a9d2fda4752595656e2f9fd5a1efad42da25231da42992158b24d880ff95810f

Analysis

max time kernel
119s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0983b66697fe55aed5dcaba8646a590N.exe
Size

1.2MB
MD5

b0983b66697fe55aed5dcaba8646a590
SHA1

9907e2e02b9779249123a6f147b2ada79f9b9163
SHA256

a9d2fda4752595656e2f9fd5a1efad42da25231da42992158b24d880ff95810f
SHA512

84201d8413bcf052a8bf406664a5359ddf2ecf858a43a41aac8b83228bf6116f5d864502413c4ea0cd632c0b33247c3b0ba3a1b935028a234521408665a02d11
SSDEEP

12288:Icz2DWUeMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:zz2DWoSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2140	alg.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
112	fxssvc.exe
4260	elevation_service.exe
2660	elevation_service.exe
3548	maintenanceservice.exe
4044	msdtc.exe
3800	OSE.EXE
4036	PerceptionSimulationService.exe
4160	perfhost.exe
64	locator.exe
2944	SensorDataService.exe
4652	snmptrap.exe
1884	spectrum.exe
2188	ssh-agent.exe
864	TieringEngineService.exe
4484	AgentService.exe
4404	vds.exe
3112	vssvc.exe
3548	wbengine.exe
3816	WmiApSrv.exe
1896	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\System32\vds.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f29a0a12352c8123.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f5aa641bbf5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c074f40bbf5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000779c0641bbf5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b723d41bbf5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae111c41bbf5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075741e41bbf5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000790e5a41bbf5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2864	b0983b66697fe55aed5dcaba8646a590N.exe
Token: SeAuditPrivilege	112	fxssvc.exe
Token: SeRestorePrivilege	864	TieringEngineService.exe
Token: SeManageVolumePrivilege	864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4484	AgentService.exe
Token: SeBackupPrivilege	3112	vssvc.exe
Token: SeRestorePrivilege	3112	vssvc.exe
Token: SeAuditPrivilege	3112	vssvc.exe
Token: SeBackupPrivilege	3548	wbengine.exe
Token: SeRestorePrivilege	3548	wbengine.exe
Token: SeSecurityPrivilege	3548	wbengine.exe
Token: 33	1896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeDebugPrivilege	2140	alg.exe
Token: SeDebugPrivilege	2140	alg.exe
Token: SeDebugPrivilege	2140	alg.exe
Token: SeDebugPrivilege	2620	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 3376	1896	SearchIndexer.exe	113
PID 1896 wrote to memory of 3376	1896	SearchIndexer.exe	113
PID 1896 wrote to memory of 440	1896	SearchIndexer.exe	114
PID 1896 wrote to memory of 440	1896	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b0983b66697fe55aed5dcaba8646a590N.exe
"C:\Users\Admin\AppData\Local\Temp\b0983b66697fe55aed5dcaba8646a590N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2660

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4160

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3376
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fda80dde8ed2faf90a4d971a7b214bfe

SHA1
01f53ea421df6153447059be4dba9346e6c52308

SHA256
14905ddbe9bc631eb9c532b0cd2a2e5f5c4af59359b1163e186a37dd79984332

SHA512
9060dfd0f5b1799b9bfbc1988845e2a82d2089d9e103267dfa8e95406e0d26812a671ee5e2f601c3ab8bbb695656ba1d57fc5b0568a0216db0412fc58d477c47

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bbac8db4fd823579f7a7cd385e6a7510

SHA1
cbc246387b0cd0e50e1cf2853397644469f3ba86

SHA256
8928d513b8316e327d51f9bac28486cab2e602017a599a7bf0e63549fb1fedba

SHA512
50bb7650fbed9b539ea926d0b8d93a2d7ab80e4d2a485a08161de2cb77c11bbd56a8116d9644632237461c43daba5e8a3e92347075dbdb62dd41a1c07dcb5ea8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ccba7370eb50867f6210664a3f999e43

