230c818861ff859433ed8a58d929563db056768f8ce3de2bf92d275f62d828a3

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 05:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c53c179b3b1d9c380dc767e08a4ead40N.exe
Size

1.5MB
MD5

c53c179b3b1d9c380dc767e08a4ead40
SHA1

9755059ee752631fadc4423a82f722d4bbb6b609
SHA256

230c818861ff859433ed8a58d929563db056768f8ce3de2bf92d275f62d828a3
SHA512

2f92df28c57710a623e7d1b7da1c3efcbca7ea17f7dbe7bcd854448bac45b3bab57e8307a8e2315fbce60fec04b0b43de527072832c7f01071fb09bb356a842f
SSDEEP

24576:yz2DWl8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:kgDUYmvFur31yAipQCtXxc0H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2180	alg.exe
2548	DiagnosticsHub.StandardCollector.Service.exe
2588	fxssvc.exe
4756	elevation_service.exe
1632	elevation_service.exe
628	maintenanceservice.exe
4248	msdtc.exe
3676	OSE.EXE
1308	PerceptionSimulationService.exe
3520	perfhost.exe
1516	locator.exe
4008	SensorDataService.exe
2776	snmptrap.exe
4100	spectrum.exe
2100	ssh-agent.exe
4488	TieringEngineService.exe
4968	AgentService.exe
2128	vds.exe
2136	vssvc.exe
3960	wbengine.exe
3728	WmiApSrv.exe
2972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e9d5dd2e89816891.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\locator.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86062\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fa7b11130f1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e935e51230f1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3a5d01130f1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e09b41130f1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2548	DiagnosticsHub.StandardCollector.Service.exe
2548	DiagnosticsHub.StandardCollector.Service.exe
2548	DiagnosticsHub.StandardCollector.Service.exe
2548	DiagnosticsHub.StandardCollector.Service.exe
2548	DiagnosticsHub.StandardCollector.Service.exe
2548	DiagnosticsHub.StandardCollector.Service.exe
2548	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3268	c53c179b3b1d9c380dc767e08a4ead40N.exe
Token: SeAuditPrivilege	2588	fxssvc.exe
Token: SeRestorePrivilege	4488	TieringEngineService.exe
Token: SeManageVolumePrivilege	4488	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4968	AgentService.exe
Token: SeBackupPrivilege	2136	vssvc.exe
Token: SeRestorePrivilege	2136	vssvc.exe
Token: SeAuditPrivilege	2136	vssvc.exe
Token: SeBackupPrivilege	3960	wbengine.exe
Token: SeRestorePrivilege	3960	wbengine.exe
Token: SeSecurityPrivilege	3960	wbengine.exe
Token: 33	2972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2972	SearchIndexer.exe
Token: SeDebugPrivilege	2180	alg.exe
Token: SeDebugPrivilege	2180	alg.exe
Token: SeDebugPrivilege	2180	alg.exe
Token: SeDebugPrivilege	2548	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2588	2972	SearchIndexer.exe	87
PID 2972 wrote to memory of 2588	2972	SearchIndexer.exe	87
PID 2972 wrote to memory of 4576	2972	SearchIndexer.exe	114
PID 2972 wrote to memory of 4576	2972	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c53c179b3b1d9c380dc767e08a4ead40N.exe
"C:\Users\Admin\AppData\Local\Temp\c53c179b3b1d9c380dc767e08a4ead40N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1632

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:628

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3520

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4008

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2588
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e165c67d55ccd153d515a957da5602f4

SHA1
9285dd3b55d72199e409571cd02aa6114a4951cb

SHA256
d46ebac3814777a88beedea1df3ad438e688e4853211570799fb539557b21047

SHA512
8db0752c484966d5845ce90386bb1a9aeafce1937fa74300b5f0a97fcef7d2dc6f7b253e312077de20f79569bb82d76cdb391ba5e7452edc619ee2e3805fe643

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
7563567822fd4b44fb1bbf4d258a640e

