89c72a5098c16cfc7ffa1614c34cc17f79cfe68c9a50363be10f7177b5836105

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2483334a75959e25a7317e15921668e0N.exe
Size

1.2MB
MD5

2483334a75959e25a7317e15921668e0
SHA1

a3d9bee683996550601443f5e3c02873e81b0ee6
SHA256

89c72a5098c16cfc7ffa1614c34cc17f79cfe68c9a50363be10f7177b5836105
SHA512

07288cc676b82e8e9c5d23d307bcc9f578a9807868820d117969eb12ec551a09b2257b65758f9881a4535bf56e56430d561f94a21f2e1ce3c737f09137257a54
SSDEEP

12288:FdsMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:P9SkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2888	alg.exe
460	DiagnosticsHub.StandardCollector.Service.exe
4520	fxssvc.exe
2328	elevation_service.exe
656	elevation_service.exe
3400	maintenanceservice.exe
5100	msdtc.exe
4776	OSE.EXE
2824	PerceptionSimulationService.exe
3168	perfhost.exe
980	locator.exe
4868	SensorDataService.exe
440	snmptrap.exe
3908	spectrum.exe
1160	ssh-agent.exe
4784	TieringEngineService.exe
4592	AgentService.exe
3448	vds.exe
1736	vssvc.exe
5044	wbengine.exe
3948	WmiApSrv.exe
4596	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\25356ffc2dbdc151.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\locator.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\System32\vds.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2483334a75959e25a7317e15921668e0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2483334a75959e25a7317e15921668e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000788e4dc20fdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf77f0e420fdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001eaf91de20fdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000789ff7e420fdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028d730e520fdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c39af7dc20fdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
460	DiagnosticsHub.StandardCollector.Service.exe
460	DiagnosticsHub.StandardCollector.Service.exe
460	DiagnosticsHub.StandardCollector.Service.exe
460	DiagnosticsHub.StandardCollector.Service.exe
460	DiagnosticsHub.StandardCollector.Service.exe
460	DiagnosticsHub.StandardCollector.Service.exe
460	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2348	2483334a75959e25a7317e15921668e0N.exe
Token: SeAuditPrivilege	4520	fxssvc.exe
Token: SeRestorePrivilege	4784	TieringEngineService.exe
Token: SeManageVolumePrivilege	4784	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4592	AgentService.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe
Token: SeBackupPrivilege	5044	wbengine.exe
Token: SeRestorePrivilege	5044	wbengine.exe
Token: SeSecurityPrivilege	5044	wbengine.exe
Token: 33	4596	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4596	SearchIndexer.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	460	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4144	4596	SearchIndexer.exe	116
PID 4596 wrote to memory of 4144	4596	SearchIndexer.exe	116
PID 4596 wrote to memory of 1824	4596	SearchIndexer.exe	117
PID 4596 wrote to memory of 1824	4596	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2483334a75959e25a7317e15921668e0N.exe
"C:\Users\Admin\AppData\Local\Temp\2483334a75959e25a7317e15921668e0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:716

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5100

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3908

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4508

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4144
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
455c8cbc235ddad324e0bacbe542dada

SHA1
bcaacf2a5c6152400677dd444ba13ceb6ba483c3

SHA256
718422623c8780ee11c54b3905c9a4cb9565fb2742c9b490e1c87bf0be355b2c

SHA512
42e4c626a808c96c5ba994f0023e4d04bd2f1995b5d679cdddfee0a14ea9937d830f43b97068b5a08ed720c9055750c978fd8927012e6575df2bd85822d27e79

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
deaae47e63d9618768e82fbe90f22b31

SHA1
95d128de707bc20a3a5846cb755bfd81265b18ea

SHA256
53bba0cd2826560a70b7175f98987337b64887f9482b64123f937005caf9d568

SHA512
62cc6a474cecac10d65e7efce13c4f51e0dacfd49cacd844c659f60bd4e17ae15beea03073030c82e493807d7119a80568b29c0fda1becdb5a3f006276ab2497

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e54021cc1c145e70bf8ce55bf2a97a6f