SHA1
58cc70dd7a6420fdf0d6409a4d595128a13436f9

SHA256
5482c2e10a510bb44fa71877450db9cf678f460b0ef5f0cc117cdd4e2de4b1c2

SHA512
2b5094cc4f360f5365fa582b2ea0e9adb5c14b0fd36b9a16d7c538dcb1c6dfc7c87b5a1f905a3cfe15d9660ec33e6cfcd1eb2f0520824b272cc4c9736bc65c3e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
482fabef413bb92a17c64ec19793f7ac

SHA1
9aca80766d541bc3cdceaacafbf9927a32ba0219

SHA256
5918cfeb4caca40f807323626e7f2ea7f35fa1b6ac0f75eb1c352511447edca7

SHA512
7c53a1e86e49526d3d7e88b2751beb705b4bc1dd80af6ed1d3f741d2ad2ad21bf4bd5d6f9c7b8b34ec8637210748ef3a35c67802fce81095f76b9e7ba572c9bc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0918b5cc9ab672fff81b81e16be064cf

SHA1
3a728547eefe6448fe2097814604c25823e40b42

SHA256
bfb1433edc4f4f00a17fe00e973a8df0cb265a7a1e35025a99c206931f9acad5

SHA512
bb4e6120bd22c55895026b949dd36109934cd6d02a06ab7ab48d60f056d46c2549d8949ece126db8c4338a66955def57307e33806ab634993cbe1d12c9d638f1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
66c4604501089977a7bad7b28f780baa

SHA1
f9b910691730aed73b14fb170eb14a3059da43c9

SHA256
cbdc0658ac48cb8edd03084bffa79c17ff7dabf3aac44a823dd9494ae32cb517

SHA512
8f2189e888c893bd0cc3b44d17240ddc8e6e5b253c67b5d1fe136549db87bfde70e2e3507f8807a0d89421ffc66d40a0022df3df82191a54777c65e45efdf375

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
fe385af8b93490481429aa2a639e9432

SHA1
6039342650ba4875dd2e4e5e336ab866173c3374

SHA256
ce855ffaa2e934dcff2770aef4d5e0ff9b7c3b4c8cd7db79b4f7183ba80eb601

SHA512
38339dcd6fe35f3d2e3f29ceeb226ac7d12395ff2ff39764d6c0d64315c363a8d49762c9aba54615626af3eff9a5e4753852cd5815a1f596e738d3b89a2aa785

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a21f9cde92fd09de247608cc3953934d

SHA1
56cd374fa21ea3c1508c96ce0fc6fd545d770a24

SHA256
68282c5ff493e997c41919d40c1290562c4015f50d3d6e882617af9402753b47

SHA512
87f9971f0ebf9e1b935eefcb36f0c3e5a904784a12d485120cf5fbb4c4bf885da765a3d3eb9fc99a48c7d96cdbee3de88228fcd04190bb74519fb197916bc29d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
3e67cd6332b9afd3471e4330a6b84d8a

SHA1
f304c28c4718e8ae35aa86f93534a9a5355ea8a6

SHA256
b581922cded380d7149d3f566155b0dd1fd0365e4921ac472d76e93c774388a4

SHA512
b146af10a7f414b50a7308ee104ca42b56e17cf1f5a619d3f8794cf6a224859f88169292e26331c918b45444082fa3ca976917c99e8c30bace36680294aa5752

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
058f9219e03ceb9235901026934e2c93

SHA1
881372b5c6a083c3bc5d00d733bed6d9d2059d1d

SHA256
eb4b21a2d755473b276dd1dbee449adc332feeaa53d049053dd7352f0ab9ee22

SHA512
007d39b5975ed2badf49471ce09833615e27f4bf1b03d9ef2a3b5848a45a7ed64a8bd1d8355cb9d4d397ed36180123a290576ea24ac273624098c2934d2debb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4e3b1a4bfa73812fd2532b97a18f9d88

SHA1
5f3b416edc98c2456d6351affa66b2670deb7e74

SHA256
8899966b5926f6e4f6a5fb45a491f843364ce28e51df6cf448f6080f6948de4c

SHA512
0308141c5cd81bf61aa35ef81627ce952ce76561195643709965b13d8c0da3c0b945a4adf36a88904a87ffd05d0c74a32c17564c664a44f752ba7f9d5c4d2863