SHA1
3f4792e66a6989d5914c70b7f62fdfadac2eec13

SHA256
634136e90c61b9909936aaeb3a665b25ba0bff920e31911edd41d7d2b9c6bba9

SHA512
2fcf73ca9b9d75e800579facf0db72afc6cbf2b9b03e3a148d49caf508e4460a10ed29474b8fa981bca358976a47aef4dd8735cbfd25a3de69c2d5abf10305ca

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
06a09018bfa1fec277b5c1face1302d7

SHA1
cbf8d7cb8eb2eca3bf4038ce492c532853ee3ba5

SHA256
cf757a176cbdfe3cd9349346863911b604f4e7cb574222bbe9a259682d70bb39

SHA512
1941bb7b6eea9d7ed65c0567bc1422fa4641fad2fb16c506f6d659984e9e32dc97afdc9fcd4aeca4c96b64cd7aec4660f7b85693f16d4e53b7e02ae3e33f8867

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c413d77b24a69b5af62fef6afdd6681e

SHA1
b9b9127bb036ea45d59a666dcea7622d96824289

SHA256
9f2d49768ff8f2c7ae20c6e4d55aaa217d79da88bd5ef2f3b888d75c6c15b1b3

SHA512
fca6893e7c99a9408d31b60de29f62e9438b5d845ec80c1196fbf30e6c73d32c3061ab369d26d10ef57bb17bbf3a7853284f0cabc07dc9e85e3bc96810016583

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5001d92084f04faf6a573225093b014a

SHA1
e0c9189924c863e33dcf2a01e05546c77c3498fe

SHA256
9625df7dd7c8eae6c2024fdd11ad5d7745b0b99b20c882418de7fb8d45f8520a

SHA512
9faae7e80c988519ee97615d3f0727282b1acaace5b10835a2f95a74b8d19b24f07202e896f7e41b1aab89ecaa4670fb10da5dc7e59bbdce6c2da54722702815

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
ba6e52a0dcd2cebdedaf9a6b2ff9e58d

SHA1
8685988de2325d274312b29ff82fe0673b88929e

SHA256
b014ff1883003c8996c3a9ed23334bdf6646119b808f17abde8fc85b83361fbb

SHA512
2da4bf77352dcfa149a31e0f1b40b6648151b4a1654d5a684d3fab524e0ae52a6029b9f2889e990b4dcf1138df4ab78c59fa4e6afc3bc4682c6d97fbfc0bb4e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
de1272fc92e62ab21e84af50afe49ef4

SHA1
9956dcd65db3ba1fc2c6543d43e129f9e35b6144

SHA256
f1e451ed19d6cea2f08a9054dd29db5b3b147f082457103b84d30a6fad2d6f0c

SHA512
42ad65e2582629af27737b84b68b62efc165a51141ba42abcb5c5d0227d3437617c9945c97035eb213121cb7471c231ab2432de0451fba4c244c619331d3a254

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
761c245ca06b9725c289f213be97e676

SHA1
5316a1ab9efef20274b34da4a7b74ccfb4e96595

SHA256
ed7bb1af59f162e22e0145bf839a03728738bf1c3eec1dbb5e9c0a454f83232c

SHA512
c0ce315e3480832aa869ceb3390758eb219991f21686b211329d88c09fcdc3a20c84407c681ea7456ed18ed2030a6d0bc0e780ab1833e15904e88c8eb1039a20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
c6b8de7583e72f990ebc5b857c7da621

SHA1
062e6f652ab5afec491ec645c38667c591be2823

SHA256
4e813b84957386d4a2700f069c2be50962b9c0b34e099725f7040bb02f2e1f0f

SHA512
76faa4e7f828ad702a3ef202a73a95f46bf82a2744d868a3a771c72ccf183f13fa388dc5ea415f5d9ef98d0d0a35fd9f1f10ddee585acde588bfe2e7657f1dc5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
27b7bedbb3af7b5415e5bff70031eb09

SHA1
36d801d7bcca68b9212ebe8508db2b148e060185

SHA256
3ca256f10cb0afecca929cd68a8dc3d859b3b5bd8cf5464ac65ccff781f44c68

SHA512
d76a4f645322216d981c0e4833100add07d20f742714e2eeb4cfd0be4f89c0eda4d9eac7854866673ddd129f80dfb19899095f98d00f4ef51496aab9d14cb32f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b6612036ba9fb12ab4b2a5f7055dd309

