131c3e9c64c3f3bff9da574fe3

SHA512
b73fc839f09c22fbd26339ee00f88e109e9aa1a1e66ba8113e62288ac05a12e002c2b4b7f326f7116115cd1bff11c40eb859c657fda539cafafba958d258fc1f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5135899f04c3bca5dd194fbcb2229629

SHA1
b6bc6da4b2429ab41c4db38148905ec64dfe26e6

SHA256
e25b0ae30f49e074f9dbc9762fa79494a32e51f9ad8df4ee32bcb9fa5aefc270

SHA512
9d0b671c8dd722fbdc9837c70a15e0dce9cd04cb5c61b90fe0a741ae74de1b7c308281104e637a30a0bac1a0197a82e3073139fc1e6cfef286d2a73d798bbf78

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cee6215aa76c7d57fe59d0fa9702b158

SHA1
cb02fec025ba581905bacba60b8fcccc58eac2e2

SHA256
6a743e0f476f41f40f1bd9a759557ccdcdd55f1ecf3ad26fb37fe16fac77e0ba

SHA512
be9713df73abcba7ae0b3c058dc86ed05c42740c7052a57e6a1d250652152f684171fd2f2488b559b895b1b1718892fe0eea17d9ac0a2ae113ccf7092cb92250

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f60f083c08b7f179322e09cdc8e5ef74

SHA1
1fccabb8103ac7febe4284e76e09f94c31073801

SHA256
71d7b28b29dea71b904a233cd6044bff53e7d9165425343eb427e908c95ef126

SHA512
c73b5ec107ec844d5d77b2f7728335c1ee53a7c3348c9c3e2f7f66021ffd02f2ca13d23bd3a929d1724d053bf8ff414b777cec9ffaf17230e71b730435480748

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0959a89ca4f0f671f8eeecb8499b7c13

SHA1
07f7d7cfa4aea901b4a2dfb1b96d47e776b54032

SHA256
604632735721aaffea8dc33b8d9f36cf020fb294c14fb2efb5ff923646ede960

SHA512
2536e039b6c193faae01f09c842b134ec8173491e39900fccab06726c4b8b63f3fbf9d6735cab7052c2d214aa406b5a8b98bf6be919c43ebe16f6ded4e629488

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
be31b60a9e3451f7bb36b582f7b6d282

SHA1
68e110db2c4f52bd0337d31259d268cf369a8b9d

SHA256
11d4e9da5134e65ea61b982d88653740194a2e9af9ef200e168e1b0e6edf65dd

SHA512
b9c7c2d7963f73319e1c611e7701e5c6c6f7b5937367abf50f8a232ef38ddcbf81d8ae1d0db332daf1f9b33d37d6be857cb5fc085711a04f77ba6fa17e0e6e28

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9805364f6d9f0db1b5da17571a74cdb0

SHA1
c5f51a2000aaf8fcdb10559b33075f48a157a24c

SHA256
035cda5a2921d8a99787ae84da629081d424262f9f6b166c5c5faf652bd72b6e

SHA512
e8e965cbbe546d7caa0cb7cb0b73297ad0dc6e5d41485a06f951166e59b4140ff46bca1a171e68f818247b51d39618c864326ec231a9fbf4960ad7615277ec58

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d1b64b980a7fd5099cbe3d5f7ba37321

SHA1
d5176d61ea6c47b82c27ae80339b0b83839f3639

SHA256
f5bb3d3749d4280c7cb3a6c19fcc0fca52c5a9ef95154357f1b60654ab7eb16b

SHA512
1ca90d95a2eb95b9bf331f6c812bcc088c9a325bf0406932f031725fcf3070562eecfc8aa92db2344a2c33a89ba4fe1186495cc22df86c3b75234dfedbb37355

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e476b29b4632cc185fb25c5b0bd20ff6

SHA1
11c5a718bcff013f786d6ade91a03c6b9ea14e15

SHA256
1952bc7a9fe14586a0ad23e17d33cc9b35eae942c25c00d910843fdb44dd86e1

SHA512
58a742c1e70a74992539079197502d5628571487f4de9a498feeb8f45ca288e6b2ff6456e16c760ee45efb34e335cf973f71c96de89c5b238cb686c7b51d940e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c16df89fa7d2a39f2181bde56664c67a

SHA1
14f93fcd915fcbf8b911d0449d5dc78b5d08df24

SHA256
1b2cd1c92687332df88be0cccd0fad06d383bf1d5cd1b10b2d4d22b27bf29896

SHA512
c9133fb9cc0f51c91a5a075d02f9f1bf00f1a2d10a162dbe9439a31adcb63b1155fe3f9f076f25409c4f7ec5a232ae31f341ae4ba0961d1c6274bdc4df704fdc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
1a35df7bf3ae1bea59753a4b7f9dfbc2