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3b8d5a3edcb9cf9bd26637b0c4a27bc0

SHA1
ed46a60641743ce06ee7ff7fb5012acfb116bf6a

SHA256
8eb3146c1fed9eb895b9bd52196c6aec61908e3bf232645d8968bed42dafe7f5

SHA512
4db0cf1a9383d0f796582cb779ece21cb4135a16163780614d2414016fb6d55ea79d27f734abdb8d7f6f71ec47d410d19cfe21ba2d7524bcad776d5353c833fa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
cf742a6dd05cb6c5e0c2687eed39eef4

SHA1
00e66b61dc097c4df130713564ff69d2d4844f06

SHA256
1a4f7990dba78ff326c1cdb970dfaaa91b2d7089a2294674af773d0e4787d5a5

SHA512
4d699104c0a3125a4027299a3db029ab39908177263b4efc6ce2c553127094f7a237f2c202bf0deec40f23a4878be9e304db09638aacdfcf9132494d9a32f53d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
0b35ed994a361baaa2f30809b6857e3a

SHA1
1e82bca84de55be2b3367153e5ad8e9e6680417a

SHA256
3104559021a7fc6a6186caf2b7e30780dbf37cfc80eb99e2fe71ac89a601539d

SHA512
72d6b4b223c3d93dd50a26e54f20c630c7eae0b1120c486a14ba455db2db842793d51b97a07d9b346614adbe9390b8c1c074ea98fc1e4c234da3a5881546e264

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5cb62ab336de0cf2d79c518dbd93b50b

SHA1
1d0ff2cce654c6b2551fe08f097e94708b6af845

SHA256
97aa31afc30d5f9ad7b2db233112234641d20cab00a6eb978cb53bbd1cbb7ba2

SHA512
ce763cbf270168c4793cf23eb861e10e36c913a4456fd9874c62ce965943e600100b7b1b9e2a073171ce58350790a9081316b6b28aabd3ad52ad1555f99a8636

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
b08b9e62086d254061fc5e9ceb476d6a

SHA1
5419a2f44c5fbff2a3a7568e6b76c88141e59a1c

SHA256
8f0376e524f29a5eb1d37f1648b960fe2aa024e4d6b9c1bde47612a1af53313d

SHA512
538a4d22852d34a6491989f041c57ab29fd69e567f23e20802ef8c7b4160bc779b838910b8ffd3dbae100200ba69646989e3d7c17a17caebe37b9d1a00a5c1f5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
90cde3b14932a0afb8ce5b44bef8507d

SHA1
692566dcd15a80adfe356a917d9072179fbd8682

SHA256
a44977beab078e1521f07774453de466525ad87a6249bc0329247eef9b8a8d77

SHA512
62b65329ed34cca3bee69a6e12444b5089c208a44f3051e2ac84df69c9ae6be246f5fe68f33fd5b938dd3f469c7c1f7ec332b1ec37258bd8faaf92e192da8642

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
3b6295f728f0c93e0918d722ebee977b

SHA1
e8e2e03c033ff0979bbf14a3a73647fd180b0036

SHA256
85206d94e26904498961c8abe1a7622472ab556b305b123edb17e74ada88c68a

SHA512
c29623f95bdc38a76b06fbb449f6e03a387307337c63da87559cbffcd359d6af5fa25eb27a16facf53629ee3eaf95e15fa80847a56d5dd9ed2b72a36d843cdbc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
0c46cb6a1514fbd8622c979cd9050c41

SHA1
d000a6bd8a3c6df412ed15813a7579ee67586d91

SHA256
92046e4dd4b93fc71a28039eee717850559d0c027614b9134aae68048c0195e3

SHA512
5b81e4c7ba3a9db45cc6bd2f82384381c46c6af00739e2d38ce065ae99d2f16fa6997980b936000af9c630f689ad2e1a17797decc63a89adc416c7b282cc2126

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2959fcef9e46c44100554a8108a10de8