SHA1
369a817d1474839f3bec6ce37a36f3bc41087043

SHA256
d64bdef1e673b1d8ca5c6d3683663b4eebc373e417337d3f9dc341020532eb36

SHA512
7dd111d368998e02139206b34c7951391dbcf69fabcc11d43317c8b8a9828884b16f8e17049fcf925a39ddfb536fa1216cccee94cdb72e9e4fe633c977cacdeb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9ce7548d5db79f663ca6d2086cfbb648

SHA1
8d63903a92cecfbffefdd643a86a69d4257fd29a

SHA256
551da159959f5959e7152e4bcef91e09ba53f481affbce56a6cb652db66ee607

SHA512
798477f05ada6e97b96f16580eeb962dff9a1f6a7841c66adb13e40e6fce2be3597203a9c39e3b51e0c33e41bcacd7cb57ca107d23d8ee3c67f9a1836e38af6e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
eb5f4a2fd9ffbd85139666ebbbff8c5a

SHA1
0b12ec4fdfcd06ad297730e4b8091578410bf4d8

SHA256
80b0f0da8dc9d674b64294b6ae5f52066cf6b30bb0ef4f8ccf2b4cbdf4ac814e

SHA512
93d0f9dcc11b8a86a50e8434e9a2235b3d5f4b26eba3693f18c324bdaaf82fe9a63eb08f546042cd3f0926d171ba577107463e3bc4eaa7b142d903d32119a43e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
f8328b8915b90a485e0d903950b8cc15

SHA1
d5c9c3eebb0c582b05fe4e0406255c42b1719230

SHA256
d1c681bb99808de21bce6d1121b9ad4e4b16d6badba0d2cfe0723c6dbcb5735a

SHA512
fdc848f867b56413ba1bd587d06d24d899164bafa6901f33a309e270138e7568cbdf5093da4ec875ab79f0470106a559eb6ea823186b059e086fe7aac61bce0d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
54f8d5a243730b0ca188621b6d69de95

SHA1
98e5cc36a60624305bf34f4542c4dd3392d4119f

SHA256
5631bac5ae59e1f4d0fba8084e925fcbbc7bdc296f2c43e84a483be47422ed2f

SHA512
085e0a38e5548c8b9f92083cafcb96613ec98a4331082792b754fc26884f8e55f36706f00ee8587324c7ea9a1ae57528d78075f74615ac388fd47e9459abaaf0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
14416505513bd859db8375828c0ccbc9

SHA1
e8ea9def91b68aed958130b482284f99dd3b3cd5

SHA256
9ed12368aeef19c445dd006feff5d92dec1e9934670fbff562138904273c9ba9

SHA512
b520ee253116a3bb934dd194f827e43972d77b7a98a1cb1aba871577ca67ed470d743946f91b633f376fb395e7ab6881ee2e2cc3cd7350f5f879de7ac91498aa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f53c01d3f1c95d50e5ef0ca457ed4910

SHA1
53e77e68bb604a9d107af823912bb949eedf12d3

SHA256
1638648361d266d7135d41f615340795c53f9de1b94d72b6f3b42cbe525b5efa

SHA512
91a962eb546f7aab4637c81fc09f944e9b2f41a44a4c866941aa10424b69394b97c25dbb777ca626a986e95ec3d29f1ff6fa54d68011ec8293df903438684ed6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
70e441ff29a8a9b9a44d8577c9a401e9

SHA1
bad310efbabbd22259ed9bef190569e36bfc71c7

SHA256
93c2ea4b76b52e83d4a3464c50b971a10796da2390ab7dac01c22f6268e3ea7f

SHA512
f0b9974259a2813913d4975d576e7d0b4def58ea38fabb31c3b8dcbf466638ca7dad40e44f9b76eb87036373f08deb1488d645ab4f91c9d147914d450273f0b1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
14817b5a46ac9551cd5511e88173ca92