SHA1
d93a2f5d8faa59a70af9380883913df18b090f98

SHA256
a987edbe8e0571d721929b7bebc12681c527b00ef46122c7e13600b05cabba18

SHA512
a5c118cd432854901b92d0fc59bdcf7e098a1233ab954e022a36b80cc42b1c65133ab89c913608e4d9a9c73d1912c807c9621468e4c584331de8d0fe4634c84f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e49e2dcd522932e284b75e199dd00178

SHA1
086614377dc677352f05ade7e0f9a98c4c6423e2

SHA256
9ef347fab58e7aaebd9bf7135a5a689924f34c32c18dd92761342af672752a2c

SHA512
71bc35bcfcb16b0c1c6a4fecf5cb7841e8fd5e09223abc2a3c25a7ca1b93e0de5b15230b51a70ea6c5931e52911fa7a081e0ce1d505830816787bc99d5fb21e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f53f9b3d36e80e17194765bb36b1017a

SHA1
db50684d5ec6626f33e2f2ec7783d8ac391c787b

SHA256
3c6f00c71dd7f81fd7f3984c35a0443572d02676d3866dd5cb5c53ece1081b73

SHA512
4c872e866383039155a77f1e063d38a3a14f82f1f35ba71c6a66163d9409fcab14f94730483d1fc5009538ec4c6be31c899f45357bdd9eef5193ea62dfec639d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c98a4fadf332d9a38d20bfb8ae78a584

SHA1
c2efad4b35d7bb15d9020173e8e00578f6d14238

SHA256
7de273ad8fe81d8a632e6133c795eed4a13fefe0bcf698324250cc4cea586037

SHA512
ff1997e7e7dd5e6a94a0c92c715bc3cd0c2f4b4fe0c2498865fad4e9335877791dada1666d9cb70714488fea71c0ea7372f9f110dbe7bb19fbe4ead4f5487dbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c07f138527b8b040438ec77bffb5b820

SHA1
f8ae078cec6f97c9c282f10fae11f8405c80df91

SHA256
8ad8f53ac869e488956379da1fc7327d5d8476852d5e0321426c832c5185a3cb

SHA512
38e5d201a539f14d66e9336ba15155610c9a92804665a3e71b94c3a971c706b0d5ed187d916342e1302c58f0a808fe16b4c02d77aef241c319c6fe8dd2341305

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2f4938541eba08bf42b62735d8e05859

SHA1
71008aa3bde13884ef9d072531e9ae22db6bd535

SHA256
ff403483b560a41e0ad43752b17359bc913ce1f58217751d7501e4a088aba8d1

SHA512
023b6e0fb9a8cda67cc3b0f7ed1e20aae09c0f6b436090d628d80b68aa1b8413fb88eea86405755f40eee64fc8fa528d764829e8f35635e236f6f4f5bd2ad4fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
1a846cf1d193116c5d211c1423da0ce5

SHA1
20c75eedb05ccbd344eb5d004c6285f13d7a31be

SHA256
5405bdc7663598c6c4040b97cfd8e32d106a828fca4be53093510363e6e5ce3e

SHA512
e158bb16662b2b6780a3452e9ae60288bac7cb1c03af3c4eff0cc4fae8e5782f71da327a3c28a0ade30fbe20fef324ee95e0edd2838e57f676229fb094ab9bd6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d6e0c06918ac6571e72b813849c2e8e4

SHA1
74323c2927a10ff31740f7af62286b888d9c38e9

SHA256
a32205a80020407d22bf5ee5396ecf525d259c2bd5bfa230d7f35ab71df06098

SHA512
bf701fbedf6dad872268fb621f56538a9ef82e29e00dad30ca41fc11151bf681a52822604c1e82bcff7bf6ca4cc70768ce81786ec116b37dc981b0c1d6ed8f4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7e5a385d2f56530a1ba01f1cba5ffc76

SHA1
a5e0257b0614c4fc0b2347bbdf4a38d1fa6363de

SHA256
40d65e79611cf4844e92e788592f3083f1110c5c6fc5ac069ecd93fa1b9c0b58

SHA512
114b6e7feb472fe18fc9f3abbd595013a23145bc2cf4319f22ad950ddf70505cd9a4d8785fa44f5f77e4bbbcd96f3a38d036a563515271af7fcb1e6ca07dc974