SHA1
96d8934e73feaf790772977d4ecade2118d17f1d

SHA256
7a7662152db463c81ee7bf6867bf2d64157d4c6effa60369f33ae32c178a5086

SHA512
bc60e85e62a9456cbf61b59682c85bfb832df7d9bf8f9ae261f2ce77198148d077d18321537fee1c33e41c84f03515fb1b98e70cd5f242123d84469d0333d83d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
696403aaf9324a463d4533984984c6fc

SHA1
a98ceeb6913d394f8edf36fa9ce8d1c03fb3ec33

SHA256
c8e37d47804d773b0e9f99872f82525cc26c310fb452b8e312cdb2b08a22f9b8

SHA512
8428e0f9157c28b10c9db9e6e82e5c760a4f93d48c997d59ba7d6ccbad6effefc96c73cb98971034fe020115fc26683c3dbda6acb091810ebc994006b6a68df9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a57c688d8730faf581f8bad794ee4ad6

SHA1
2a675fa66fbab282c458f22470d463102fd1aaf3

SHA256
3045ebb148d53f0834e512cc56dab338249056d213a2bdbc4af52aabeca14502

SHA512
0c39eb3cd73d5f5587de6f45056b3d22bd85f12e88bd0044e035548dce5a5b047a3ba7c4f992bcc5134a80db9672a2592f1bb9a97a482e4a5aa7f3cf31b01dc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6f381d6c4372b7de05d6f4dbd0df663e

SHA1
83852febfd0b3937f6747d66f8ea0127ddd04e15

SHA256
16505392b573fd0ef1f0bf74c310317c27f05f6bf54ac5b21895bcd005434079

SHA512
625fda665d3e4df5d75757524cf0f5e4fbe70c6316597786889bb89e0cbe3c95dc0ef83a7179a53054dab6626184ed94f4944caffd3cdced557d0ade2d2b8a09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
cdec319214e7d3b24142809828c67b32

SHA1
812b4439e3c94e82a77e7beae3783def978208e7

SHA256
071f91a81906a2b5a58d72771fb6df066c962535a43130db88c1fb986d784a0e

SHA512
d0b9105cd5078435c54b8da877254f9e6914fddb3a457b91dff02542af0feaf88856c83aa540c7961e12a1af9e3f8977dd3021c99db5de5eaabcacc66174f701

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
8b8a9995d3c567b0190ee26d4b3e9362

SHA1
8fc1426095de46093d468925f9c48018b7f69497

SHA256
255093dc70593417b87a8166ac8b5fdce8e97a31d57259c25b93d4187b6a6488

SHA512
f4c1104bc293288fe98079e54d21175e8228d4efad6e68bfba46d65686bc31f2091dec2bb8754a22d8bb8d5f70b77533ba2df17d3e711bf521a5e0d50c225fef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2bf18c5e24a6e6b2781178e6e5000813

SHA1
9dbf3fc3fc5e4c1925f0bfe4d06201de61332e24

SHA256
63ef40837914a17bde47fa57b7720d1dcde3f639a602dfeec9e309ee94d07eed

SHA512
3fa14887404989c528c9fe84cf246a9c141eef535669b7de4b874ed48a1923b98327a33332128e15f9f1312f7de2c74a9e6fd4ccb0ec3f04a749d343930445d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e1ab0484f754ff39cc0571b2aab3f041

SHA1
52c8a0821d97da732e4bf5595ec95a085e381273

SHA256
ace2f9ddf0f39be29fb7c2c993cbd48f823311e5f88da7c735bab63851ec11c1

SHA512
60d6c9f05ad8b1068202b47b843bb8f4ba9313fc19ca808e61e19e0dc8b83babdce0c2f1f0b3b18f1fed0fcfa77386c99b15bd7fd02e22996b9f4bc9163b2862

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
347b53abfdd86b609cf9c66005ff7893

SHA1
58e1444a2dc506f1b7fd815a9e1b05a7451e6ccb

SHA256
8f1084576f28a0a78c534b0b35c519d2ef13adc1dd786b8d8f8599f1426134f3

SHA512
032e6b8aecd0073240d324009ce7a57040cc9b21d6067392ea5e21aca5111086fd00ac38455934fe017ba671d26e38fabb0964af82eb0a31923ca16b139a3604