SHA1
1ca1e42f285e7adb41c8f6f06e8112781bece0ea

SHA256
b6fb6749a2490face61be3d1d1404039116231d3376424a3e2f99551a0311ce8

SHA512
7e71c580ee7a22d2d2159cf8c8295613091b7909398963225e396da7911a70814b5c03ffbbc7ff8e8cc499e9f66374ad04533a80858c6ba2bfca21d47b4725af

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
017a9b80850ee0973e38a18e2482f4e6

SHA1
5c8d0ccaf9a44f40503b1b6ebc27990e790e1669

SHA256
e44a15d0b5384ced99cd25aef8a42cb7f4d925f8e2176244b13b33783e458472

SHA512
a2ac7ace90843db464da77cc6e8975bd4d2f87452559d7c4c6968657c36eb1d9d1b83d4d324e96c56d64a6814bdddcc5ca2acbabbc6e9240e7329c6357442a9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
def8fc3020428411947dabec2e3c775d

SHA1
c68ba993df5839407b3d380b3753e9de2ff240f7

SHA256
1878af7fb91c38a854748277344d91a45b6088638b1b937fe494947046e3b79a

SHA512
03baa77fee576e309adb890753876d170cf405abfb3151008383d419086a656f033f436fe9ea57e40ab4960231862caf1988dd5d18b4f9d55cd3592228bafa16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
7d537483a63a67870d0aa812bf48fb53

SHA1
5a6e06f108fa7949be5ce5e1a4c5d60c2b7232a3

SHA256
f4e2925e91337d1c2e07349f0886ad10e4f5dda48e0bc55342cbc23480664d2e

SHA512
26f7b8a34e63abebc707f3b22640ac444db9064d2e9a673dd3611178c3ad8df54b35eaa2a2f242fb2e0f64fab9537ebea440511ff71acf4a0f55b37148541ed8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
0252812af3873eb892af3fadb3c2e537

SHA1
acf6eca64247114219ce7c944ed53567c837cfb8

SHA256
0206823ee220778f62080b519a06c83273b1cca110c0a2aa4686d8f8c5d89dbd

SHA512
3de36c8a7826c29e6224dbe73d977d53be2bfee58227186d33ace9086b78550a82659166b7e6a88e9564bbc64fe62d4dc6a61f899b006f05eeb0c601062edd4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
84b9188612626116baefe46e89b0a48f

SHA1
3d644869bb98a5915f78c44a5927b9d720354ba8

SHA256
931458d5a1d30e62033f6523edb66bfeb195cd694dfb4b0a4dcb25c9f012d4b6

SHA512
3e1851b2e73ec69ebbaf564e1980b7dfd3906fdc1dfaaa66c3d68326388ff731235e84c8bf08fe42a1f584e1cac7c2f4814e71e6f741fbd82ceda553f14acdfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
71c0f521bffc70c4878475c74363d53b

SHA1
7938660393951c98add02d1fde6fc9dca2f43025

SHA256
7aaf949861d06dbe7fbb325869376418d6a9087acd859ca2617a20e2df0073aa

SHA512
79f31b94f44418e98f5c9ec4eb6f44edbf11e43544b66d03fe06f28ff469a3b52bf94be1fbd946c574f7343f5d52c13488ac208e49e9f12cb3147925d1d3ce81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
352be5a06bacf4516540f9792b893715

SHA1
5a5cf91d71f797aba2c42bbc35a4c4bad41e6ce9

SHA256
9c4d2e51d8201fd2d7a4941aee3db029306316022349a334ab6b62ca7136f831

SHA512
e5ba1221f827e7935acbf23532fcb6bbca00aab55b57d37e583841b475702131be1852602e79f7500acf59569974ca97cd1b6b2592dfe15c4aba1f151a42d25a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
4938f2a644b064827586fd7562e2ab0f

SHA1
652459e76569d0c1434c2d808bc95753cd8f471f

SHA256
ab5142f6fbaf4169105a4531be3799a1ad2b670a6aa35d49bb5eba2cfe30cb27

SHA512
9e33664e609677673079135b4b4723f67bfd46d8ce316d8391441f0910f9950f0e2d9252b49bc5e6b2808973f3fbb8528ae2467d4146763a43b1e5ee0d0ec662

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
9dc75017a996da60df33eb4d4e4098ec