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
06f5a7e20cfe0ce561948e01748b5c78

SHA1
4a9206294bcd5782f9e21c43ccd51eb3743faa82

SHA256
892334f620f54686fbecc67e548fe56c511bb310ac427fc8c827c974235a4a35

SHA512
d17dc6f9f6810a2480cbd03134d29fb3e5bb4366ff68988906123f12a3417cf35c314034db7381f2ae5d29109ec1d5e7d70fc677c681912bd2c8f04bf7c38470

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
bd81c82fbcca42fe7a765112bee49c8f

SHA1
8f0cd1247138b610488bf9dd9d5426886c41e369

SHA256
e619c9c0a823c553d76ed8b957ac00d94fda916f58949feb58bdb1c534571777

SHA512
3386bd7ea3218dd717d6204db6a5978dc0a847b3b22f410c4a67def5ebd59d1505f9598b0587a62655bc84271b01de2df520518366d2511c53d18e6c5aab1567

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
7282d0b22132aa085eb2df8c6db99f7c

SHA1
ac3d5faa79be9d41c79f001caba4b0e785414e67

SHA256
a68ab61cd2e3925f8052876eb341d3eeefd46715038147f96b4b6ba5bf526415

SHA512
e0a998e57907b95cb14b65f460c6048018926b952871daa6065138c54344778a4c2d39deb2e7155da3517607396b6ead014fb690fdd5f5085352e46687d200f9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
aae08e0fa65c66db6144d1315a7fa825

SHA1
3bffdf3fcc34b7b61cfaf1b1853ebfc91694fda1

SHA256
4dfb155b3a5d208f53a19121c8333f4e552a702af90aac51d8aded563df70b56

SHA512
708e5d7fc67f8b2566c047dc8537eebe7fef9403389421025b169f12a1602faa985e41cd87d7a4be8eceba1d10621433e88e1395ade7faf6b7a376e5ede82223

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
bf8b42c688881028c28f68c2bd18791f

SHA1
50ee5a07f80f97038a1069715d7cd457cfee478d

SHA256
c4d938c00cd861458a51c3df81c443ad6c6ef2a74c4912a09de6b70dbf622430

SHA512
4aab405ac4c2c411a90b9f390ffa8ce998e3647bf859e5c49f6762cece766645a3c24a3537e3da8443dfdf14c2b084c6cca26c1969f38cc738a7ca415b061ca6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9501d8f22ec9af8741cd7bc1bc101e87

SHA1
6933b7858dbf1788ee96472f88c9690d97261975

SHA256
f6a07fc4fefd51177d15bac499e70e893bd96deed3b6332292de44f83e8623fe

SHA512
d2aa055cb5ecc82df8d388969d36bb086bf04550426880dc9f878a0e594ceac65be27666903e9062024a56a87c6f257d3a83289e78fcd03f7e786720da1ea5e6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c9189e70f6169052f422744057321898

SHA1
0f4b5a92ec0b0d2e37b2a3a6614710c8d07bc885

SHA256
9647ff99d0203437bf701a0956fc2b6cb9fe7209a7527913ddaed8c1a9882286

SHA512
61c264733745e191b2f0fa90c4c2e34826209d58569d9b3edc5783ada25708676e0d529cd9318e0e3b5ec9a599c02d8d7899c1edb48f0384740e59d2c1005dbe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
dbf399a428d7411605cc7a9c3c640a98

SHA1
2c3158c500a47ec9a9f4fbe214cc6ac7621f3c6b

SHA256
c73e0b4c3f0fa9d40a8293e88bbe0c8151c295c728434c0a58a6993544332f8a

SHA512
738db244d79e1a09fc4b4fd19663d0fa2435a845cf771b4bd4584657a0cf64b749a515a75322d57032eadad0af3b0b419e1be50ba85a6df23ccda8d1ac4a84d5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
67002ffeb69fb213cc09442b36b62725