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c2f2a015221484141d6d41357b10a9de

SHA1
b3384b68f15edf23799b9782c2f8298d9287b323

SHA256
8480560ca8a5da8beda2d91a31251239811a251270264e0822014550b1b72958

SHA512
6ee70142df0127d45497c8fb7b0df5188168c0588846164f3136080f7fc27111ae7092f57aa05f638b08f8d28bafe6cfe060cb51e1f1ba20d9d03d3577ebc8bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a3f4c6eb0318bc73a6eb4c2d23ddd3ce

SHA1
e7a65ea82719b99b712a5bb92833e3b4babe94a3

SHA256
1dbd9fb230e639a8e68bfe385cb5e1bd79e33a12f894be2202054b53df28e097

SHA512
49342b8361966e8d35dd140ac7f96d09f6ebc2d2badccf1f1e61c04add5babf0e6886d3400de9f2246917f21bf7d5e53b0bd5cfefb83f0d2849a941708f6e496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
b8e5f8fe94414a9ed962e00281edc2c7

SHA1
7e4e16393f9496133f3cf798e30d3d2ded7ed6dd

SHA256
205f978d372b95a2627ccf56d3cb4c9fd01d88bae017502cefd1873be176272f

SHA512
95e32911bdaedee3c0418ac8e6b23fc7281dd595404d8b9411f608e7735771fb818559ea345929171c728f30e699e6bcd11162a97d84539a45e99939d0f211f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a4bf3e6974eabba6fedd63f420404ab2

SHA1
2bd18344784dd63c333011cde6d310c0e9c45bb4

SHA256
f86003ea9251eb1d00ad9e6b65364d352ab67ebbbccd659af2b50d892cd907f4

SHA512
78aa7161d6d5f1147aa64d92e9de2e9a92bfb467b4655f7f39e0208ab234b49cbdb8e436c29b09be3d72828b33306294c25dcb4e0392f0bca4bcc69c8a739080

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3e69757157dc8c5c3c2ba0fb080772ce

SHA1
9b8d04abe2f6bc1caa8dfc4868ee33152d6eba10

SHA256
06fc9a8a8ca3c19e841b753f5e7f8c2dbb978f693746340b518e2a8f02bd71cc

SHA512
32960ac79e4b8c0befd07fbdd569931dd74175a2f72b3ce94a450a57c012573c2806a278707918236980baf219b0628cf615da0346ec3ee00a984d999cdde53d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
9c771a01ff0c0011a2e93dbca755ea51

SHA1
e71a7ce5ada4401e92d055f223ca69bfb3456b36

SHA256
cb2cf012e959575a4d377eb3e60e004a3a752985cf72585daa5339a552f46f45

SHA512
ac870030d289ed66e0956ac14c8742fe45db69e4c467172b9dd071164f528b0e43acc538e4913181ba5b5646559ff34b3f8424d8bd3de8ae6add134126bb7672

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b6ab64d014adaec8c6ad39cebe7c517e

SHA1
a2338d41a07c79810d3b48ef412256c96820d41a

SHA256
5264fd495eddb39bf931cc71f5cd15a65d197291e891e289b63075dd363ad6fd

SHA512
a2c76bee9c85892608fb9778c3e5a0e2b2387e22f020dc5db1d9454d7f3483b3ed84066414bdbc811e393084fba55035cd90d5bcfbc37fc94f8dd6989f36a273

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
ce50a60fc86cdf4ea54924a829fb10f2

SHA1
f7ffe06d35c7b91f96c8e5b9a064c6954b93024f

SHA256
1a45edd49aa18a52acd8e3019518e03f21270db6f96c3516fdc5f7436856fdc7

SHA512
642c266550f815c3c29434821f946996aa8d086a5564082e655815a0e37517e495bf6cf3f195abf38a8fabb9b30e85935310653bc61845c2144adfd5f5924e65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3d083054bf2f99a2662e886b8722b3d2