SHA1
04365f6b43cb1cdd0ad8ea163707da15d1ff27ea

SHA256
c0141ec99d7f24129ddfe62ab2f791ad4e347dfd113494e4abc0179a9e28a21c

SHA512
a16b95f56b9bc048c793dabef46fd23dc3552a2584377e3132a0c25d678e4d3c1cf03b4897c3ea4cf98997b4aa3906888ebcf1b20332799ac125267d0b1488b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
cb2659c3134b66b19251226e0c1dfa74

SHA1
e609fffb03515c03229f762b9e9119fa02345252

SHA256
be401e282a4d65a3a8e8863b4da00ee63b9f77e1f0e1842c0f81ef2be7e16fa3

SHA512
a788e2a89b230a154e3e13b9ec3cdd95119e5210abe185911607e6d9b82c6188725f772a44fcfe110020b44c80e508e6b937bb1a4b5cf1701ecedde38cdbfa31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
b302e3344530d2dac816444b02e67576

SHA1
200abef579205b404b966792147358f45ee5f7f1

SHA256
bde7a0e78874d524ac75b434fb824d0d7f4d9bd7af12ad2e7bc0ebb3abdd22cf

SHA512
c9ccce7f1d051a647ba1612621c72edc4d322f60b59cea40f2f130e5adb70fd0fbbaa4084bab00220be9e6bda246952c33d3510a315d85b96d78723631151b98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
1b7d300db03a8449e2ae8b4d38739118

SHA1
5d4879dd91a5c28376799d2e8a22d8aebe3d6baf

SHA256
e58730466be61f00a50b2bb3bd8a9a122b0f8164e5b4b46a862ee6942edfd9e7

SHA512
227261a49e157326f2e6e50000d18302cdc8943d879f45736ca2222e543d2f4d86811fa5ce7e3b6d359072791ff70db54e927f83de39313676912a0c375e011b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
c0c12e2ce1fa67e377beb3bfd16a3b51

SHA1
5e2af124efb36fc61fb0853f5b8daf46ae01bd85

SHA256
0319455271c4a723e7d3192bad513996c2c9f6c49d3d512e6939fcfe8fa65532

SHA512
923fbb6d212cb210aaba29ba343cabb09e966b66e16bb67730d186af8d9fd87f34364e418b3e123fa36db8f0a8faca2695e16bb990ce600bed2480bf7c1d1baf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
be8a3d00f4633edc005125eac946132f

SHA1
174f03e088a267959d83b685d48fa0ea7a8e86e5

SHA256
5d97a9fd1eaa2fdc4e8839185572a47cf01d6dc2756e2ef18c5341ef88dd5b33

SHA512
58298f732f46b76153bb4b5f46a9d91a24b1d4cfe0a69614e7f8e9f97a968bed98f98e77958a86bb9c7b5284840e62fc79b8df014f829488faaa9b96ab6b08f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
183a82177818ebf0bd68ddb089c9a6c9

SHA1
3819e51c7a0878d2e2c22350c34d2f4837368075

SHA256
86938d0a39cd75abe75616806ab1052f911caae4b0f19342b9e6887a5e709541

SHA512
0a3b55625520a59c5305a4f0808f6dbe01de8604f082ee9d7ca1014550d75b38465350585d92dda062c74d667540c8eda0faebabb218129b9002797cb6a3f000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
d5d95b831411693619c79c2ba91ad858

SHA1
383fc0987ded0ee7c063e7e66f23e3729b752cbb

SHA256
1457583f672d31314bfb6120edf917e885c15e1098b57ae4617fcce0bace2db0

SHA512
9000a9c4d21a3ddc32de4359443e3bc367c574dd0d2c0bd73ad4aa9b8bf541bc04ead6a21242700049f100bf3b318ee4b6352eed2822fc9db6424c6433c66e3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
3888995818c9474c8e2682d99086d685

SHA1
c9f7206e19417d94a541d5a9e03ed1d69609c172

SHA256
91df52483e0a4486147bf071c3a8446e0980931c77b92d8a5a3c8454ccdbb882

SHA512
b9997542d68fbe7661ecd56cec56929309589a8313efd2274392e387de343182c0d53bec7c92f1a209cc79c3f3dc8370c9bb1694026ba693c136d87946cd27f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
445ad45f659a9b2fc2f3f27164d57cfb