SHA1
b1ba738713814b88e73d70ceb52c62642f6bf4a8

SHA256
fbc1c3314c16c8f074bb4f97cc2f70f82f3b36f05b5e9f6e5e7a4719ef6cac87

SHA512
98bdc6720d42fb39c8be60b30f801e8951b5c77670a989071067c192cb3f3963791b6ef3f88d8c1babee55b89088bb72c2e244da87a2cbc13399bae873e0c0c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a431d223acad64eee1b9e83b1a613e0d

SHA1
ae3ca5a8c7339d7ac1025136224424fce3c90157

SHA256
a5576be06516d04d5d24b8c3bd1acb21cc954018fe2bad815fde455aa93febbb

SHA512
04507c23e28e82bd085aa654ae98e0224bb94914138cc0a7c2c8ece63434ada780d0598b035ec87d21b17f5b67d5fb67860c042968d0fcfb9ffd194afb101102

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
25696ba43015c20cd8c0a8ebb249ee8b

SHA1
247ea5e11f5fc3c9929ff31e61bb8773df3087b7

SHA256
18eb7cf33463fb6ce5f768b4523e64244ed28919b4324d1eaec97e057f8c1e5f

SHA512
50206fae471359d656bbf6e573038b98cf2c426282e26bbb34f93005d255387bb9052fb62e5627d95f4521f5dead34a9e8a20b36b53d293b40c49c502aba0e75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6a346d32a0c8a9c0b2224555341457fc

SHA1
90d8ff1cf0760b6a01fa5b699d94aee0fe858a25

SHA256
0f4265d8a79bd0cec3f967194077a0e269a241e130655079739b978076b65379

SHA512
1f6820677219e824eff6b6e8a57a52fa5df242f8e6745c956fc4933da79c6a4d43003f5211580f148a51eb69189c59761031437604cade77215703ee3c308c0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b29787d136c79a327fd09e810c7bc0d3

SHA1
a79e91d4f61c04ace9609d09934ce924b501f338

SHA256
755f959446138bffce0adca0df8dd901bf269b18311ac9faf79941fd0a25cf9a

SHA512
ec8d51135532331afb3172b2c3d55fac4048009f426acea82b8e7a43f5a52ec7bd0831fb7bdbd086a49320df94218bf66ad9b7a32894f48a51a1b43b0d5e5dfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
896067a85885bac98c2188fed9f31b33

SHA1
be2c50105175de56045b82f3fba2c66716e89b1a

SHA256
2692801d653f6084d4367db63cfd38d3e0387d41795897cbecb2a59aa4af5c3e

SHA512
1c0a15c7de9e081b67933906383ad86ca8dc7ed32ae38812d7e5540e9d1cf040c5054d32494949105f67a7ffa35e407cb23dcdc7d72c29dcccf8f9dd8965f77d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e487dc9a67562d8d60e0ff4135fb8522

SHA1
9ff32018c490d1f40ad919c4de1f89fcafe0c3c8

SHA256
55118619eccf5d0f97cbd6dcdc2d90e51771212105f9d53feb99773071a2604a

SHA512
b9a1fa2a0078685b7e5c9e0c9d7b7aaa9cccae006b12482889e0cc3e9aa5b3d3d83e90398c87881b4405075f9228f92d479b7a958580c6b18ff2e89f8e9cd3d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e0178aafbdec776a635cda06581d113d

SHA1
6a35fac8c2d57513ac52a4fad3180858019cf99a

SHA256
17801d2bf7693fb84b78584d6b10dbb387d3b71ffa406b0a9f27088a0cac17f4

SHA512
41250a1e9542f1781a96861b5630ffb4c418a500b737d2da286758a98c654355dadaa3fce8ca0b00f188f8d448de50cf9d8e1dc33ce1653ef007983144750e89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
77b6eb0ede63c3e3d564ffeaae87fe68

SHA1
fc389e278d5bef310217c4e697e3e4ea9b880103

SHA256
7960f936e474f3e8b965d47b98649ca7bfbe88f214a5a48946c21bee85e6af40

SHA512
91e92bf6014e5d4e5aed28d576623a135520c2ff43f1f2a3d6ae6bca9d6d5527b9282531b9d7b7404ca6ef891fb9c656c64c89a3d941f2898447e97739426d2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
359b6f6c81e1670cf559434a6ebe1e4b