SHA1
5f3d04216980871b5b9ce13c82da475cfa2d1d70

SHA256
72ac44f82c93e8b7566bc11400dad7f4615c678ec8ce09c30a333366fd4bb0ad

SHA512
1fb4e505a50a80062824113665574175236850a83b4e7828a9e61678cfc45cded73da4f67c1f9c39a166d326ee9ea26a979e0bd3a193c667789fb6bd394ec147

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b363102e3f7fd2b5c41bc399de6f13eb

SHA1
3f474c8cce39f76af572015a13c2ec9bf4fe8d5b

SHA256
441bf95e0f4e8dad16d3fc174ee33f25552973d1f2cc4e21c518bf67466d5f5c

SHA512
04ca9707d07a14a115251bbd93f2afe5c4555949f309538cb50ebcb7ffb050cd9efc27d40a4dae3a2dca423c1271b6e73704325a1a60bbbffb060b221f9430fe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
7dc5acd8af5d623ae2c9a5cf1897b762

SHA1
1527f0a013a7b476bdbc73abd6b75b73926b7afa

SHA256
e01e50f276e29205211bf2759a40b0e55cad0cdabe7db3c2e0dd94396ccc4c60

SHA512
9e83762ebe2767a733b40d669bad55353d70f22cf00494d3608e48a5d4cda38ace67f5e25d4a96bd8ca2fbdbc12f2fb6f369985e715170bf5cd2464949952963

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3d32e1df697dd0e912182375a154951c

SHA1
af026800c9b3676e836bc6502e9b702132eef11b

SHA256
7f86a1ab9a30592e20c87f5a0b040b83cff0bca3384982794fe6df0f6e2fa37c

SHA512
8ebe269337b4e2137acd99074823ffc4c92b2b52f8cda46ed0321d283f7b5b5fec4c1e8b9c7ba0b62fbc60c8406c856c9eae8022c85d3591e6ec2e0efb811c89

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b17a6d3b6448b6b66e41f66595b469a6

SHA1
57482af0d13aeaaff5b8e98403017dc79ef00719

SHA256
e9660cfe81ef8b6a70cb4f06a76dc6c30892c51ecba8afac879bc27e9c82a8ee

SHA512
25530daa432aa86c9cace175cd15744afcbf7ca924c01ece346d08d5bb9a520f287803ac95cbf6eb89a2084c82ce776202cbae3de4dd1378d5dd9ebae5628009

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
6d8466b7d4eb56c5d00e0f327c1a7149

SHA1
a90ab2ebb97c98f2d9d7086556358b87a0fb3cfb

SHA256
360e707e21284b093f3d42d25b41c0b7291b7a96cd3d9dc036d707eab8182b8d

SHA512
7366c1ff4c16b4a8a7705c9acf7f3fe2abfc3df8b5f862681728c9d9f115f0b67ccd8eddcbeb31e421f7a4393bcb61f763614a971b4ad3419037d742068b7355

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d6d009f5c46cc4e8e68c25153170c8e6

SHA1
146ea3ca045f770630217668a450344d8d93eeb8

SHA256
0f2716afac2c286d32aa70ceb8782fc4c03f890309539776a75583c0ea87ef28

SHA512
d38cf1d28e03cea68dfb144ba96942d5669578a51e2f05c96349e7ec421c2ee732f308c322ed0c4bdcbb05368f967eb5b46c580d9fbfe38da8a997eab725473f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c3e87cb49ded8d622e41065c3fdf4524

SHA1
5b1988ba6fae6a29262d2fa1722978e0d2148b62

SHA256
cb80a8991a55dbfb51aa4c95f3dd7aadbdedf2c67ebedb9a0877dea2e49e6763

SHA512
66e42365c58dc5ec36289c3fc326c984c05a0587b8f7f6c50534d4098c7e7cc4dfa65677671f5dd0c7555a7778310cdb435431970678057096790af5551fb384

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
53818a383abaad91b349239630932403

SHA1
43af1610bc44c0d3c833ca4879a075ea3d0f5422

SHA256
50025b955c3602a2747067891d31181f9a4a90e4b4782fef841235c31d5e6f96

SHA512
a8d1d8cff97965306705849a188b5f13d19ba4a5d9c85c25093d7cce60dce92289a40a1d0141084430f119264d3886ffa3819e2e3ac8aa33edf7e37ace279ca9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
4229ecc40bac5bc9cf39f70f9bee04b9