SHA1
ec81a59052f494e11792b85284642ab773963736

SHA256
511cf7e98b698bd39cd7cff86609af288e217f417a631a1af00f596a8b0f54e8

SHA512
e3269df08c2701626603b562855a66b17ef62c637e872ab74d075125778b5ef6252071835bb2a218cea4ce95a9f777e341892e6c721643ddb0775cb443c2c4e5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5b588e948a900d281cbd5d147b8483f8

SHA1
e067b92080b6b1680b1ca3eb58f49bb3141990a4

SHA256
51992b1fcc9db2266a44046bd30248f05e7dfa16fe6b589ef727d8e3ba08ebab

SHA512
4bb062290a23ef244bca8e0f0eb909b167d9817dc13275f8923446e981b7a9f15ac5e6b01c586920ed384216aa24bf6ed2319d3b19f3ffc1935282d21914fa0b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b1cbffb7966f16099752bc20a4252e23

SHA1
2d22cac2d6b6083056977fa531c6001c34466c04

SHA256
bde068b00f83dcfe6cc02f312635aa4c19f3bf1970551fd8002d712468e19a6d

SHA512
f4ed2cd348f49f30f86b852facecd6ada408a9bdb7dd761b83185a483532c124ede923df076a50ec096b00ba568fd24c28f30cd29343a0f51fbcfffeed3a9184

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1ef87ee6b6a0e2dba71838a90ddd00c9

SHA1
9a5ae29b0ccffc3f360fc058ec07fb414b327435

SHA256
effcaaddfd6cb2f087fff7552d569dc2cca5621e6db3e7f8e6b7b88579c9fd47

SHA512
3726de21a889c09c63ea48eb21e5c29f9c093e04170bd73b01db2b3ec3a90d2e7d83c4308a309fa8480bd1ab02843683361a7613cb7353b4a026fab612b113b1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bdcd5a970dbeef5f3fef1999a9db4761

SHA1
7f13988fb530c22088d01b09fae97b7e4018f6c5

SHA256
f87eb6e603022d8a474fc847a84d4461f02f6835b711461219926c221337e1a1

SHA512
5043c61b43ff5336a1fa62f5f437711074fdca35fd010dbe9b1e5a1a9240009abdd720993205d72d252225ccd62e9bd10faba731bacad717bcdc762172d6c58e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f0116f3242b106c00c3a93fe5689f87f

SHA1
399a5724de23ef4939580fb6539edf807584c0d6

SHA256
22c20da9a408ab57989356ac5a6674794455e40c8c640d91e2d7253d6d78556e

SHA512
4231b8e75ca9797d1b5ecfdf1cedebd474d4a86b28602800f9087382d695549a209e16646c5ffa2bdb1f56526280b29d7d14b1576cf1203e6fb73fde0117e469

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ca1343012019bf3850eabc6f5430bfbd

SHA1
32aa9081dcd30373efbdfaa4eae00414ee628021

SHA256
cb1a2be87f2b09b453d4e48479b71710769b32b9cac9f7aac5b85f57793160d4

SHA512
eec5ddeeb769affb74886d4f03561af094ca616829598fbfd54a5b269aad8559b3d7599331b8f64b6a9daa4f92762157e9215544751799b197a1a1afeabbe77f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
de654013860e531fd3759f306976b65f

SHA1
fed396297373bd5ac8dcceec333d14d0c930c675

SHA256
b1aaed47d2503697035704399016fc1d11f67d153440566e058ed8c15e3b2c4a

SHA512
cd22b6e5e980c192773535cf77b2fcd0b5eea1f6ca9ae98a39a8eeb80fcadb1853345a6af8c8edff187b7810e337843aab738d93ae9560599ebbfad342df33d9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c484892a7bd8d24b548477e4b0121fcc