SHA1
3fac43dcc8f057687cce44cc985ce1786ef3716e

SHA256
7230ae67db0787c10a29fd5a65b4f47a1dd0b97b8004346a588a121e4386149c

SHA512
cb582b9903cda1e87766bb19a92d96e7f6a7c265d41e55916e0bc5a2ad5623184a9cefdb2f4be061dbb498d62e544be9157053b0f0a385c30f71449769e76291

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
97b05bd7b3cb5b8bf810d0f1ad75d81f

SHA1
beb2ac822455551c6d20308eb0ed454cf32af092

SHA256
606d68c5954ddf0bfffb7bebbb607521ceb189da971a0e3bb9c9c622eb7be582

SHA512
0a0016430f5363a6a0a10b4adeb9dbb6e321f890fbc6a3e185683d1fd61abfeaea2ea186cb4e1c87ad388cfdbadc5be2540e19e1f4f893b43b32f4bfd6c487bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
3621c2e18889819deb80f55cc9372741

SHA1
d254bc5a5dc29517e6ebdb4d67dacaec960f638c

SHA256
8be3a132ca75ad6dd32e1ec587e52b40157bd7fccc2fb18a3b088b860f38dffe

SHA512
7ab1c29d25efcc7d0764f7f95f6cea8357467856201cdb9651e9f1c2aa74a358af8f5d1e81052512db3a7fc5b297c3495502d8e65d43d20c435b3a8bc17a6e50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
97d72c10e5a31c5ab0d2b48078c4fafb

SHA1
f304cd2bac0e544e5bfb48c5df564659a46af7fe

SHA256
1d033345916e71ffa6120562d9e50a453c462cbc8d08b940e476fb3b0c1f061f

SHA512
e247b42fee24d931024507a4676805dbfad86012f2b29e434406739e2c57de9288815177fcf49e2ce9b5d3325ec3f4f8243c16fa7bcbea877b05b782c5974b24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d6a492512b734153947eab4c4f75e311

SHA1
d772c4a8f82d8fe7b29ffa21836a1ffecdad57f9

SHA256
1eca6681d7c898fbd54fe1314c25378852dcd35000a3fb78836e25813ea46298

SHA512
7cc32780fdada770f8fca067c2e2e08f25fd40c6d83bcd89938dd0a0844d659653c3973cb3983279c67ee9e3279c19a9c89a93ebcc4d5c72f5eeda9527477550

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
d67392ff98fde69d68dde6fae81035d1

SHA1
db74dc1044d79199d3808b3cfda2e636de0a1656

SHA256
381fb0a69484a40800dc9c6084a34cb6b0cf16161d141bfc713ef1e11a921f56

SHA512
03fc7e6eae4b114a5444a0aa3b7111d186b6c4fdbad5cb52c0b5baf890e94854b4a0e6ab2fa4adf90969a785e88ad5c3a9b5136f04069ade8586bbeb8e5f138d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3a262d105297220c01e4ac6678363b58

SHA1
d994ebde2499dd6cf20f371728891d89e0f3e5d0

SHA256
2e086d794e985ecca81d2eab65be57a31eed1f5843cc534e0fa80b0a5266ab83

SHA512
a6c103401d4841b68a9ee12497d614293f092e6fc03adf39ba1e75d829e2ade2d92ec601810b42f62a818cff2905e1264b22e35a14258ec60b1bd6101354547b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
67f9a2d5256a7d6debe86a629702e7de

SHA1
bffaea7bc52355156ccd9b015acbc32f01c9d075

SHA256
7340c8ab00f03521a98cdf07c50000b4901bfe90d4b64ae2487682fbf9bed703

SHA512
0482e031cf77f721b227cbe963fa185454f752f36215804dce48f8fa62ab73534ead74bc5687085849c482e6e40af39e06764128fd7b22752871f3d1c4d0d22c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
b103b1f382d54c3994cefd1e34a7a427

SHA1
b180c9a87e79056101237d2974572f1f9926e389

SHA256
39bb7e420d93d0c457c20f03936b10c2c9f2f5cbc39436e36c767a6c384b920e

SHA512
ede510cd0796e8de5684441fe5b995f71f7f7428692c045b09d6a5e94c1ae4cddc441df28c7dadbb945cb5e53d9e8358eae36926f9e1d20af35cb6d7ba93fc92