SHA1
c53f4cd277a7a39c596e5a97a185730d5f62dedb

SHA256
60975bc55db907f61ceb0bc2bec145287fbbb247ad9976dd9b88ecb8aad2bb8f

SHA512
d163c6cd26dd3e110b329b34b2fdb1a6b7a092f0fd1e188e477c7c1648dd7f22ae40367ae49a72dbabc3ccfe83bdeb5d927cf634987a2fa2caf6aa992afca1bf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
34af1dc55adfbf391829ca51eacf59f7

SHA1
5c693d5455f6b1386aa7a35956ae08ba0feb9b69

SHA256
3cdfd4efaf3f6fe7ae89bbd7422c9f95573aeada80752b18c8393871cf63aaef

SHA512
070a1d7736b909426a87d4aab701a476222c0189f7151698050de5d12064c6437e80af9937c1b3783d7f1c9f60ff4479124aef066f71678e2a4c831ea9dfbfdf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6faa7092f1d0a06b6e28ac1669489f64

SHA1
89d4bd301793fd15008839115b218b69be76ae41

SHA256
e0cdbe2af21b3e8f3a12cf71144cf88484fddec08e5c18439dca4c33c77d36ce

SHA512
0c8ad264192635303a2a7cd1b2f75b3132398932bff92b1275527f56ad29fdb575f6eda3278e0a937fc9d1ba475e0cfe8de8e0761f7396062f262925290b25f0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f8bbc274d9f7bc66c88d02d5dcb35db7

SHA1
dc1cd048b8696054c0faef595c89425962ec1e27

SHA256
923be68129f1cb3e92ff22fc408af01d11dc9e64749ec4bad54bfe79eda7baec

SHA512
28a2833e92c7e1ef973bc76a5608ad2d021b70319583cb92d439ee49b44628d3fd93e918e6b063257240aaa8d962854d83d06dfb85658c0b6d6876a9151d7239

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e0f148c077410f5472657f138360e7cd

SHA1
77091674e131ec076c9254b1aa0706b79af87f38

SHA256
34b2291370b216aa1596bc2b54675b67e92a7154aca5dfa7c4120883d73a688a

SHA512
782d57ac6c3fe48a8defca4a188179f56adafa1b6abc4f214032cecd59552a2e75a622ec5a2c957a73646218b5dcd227835f7cf262086bf2855b079ee3eeccf6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
01cc2819f7382e95bd5dce2403606d4e

SHA1
96d00b4c11d45b4299d29a40db641099c98b8f88

SHA256
c59ddde6f1fa3ea2d7f9c655c99c1b58eed3fd300b719be5bbabe05461b16063

SHA512
19dbda88aa98b3d905562efad066285b19ee86a9f7e5c77eb9b0acf132d9acf18178511e0f94ca54bd87efc19e7352c709a772017e5491236e37ea4ab297b648

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
358b408873268a09eb827aeef20ee03a

SHA1
6dcd542bb7a50ec24045ba4f6a8ba9ec677804df

SHA256
4d18275fcaaedb29399d06b428256acfedf4af9d50f19a874eb5b10da4a2612d

SHA512
04f01fcaa8d3529f66b471c7d0a3bc9cdc2c7e3416bc347e62f3f6e978a720f40cb24d9a034b2e0975cca4c6d1ccdff8724f7cd95d36009d2563b4ee2bdbfc5e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
907820e636d313907f00a19b4afd3492

SHA1
96a62d092f737ed28db90a7c5ac6f95c8fdd7f44

SHA256
c7989bafffbc9201db6601a586fb6fcf81eadb5e1b90f002a5fed7816dccf109

SHA512
b410704490c5286d4cd4649e209b452f9ea3df7a530159e9a60add96f3ddea6510dd9c68c926a4149fa751f59747e83fbd51bb9a7a36ed1be7613062bd07457e

Download Submit
memory/720-262-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/720-134-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1124-603-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1124-263-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1256-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1256-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1256-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1256-100-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1508-101-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1508-92-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1624-218-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1624-116-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1860-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1860-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1860-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1860-119-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2056-193-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2056-511-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2056-47-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2056-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2056-61-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2056-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2056-38-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2120-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2120-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2120-77-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2120-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2120-90-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2364-182-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2364-417-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2496-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2496-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2496-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2496-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2664-340-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2664-165-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2828-128-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2828-230-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3024-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3024-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3172-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3172-367-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3212-131-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3212-242-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3328-0-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/3328-76-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/3328-8-0x00000000022D0000-0x0000000002337000-memory.dmp

Filesize
412KB

Download
memory/3328-2-0x00000000022D0000-0x0000000002337000-memory.dmp

Filesize
412KB

Download
memory/3328-384-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/3760-602-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3760-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4228-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4228-601-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4228-145-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4244-57-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4244-50-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4244-168-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4244-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4356-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4356-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4584-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4584-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4904-598-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4904-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download