SHA1
06f8639447c981279b5046e1e03859f7851da2a0

SHA256
0d3b13f6744dc2ebf69a52f7d00d724951f1376d3008f47d904d8ef3180a54d2

SHA512
c5a7f2c2599cae3cb7412fbe39e3371a1a478f155e9f28c23d848b7cc3085c9fc2503fde6d41a88ad740f6b4f69d9ccc20c49f7908a904b6bec52fe25c109904

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a42b0b950cab066c752fe81379e99122

SHA1
13a317ce877f09f60b778c28291ca6ea2d862991

SHA256
12cdd60f16839b984a2c356ca690c1145a10ca68c25ab3576919559e27f6a3d7

SHA512
8b4bffd6a316ee4972ed12b3f0e735706c9620fb9802f524f92a4e1d802df4519bb4273c2e1ed2ea032c33c0df067579aa9136369261fafa654c8c3cff977309

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5c093665ddefa7b066acffdc60f376b1

SHA1
9d2f2a671f279765571e93dd0ef63b696639a290

SHA256
5f8b612efb9b78f46f63d9ad4be562b031a48adc88f8cf1b1556aeb89d155d5a

SHA512
242a66f95b5b94e4dbea7009dc630556d0affb52ebc7172cc059d4ae4bb7d36b73a17f4cb77b4c16b46bb45a261497cb4b51c7f6bd68769186754d4983b041d6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b969f73d3f3031a1378f4177a16be588

SHA1
5cdec8a616481bcf2368b1f6d342cc71e0774593

SHA256
c7cb64b47d86b47a597e55aa9e35caca95165c6e63b686c07ca88f9cf6615b26

SHA512
3183597414f5fe1243d2f904a21d1861546221974dfec941b32f36ae97f093b1ea98a3e042b2a952f6f5729fc27afa4b7fbc745fabe355d6a8fc4f9c8e5f5f7d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c7baa64fb8234daf10da4c92e5c5efbb

SHA1
3570be7eab6aabb9fed03d0b56d5ab7c1f17511b

SHA256
2bb64ef9aa5c4653e0ff82c85228ee559b8ef41c3e635af6b5855bed852b2a9b

SHA512
986bdb670b703c3914ac39a5fbcc1cd87be395d331eef91f0dee018b4f13848ffdc8a8762a764edf8e6dfa2eba9f38afb220a2282e61147e4453ba51b5fdb549

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0e0f12422b01d1abe558c0150de3482a

SHA1
4097efec3037faa138fbc7254e7ab4bf6c10b484

SHA256
eb48e75f887398264716e5813d57da275d67c0f6d94fc74ed1602385550c9b3c

SHA512
0e50a468cd949c4cd77426986470612ab45bcd4443ec04c519033d22a4c3b5d9da1d7db7c4ec0974b8474d4e10c2f90177e20072a298c36e765ec87e59bb6bd4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
67fac43fa770c45452dc0961726c3573

SHA1
1fa7ba47e6912f68110af8f55e90f81b7ae6c165

SHA256
b660e5e54c315104c040a2f95ef59049dfa1b0ea819201de8d2552932eef71c2

SHA512
04aa0fcbe47509a2c97d38b166e9e1db292cb8b9e4ada8f673d7c6c071ce964dbbd448ab4c92bbd8853e0bed08c72996ebeb117127136974644d6cd0f3a6dacf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2f116724cc8444e1adc16d4d7c1432ec

SHA1
aed9b531e8f0a6f7fac194c1144ec262346d374d

SHA256
ca2938c72fb3d6218aac84b050625901a00a46b8f4506fec2adb6dbbc843d7e2

SHA512
09f9bd6ad322d9e52b245d6b4ff709481a924760b89559aafff6c6161202f28b3ac07e2b672362e28a664899c776dde18ba2ca9ac3a8b8f75b82ce5e5ac382de

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7525bf3dd9559d2959dc5d1db121ea9d