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ecf17011b8cfb3df98286038ac9fbe5e

SHA1
544c05063457c0e7f8dbe73ec99fb4d62396b4e0

SHA256
a58272dfdb799d96f2bc12ab0795bcc27a4a7be4e1b2ee589bbd905d3413ef91

SHA512
106d9c78558e16819f14b3ddd484ac4aaa3cbcdb5329cf776c8d80be3e29f46165b3172a1ce24498e47e4c6cdbd8ff3caa451b0da855b9e34f95abb010c71e72

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
325739b60159cac7c3f94d8b16542ae0

SHA1
f5d595dcd14cb27e5648ae669512c4aa4f11be48

SHA256
fd6377dfeb4afee8a5b224e84d86dbef53896c87d0ae834b6df20bcfbd86846d

SHA512
9904eccaf2808a92ecc2ab224793239f2f3f0c2a15dfd4affbbfc0285cb66e08e82bf097b8b91daae0e37ebb6b0bfc4a05f2c8d06746ddfe6d9535d8b6796fd6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
00a7842288bd5889c9b153ed3a1cb5b6

SHA1
354838aac086e948588b6ff8746c0b245be6322d

SHA256
afb1c9ce9ba0aa3d7f9fd9e8aef9002e580f2692ed6984563237de859377995a

SHA512
91870d61be45defb2edc7bf417285f0f807a08c299949585628e69c0b89664aa41c66253bdc84ad89a259629e0ce39b38c2d9a2ed90d74ddc8feb3653ff59124

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5f1bb300626a3b25043a0d472638855f

SHA1
7ae68a8b68fa0c765887b7098e7b4e9f614ac3d3

SHA256
9a58f510cbbfca4720fadd33a6262b9c5e0f67214fbd6143268211a08d3db21d

SHA512
63bc2374337d5480ea09727157935a84dfc9da3394e65aa08df0b10525666470e8c5227189108c687bedba47543f7180af5da999a044e4ad0e6a89b5c89538ea

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
c851c72590174188ac0232bac7666fd3

SHA1
1f84fc57babe0ad4115a31a4b5d042b303c5458f

SHA256
c469ea3837cd1b246e72993a37fb3ae2f1c235a2cc08016426f960d557c0c92e

SHA512
cc4dad73bced64f64c59d82b976ff86f05df7946b6e1367d8771c4fe1e58f04a4207310cb857b9aa4217267eab1f302172ef1a1865b1a8bfe173903087dbe494

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d0b4440ad7688ea1247602194023dbdf

SHA1
cdac60dba82597a44968076f8e73756aad22c5d0

SHA256
a99d3c0b218ce26233a28989f0c5e9c1a52e3ee22c1a0abaa14b5d61b012142c

SHA512
73f345d57de42699678d34de871e6e47e3331d41d74fa2093c41cfb5c97b97514a9fdd53968e020bf280978e4307087b1c1555c032f78bf15fcd9afc42720be2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d18b02f8c135190dea1cda0514d5c00a

SHA1
d2a48db10f17ca2aceb25e5b4050b268d993c6bf

SHA256
e30c9d6319e43e48667616ac9eb01a6e4f8a191a64faf49d8749ccdf1790508f

SHA512
e2a876ba06cf6a2b223b36f4546327be272c2cb8e0305ab08f51fe75ecdc6196d69337277646b7faa6f6b6fbf03cfff594ce3047140d56272d221059e9da289b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
85b80e417062699c6a8e44ba68f3f8ad

SHA1
26466b1021ea43a967344e75b2b4542d5c6adacf

SHA256
e406826f1ee2bd33fee838f2755c6472cd05c5e59da86d08ae2ba446e2360c88

SHA512
3ce66dcb611d0450229be740aeb6e48e0008ec84a71271f84c1a9054143ab1f3067d729d31d5b6488529193a5cb07057af770faa350e2e2684fd99dacda2adfc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
e7d7f4c4c7b4610ba8056f65f9953771