SHA1
ca2a98b5d6d6a020a75787945f7fc4c603460a8c

SHA256
901a0a6b8409a4b2f1fc9d99945e180aaf6258bedcecbb2333d11dfe3eb9d127

SHA512
db4520deb6967160670168c5eae72b2f0037d2e89d35dd1da846836fcad456215aef7e68581381a56e135692cc84712f007ba8a53958be3c61804e2d54b836de

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
1d5ed9efe91711adc2470e9e41e094ed

SHA1
ac78767be26d4a185f0e817021bb8d620e0137b5

SHA256
5fc87e53185946efd5555165e4527a00e2c6e12838574415639f5cf296393b3c

SHA512
cf88d266e2cd08dcceeeaf48f8d6bb16a7bd970b6609a9ef610593f0f16307eec1953c97c8d13dbb8033f005c1c0739dc66503676d2e810500759af9a51ca6bb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
12fc7028a84c3205f32a5f1cb4f50fbf

SHA1
7d4058e14f4e37a06e97b872876e01ef3e479f0b

SHA256
115e7b80c858543e615101f5f8431074d2af36649aea2b67bee42fff183005ed

SHA512
843c2f36ad81b26c8e35a7744b6f33a7d79767368c1019e4975d1e00a08ad37424c7a678ec0ec5310d6cc84d1d7912b5676e4de8041c325c15925209cddaa55e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5d3ea890dd78861036d313bfd1b138e2

SHA1
d7a5bb575c85ad205f645514bb7831a3ec876e4c

SHA256
9fd8cc6cc1bf3144fa8b28545a17405b061b83111dc1025b8747ba655c3aed1c

SHA512
717a5e10720270939129303a362adc161738aef5cd6a2ca6d4d15d3027b5f1a2fd17d94ff7433d480986ef2dbf9e40baf2fc325fd3c8dc3656f150b12d774995

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
947f53ff9c300bf4bbc00bd7cfcbe6f7

SHA1
ebaf1d8388c8436ab8be051f0b3309ecc2e2df4f

SHA256
9a8a9e6d03c14cf93f2aacf83185371b1b12eee6823a4991151dc84708574ebd

SHA512
c58d2ddd337b8f8fcdb0cf98ef0690431a8a3fbb6a65eb408d0148ee8104569809eed567c62b3df009e3eb240437b1ea3a12844168b9a289448db469dbad2aa9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
8bb39cc9243adcc5f3f74fd34794aa24

SHA1
95750870e5e270f11e4e5c6452782ddd44869ed3

SHA256
43d8acdaa847a75fa84f24228e674bbc3b85f7bf0397f78a931f5fbf053d6fd1

SHA512
ed788a6b1eb7745eeef7206c85e7092d9358a3094bf5debd8d23133cfe2595742f37664ee2b75e0a915327436cbb8299d752b86fbbe575d0fa73996e75263009

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f7fc2b6f31e28ba1a8daab4df99ca00a

SHA1
1d3cd94e0afd3a05a1bd4e362d873b22f9ec5de9

SHA256
77f460237614a49db917e7d8028562cebeec15a1563e9ef5c86eeabee7a3bcb4

SHA512
1082759b3ad545bdce35e5476cec46d1416a2e4dfebee7429c0ba62bc8b93237e3df46a159baf3f038cdfbeeb00f26fdc05e3925937f7dc9aa53e0ac88866c3c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
80eb663d5ff2fa8be326f940b1450267

SHA1
e3eb81bad239e8f2f0f51edfc1222f3a8f646cbe

SHA256
757d1c803885130a74b9d35d24869fc856d7deae9e990240a3af475e5dbbc000

SHA512
6d32b298282c0a8cf4425dca0b9bb1a34a62610ef7a9e2c637d86430531709020706046c5736a9b93937678fc9181356dd60e138ce7e7b65c4a291efd379b884

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
730484dcbd195361dd5e4a94ebc6446f

SHA1
7bf894a8fd417ea130c154b9096fa9b3e0333e3e

SHA256
e5bba9b6717712e2bc773d507a3cd987ee8144edac9bb9f2ee3d635ea93b90d5

SHA512
cddd42f9e13081b9e3899909ae3234547d65b16c9b78997e693c546dd42336f24634b4e236c70de1129cbcc01565fed4ad00d4c0db1a681acaa544ca9a8446e7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
9773d9e65dceac4cb570c1f784997377