SHA1
d5944dc1fda5b84eeb598cb8a744d0b4edc95393

SHA256
4a3ef27580e01829940a618db96447476db9cecec98ed1557b9aac61ce2db085

SHA512
b2dcf15c78bb56617d7d949242820ac89f615663476ed10114c79b510a475f92f0a8a88e09012ab591747b13b215564a86553cbde899c0d063875512ecad00f1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2f48480e4af724ae8d05fd9dff7f7479

SHA1
d0fd79b4608c9b61e6d942a36526e191885b3cc2

SHA256
7c000001d3397d8d93dc8fc60c3b3f809fd93c8fd4b6b58da57a57f471e0154c

SHA512
faf1ac61af853426f10eda22687fa39b030153f9ea16a41b0ec39695ccdff56d4e2aaac812cdd2e11b4929355848da75e0a6b6c8908399492eb34323be59f633

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
f40e8dc10051642c5e822f37c0e0e995

SHA1
8fb267b7b618859847d5e31cec3f7c179b973b6e

SHA256
77138507f6a519b14e7d8d14ad5a9a982e1ecc04b7c271a32e73bc9acea98b2b

SHA512
19b150ed28cc64dce70cbb780210bbe1d30e623e6c2a5a4bac25d2b22254d625655364df8d416cd29241b324329c80859c2b3d71247fa7b47b3abbcee9961f5e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
54f107fdd7ed47b5f9308bfded80f96b

SHA1
0910a4182346b0e4cc97964197ad9484c81690c4

SHA256
034c2e156d5c79bad6dcf5e4545acb86b06d7519373c8cf5f7a191f98b12c956

SHA512
ba818735714da5a9030d4da8a47c99b382138fdba0364e8c97e77f546493429cc8cec7c6ebcb09e11f279ffd34843db70add33eb299d63026e28e94c21ba5552

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cbd3878f6996d48d272a56f8d8af748e

SHA1
881553abc7e219ce277275bebe7ecf65ace42a70

SHA256
900dc3747674bb0a8d58aada7ed48d7c2fffb8723604f81c7a270db84fd70097

SHA512
5d7d2adc8336b33cfff700789d94aa15e8ede117b2cd31f3d63bd3c922f954b5e4eb126c169b30875f9582eae89906cfce18bc19a6b6e439082e8c04e732aae9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
a1ed0d8e227e734af8ccd664dc13b886

SHA1
4ee07f90e4205c2814682763ef354340e72650ed

SHA256
6f0c95c3e78b18b5ae3e9125921d9f992983e22be582cf63416db1b21f0a5519

SHA512
1f7557d02b9df3ab5eb2f0bf0e3d347cd941c3dd009c116f670950c885302a54c3f487ead29911dab4f2c88513fa9d681415e3b0067e954a89c8389325f59161

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
370993f76ad6edd65f146acd88a9b7c3

SHA1
8ae4e9b8a501925439ff51797fd4a5fb66c0c8c7

SHA256
c85a55920c809ae8afdd965753c84ff5d2657190a0414baded877f8c076727cc

SHA512
46ac85e7eaf4a2cff98593f059f5072c4230d0cf62ce9879eab5774b7ab8cf4398608c8b301192b10f6fc79f7c87635ae7d9de9e1a8d43922ca019702e882c6e

Download Submit
memory/64-239-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/112-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/112-46-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/112-40-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/112-48-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/112-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/864-228-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1884-226-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1896-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1896-588-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2140-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2140-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2140-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2140-112-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2188-227-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2620-35-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2620-36-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2620-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2660-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2660-394-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2660-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2660-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2864-64-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2864-0-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2864-470-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2864-469-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2864-9-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2864-1-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2944-534-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2944-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3112-240-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3112-535-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3548-87-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3548-82-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3548-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3548-584-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3548-76-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3548-84-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3548-89-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3800-486-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3800-113-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3816-585-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3816-253-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4036-115-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4036-512-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4044-91-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4044-92-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4044-465-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4160-221-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4160-513-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4260-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4260-53-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4260-265-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4260-60-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4404-238-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4484-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4652-224-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download