SHA1
4355968e0ee8c287cdd3943ed3e89b799e997291

SHA256
ca9e4d63608ddc2b9abc97649e1d577069f0e24cd5d7575ed0f7ba5b66fb068f

SHA512
6ffcb2239bc6f874c6cbeb1124fa8d1b4b220db0d25351786b887c84d02e6e3add7b999a4102d5f1ab1c864fbd101f8476522e1e57370fd4d6c794d367c4b424

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
979a7e8c3c753d43f2fb03d9bcb198ba

SHA1
ae2b6e8efe51c589d1d00fcaf485b516522ddf89

SHA256
0b0331f06a108b32a2706f03fc4158b64781d926da294c8044bc8ebd216c093f

SHA512
446968ed7d7d049438e70ca60f696f57ed450ee15535381b3a03b786b5bbac12245c42354607240813efa760b7c0a6ce9ecf93b87bbb401abce1f6c5e869c565

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e6c459fa28f74ea31cdb0806870a2cbe

SHA1
126e2b1b72957c282548458905ff11f483aba6fe

SHA256
5e3c2e6187c82245f4d3978582f7da70775235e0ce68b7acb3fcf921b94da2c2

SHA512
fce679b0f13ae26814ac8a99684b79784d3d0b8bdeab032d85ddd960ae55f9107cee36e9a7900f16f2da1ae76d3ccfe87c4fe37ba6e0e56a78a4c310beb19af4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
803426dbf811dc34c44239a5f9be3250

SHA1
015cb45bd4a8af9037e6c8fc56f7fe90f933aebd

SHA256
d9af3f3fb15f424fa92431222d08ff4fd25b59ca02229f096d2b5c517bab976d

SHA512
68a63b8427ac4e9866586d96af9b6c423bc6bed9c7e2ebd98a3e26ca7f35138594f1c5eb7df71e816d73a86a2b0cc0a24cf80c7a2a321b2e32b45d2eb7837042

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
04dce9bb9cbe1b52def4342272d38532

SHA1
a917a9093d683e65b39abfe367e054ea9ee0fc53

SHA256
b19a24f1ed090e89e2a0963668d9e418a85f256a0705043773e2279f6284ade8

SHA512
3dd8e55e3c6d0f8da4317171d4edbf3ab17a5b10701124e82a811675d442bf9dd30a9fd334ff5c524ba0e4b3ee8c5dad38fc72a2c97a7e071e286e10095e0177

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e8a9fd57449822ec5566be3a9137c3b2

SHA1
fbba6265ea282d79d17e4a487e88d661546260d0

SHA256
236d3ac9e0f1929f6c5953df2931ad01167f38e5706afa60ca162d4201b03465

SHA512
6bcdc9dfad0516682578ef62c352d243ed633272f64c0de7b2f3c45b7fd568feb9679ab39868598e838c07dc806db0f3e53bad11593973836761911d4e47a858

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
4e6b7146cf50b55d3723a4ab68d07ad9

SHA1
5ed0cf91caa59a930c5910bdf98bed711f68422e

SHA256
e211c419c10e3070792767b7f3fd2b8f0b4670f796cb76ef21289b1549e93db4

SHA512
62f50deba2790482a34412154cf12771ce67ac35b32922a439032aac92a441428a8cab3ddaf5e5425e7710c4ad41c0aba73d7fa42286c8b71529f7077d64e651

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ab57e8a33a2e57d7126b7d0a724d2f44

SHA1
1b8dda119480870e081f65771ad029e9d8bc6f19

SHA256
20b0c8e47d2bbf3c6bec73a7461bda003090b8049985abb59f293aa653eef0c1

SHA512
be93813362d3fc0a09ba53b7d3752f2af4b41f12df122110c77310a0f5df85ce3b0b4185de47f0d0cefa73b25cb3301ac32d58330c2d185a116a2efe37b905f3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
83bb43bc801f99f0180a5d28ae41645a

SHA1
50ee5b6e7eeeb969af9982b89103b33636dba057

SHA256
ac1d78a9ff08e14041182710c3a36e59e4e1d139ef55fcb65a4df931eef2ff33

SHA512
02e9d978e057b73ebfad09d4208b284dc06b87bc5516abae7e20e1fe7735b7fda580f65926c280da4dd8cc27e5ad6c497576afed0c7d108a704cf6f65c66cce1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
359971bc28f5cf33c3fed47599bf0636