SHA1
69c4da6f16824356c923a0ef6067493ded7b3efd

SHA256
20957dc05397d245052c3d6fc448f4d74a0b4814c7d940a2dc42a02327fd5966

SHA512
ca4ba104fd5ad0bad29eff937bd4458b5d838051398935d4de93f6a477c99e7159db10a4fc41196de736555e5285f2eaf1b193452dec03e8a8215ea46765a52f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
906c2c582c4441a70ed352f1929b86ed

SHA1
01cf4eb3492b65199d6da0a63e415b6cae8343fb

SHA256
5f8b09d06a71794f69f89d78f5718911c78fec61e4a2369ff9d010f482b91109

SHA512
55c1f47606137b12831d4178560db5e8668febbe999c33be9b4f913732dccc6d984b38da1f182d7e55c61aa69e9ea9b8f024e4dbd8ba149f91aac6f7aabbdcf3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
0789998a3a5fb999615fbf99fa869ae4

SHA1
6abc6b88c7154b784c74c9b597d8e44ba493c1ba

SHA256
33978cb18a105726868114bdb90bc4e2bb76f451d82fd1007f68f23b068e7056

SHA512
5e016198681041321e80d399c2b84635fcef939f7528c80a3debe831dc3b0d86ae84b774166633a98c79a44cb374ad731b8d16d27ed4b492b9bda55a9646d4bf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fae7765454ec48bb71f1c8eec41777de

SHA1
3b88dbc876167d2bd45a85206a3f7e7d846cfd56

SHA256
bcbe3cd919934d88d0d4c2acefb42790fb4bfe7c22407e7184365862584bc4e8

SHA512
3d8f936121c20197522c701296011cd908ba5f35abdb5a38865b078d5e0fd2ccd73bd88761c87438e51fb0d3b85eac9d6c68d79ffd3110b212c9d18171dd6e9c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
71c7e1d9c0d0a0d8b0a67bc89140c901

SHA1
c5fbd7b287ac679cc89332d08a45342c0aaf3f07

SHA256
5dc54bbbaf76f332175d846c24420ed04c28e881546d2efb00301e502c9f8ffa

SHA512
fc456a31f85d74acf8b252f27d403d2d87111e792aecb4c63024924b54223034fe80ad20329e7e82a1970053d7595c8ce4680a413405043ad38c5ed3720bba26

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
915268c5213984999fe38461809df673

SHA1
5cf20519b98b86144d855d21e66f69d55d1d6f42

SHA256
e982963e910df9b1e5b36cecd812db06a9fb58f9674245e851a9f7457f2df785

SHA512
d4250ab12c95b894054f7a32260fe5675008bc9d02e3dd415b9bc810a66364cb6d5b0f82a477b8f03a2a20d6441c01ed0f354bd9cb8329145986a7ad45b87d41

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
d33b2e6a6326418f4c418aed7a335859

SHA1
04b5b8f90b8e008b3f68676c535d95cf25b21fb1

SHA256
473ca3c9cab333c8cad7515c8c398fa54a6d0f6799e93f2a67bd4c6e620b6474

SHA512
0e8e7ba559c1ccb9821cc8ca95f28a9d454b2d84d35cf2a80fc73681b9b4ebe428f0f8ad286ff562e1afffda198b6b15911531170d9e64c0cbc229c9c810f3d7

Download Submit
memory/628-75-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/628-81-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/628-162-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/628-86-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1308-164-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1516-166-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1632-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1632-454-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1632-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1632-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2100-258-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2128-263-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2136-259-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2180-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2180-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2180-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2180-179-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2548-256-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2548-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2548-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2548-36-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2588-62-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2588-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2588-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2588-39-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2588-45-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2776-168-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2972-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2972-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3268-0-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/3268-520-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/3268-522-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3268-9-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3268-1-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3268-83-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/3520-165-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3676-163-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3728-628-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3728-261-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3960-260-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4008-627-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4008-167-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4100-192-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4100-624-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4248-89-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4248-169-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4488-262-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4756-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4756-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4756-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4756-453-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4968-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download