SHA1
c023df17138b491d78dbf95b708d4c2004bd7cb5

SHA256
709f643c8bbc9200f6205f89329447d6fc0b95e0e79c8dca99bf40ac1956c76c

SHA512
95cbd89e42eb9718f9b08ace7ba67f113370c07072d05bbedbe1a578a141a051067f14215daf2ec98cfabce66c52d19db7b5135b41dcab4c9dcf1a37acd23418

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
a8a4ab45d012a6b70b06efda7be61a0e

SHA1
d7c59955ae351e168ebd496755cb373fb150be00

SHA256
2ad5f90aebe0815b18930d016a41504d3a64f057c639239beaa32d0bbc8ba8c9

SHA512
342c1a85487515c9ae3c10019d6cba62d4e2adb9638bc74cde89fd516fe4fd9429c6b8e3ea5c1f14716866773af7fc2fcff6dfe29b0b437a87041548e9c55771

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b28b931af4fbae09712a5fe14ab29c58

SHA1
b90e65a2a78a98e90fac48e7298c63fc4b51493d

SHA256
f5d1baf5bc06ce0fde758898b156275460d6c9e93d9cb70b8a5f2d1898d8eed0

SHA512
a989f000f17611950d8edd7adcfc1db2621ef3bbd97cab292c97aec1963d12d3a92a9ae8dca185c1d307bcd6f98722cf610cdf1fb078b6ab2968e1e41d132fd0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
42e1fa7a3814ef16047034f9028447c4

SHA1
2ba895d6c190202cb1ab707a53c536b63a0d0569

SHA256
240cf579faa133b3635363b2d405df1380c402edde327e3fde35027004499b20

SHA512
bc3fff6df791bf0de0bdce05c84d849a6122c0ab3febcfe3553e7fe3765e5a446d0fac96013c627c081cc98c80c55c7a2893612891faf2693ffc988a6e3950e5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
83e2b01a4e6e28d3fd1aa19651be1ba6

SHA1
a82f223d97a5379476a69e8ac01f2fac114056e3

SHA256
b6c96aa25a7dc028a36873543f8aa693a4b6766e3b7fd51d949917503bd40abd

SHA512
0dbb95f2a6ad32fdc790244927960473bfc0e5155c9b4b93bef2cd8aa8151b0c71c6164fbc3f9e05b8b3705d7ecab1061530a41c03fb8552d81c5f72c794ced1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e30e4045b8c14f7c3948df5fc1da6e3c

SHA1
9c367d55dc476d30a403141723bd66868ca76c94

SHA256
421b8c38b5d30746f492c9070c253285665e4857c6703d3958b5a42d76d52246

SHA512
13bdf0fe583f99a7128e07a4f92a938b1a6d2c2b60586b5fe70d3d0d0f63bd8dd54ee603451097523eed290fde7ed9f51de46e267d5ee9e1f1e55c36d3fd429e

Download Submit
memory/440-389-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/440-163-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/460-126-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/460-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/460-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/460-32-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/460-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/656-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/656-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/656-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/656-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/980-261-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/980-140-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1160-194-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1160-495-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1736-542-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1736-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2328-60-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2328-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2328-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2328-53-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2348-462-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2348-0-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2348-1-0x0000000000AE0000-0x0000000000B46000-memory.dmp

Filesize
408KB

Download
memory/2348-72-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2348-8-0x0000000000AE0000-0x0000000000B46000-memory.dmp

Filesize
408KB

Download
memory/2824-237-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2824-127-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2888-103-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2888-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2888-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2888-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3168-249-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3168-137-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3400-87-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3400-89-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3400-85-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3400-82-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3400-76-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3448-538-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3448-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3908-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3908-437-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3948-270-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3948-544-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4520-48-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4520-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4520-47-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4520-39-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4520-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4592-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4592-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4596-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4596-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4776-225-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4776-112-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4784-199-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4784-535-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4868-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4868-541-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4868-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5044-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5044-543-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5100-210-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5100-91-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5100-92-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download